Hi Bart,

this is a good start, but we also need to add code for the newer version of
TLS if we are to comply with the RFCs.
For the moment I don't have any time to work on it. The DTLS/TLS stuff also
has some major bugs/design issues that need to be fixed.

Regards

Anders Wallin


On Sat, Nov 30, 2019 at 6:24 AM Bart Van Assche <bvanass...@acm.org> wrote:

> Hi Anders and Larry,
>
> How about making it possible to tell Net-SNMP to use a more recent version
> of TLS, e.g. as follows:
>
> diff --git a/include/net-snmp/library/default_store.h
> b/include/net-snmp/library/default_store.h
> index 16747aa5600e..9f80c77e439c 100644
> --- a/include/net-snmp/library/default_store.h
> +++ b/include/net-snmp/library/default_store.h
> @@ -183,6 +183,7 @@ extern "C" {
>  #define NETSNMP_DS_LIB_SSH_PUBKEY 33
>  #define NETSNMP_DS_LIB_SSH_PRIVKEY 34
>  #define NETSNMP_DS_LIB_OUTPUT_PRECISION 35
> +#define NETSNMP_DS_LIB_TLS_VERSION 36
>  #define NETSNMP_DS_LIB_MAX_STR_ID 48 /* match NETSNMP_DS_MAX_SUBIDS */
>
>  /*
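Review bot: the new `NETSNMP_DS_LIB_TLS_VERSION 36` identifier carries no comment saying what string values it holds; the neighbouring string-table IDs are equally terse, but since this one controls a security-relevant protocol ceiling, a one-line comment naming the accepted values (the accompanying code only understands "any") and the behaviour when the token is unset would help the next reader. The value 36 is below `NETSNMP_DS_LIB_MAX_STR_ID 48`, so it fits in the library string store.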
> diff --git a/man/snmpd.conf.5.def b/man/snmpd.conf.5.def
> index 9dae9909ba7e..4053680601b2 100644
> --- a/man/snmpd.conf.5.def
> +++ b/man/snmpd.conf.5.def
> @@ -190,6 +190,8 @@ certificate file.
>  This string will select the algorithms to use when negotiating
>  security during (D)TLS session establishment. See the openssl manual
>  page ciphers(1) for details on the format. Examples strings include:
> +.IP "[snmp] tlsVersion"
> +[ ... ]
>  .RS
>  .nf
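Review bot: the new `.IP "[snmp] tlsVersion"` entry is inserted between the tlsAlgorithms description ("Examples strings include:") and the `.RS`/`.nf` block that holds those example strings, so the tlsAlgorithms examples will render under the tlsVersion heading. Move the two added lines to after the end of the tlsAlgorithms entry, and replace the `[ ... ]` placeholder with the accepted values (currently only "any") and the default when the token is unset, since an operator reading this page is otherwise left to guess what to write.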
> diff --git a/snmplib/transports/snmpTLSBaseDomain.c
> b/snmplib/transports/snmpTLSBaseDomain.c
> index 223c3a0aaed7..9e1b4496f193 100644
> --- a/snmplib/transports/snmpTLSBaseDomain.c
> +++ b/snmplib/transports/snmpTLSBaseDomain.c
> @@ -784,6 +784,10 @@ netsnmp_tlsbase_ctor(void) {
>                              NETSNMP_DS_LIBRARY_ID,
>                              NETSNMP_DS_LIB_TLS_ALGORITMS);
>
> + netsnmp_ds_register_config(ASN_OCTET_STR, "snmp", "tlsVersion",
> +                            NETSNMP_DS_LIBRARY_ID,
> +                            NETSNMP_DS_LIB_TLS_VERSION);
> +
>  /*
>   * for the client
>   */
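Review bot: the registration mirrors the tlsAlgorithms call just above it, but unlike tlsAlgorithms, whose value is handed to OpenSSL's cipher-string parser and rejected there if malformed, nothing validates the tlsVersion string anywhere; no default is stored either, so `netsnmp_ds_get_string` returns NULL when the token is absent and every consumer has to treat NULL as "keep today's behaviour". Consider validating the value at the point of use and logging unrecognised strings rather than ignoring them.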
> diff --git a/snmplib/transports/snmpTLSTCPDomain.c
> b/snmplib/transports/snmpTLSTCPDomain.c
> index 857e433ddf2e..76f62361e500 100644
> --- a/snmplib/transports/snmpTLSTCPDomain.c
> +++ b/snmplib/transports/snmpTLSTCPDomain.c
> @@ -723,7 +723,16 @@ netsnmp_tlstcp_open_client(netsnmp_transport *t)
>      }
>
>  #ifdef SSL_CTX_set_max_proto_version
> -    SSL_CTX_set_max_proto_version(tlsdata->ssl_context, TLS1_VERSION);
> +    {
> +    const char *tls_version;
> +
> +    tls_version = netsnmp_ds_get_string(NETSNMP_DS_LIBRARY_ID,
> +    NETSNMP_DS_LIB_TLS_VERSION);
> +    if (tls_version && strcmp(tls_version, "any") == 0)
> +        ;
> +    else
> +        SSL_CTX_set_max_proto_version(tlsdata->ssl_context,
> TLS1_VERSION);
> +    }
>  #endif
>
>  /* RFC5953 Section 5.3.1: Establishing a Session as a Client
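Review bot: the `if (tls_version && strcmp(tls_version, "any") == 0) ;` with an empty then-branch is hard to read, and the only value the token understands is "any"; any other string (a typo, "ANY", or a version number such as "1.2") silently keeps the TLS 1.0 cap. Invert the test, `if (!tls_version || strcmp(tls_version, "any") != 0) SSL_CTX_set_max_proto_version(tlsdata->ssl_context, TLS1_VERSION);`, and log or reject unrecognised values so the operator learns the setting did not take effect. Two further points: the hunk only touches `netsnmp_tlstcp_open_client`, so it is worth checking whether the server-side open path and the DTLS transport apply the same TLS 1.0 ceiling and therefore need the same change; and "any" only removes the upper bound, so with the default still capped at TLS 1.0 there is no way to require a newer protocol, which `SSL_CTX_set_min_proto_version` (available alongside the max variant) would provide.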
> Bart.
>
> On 2019-11-27 13:22, Anders Wallin wrote:
>
> Hi Larry,
>
> I see the same problem!
>
> You should think more than twice before using TLS/DTLS.
> The code is full of bugs and design issues (like sending traps before
> checking hostnames, etc.) and it's using a deprecated version of TLS.
>
> Regards
> Anders Wallin
>
>
> On Wed, Nov 27, 2019 at 9:33 PM Larry Hayes <lhay...@gmail.com> wrote:
>
>> It is even worse with TLS.
>>
>> When the snmptrapd is restarted without restarting the snmpd:
>>
>> kill the snmptrapd:
>>
>> From the snmpd logs:  snmpd detects the connection close.
>>
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: remote side closed connection
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlstcp:
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Shutting down SSL connection
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: tlsbase:
>> Nov 27 14:23:51 apcon-ubuntu snmpd[22569]: Freeing TLS Base data for a
>> session
>>
>> Start the snmptrapd up again
>>
>> When snmpd tries to send a trap:
>>
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: send_trap -1 -1
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: MYMib-MIB::myMib
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]:
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: trap:
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: sending trap type=167,
>> version=139482016
>> Nov 27 14:24:08 apcon-ubuntu snmpd[22569]: snmpd: send_trap: Generic
>> error (Unknown error -146129760)
>>
>>
>> Both the DTLS and TLS issues seem to center around the fact that snmpd does
>> not properly handle the case where the trap receiver's connection goes away.
>>
>> Anyone else seeing this behavior?
>>
>> On Wed, Nov 20, 2019 at 10:24 AM Larry Hayes <lhay...@gmail.com> wrote:
>>
>>> Hello,
>>>
>>> I am using net-snmp v5.8 r0.
>>>
>>> I think I have successfully configured an snmpd server to generate V3
>>> Traps/Informs using TSM with certificates and have an snmptrapd receive
>>> those V3 Traps/Informs.
>>> I can see the Trap/Inform data dumped in the window snmptrapd is
>>> running in.
>>>
>>> My issue is, when I restart snmptrapd, it can no longer receive V3
>>> Traps/Informs using TSM without restarting the snmpd also.
>>>
>>> snmptrapd can receive V2 Traps/Informs without restarting snmpd.
>>>
>>> Is this the normal/desired behavior with DTLS?
>>> (I have not tried TLS yet)
>>>
>>>
>>> sudo snmptrapd
>>> -Dtsm,tls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san
>>> -f -Losd dtlsudp:10162 udp:162
>>>
>>>
>>> 2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP:
>>> [10.20.19.57]:33656->[10.20.19.57]:162]:
>>> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93
>>> SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62
>>> SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"
>>> SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"
>>>  SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
>>> 2019-11-20 10:11:50 apcon-ubuntu.apconnet.apcon.com [UDP:
>>> [10.20.19.57]:60888->[10.20.19.57]:162]:
>>> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10093) 0:01:40.93
>>> SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.10830.5.0.62
>>> SNMPv2-SMI::enterprises.10830.2.15.0 = STRING: "cli-ssh"
>>> SNMPv2-SMI::enterprises.10830.2.16.0 = STRING: "admin/10.20.19.37"
>>>  SNMPv2-SMI::enterprises.10830.2.17.0 = STRING: "10.20.19.57"
>>> dtlsudp: received 229 raw bytes on way to dtls
>>> dtlsudp: starting a new connection
>>> cert:find:params: looking for identity(1) in DEFAULT(0x0), hint (nil)
>>> cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint
>>> 0x1249450
>>> cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint
>>> 0x1249450
>>> cert:find:params:  hint =
>>> 04:BF:CF:1A:9C:5D:7A:9D:87:7E:1D:D8:A3:77:1A:DD:D7:76:77:0B
>>> cert:find:found: using cert manager.crt /
>>> 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1)
>>> (uses=identity+remote_peer (3))
>>> cert:find:found: using cert manager.crt /
>>> 04bfcf1a9c5d7a9d877e1dd8a3771addd776770b for identity(1)
>>> (uses=identity+remote_peer (3))
>>>
>>>
>>> snmpd
>>> -Dtls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san -f
>>> -Lsd udp:0.0.0.0:161 dtlsudp:10161
>>>
>>> Config:
>>> trapsess -v 2c 10.20.19.57:162 -c public
>>> trapsess -v 2c -Ci -r 0 10.20.19.57:162 -c public
>>> trapsess -v 3 -Ci -r 0 -T their_identity=manager.crt  dtlsudp:
>>> 10.20.19.57:10162
>>>
>>> snmpd: logging
>>> Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: dtlsudp:
>>> Nov 20 10:19:21 apcon-ubuntu snmpd[5857]: sending 193 bytes
>>>
>>>
>>>
>
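As an added illustration of the tlsVersion idea discussed in Bart's proposal above (not code from Net-SNMP or from anyone in this thread), the C function below parses a hypothetical tlsVersion token into the (minimum, maximum) protocol pair that OpenSSL's SSL_CTX_set_min_proto_version/SSL_CTX_set_max_proto_version accept. It keeps the thread's semantics for an unset token (cap at TLS 1.0) and for "any" (no cap), adds explicit "1.2"/"1.3" minimums, and rejects anything else instead of silently falling back. The struct and function names are my own; the version constants are OpenSSL's TLS wire-version numbers, defined here only as fallbacks so the file also builds without OpenSSL headers.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL's TLS1_*_VERSION constants are the protocol's wire version
 * numbers (TLS 1.2 is 0x0303).  These fallbacks let the example build
 * without <openssl/ssl.h>; with the header included they are skipped. */
#ifndef TLS1_VERSION
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
#endif

/* Hypothetical policy derived from a "tlsVersion" config token.  A bound
 * of 0 means "leave OpenSSL's default", which is also what passing 0 to
 * SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version means. */
struct tls_version_policy {
    int min_version;
    int max_version;
};

/* Map the token to a (min, max) pair.  Returns 0 on success and -1 for
 * anything unrecognised, so a typo cannot silently select an older
 * protocol than the operator intended.
 *
 *   NULL           -> legacy behaviour from the thread: cap at TLS 1.0
 *   "any"          -> no cap, as in the proposed patch
 *   "1.0" .. "1.3" -> require at least that version, no cap
 */
int parse_tls_version_policy(const char *token, struct tls_version_policy *out)
{
    static const struct { const char *name; int version; } named[] = {
        { "1.0", TLS1_VERSION },   { "1.1", TLS1_1_VERSION },
        { "1.2", TLS1_2_VERSION }, { "1.3", TLS1_3_VERSION },
    };
    size_t i;

    out->min_version = 0;
    out->max_version = 0;

    if (token == NULL) {            /* token not configured at all */
        out->max_version = TLS1_VERSION;
        return 0;
    }
    if (strcmp(token, "any") == 0)  /* lift the ceiling, no floor */
        return 0;
    for (i = 0; i < sizeof(named) / sizeof(named[0]); i++) {
        if (strcmp(token, named[i].name) == 0) {
            out->min_version = named[i].version;
            return 0;
        }
    }
    return -1;                      /* unknown value: refuse, do not guess */
}

/* Stand-alone demonstration over a few constructed token values. */
int main(void)
{
    const char *inputs[] = { NULL, "any", "1.2", "1.3", "tls1.2" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        struct tls_version_policy p;
        const char *label = inputs[i] ? inputs[i] : "(unset)";

        if (parse_tls_version_policy(inputs[i], &p) != 0)
            printf("%-8s rejected\n", label);
        else
            printf("%-8s min=0x%04x max=0x%04x\n", label,
                   p.min_version, p.max_version);
    }
    return 0;
}
```

Applying the result is the pair of calls `SSL_CTX_set_min_proto_version(ctx, p.min_version)` and `SSL_CTX_set_max_proto_version(ctx, p.max_version)`; a bound of 0 leaves OpenSSL's own limit in place, which is why the unset fields are zero rather than a guessed version.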
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net