Discussion:
[Csync2] SSL Handshake Problem
Mike Young
2012-01-12 17:16:54 UTC
Hi,

I am trying to configure csync2 on a couple of OpenSuse 12.1 nodes, but I'm
having a problem with respect to TLS handshaking. I've added an entry to
/etc/services as was required in the Csync paper (csync2 30865/tcp
# Csync2 service) and I've configured xinetd to enable the service. The
service appears to start without any issues, until I actually perform a "csync2 -xv" operation. Then I get the following:
node1:/etc/csync2 # csync2 -xv
Connecting to host node2 (SSL) ...
WARNING: no socket to connect to
Received record packet of unknown type 87
SSL: handshake failed: An unexpected TLS packet was received.
(GNUTLS_E_UNEXPECTED_PACKET)
I thought maybe my SSL certificates may have been malformed, so I
openssl genrsa \
-out /etc/csync2_ssl_key.pem 1024
openssl req -new \
-key /etc/csync2_ssl_key.pem \
-out /etc/csync2_ssl_cert.csr
openssl x509 -req -days 600 \
-in /etc/csync2_ssl_cert.csr \
-signkey /etc/csync2_ssl_key.pem \
-out /etc/csync2_ssl_cert.pem
But that also didn't fix the problem. Any help is greatly appreciated.



Thanks in advance,



Mike






Tim Serong
2012-01-13 04:21:16 UTC
Post by Mike Young
Hi,
I am trying to configure csync2 on a couple of OpenSuse 12.1 nodes, but
I'm having a problem with respect to TLS handshaking. I've added an
entry to /etc/services as was required in the Csync paper (csync2
30865/tcp # Csync2 service) and I've configured xinetd to enable the
service. The service appears to start without any issues, until I actually perform a "csync2 -xv" operation. Then I get the following:
node1:/etc/csync2 # csync2 -xv
Connecting to host node2 (SSL) ...
WARNING: no socket to connect to
Received record packet of unknown type 87
SSL: handshake failed: An unexpected TLS packet was received.
(GNUTLS_E_UNEXPECTED_PACKET)
Is this csync2 1.34 as shipped with openSUSE 12.1, or a newer one built
from source manually?

IIRC I had the exact same problem just prior to the 12.1 release,
because the spec file had:

Requires: xinetd libgnutls26 libgnutls-extra26 gnutls sqlite2 librsync
libtasn1-3

Removing the explicit lib requires and letting RPM sort out the mess
fixed it for me, i.e. the above line was changed to:

Requires: xinetd gnutls sqlite2
Post by Mike Young
I thought maybe my SSL certificates may have been malformed, so I
openssl genrsa \
-out /etc/csync2_ssl_key.pem 1024
openssl req -new \
-key /etc/csync2_ssl_key.pem \
-out /etc/csync2_ssl_cert.csr
openssl x509 -req -days 600 \
-in /etc/csync2_ssl_cert.csr \
-signkey /etc/csync2_ssl_key.pem \
-out /etc/csync2_ssl_cert.pem
But that also didn't fix the problem. Any help is greatly appreciated.
One other thing to check is that the SSL certificates on all nodes have
the exact same details, i.e. same common name etc. IMO this is
unbelievably dumb/broken, but seems to be necessary for some reason.

HTH,

Tim
--
Tim Serong
Senior Clustering Engineer
SUSE
tserong at suse.com
Giampaolo Tomassoni
2012-02-02 14:34:48 UTC
Post by Tim Serong
One other thing to check is that the SSL certificates on all nodes have
the exact same details, i.e. same common name etc. IMO this is
unbelievably dumb/broken, but seems to be necessary for some reason.
You're right: it is dumb/broken, but this is the way the SSL handshake was
first implemented in csync2.

Actually, the two certificates have to be exactly the same because the
server node performs a byte comparison of the client one with its own: there
is no effective chain-of-trust verification or whatever else is usually
involved with digital certificates.

Basically, certificates in csync2 are more or less like shared keys, but
they allow for ssl encryption.


Giampaolo Tomassoni
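The two posts above describe the same trust model from two sides: Tim's advice that every node's certificate must carry identical details, and Giampaolo's explanation that the server simply compares the client's certificate byte-for-byte with its own, with no chain-of-trust verification. The following script is an added example (not csync2's own code, and not a reconstruction of its internals) that makes that model concrete: it reduces each node's PEM certificate to its DER bytes, fingerprints it, and reports which nodes would fail a byte-equality check against a reference node. The sample certificates are constructed placeholder bytes so the script runs offline; on a real cluster the input would be the contents of /etc/csync2_ssl_cert.pem from each node, and the node names are assumptions.

```python
import hashlib
import ssl

# Constructed sample data: these are NOT real X.509 certificates, just
# arbitrary DER-like byte strings wrapped in PEM armour so the example runs
# without touching any node. In practice, read /etc/csync2_ssl_cert.pem
# from each node instead.
NODE1_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-certificate-bytes-for-node1")
# node2 holds the very same certificate, but the file was transferred with
# CRLF line endings: the PEM text differs, the DER bytes do not.
NODE2_PEM = NODE1_PEM.replace("\n", "\r\n")
# node3 regenerated its own certificate, so the bytes differ.
NODE3_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-certificate-bytes-for-node3")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the raw DER bytes of the certificate.

    Comparing DER rather than the PEM text makes the check independent of
    line endings, trailing newlines and base64 line wrapping.
    """
    return ssl.PEM_cert_to_DER_cert(pem.strip())


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER certificate, colon-separated like
    `openssl x509 -noout -fingerprint -sha256` prints it."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def byte_identical(local_pem: str, peer_pem: str) -> bool:
    """The acceptance rule described in the thread: the server accepts the
    peer only if the peer's certificate is byte-for-byte its own certificate.
    No CA chain, no common-name matching, no expiry logic is involved, which
    is why the certificate effectively behaves like a shared secret."""
    return pem_to_der(local_pem) == pem_to_der(peer_pem)


def audit_cluster(certs: dict) -> dict:
    """Group node names by certificate fingerprint.

    A cluster that follows the rule above must collapse to exactly one group;
    every additional group is a set of nodes whose handshakes will fail.
    """
    groups = {}
    for node, pem in certs.items():
        groups.setdefault(fingerprint(pem), []).append(node)
    return groups


def mismatched_nodes(certs: dict, reference: str) -> list:
    """Return the nodes whose certificate is not byte-identical to the
    certificate held by `reference` (the node you run `csync2 -xv` from)."""
    return sorted(
        node for node, pem in certs.items()
        if node != reference and not byte_identical(certs[reference], pem)
    )


if __name__ == "__main__":
    cluster = {"node1": NODE1_PEM, "node2": NODE2_PEM, "node3": NODE3_PEM}
    for fp, nodes in audit_cluster(cluster).items():
        print(f"{fp}\n    {', '.join(nodes)}")
    bad = mismatched_nodes(cluster, "node1")
    print("nodes that will not pass node1's byte comparison:", bad or "none")
```

Run it as-is to see node1 and node2 land in one fingerprint group and node3 in another, so node3 is the one that needs the certificate and key copied from node1 (or all three regenerated together) before the handshake can succeed. Because the certificate file is the whole basis of acceptance, treat /etc/csync2_ssl_key.pem and /etc/csync2_ssl_cert.pem with the same file permissions and distribution discipline as any other shared secret.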

Mike Young
2012-01-13 07:17:40 UTC
Post by Tim Serong
Post by Mike Young
Hi,
I am trying to configure csync2 on a couple of OpenSuse 12.1 nodes, but
I'm having a problem with respect to TLS handshaking. I've added an
entry to /etc/services as was required in the Csync paper (csync2
30865/tcp # Csync2 service) and I've configured xinetd to enable the
service. The service appears to start without any issues, until I
actually perform a "csync2 -xv" operation. Then I get the following:
node1:/etc/csync2 # csync2 -xv
Connecting to host node2 (SSL) ...
WARNING: no socket to connect to
Received record packet of unknown type 87
SSL: handshake failed: An unexpected TLS packet was received.
(GNUTLS_E_UNEXPECTED_PACKET)
Is this csync2 1.34 as shipped with openSUSE 12.1, or a newer one built
from source manually?
This was the version that shipped with 12.1. I also tried to build up
v1.34, but it kept complaining about gnutls' config file that seemed to be
deprecated in newer versions.
Post by Tim Serong
IIRC I had the exact same problem just prior to the 12.1 release,
Requires: xinetd libgnutls26 libgnutls-extra26 gnutls sqlite2 librsync
libtasn1-3
Removing the explicit lib requires and letting RPM sort out the mess
Requires: xinetd gnutls sqlite2
I'll give that a try. I appreciate the tip.
Post by Tim Serong
Post by Mike Young
I thought maybe my SSL certificates may have been malformed, so I
openssl genrsa \
-out /etc/csync2_ssl_key.pem 1024
openssl req -new \
-key /etc/csync2_ssl_key.pem \
-out /etc/csync2_ssl_cert.csr
openssl x509 -req -days 600 \
-in /etc/csync2_ssl_cert.csr \
-signkey /etc/csync2_ssl_key.pem \
-out /etc/csync2_ssl_cert.pem
But that also didn't fix the problem. Any help is greatly appreciated.
One other thing to check is that the SSL certificates on all nodes have
the exact same details, i.e. same common name etc. IMO this is
unbelievably dumb/broken, but seems to be necessary for some reason.
That was my assumption as well, so I regenerated the certs to ensure the
details were the same.

I'll take the rpm and tweak the spec file as you did. And I really
appreciate the suggestion.

Thanks,

Mike
Post by Tim Serong
HTH,
Tim
--
Tim Serong
Senior Clustering Engineer
SUSE
tserong at suse.com
_______________________________________________
Csync2 mailing list
Csync2 at lists.linbit.com
http://lists.linbit.com/mailman/listinfo/csync2