Hello,
I’m getting some issues with SNMPv3 SHA2 on net-snmp version 5.7.3. I’m
getting the below error while doing an SNMPv3 query using SHA-256 certs:
snmpwalk -OQ -v 3 -t 3 --defSecurityModel=tsm -u SNMPV3-NMS -l authPriv -T
our_identity=xx:xx -T their_identity=xx:xx dtlsudp6:[ip_v6]:10161
.1.3.6.1.4.1.17270.50.2.2.2.1.1.3.10101
error finding client identity keys
failed to create the SSL session structure
failed to open a new dtls connection
failed rfc5343 contextEngineID probing
snmpwalk: Failure in sendto (Permission denied)
When I debugged further, I found the root cause of this issue: it is still
taking the SHA-256 fingerprint as SHA-1. See below:
9:dtlsudp: start_new_cached_connection(): transports/snmpDTLSUDPDomain.c, 216:
trace: start_new_cached_connection(): transports/snmpDTLSUDPDomain.c, 284:
dtlsudp: starting a new connection
trace: start_new_cached_connection(): transports/snmpDTLSUDPDomain.c, 317:
dtlsudp: starting a new connection as a client to sock: 3
trace: sslctx_client_setup(): transports/snmpTLSBaseDomain.c, 522:
sslctx_client: looking for local id:
F9:18:91:76:0D:87:3E:70:50:9F:8A:9A:BB:87:32:FD:E6:16:0D:DD:0A:C3:23:38:33:C5:B1:E7:3B:BF:41:AE
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 13320976
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 13320976
Here FINGERPRINT 0x2 means it is looking for the identity for SHA-1 certs; it
should be 4 for SHA-256. During the cert dump it dumps the fingerprints correctly;
it shows:
9:cert:dump: subject: /C=US/ST=CA/O= Corporation/OU=CPT/CN=
SNMPV3-NMS/emailAddress=siteam@xxx
9:cert:dump: issuer: /C=US/ST=CA/L=Sunnyvale/O= Corporation/OU=CPT/CN=
SNMPV3-CA/emailAddress=siteamy@xxx
9:cert:dump: fingerprint:
sha256(4):f91891760d873e70409f8aabbb8721fdff160ssddeac3f33834c5b1d73bbf51
9:cert:dump: 0: basicConstraints = CA:FALSE
9:cert:dump: 1: nsComment = OpenSSL Generated Certificate (net-snmp)
9:cert:dump: 2: keyUsage = Digital Signature, Non Repudiation, Key
Encipherment
9:cert:dump: 3: subjectKeyIdentifier = XX:XX….XX
9:cert:dump: 4: authorityKeyIdentifier =
keyid:7F:3F:9F:7D:3D:11:8D:46:F5:B2:4A:F0:09:6E:2C:EF:A0:ED:66:F0
9:cert:dump: DirName:/C=US/ST=CA/L=Sunnyvale/O= Corporation/OU=CPT/CN=
SNMPV3-CA/emailAddress=siteam@xxx
9:cert:dump: serial:F5:43:97:FE:FF:C3:86:6C
As per the code, for SHA-256 it uses 4 and for SHA-1 2; in the debug logs it is
dumping the certs correctly:
include/net-snmp/library/cert_util.h
/** RFC 5246 hash algorithms (Section 7.4.1.4.1) */
#define NS_HASH_NONE 0
#define NS_HASH_MD5 1
#define NS_HASH_SHA1 2
#define NS_HASH_SHA224 3
#define NS_HASH_SHA256 4
#define NS_HASH_SHA384 5
#define NS_HASH_SHA512 6
#define NS_HASH_MAX NS_HASH_SHA512
/** SNMP-TLS-TM-MIB */
Also, when I check the current net-snmp configuration it shows the below:
-------------------------------------------------------
Net-SNMP configuration summary:
---------------------------------------------------------
SNMP Versions Supported: 1 2c 3
Building for: linux
Net-SNMP Version: 5.7.3
Network transport support: Callback Unix Alias UDP UDPIPv6 TCPIPv6 TCP
DTLSUDP TLSTCP UDPIPv4Base UDPBase IPv4Base SocketBase IPv6Base TCPBase TLSBase
SNMPv3 Security Modules: usm tsm
Agent MIB code: default_modules => snmpv3mibs mibII ucd_snmp
notification notification-log-mib target agent_mibs agentx disman/event
disman/schedule utilities host
MYSQL Trap Logging: unavailable
Embedded Perl support: enabled
SNMP Perl modules: building -- embeddable
SNMP Python modules: disabled
Crypto support from: crypto
Authentication support: SHA1
Encryption support: DES AES
Local DNSSEC validation: disabled
Is it something to do with the SHA-256 configuration for net-snmp? In configure I
don’t see any options to set it to SHA-256.
-Rishi
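As an added example (not net-snmp code and not part of the mail above): a small Python check that infers the hash type of a configured fingerprint from its digest length and flags an identity lookup that uses an NS_HASH_* value which can never match it, which is what the FINGERPRINT(0x2) line above shows for a 32-byte SHA-256 fingerprint. The NS_HASH_* values are the ones quoted from cert_util.h above; the "sha256:" prefix convention and the DER bytes are assumptions and constructed input, not net-snmp behaviour.

```python
import hashlib

# NS_HASH_* values copied from include/net-snmp/library/cert_util.h (RFC 5246 7.4.1.4.1)
NS_HASH_MD5, NS_HASH_SHA1, NS_HASH_SHA224 = 1, 2, 3
NS_HASH_SHA256, NS_HASH_SHA384, NS_HASH_SHA512 = 4, 5, 6

# digest length in bytes -> NS_HASH_* type, used to infer the algorithm of a bare fingerprint
_LEN_TO_TYPE = {16: NS_HASH_MD5, 20: NS_HASH_SHA1, 28: NS_HASH_SHA224,
                32: NS_HASH_SHA256, 48: NS_HASH_SHA384, 64: NS_HASH_SHA512}
_NAME_TO_TYPE = {"md5": NS_HASH_MD5, "sha1": NS_HASH_SHA1, "sha224": NS_HASH_SHA224,
                 "sha256": NS_HASH_SHA256, "sha384": NS_HASH_SHA384, "sha512": NS_HASH_SHA512}
_TYPE_TO_NAME = {v: k for k, v in _NAME_TO_TYPE.items()}


def parse_fingerprint(fp):
    """Return (NS_HASH_* type, raw digest) for 'F9:18:...', 'f91891...' or 'sha256:F9:18:...'.

    The type is taken from the digest length; an explicit algorithm prefix (an
    assumed input convention, not necessarily net-snmp's) must agree with it.
    """
    explicit = None
    head, sep, tail = fp.partition(":")
    if sep and head.lower() in _NAME_TO_TYPE:
        explicit, fp = _NAME_TO_TYPE[head.lower()], tail
    raw = bytes.fromhex(fp.replace(":", "").strip())
    inferred = _LEN_TO_TYPE.get(len(raw))
    if inferred is None:
        raise ValueError("fingerprint length %d bytes matches no known digest" % len(raw))
    if explicit is not None and explicit != inferred:
        raise ValueError("prefix says %s but the length implies %s"
                         % (_TYPE_TO_NAME[explicit], _TYPE_TO_NAME[inferred]))
    return inferred, raw


def cert_fingerprint(der, hash_type):
    """Colon-separated upper-case fingerprint of DER bytes, formatted like the debug log."""
    digest = hashlib.new(_TYPE_TO_NAME[hash_type], der).digest()
    return ":".join("%02X" % b for b in digest)


def lookup_mismatch(fp, lookup_type):
    """True when an identity search with lookup_type can never match fp, e.g. a 32-byte
    SHA-256 fingerprint searched as FINGERPRINT(0x2) = SHA-1 as in the log above."""
    return parse_fingerprint(fp)[0] != lookup_type


# Constructed stand-in for DER certificate bytes (not a real certificate).
FAKE_DER = b"\x30\x82\x01\x00\x30\x81\xa8\xa0\x03\x02\x01\x02" * 8
```

Running `lookup_mismatch(cert_fingerprint(FAKE_DER, NS_HASH_SHA256), NS_HASH_SHA1)` returns True, reproducing the condition behind the "error finding client identity keys" message.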
On 12/20/17, 9:43 AM, "Robert Story" <[email protected]> wrote:
On Thu 2017-12-14 16:30:01+0100 Stephan wrote:
> Dear users,
>
> I would like to use stronger auth algorithms than SHA1, e.g. SHA 384,
> with SNMPv3 USM.
> In older posts on the mailing list, I have read that this will be
> supported in version 5.8
>
> So, does anyone know when 5.8 will be released? Otherwise, do you
> know if e.g. 5.7.3 already supports SHA384 and how to configure it?
Stronger SHA-2 auth and longer AES key support is in the master branch
if you want to kick the tires.
Pre-releases for 5.8 will start in the next week or two.
--
Robert Story <http://www.isi.edu/~rstory>
USC Information Sciences Institute <http://www.isi.edu/>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Net-snmp-users mailing list
[email protected]
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users