I have an Ubuntu box running net-snmp 5.7.1 which I have modified to support 
ecdsa and sha384.  I have an embedded application running net-snmp 5.6.1.1 
which has had the same modification performed and openssl-1.0.1.  The Ubuntu 
net-snmp is configured with the joe-cool certificates from the net-snmp tls 
tutorial.  The embedded net-snmp has a self-signed cert of type 
ecdsa-with-sha384.

At a terminal window on the Ubuntu machine, I enter the following commands:

net-snmp-cert -t remote import remote.crt

snmpget -u rco -l authPriv -x AES -X 'asdASD12!@' -a SHA -A 'asdASD12!@' -T 
our_identity=tutorial-joecool -T their_identity=remote -t 10 tls:192.168.1.141 
sysUpTime.0

Wireshark has been used to analyze the message exchange.  It has been 
configured with the private keys for both entities.  It shows the following 
message exchange (tcp acks removed):

Ubuntu sends Client Hello

Embedded sends Server Hello, Certificate, Certificate Request, Server Hello Done

Ubuntu sends Certificate, Client Key Exchange

Ubuntu sends Certificate Verify, Change Cipher Spec, Encrypted Handshake Message

Embedded sends New Session Ticket, Change Cipher Spec, Encrypted Handshake

Ubuntu sends Application Data

Embedded sends Encrypted Alert with code 21 (Decryption Failed)

Ubuntu sends Encrypted Alert with code 21 (Decryption Failed)

I am trying to track down the cause of the Encrypted Alert message.  In reading 
the RFCs I expected to see a Server Key Exchange message but it seems to be 
missing.

Any thoughts/suggestions on the direction I should take for tracking this down 
will be greatly appreciated.

Thomas Stone
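
Added example, not part of the original post or of net-snmp: Python that lists the cleartext handshake messages in the server-to-client direction and checks, from the ServerHello cipher suite, whether a Server Key Exchange should appear at all (per RFC 5246 and RFC 4492, only ephemeral or anonymous (EC)DH suites send one). The sample bytes and the suites in them are constructed, since the post does not say which suite was negotiated; the function names and the partial suite table are assumptions of the example.

```python
import struct

HS = {2: "ServerHello", 4: "NewSessionTicket", 11: "Certificate",
      12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone"}
# Partial suite table (RFC 5246, RFC 4492, RFC 5289); extend for your capture.
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          0xC005: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
          0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
          0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
          0xC02E: "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"}

def handshake_messages(stream):
    """Return [(type, body)] for the cleartext handshake of one direction."""
    data, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack_from("!BHH", stream, pos)
        if ctype != 22:  # ChangeCipherSpec reached: later records are encrypted
            break
        data += stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    msgs, pos = [], 0
    while pos + 4 <= len(data):
        mlen = int.from_bytes(data[pos + 1:pos + 4], "big")
        msgs.append((data[pos], data[pos + 4:pos + 4 + mlen]))
        pos += 4 + mlen
    return msgs

def analyze(stream):
    """Negotiated suite, and whether ServerKeyExchange was expected and seen."""
    msgs = handshake_messages(stream)
    hello = next(body for t, body in msgs if t == 2)
    off = 2 + 32 + 1 + hello[34]  # skip version, random, session_id
    code = int.from_bytes(hello[off:off + 2], "big")
    kx = SUITES.get(code, "").split("_WITH_")[0]
    return {"messages": [HS.get(t, str(t)) for t, _ in msgs],
            "suite": SUITES.get(code, "0x%04X" % code),
            "ske_expected": ("DHE" in kx or "anon" in kx) if kx else None,
            "ske_seen": any(t == 12 for t, _ in msgs)}

def hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def sample_flight(suite, with_ske):
    """Constructed server-side bytes with placeholder message bodies."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    msgs = hs(2, hello) + hs(11, bytes(3)) + (hs(12, bytes(4)) if with_ske else b"")
    msgs += hs(13, bytes(1)) + hs(14, b"") + hs(4, bytes(6))
    return (b"\x16\x03\x03" + len(msgs).to_bytes(2, "big") + msgs
            + b"\x14\x03\x03\x00\x01\x01" + b"\x16\x03\x03\x00\x04" + bytes(4))
```

Feed `analyze` the reassembled server-to-client bytes of the connection. A result with `ske_expected` False and `ske_seen` False means the absent Server Key Exchange is normal for that suite (RSA or static ECDH key exchange), so the alert has to be traced elsewhere.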
