Hi Anders and Larry,

How about making it possible to tell Net-SNMP to use a more recent version of TLS, e.g. as follows:

diff --git a/include/net-snmp/library/default_store.h b/include/net-snmp/library/default_store.h
index 16747aa5600e..9f80c77e439c 100644
--- a/include/net-snmp/library/default_store.h
+++ b/include/net-snmp/library/default_store.h
@@ -183,6 +183,7 @@ extern "C" {
 #define NETSNMP_DS_LIB_SSH_PUBKEY 33
 #define NETSNMP_DS_LIB_SSH_PRIVKEY 34
 #define NETSNMP_DS_LIB_OUTPUT_PRECISION 35
+#define NETSNMP_DS_LIB_TLS_VERSION 36
 #define NETSNMP_DS_LIB_MAX_STR_ID 48 /* match NETSNMP_DS_MAX_SUBIDS */

 /*
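Review bot: NETSNMP_DS_LIB_TLS_VERSION 36 continues the sequence and stays well below NETSNMP_DS_LIB_MAX_STR_ID 48, so the store has room; a short comment next to the define stating the accepted values would help, since the only value the rest of the patch recognises is "any" and nothing in the header hints at that.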
diff --git a/man/snmpd.conf.5.def b/man/snmpd.conf.5.def
index 9dae9909ba7e..4053680601b2 100644
--- a/man/snmpd.conf.5.def
+++ b/man/snmpd.conf.5.def
@@ -190,6 +190,8 @@ certificate file.
 This string will select the algorithms to use when negotiating
 security during (D)TLS session establishment. See the openssl manual
 page ciphers(1) for details on the format. Examples strings include:
+.IP "[snmp] tlsVersion"
+[ ... ]
 .RS
 .nf
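Review bot: the new `.IP "[snmp] tlsVersion"` entry lands between the tlsAlgorithms text ("Examples strings include:") and the `.RS`/`.nf` block that holds those examples, so the examples will render under tlsVersion rather than under tlsAlgorithms. Move the new entry past the end of the tlsAlgorithms example block, and replace the `[ ... ]` placeholder with actual documentation before this is merged: which values are accepted (per the transport hunk, only "any" changes behaviour) and what the default is (the TLS 1.0 maximum remains in force when the option is unset).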
diff --git a/snmplib/transports/snmpTLSBaseDomain.c b/snmplib/transports/snmpTLSBaseDomain.c
index 223c3a0aaed7..9e1b4496f193 100644
--- a/snmplib/transports/snmpTLSBaseDomain.c
+++ b/snmplib/transports/snmpTLSBaseDomain.c
@@ -784,6 +784,10 @@ netsnmp_tlsbase_ctor(void) {
                             NETSNMP_DS_LIBRARY_ID,
                             NETSNMP_DS_LIB_TLS_ALGORITMS);

+ netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "tlsVersion",
+                            NETSNMP_DS_LIBRARY_ID,
+
                           NETSNMP_DS_LIB_TLS_VERSION);
+
 /*
  * for the client
  */
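Review bot: the token is registered as a plain ASN_OCTET_STR with no validation, so a value such as "Any", "1.2" or a typo is accepted silently and, given the transport hunk, quietly keeps the TLS 1.0 cap, which is the opposite of what the operator asked for. Either register a handler that rejects unknown values at parse time or at least log the unrecognised value, so a misconfiguration is visible instead of silently weakening the negotiated protocol.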
diff --git a/snmplib/transports/snmpTLSTCPDomain.c b/snmplib/transports/snmpTLSTCPDomain.c
index 857e433ddf2e..76f62361e500 100644
--- a/snmplib/transports/snmpTLSTCPDomain.c
+++ b/snmplib/transports/snmpTLSTCPDomain.c
@@ -723,7 +723,16 @@ netsnmp_tlstcp_open_client(netsnmp_transport *t)
     }

 #ifdef SSL_CTX_set_max_proto_version
-    SSL_CTX_set_max_proto_version(tlsdata->ssl_context, TLS1_VERSION);
+    {
+    const char *tls_version;
+
+
    tls_version = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
+
    NETSNMP_DS_LIB_TLS_VERSION);
+
    if (tls_version && strcmp(tls_version, "any") == 0)
+
        ;
+
    else
+
        SSL_CTX_set_max_proto_version(tlsdata->ssl_context, TLS1_VERSION);
+
    }
 #endif

 /* RFC5953 Section 5.3.1: Establishing a Session as a Client
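Review bot: the default is unchanged here, so the client still caps negotiation at TLS1_VERSION (TLS 1.0, the deprecated version Anders raised) unless the operator sets tlsVersion to exactly "any"; for a security setting the safer shape is the reverse, with the cap applied only when explicitly requested, or with tlsVersion mapping named versions onto the corresponding OpenSSL constants rather than acting as a boolean. The empty `;` branch also reads awkwardly; inverting the test gives the same behaviour in two lines:
`if (!tls_version || strcmp(tls_version, "any") != 0)`
`    SSL_CTX_set_max_proto_version(tlsdata->ssl_context, TLS1_VERSION);`
Note too that this hunk only touches netsnmp_tlstcp_open_client, so the server side and the dtlsudp transport that Larry's report is about keep whatever version handling they have today.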

Bart.

On 2019-11-27 13:22, Anders Wallin wrote:
Hi Larry,

I see the same problem!

You should think more than twice before using TLS/DTLS.
The code is full of bugs and design issues (like sending traps before checking hostnames etc) and it's using a deprecated version of TLS.

Regards
Anders Wallin


On Wed, Nov 27, 2019 at 9:33 PM Larry Hayes <lhay...@gmail.com> wrote:
It is even worse with TLS.

When the snmptrapd is restarted without restarting the snmpd:

kill the snmptrapd:

From the snmpd logs:  snmpd detects the connection close.

Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: remote side closed connection
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Shutting down SSL connection
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlsbase:
Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Freeing TLS Base data for a session

Start the snmptrapd up again

When snmpd tries to send a trap:

Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: send_trap -1 -1
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: MYMib-MIB::myMib
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: sending trap type=167, version=139482016
Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: snmpd: send_trap: Generic error (Unknown error -146129760)


Both the DTLS and TLS issues seem to center around the fact that snmpd does not properly handle the case where the trap receiver's connection goes away.

Anyone else seeing this behavior?

On Wed, Nov 20, 2019 at 10:24 AM Larry Hayes <lhay...@gmail.com> wrote:
Hello,

I am using net-snmp v5.8 r0.

I think I have successfully configured an snmpd server to generate V3 Traps/Informs using TSM with certificates and have an snmptrapd receive those V3 Traps/Informs,
as I can see the Trap/Inform data dumped to the window snmptrapd is running in.

My issue is, when I restart snmptrapd, it can no longer receive V3 Traps/Informs using TSM without restarting the snmpd also.

snmptrapd can receive V2 Traps/Informs without restarting snmpd.

Is this the normal/desired behavior with DTLS?
(I have not tried TLS yet)


sudo snmptrapd -Dtsm,tls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san -f -Losd dtlsudp:10162 udp:162


2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP: [10.20.19.57]:33656->[10.20.19.57]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93     SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62   SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"     SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"      SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP: [10.20.19.57]:60888->[10.20.19.57]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93     SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62   SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"     SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"      SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
dtlsudp: received 229 raw bytes on way to dtls
dtlsudp: starting a new connection
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint (nil)
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 0x1249450
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 0x1249450
cert:find:params:  hint = 04:BF:CF:1A:9C:5D:7A:9D:87:7E:1D:D8:A3:77:1A:DD:D7:76:77:0B
cert:find:found: using cert manager.crt / 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert manager.crt / 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1) (uses=identity+remote_peer (3))


snmpd -Dtls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san -f -Lsd udp:0.0.0.0:161 dtlsudp:10161

Config:
trapsess -v 2c 10.20.19.57:162 -c public
trapsess -v 2c -Ci -r 0 10.20.19.57:162 -c public
trapsess -v 3 -Ci -r 0 -T their_identity=manager.crt  dtlsudp:10.20.19.57:10162

snmpd: logging
Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: dtlsudp:
Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: sending 193 bytes



_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users