
RE: [Nufw-users] How to get the right certificate when using nutcpc to connect to NuFW


From: Nguyen Anh Dung
Subject: RE: [Nufw-users] How to get the right certificate when using nutcpc to connect to NuFW
Date: Thu, 29 Oct 2009 06:57:03 +0700

Hi Eric Leblond,
Thanks for your response. I tested it for 2 hours and got nothing :(
I tried to do it another way. As in the guideline:
        openssl req -new -x509 -keyout private/CAkey.pem -out private/CAcert.pem
        You have to set a strong password here and keep it secret.

        Generating nufw and nuauth private keys:
        openssl genrsa -out private/nufw-key.pem
        openssl genrsa -out private/nuauth-key.pem

        Generating Certificate Signing Requests for both nufw and nuauth keys:
        openssl req -new -key private/nufw-key.pem -out nufw.csr
        openssl req -new -key private/nuauth-key.pem -out nuauth.csr

        Having our keys signed by the certificate authority we created:
        openssl x509 -req -days 365 -in nufw.csr -CA private/CAcert.pem \
            -CAkey private/CAkey.pem -CAcreateserial -out nufw-cert.pem
        openssl x509 -req -days 365 -in nuauth.csr -CA private/CAcert.pem \
            -CAkey private/CAkey.pem -CAcreateserial -out nuauth-cert.pem

        Copy the files where needed:
        For nufw:
        cp private/nufw-key.pem /etc/nufw/
        cp nufw-cert.pem /etc/nufw/
        For nuauth:
        cp private/nuauth-key.pem /etc/nufw/
        cp nuauth-cert.pem /etc/nufw/

I created the certificate authority (CAcert.pem) and I copied it to
/etc/nufw/NuFW-cacert.pem.
Then I tried nutcpc again:
nutcpc -N -d -C /etc/nufw/nufw-cert.pem -A /etc/nufw/NuFW-cacert.pem -K /etc/nufw/nufw-key.pem -H right
There are errors:

In client side:
Connecting to NuFW gateway (right)
Server Certificate OK
TLS session lost, check your certificate validity.
Unable to initate connection to NuFW gateway
Problem: Error in the certificate.
Authentication failed (check parameters)

In server side:
** Message: [7] TLS Handshaking (last error: 0)
** Message: [9] Peer provided 1 certificates
** Message: [9] module checks certificate
Unable to setup connect
** Message: [7] client didn't choose mechanism
** Message: Authentication error: SASL error: authentication process interupted.
** Message: Authentication error: user: (null) from 127.0.0.1 port (4819), 
protocol version 4

Thank you so much.
Dzung Nguyen.

-----Original Message-----
From: Eric Leblond [mailto:address@hidden
Sent: Wednesday 28 October 2009 16:59
To: Nguyen Anh Dung
Cc: address@hidden
Subject: Re: [Nufw-users] How to get the right certificate when using nutcpc to connect to NuFW

Hi,

On Wednesday 28 October 2009 at 16:20 +0700, Nguyen Anh Dung wrote:
> Hi All,
> I'm a newbie to NuFW and I'm trying to install NuFW from source code
> in Trustix Linux 3.0.5 (kernel 2.6.19.7-3). After several days of
> wrestling :P, I installed it successfully as guided in the handbook
> 2.2.
> I did everything as guided in the handbook from step 3.5.1 to step
> 3.6.3 (with the common name in the certificate being 'right' (my hostname)).
> 
> However, when i used nutcpc to connect to NuFW, there are errors:
> 
> nutcpc -N -d -C /etc/nufw/nufw-cert.pem -A /etc/nufw/NuFW-cacert.pem
> -K /etc/nufw/nufw-key.pem -H right
> Error in client
>    Connecting to NuFW gateway (right)
>    Unable to initate connection to NuFW gateway
>    Problem: Certificate authority verification failed: invalid, signer not 
> found
>    Authentication failed (check parameters)
> Error in server
>    ** Message: [7] TLS Handshaking (last error: 0)
>    ** Message: [4] TLS handshake has failed (The peer did not send any
> certificate.)
>    ** Message: [4] Failed connection from client 127.0.0.1
>    GNUTLS ERROR: Error in the push function
>    Unable to setup connect

This error is commonly found when client and server do not use the same
certificate authority. Please check that nuauth is using a certificate
provided by NuFW-cacert.pem. If this is not the case, nutcpc will not
send its certificate to the server because it has no certificate the
server can check.

BR,

> 
> nutcpc -N -d -U root -H right (as in the guideline)
> Error in client
>     *******    WARNING   ******
>     You are trying to connect to nuauth without configuring a
> certificate authority (CA)
>     You are vulnerable to attack like man-in-the-middle.
>     Do you really want to do that? Type "yes" to continue: yes
>     Connecting to NuFW gateway (127.0.0.1)
>     TLS error: server request certificate, none configured
>     Unable to initate connection to NuFW gateway
>     Problem: Certificate authority verification failed: invalid,
> signer not found
>     Authentication failed (check parameters)
> Error in server
>    WARNING: you have not provided any certificate authority.
>    nutcpc will *NOT* verify server certificate trust.
>    Use the -A <cafile> option to setup CA.
>    As certificate will not be trusted, disabling FQDN check.
>    ** Message: [7] TLS Handshaking (last error: 0)
>    ** Message: [4] TLS handshake has failed (The peer did not send any
> certificate.)
>    ** Message: [4] Failed connection from client 127.0.0.1
>    GNUTLS ERROR: Error in the push function
>    Unable to setup connect
> 
> I use "netstat -np" and confirm that nuauth has connected to NuFW.
> 
> BTW, nutcpc has 3 options, -C, -A, and -K. I can understand -K but
> am confused about -A and -C. How can I distinguish them and create them?

-A : certificate authority : the public certificate of the PKI
-K : the private key
-C : the certificate (corresponding to the private key)

> 
> P/S: Is there anyone who only followed the instructions in the handbook
> and could make NuFW work?

Looks like some have succeeded ;)

BR,

> 
> Thank you so much.
> Dzung Nguyen.
> 
> 
> _______________________________________________
> Nufw-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/nufw-users
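The two checks behind Eric's answers (is the server certificate signed by the CA file handed to -A, and does the key given with -K belong to the certificate given with -C), as an added example that is not part of the thread: it replays the handbook's openssl steps non-interactively in a temporary directory, then runs the checks against a correct CA and against an unrelated one. It assumes the openssl command-line tool is installed; the CA names and the second CA are constructed, and the CN 'right' is the hostname used in the thread.

```shell
#!/bin/sh
# Added example, not from the NuFW handbook or the thread. Reproduces the handbook's PKI
# steps unattended and checks the two things the reported errors point at:
#  1. the server certificate must chain to the CA file nutcpc gets with -A
#     (otherwise: "Certificate authority verification failed: ... signer not found")
#  2. the key given with -K must belong to the certificate given with -C
# Requires the openssl CLI. The CA subjects are made up; CN=right is the thread's hostname.
set -e
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"
mkdir private

# CA as in the handbook, but -nodes/-subj so it runs unattended (a real CA key stays encrypted)
openssl req -new -x509 -nodes -days 365 -subj "/CN=NuFW test CA" \
    -keyout private/CAkey.pem -out private/CAcert.pem 2>/dev/null
# nuauth key, CSR and CA-signed certificate; the CN must equal the host passed to nutcpc -H
openssl genrsa -out private/nuauth-key.pem 2048 2>/dev/null
openssl req -new -key private/nuauth-key.pem -subj "/CN=right" -out nuauth.csr 2>/dev/null
openssl x509 -req -days 365 -in nuauth.csr -CA private/CAcert.pem -CAkey private/CAkey.pem \
    -CAcreateserial -out nuauth-cert.pem 2>/dev/null
# An unrelated CA stands in for a NuFW-cacert.pem that did not sign the server certificate
openssl req -new -x509 -nodes -days 365 -subj "/CN=Other CA" \
    -keyout other-key.pem -out other-cacert.pem 2>/dev/null

# check_chain CAFILE CERT: succeeds only if CERT chains to CAFILE
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# key_matches KEY CERT: succeeds only if the public key inside CERT is derived from KEY
key_matches() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}
# cert_cn CERT: print the subject CN, to compare with the -H value (nutcpc checks the FQDN)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

if check_chain private/CAcert.pem nuauth-cert.pem; then echo "cert chains to CAcert.pem"; fi
if ! check_chain other-cacert.pem nuauth-cert.pem; then echo "other-cacert.pem: signer not found"; fi
if key_matches private/nuauth-key.pem nuauth-cert.pem; then echo "key matches certificate"; fi
echo "certificate CN: $(cert_cn nuauth-cert.pem)"
```

Run the same three functions against the files in /etc/nufw to see which of the two mismatches a deployment actually has.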
