Hi Bart, this is a good start, but we also need to add code for the newer version of TLS if we are to comply with the RFCs. For the moment I don't have any time to work on it. The DTLS/TLS stuff also has some major bugs/design issues that need to be fixed.
Regards Anders Wallin On Sat, Nov 30, 2019 at 6:24 AM Bart Van Assche <bvanass...@acm.org> wrote: > Hi Anders and Larry, > > How about making it possible to tell Net-SNMP to use a more recent version > of TLS, e.g. as follows: > > diff --git a/include/net-snmp/library/default_store.h > b/include/net-snmp/library/default_store.h > index 16747aa5600e..9f80c77e439c 100644 > --- a/include/net-snmp/library/default_store.h > +++ b/include/net-snmp/library/default_store.h > @@ -183,6 +183,7 @@ extern "C" { > #define NETSNMP_DS_LIB_SSH_PUBKEY 33 > #define NETSNMP_DS_LIB_SSH_PRIVKEY 34 > #define NETSNMP_DS_LIB_OUTPUT_PRECISION 35 > +#define NETSNMP_DS_LIB_TLS_VERSION 36 > #define NETSNMP_DS_LIB_MAX_STR_ID 48 /* match NETSNMP_DS_MAX_SUBIDS */ > > /* > diff --git a/man/snmpd.conf.5.def b/man/snmpd.conf.5.def > index 9dae9909ba7e..4053680601b2 100644 > --- a/man/snmpd.conf.5.def > +++ b/man/snmpd.conf.5.def > @@ -190,6 +190,8 @@ certificate file. > This string will select the algorithms to use when negotiating > security during (D)TLS session establishment. See the openssl manual > page ciphers(1) for details on the format. Examples strings include: > +.IP "[snmp] tlsVersion" > +[ ... ] > .RS > .nf > diff --git a/snmplib/transports/snmpTLSBaseDomain.c > b/snmplib/transports/snmpTLSBaseDomain.c > index 223c3a0aaed7..9e1b4496f193 100644 > --- a/snmplib/transports/snmpTLSBaseDomain.c > +++ b/snmplib/transports/snmpTLSBaseDomain.c > @@ -784,6 +784,10 @@ netsnmp_tlsbase_ctor(void) { > NETSNMP_DS_LIBRARY_ID, > NETSNMP_DS_LIB_TLS_ALGORITMS); > > + netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "tlsVersion", > + NETSNMP_DS_LIBRARY_ID, > + NETSNMP_DS_LIB_TLS_VERSION); > + > /* > * for the client > */ > diff --git a/snmplib/transports/snmpTLSTCPDomain.c > b/snmplib/transports/snmpTLSTCPDomain.c > index 857e433ddf2e..76f62361e500 100644 > --- a/snmplib/transports/snmpTLSTCPDomain.c > +++ b/snmplib/transports/snmpTLSTCPDomain.c 
> @@ -723,7 +723,16 @@ netsnmp_tlstcp_open_client(netsnmp_transport *t) > } > > #ifdef SSL_CTX_set_max_proto_version > - SSL_CTX_set_max_proto_version(tlsdata->ssl_context, TLS1_VERSION); > + { > + const char *tls_version; > + > + tls_version = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID, > + NETSNMP_DS_LIB_TLS_VERSION); > + if (tls_version && strcmp(tls_version, "any") == 0) > + ; > + else > + SSL_CTX_set_max_proto_version(tlsdata->ssl_context, > TLS1_VERSION); > + } > #endif > > /* RFC5953 Section 5.3.1: Establishing a Session as a Client > Bart. > > On 2019-11-27 13:22, Anders Wallin wrote: > > Hi Larry, > > I see the same problem! > > You should think more then twice before using TLS/DTLS. > The code is full of bugs and design issues (like sending traps before > checking hostnames etc) and it's using deprecated version of TLS. > > Regards > Anders Wallin > > > On Wed, Nov 27, 2019 at 9:33 PM Larry Hayes <lhay...@gmail.com> wrote: > >> It is even worse with TLS. >> >> When the snmptrapd is restarted without restarting the snmpd: >> >> kill the snmptrapd: >> >> From the snmpd logs: snmpd detects the connection close. 
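Review bot: the snmpd.conf.5.def hunk leaves the new option undocumented and splits an existing entry: `.IP "[snmp] tlsVersion"` followed by the `[ ... ]` placeholder is inserted between the tlsAlgorithms text ("Examples strings include:") and the `.RS`/`.nf` block that carries those examples, so the example strings would render under tlsVersion. Move the new `.IP` to after the tlsAlgorithms example block closes, and replace the placeholder with the values the code actually accepts (at present only "any"; anything else keeps the existing TLS 1.0 cap, which the page should say).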
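Review bot: in the snmpTLSBaseDomain.c hunk, tlsVersion is registered as a free-form ASN_OCTET_STR with no validation, so a typo such as "tls1.2" is accepted at config-parse time and then silently ignored by its only consumer, which compares the string against "any". Either validate at registration time (a custom token handler that rejects anything but the documented values, or that parses the string into a version number kept in an integer ds slot) or at least log a warning when the value is not one that is recognised, so the operator learns the cap was not lifted.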
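Review bot: the snmpTLSTCPDomain.c hunk changes only netsnmp_tlstcp_open_client, so the option applies to the TCP client side alone; the TLS server side and the DTLS/UDP transport are not touched, and "any" will mean different things depending on transport and direction unless they get the same treatment. Within the hunk, any string other than exactly "any" (including something like "1.2") falls into the else branch and keeps `SSL_CTX_set_max_proto_version(tlsdata->ssl_context, TLS1_VERSION)`, i.e. the TLS 1.0 cap, and "any" sets no minimum, so TLS 1.0 remains negotiable; a matching SSL_CTX_set_min_proto_version call would close that. The empty-then form `if (...) ; else ...` also reads better inverted: `if (!tls_version || strcmp(tls_version, "any") != 0) SSL_CTX_set_max_proto_version(tlsdata->ssl_context, TLS1_VERSION);`.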
>>
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: remote side closed connection
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Shutting down SSL connection
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlsbase:
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Freeing TLS Base data for a session
>>
>> Start the snmptrapd up again
>>
>> When snmpd tries to send a trap:
>>
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: send_trap -1 -1
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: MYMib-MIB::myMib
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]:
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: sending trap type=167, version=139482016
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: snmpd: send_trap: Generic error (Unknown error -146129760)
>>
>> Both the DTLS and TLS issues seem to center around the fact that snmpd does not properly handle the case where the trap receiver's connection goes away.
>>
>> Anyone else seeing this behavior?
>>
>> On Wed, Nov 20, 2019 at 10:24 AM Larry Hayes <lhay...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I am using net-snmp v5.8 r0.
>>>
>>> I think I have successfully configured an snmpd server to generate V3 Traps/Informs using TSM with certificates and have an snmptrapd receive those V3 Traps/Informs, as I can see the Trap/Inform data dumped to the window snmptrapd is running in.
>>>
>>> My issue is, when I restart snmptrapd, it can no longer receive V3 Traps/Informs using TSM without restarting the snmpd also.
>>>
>>> snmptrapd can receive V2 Traps/Informs without restarting snmpd.
>>>
>>> Is this the normal/desired behavior with DTLS?
>>> (I have not tried TLS yet)
>>>
>>> sudo snmptrapd -Dtsm,tls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san -f -Losd dtlsudp:10162 udp:162
>>>
>>> 2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP: [10.20.19.57]:33656->[10.20.19.57]:162]:
>>> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93
>>> SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62
>>> SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"
>>> SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"
>>> SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
>>> 2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP: [10.20.19.57]:60888->[10.20.19.57]:162]:
>>> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93
>>> SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62
>>> SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"
>>> SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"
>>> SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
>>> dtlsudp: received 229 raw bytes on way to dtls
>>> dtlsudp: starting a new connection
>>> cert:find:params: looking for identity(1) in DEFAULT(0x0), hint (nil)
>>> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 0x1249450
>>> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 0x1249450
>>> cert:find:params: hint = 04:BF:CF:1A:9C:5D:7A:9D:87:7E:1D:D8:A3:77:1A:DD:D7:76:77:0B
>>> cert:find:found: using cert manager.crt / 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1) (uses=identity+remote_peer (3))
>>> cert:find:found: using cert manager.crt / 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1) (uses=identity+remote_peer (3))
>>>
>>> snmpd -Dtls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san -f -Lsd udp:0.0.0.0:161 dtlsudp:10161
>>>
>>> Config:
>>> trapsess -v 2c 10.20.19.57:162 -c public
>>> trapsess -v 2c -Ci -r 0 10.20.19.57:162 -c public
>>> trapsess -v 3 -Ci -r 0 -T their_identity=manager.crt dtlsudp:10.20.19.57:10162
>>>
>>> snmpd: logging
>>> Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: dtlsudp:
>>> Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: sending 193 bytes
>>>
>
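As an added example (not Net-SNMP code and not part of the patch quoted above), the following shows how a tlsVersion setting could be parsed into explicit OpenSSL minimum/maximum protocol bounds with unknown values rejected, instead of being compared against the single literal "any" and otherwise silently keeping the TLS 1.0 cap. The token name, the accepted grammar ("any", "1.3", "1.2-1.3") and the TLS 1.2 floor are assumptions of this example; the version constants mirror the values in OpenSSL's tls1.h so the file builds without OpenSSL installed, and the resulting bounds are what one would hand to SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() on the transport's SSL_CTX.

```c
#include <stdio.h>
#include <string.h>

/* Version numbers as defined in OpenSSL's <openssl/tls1.h>; guarded so that
 * header can be included first when building against OpenSSL itself. */
#ifndef TLS1_VERSION
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
#endif

/* Policy floor chosen for this example (an assumption): never negotiate
 * anything below TLS 1.2, whatever the configuration says. */
#define TLS_FLOOR_VERSION TLS1_2_VERSION

struct tls_bounds {
    int min_version;  /* value for SSL_CTX_set_min_proto_version() */
    int max_version;  /* value for SSL_CTX_set_max_proto_version(); 0 = library maximum */
};

/* Map the first len bytes of name ("1.0" .. "1.3") to a version number;
 * returns 0 when the name is not one of the four known versions. */
static int tls_version_from_name(const char *name, size_t len)
{
    static const struct { const char *name; int version; } table[] = {
        { "1.0", TLS1_VERSION },   { "1.1", TLS1_1_VERSION },
        { "1.2", TLS1_2_VERSION }, { "1.3", TLS1_3_VERSION },
    };
    size_t i;

    for (i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (strlen(table[i].name) == len && memcmp(table[i].name, name, len) == 0)
            return table[i].version;
    return 0;
}

/* Parse the hypothetical tlsVersion token:
 *   NULL, "" or "any"  -> floor .. library maximum
 *   "1.3"              -> exactly that version
 *   "1.2-1.3"          -> inclusive range
 * Returns 0 on success and -1 for an unknown, reversed or below-floor value,
 * so a typo is reported rather than silently leaving an old cap in place. */
int parse_tls_version(const char *spec, struct tls_bounds *out)
{
    const char *dash;
    int lo, hi;

    out->min_version = TLS_FLOOR_VERSION;
    out->max_version = 0;
    if (spec == NULL || *spec == '\0' || strcmp(spec, "any") == 0)
        return 0;

    dash = strchr(spec, '-');
    if (dash == NULL) {
        lo = hi = tls_version_from_name(spec, strlen(spec));
    } else {
        lo = tls_version_from_name(spec, (size_t)(dash - spec));
        hi = tls_version_from_name(dash + 1, strlen(dash + 1));
    }
    if (lo == 0 || hi == 0 || lo > hi || lo < TLS_FLOOR_VERSION)
        return -1;

    out->min_version = lo;
    out->max_version = hi;
    return 0;
}

/* Convenience wrappers: one bound of the parsed spec, or -1 when rejected. */
int tls_min_for(const char *spec)
{
    struct tls_bounds b;
    return parse_tls_version(spec, &b) == 0 ? b.min_version : -1;
}

int tls_max_for(const char *spec)
{
    struct tls_bounds b;
    return parse_tls_version(spec, &b) == 0 ? b.max_version : -1;
}

int main(void)
{
    /* Constructed sample settings, including three that must be rejected. */
    const char *samples[] = { "any", "1.2", "1.2-1.3", "1.0", "tls1.3", "1.3-1.2" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct tls_bounds b;
        if (parse_tls_version(samples[i], &b) == 0)
            printf("%-8s -> min 0x%04x max 0x%04x\n", samples[i], b.min_version, b.max_version);
        else
            printf("%-8s -> rejected\n", samples[i]);
    }
    return 0;
}
```

A max_version of 0 is what OpenSSL treats as "highest version the library supports", so "any" lifts the cap without hard-coding TLS 1.3; the floor is applied even then, which is the part the quoted patch leaves open.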
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users