
Channel Encryption

Christian Ferrari

This page is no longer maintained; the current version is at https://www.tiian.org/flom/security/Channel_Encryption.html

Configuration example for "Channel Encryption" security level

The example uses two different nodes; these are the names used throughout the example:

  • node1, name: ubuntu1004.brenta.org, operating system: Ubuntu Linux 10.04 (64 bit)
  • node2, name: centos71-64.brenta.org, operating system: CentOS 7.1 (64 bit)

The page [Channel Encryption Debug] explains how to debug this type of configuration in case of issues.

Setting up the certification authority and the required certificates

The instructions shown below are inspired by this documentation.
Refer to the original documentation at that link for a good explanation of certification authorities and certificates.

Creating a CA (Certification Authority) named CA1

Connect to node1, and execute these commands to create the directory structure:

tiian@ubuntu1004:~$ mkdir flom_ssl
tiian@ubuntu1004:~$ cd flom_ssl
tiian@ubuntu1004:~/flom_ssl$ mkdir CA1
tiian@ubuntu1004:~/flom_ssl$ cd CA1
tiian@ubuntu1004:~/flom_ssl/CA1$ mkdir certs crl newcerts private
tiian@ubuntu1004:~/flom_ssl/CA1$ echo "01" > serial
tiian@ubuntu1004:~/flom_ssl/CA1$ cp /dev/null index.txt
tiian@ubuntu1004:~/flom_ssl/CA1$ ls -la
total 28
drwxr-xr-x 6 tiian tiian 4096 2016-03-29 22:09 .
drwxr-xr-x 3 tiian tiian 4096 2016-03-29 22:09 ..
drwxr-xr-x 2 tiian tiian 4096 2016-03-29 22:09 certs
drwxr-xr-x 2 tiian tiian 4096 2016-03-29 22:09 crl
-rw-r--r-- 1 tiian tiian    0 2016-03-29 22:09 index.txt
drwxr-xr-x 2 tiian tiian 4096 2016-03-29 22:09 newcerts
drwxr-xr-x 2 tiian tiian 4096 2016-03-29 22:09 private
-rw-r--r-- 1 tiian tiian    3 2016-03-29 22:09 serial

Pick an openssl.cnf example file; FLoM provides a pre-configured one in directory /usr/local/share/doc/flom/:

tiian@ubuntu1004:~/flom_ssl/CA1$ ls -la /usr/local/share/doc/flom/flom_openssl.conf 
-rw-r--r-- 1 root root 9431 2016-03-28 19:34 /usr/local/share/doc/flom/flom_openssl.conf

copy it locally:

tiian@ubuntu1004:~/flom_ssl/CA1$ cp /usr/local/share/doc/flom/flom_openssl.conf .

You can configure it as described here; for a basic test the supplied one is good enough, with one caveat: it generates 1024-bit RSA keys (default_bits in the [req] section), which is below the 2048-bit minimum accepted today, so raise it before generating anything you intend to keep.

Generate the certificate for the CA:

tiian@ubuntu1004:~/flom_ssl/CA1$ openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config flom_openssl.conf 
Generating a 1024 bit RSA private key
...++++++
..............++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IT]:
State or Province Name (full name) [Treviso]:
Locality Name (eg, city) [Mogliano Veneto]:
Organization Name (eg, company) [FLoM Software Corporation]:
Organizational Unit Name (eg, section) [Development and Research]:
Common Name (eg, YOUR name) []:CA for FLoM Channel Encryption
Email Address []:

File cacert.pem contains the X.509 certificate of the certification authority you have just created and file private/cakey.pem contains its private key. As the listing shows, the key file is created world-readable (-rw-r--r--): restrict it (chmod 600 private/cakey.pem) even though it is protected by the pass phrase.

tiian@ubuntu1004:~/flom_ssl/CA1$ ls -la cacert.pem private/cakey.pem 
-rw-r--r-- 1 tiian tiian 1411 2016-03-29 22:19 cacert.pem
-rw-r--r-- 1 tiian tiian  963 2016-03-29 22:19 private/cakey.pem

Creating a first X.509 certificate

To implement a channel encryption configuration just one certificate is enough: every node uses the same certificate and key.

Now execute these 4 commands; the third one (openssl ca) asks for a pass phrase: the one you chose for the certification authority key above. Note that the -days 3650 on the first command applies only to the temporary self-signed certificate it produces; the validity of the certificate actually issued comes from default_days in flom_openssl.conf, 365 days in this example (see "Certificate is to be certified until" in the output).

tiian@ubuntu1004:~/flom_ssl/CA1$ openssl req -nodes -new -x509 -keyout first_key.pem -out first_req.pem -days 3650 -config flom_openssl.conf
tiian@ubuntu1004:~/flom_ssl/CA1$ openssl x509 -x509toreq -in first_req.pem -signkey first_key.pem -out tmp.pem
tiian@ubuntu1004:~/flom_ssl/CA1$ openssl ca -config flom_openssl.conf -policy policy_anything -out first_cert.pem -infiles tmp.pem
tiian@ubuntu1004:~/flom_ssl/CA1$ rm tmp.pem

The output should be something like this:

tiian@ubuntu1004:~/flom_ssl/CA1$ openssl req -nodes -new -x509 -keyout first_key.pem -out first_req.pem -days 3650 -config flom_openssl.conf
Generating a 1024 bit RSA private key
.........++++++
...++++++
writing new private key to 'first_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IT]:
State or Province Name (full name) [Treviso]:
Locality Name (eg, city) [Mogliano Veneto]:
Organization Name (eg, company) [FLoM Software Corporation]:
Organizational Unit Name (eg, section) [Development and Research]:
Common Name (eg, YOUR name) []:Generic FLoM node
Email Address []:
tiian@ubuntu1004:~/flom_ssl/CA1$ openssl x509 -x509toreq -in first_req.pem -signkey first_key.pem -out tmp.pem
Getting request Private Key
Generating certificate request
tiian@ubuntu1004:~/flom_ssl/CA1$ openssl ca -config flom_openssl.conf -policy policy_anything -out first_cert.pem -infiles tmp.pem
Using configuration from flom_openssl.conf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 29 20:29:07 2016 GMT
            Not After : Mar 29 20:29:07 2017 GMT
        Subject:
            countryName               = IT
            stateOrProvinceName       = Treviso
            localityName              = Mogliano Veneto
            organizationName          = FLoM Software Corporation
            organizationalUnitName    = Development and Research
            commonName                = Generic FLoM node
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E9:77:80:9F:6F:A7:1D:55:E6:46:31:48:91:E8:64:DD:37:3B:58:5D
            X509v3 Authority Key Identifier: 
                keyid:71:E4:77:AE:FD:4B:17:9C:4D:9E:7C:B6:1D:8D:37:08:F2:DD:09:AC

Certificate is to be certified until Mar 29 20:29:07 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
tiian@ubuntu1004:~/flom_ssl/CA1$ rm tmp.pem

If everything is fine, you should have two files: first_cert.pem contains the X.509 certificate for your FLoM node(s) and first_key.pem contains the private key associated to the certificate. Because of -nodes this key is stored unencrypted, and the listing shows it is created world-readable, so chmod 600 first_key.pem before copying it anywhere:

tiian@ubuntu1004:~/flom_ssl/CA1$ ls -la first_cert.pem first_key.pem 
-rw-r--r-- 1 tiian tiian 3391 2016-03-29 22:29 first_cert.pem
-rw-r--r-- 1 tiian tiian  887 2016-03-29 22:26 first_key.pem
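The whole procedure above, as an added example that is not FLoM's own code and not part of the original page: a POSIX shell script that creates CA1 and issues a node certificate without prompts, using a minimal inline OpenSSL configuration in place of flom_openssl.conf (so the section names, key sizes and extensions in it are this example's assumptions, not the contents of the supplied file). It also adds the checks a practitioner would run before copying the files to the nodes: that the certificate chains to cacert.pem, that the key matches it, and that the key file is not world-readable. It assumes openssl in PATH, a scratch directory in FLOM_SSL_WORK (a temporary one otherwise) and the CA pass phrase in CA_PASS.

```shell
#!/bin/sh
# Added example (not FLoM code): the page's CA1 and node-certificate procedure made
# non-interactive, with a minimal inline OpenSSL config instead of flom_openssl.conf.
# Assumptions: openssl in PATH; CA passphrase in $CA_PASS; scratch dir in $FLOM_SSL_WORK.
set -eu

WORK="${FLOM_SSL_WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-test-only-passphrase}"   # placeholder; supply a real one via the environment
CA="$WORK/CA1"

# Same layout as the page (certs crl newcerts private, serial, index.txt) plus a
# config that uses 2048-bit keys, SHA-256, CA:FALSE leaf certificates, 365-day validity.
setup_ca_dir() {
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
    chmod 700 "$CA/private"
    echo "01" > "$CA/serial"
    : > "$CA/index.txt"
    cat > "$CA/flom_openssl.conf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# CA certificate valid 10 years as on the page; 4096-bit key, encrypted under $CA_PASS,
# written with mode 0600 thanks to the umask.
create_ca() {
    (umask 077; openssl req -new -x509 -days 3650 -newkey rsa:4096 \
        -config "$CA/flom_openssl.conf" -passout "pass:$CA_PASS" \
        -keyout "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
        -subj "/C=IT/O=FLoM Software Corporation/CN=CA for FLoM Channel Encryption")
}

# Node key and CSR, then CA1 signs it. "openssl req -new" without -x509 produces a CSR
# directly, so the page's x509toreq step is not needed; -batch removes the prompts.
issue_node_cert() {   # $1 = file prefix, $2 = commonName
    (umask 077; openssl req -new -nodes -newkey rsa:2048 -config "$CA/flom_openssl.conf" \
        -keyout "$CA/${1}_key.pem" -out "$CA/${1}_req.pem" \
        -subj "/C=IT/O=FLoM Software Corporation/CN=$2")
    (cd "$CA" && openssl ca -batch -config flom_openssl.conf -policy policy_anything \
        -passin "pass:$CA_PASS" -notext -out "${1}_cert.pem" -infiles "${1}_req.pem")
}

# Checks to run before copying the files to the nodes: the certificate chains to
# cacert.pem, the key matches the certificate, and the key is not world-readable.
verify_node_cert() {   # $1 = file prefix; non-zero on the first failed check
    cert="$CA/${1}_cert.pem"; key="$CA/${1}_key.pem"
    openssl verify -CAfile "$CA/cacert.pem" "$cert" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -modulus -in "$cert")" = \
      "$(openssl rsa -noout -modulus -in "$key")" ] || return 1
    [ "$(ls -l "$key" | cut -c8-10)" = "---" ] || return 1
}

setup_ca_dir
create_ca
issue_node_cert first "Generic FLoM node"
verify_node_cert first || { echo "verification failed" >&2; exit 1; }
echo "cacert.pem, first_cert.pem and first_key.pem are ready in $CA"
```

Run it with sh from any directory; calling issue_node_cert again with another prefix and commonName produces a second, per-node certificate, since the script increments serial and index.txt exactly as the interactive openssl ca does.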

Certificate "installation"

Only 3 files are needed by the FLoM process (flom):

  • first_cert.pem
  • first_key.pem
  • cacert.pem

Copy them to a convenient place on both systems. The example uses /tmp, which is world-accessible; on a real system put them in a directory that only the user running flom can read, since first_key.pem is an unencrypted private key.
Local copy:

tiian@ubuntu1004:~/flom_ssl/CA1$ mkdir /tmp/flom_ssl
tiian@ubuntu1004:~/flom_ssl/CA1$ cp cacert.pem first_cert.pem first_key.pem /tmp/flom_ssl/
tiian@ubuntu1004:~/flom_ssl/CA1$ ls -la /tmp/flom_ssl/
total 20
drwxr-xr-x 2 tiian tiian 4096 2016-03-29 22:39 .
drwxrwxrwt 5 root  root  4096 2016-03-29 22:39 ..
-rw-r--r-- 1 tiian tiian 1411 2016-03-29 22:39 cacert.pem
-rw-r--r-- 1 tiian tiian 3391 2016-03-29 22:39 first_cert.pem
-rw-r--r-- 1 tiian tiian  887 2016-03-29 22:39 first_key.pem

Remote copy:

tiian@ubuntu1004:~/flom_ssl/CA1$ scp -r /tmp/flom_ssl/ tiian@centos71-64.brenta.org:/tmp
Enter passphrase for key '/home/tiian/.ssh/id_rsa': 
first_cert.pem                                100% 3391     3.3KB/s   00:00    
cacert.pem                                    100% 1411     1.4KB/s   00:00    
first_key.pem                                 100%  887     0.9KB/s   00:00    

Check the content on node2:

[tiian@centos71-64 CA1]$ ls -la /tmp/flom_ssl/
total 16
drwxr-xr-x.  2 tiian tiian   64 29 mar 22.40 .
drwxrwxrwt. 10 root  root  4096 29 mar 22.40 ..
-rw-r--r--.  1 tiian tiian 1411 29 mar 22.40 cacert.pem
-rw-r--r--.  1 tiian tiian 3391 29 mar 22.40 first_cert.pem
-rw-r--r--.  1 tiian tiian  887 29 mar 22.40 first_key.pem

Using TLS (channel encryption security level) with FLoM

Setting a trace mask that traces the messages produced by the flom_tls and flom_tcp modules can help troubleshoot a possible issue.

This is the command to start a FLoM daemon (server) using TLS on node1. The first connection attempt in the trace is refused because no daemon is listening yet; the command then spawns the daemon (pid 1759 below) and the second attempt succeeds. Note the TLS method lines (TLSv1_client_method here, TLSv1_server_method in the daemon trace) and the negotiated cipher suite AES256-SHA: this 2016 build speaks TLS 1.0, which has since been deprecated by RFC 8996, so check what the build you deploy actually negotiates.

tiian@ubuntu1004:~$ export FLOM_TRACE_MASK=0x60000
tiian@ubuntu1004:~$ echo $FLOM_TRACE_MASK
0x60000
tiian@ubuntu1004:~$ flom -a ubuntu1004.brenta.org --daemon-trace-file=/tmp/flom-daemon.trc --tls-certificate=/tmp/flom_ssl/first_cert.pem --tls-private-key=/tmp/flom_ssl/first_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=no -d -1 -- true
2016-03-29 23:02:57.968705 [1756/0x6fd7e0] flom_tcp_init
2016-03-29 23:02:57.968738 [1756/0x6fd7e0] flom_tcp_init
2016-03-29 23:02:57.968742 [1756/0x6fd7e0] flom_tcp_connect
2016-03-29 23:02:57.968744 [1756/0x6fd7e0] flom_tcp_connect: connecting to address 'ubuntu1004.brenta.org' and port 28015
2016-03-29 23:02:57.969475 [1756/0x6fd7e0] flom_tcp_connect/getaddrinfo(): [ai_flags=2,ai_family=2,ai_socktype=1,ai_protocol=6,ai_addrlen=16,ai_canonname='ubuntu1004.brenta.org'] [ai_flags=2,ai_family=10,ai_socktype=1,ai_protocol=6,ai_addrlen=28,ai_canonname='{null}'] 
2016-03-29 23:02:57.969485 [1756/0x6fd7e0] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:02:57.969496 [1756/0x6fd7e0] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:02:57.969517 [1756/0x6fd7e0] flom_tcp_try_connect/connect(): errno=111 'Connection refused', skipping...
2016-03-29 23:02:57.969522 [1756/0x6fd7e0] flom_tcp_try_connect: sa addrlen=28; IPv6 address, sin6_port=28015, sin6_flowinfo=0x0, sin6_addr='fe80::5054:ff:feba:34b0', sin6_scope_id=0
2016-03-29 23:02:57.969531 [1756/0x6fd7e0] flom_tcp_try_connect: sa addrlen=28; IPv6 address, sin6_port=28015, sin6_flowinfo=0x0, sin6_addr='fe80::5054:ff:feba:34b0', sin6_scope_id=0
2016-03-29 23:02:57.969539 [1756/0x6fd7e0] flom_tcp_try_connect/connect(): errno=22 'Invalid argument', skipping...
2016-03-29 23:02:57.969544 [1756/0x6fd7e0] flom_tcp_connect/excp=1/ret_cod=7/errno=22
2016-03-29 23:02:57.970562 [1756/0x6fd7e0] flom_tcp_init
2016-03-29 23:02:57.970569 [1756/0x6fd7e0] flom_tcp_connect
2016-03-29 23:02:57.970571 [1756/0x6fd7e0] flom_tcp_connect: connecting to address 'ubuntu1004.brenta.org' and port 28015
2016-03-29 23:02:57.970837 [1756/0x6fd7e0] flom_tcp_connect/getaddrinfo(): [ai_flags=2,ai_family=2,ai_socktype=1,ai_protocol=6,ai_addrlen=16,ai_canonname='ubuntu1004.brenta.org'] [ai_flags=2,ai_family=10,ai_socktype=1,ai_protocol=6,ai_addrlen=28,ai_canonname='{null}'] 
2016-03-29 23:02:57.970847 [1756/0x6fd7e0] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:02:57.970855 [1756/0x6fd7e0] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:02:57.970879 [1756/0x6fd7e0] flom_tcp_connect: domain=2, sockfd=3, socket_type=16, addrlen=0
2016-03-29 23:02:57.970882 [1756/0x6fd7e0] flom_tcp_connect: addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:02:57.970888 [1756/0x6fd7e0] flom_tcp_connect/excp=2/ret_cod=0/errno=22
2016-03-29 23:02:57.970892 [1756/0x6fd7e0] flom_tls_init: calling SSL_library_init()...
2016-03-29 23:02:57.970937 [1756/0x6fd7e0] flom_tls_init: calling SSL_load_error_strings()...
2016-03-29 23:02:57.971204 [1756/0x6fd7e0] flom_tls_init: calling OpenSSL_add_all_algorithms()...
2016-03-29 23:02:57.971245 [1756/0x6fd7e0] flom_tls_context
2016-03-29 23:02:57.971248 [1756/0x6fd7e0] flom_tls_context: setting TLS/SSL method to TLSv1_client_method()
2016-03-29 23:02:57.971336 [1756/0x6fd7e0] flom_tls_context: SSL_CTX_set_verify(0x7271c0, 1, flom_tls_callback)
2016-03-29 23:02:57.971342 [1756/0x6fd7e0] flom_tls_context/excp=2/ret_cod=0/errno=22
2016-03-29 23:02:57.971345 [1756/0x6fd7e0] flom_tls_set_cert
2016-03-29 23:02:57.971347 [1756/0x6fd7e0] flom_tls_set_cert: SSL_CTX_use_certificate_file(obj->ctx, '/tmp/flom_ssl/first_cert.pem', SSL_FILETYPE_PEM)
2016-03-29 23:02:57.971423 [1756/0x6fd7e0] flom_tls_set_cert: SSL_CTX_use_PrivateKey_file(obj->ctx, '/tmp/flom_ssl/first_key.pem', SSL_FILETYPE_PEM)
2016-03-29 23:02:57.971450 [1756/0x6fd7e0] flom_tls_set_cert: SSL_CTX_check_private_key(obj->ctx)
2016-03-29 23:02:57.971456 [1756/0x6fd7e0] flom_tls_set_cert: SSL_CTX_load_verify_locations(obj->ctx, '/tmp/flom_ssl/cacert.pem', NULL)
2016-03-29 23:02:57.971494 [1756/0x6fd7e0] flom_tls_set_cert/excp=4/ret_cod=0/errno=22
2016-03-29 23:02:57.971498 [1756/0x6fd7e0] flom_tls_connect
2016-03-29 23:02:57.971500 [1756/0x6fd7e0] flom_tls_prepare
2016-03-29 23:02:57.971512 [1756/0x6fd7e0] flom_tls_prepare/excp=3/ret_cod=0/errno=22
2016-03-29 23:02:57.972351 [1756/0x6fd7e0] flom_tls_callback: preverify_ok=1
2016-03-29 23:02:57.972355 [1756/0x6fd7e0] flom_tls_callback: ret_cod=1
2016-03-29 23:02:57.972401 [1756/0x6fd7e0] flom_tls_callback: preverify_ok=1
2016-03-29 23:02:57.972403 [1756/0x6fd7e0] flom_tls_callback: ret_cod=1
2016-03-29 23:02:57.973554 [1756/0x6fd7e0] flom_tls_connect: connection established with AES256-SHA encryption
2016-03-29 23:02:57.973559 [1756/0x6fd7e0] flom_tls_cert_parse
...
2016-03-29 23:02:57.973589 [1756/0x6fd7e0] flom_tls_cert_parse: issuer fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
...
2016-03-29 23:02:57.977242 [1756/0x6fd7e0] flom_tls_cert_parse: subject fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
2016-03-29 23:02:57.977251 [1756/0x6fd7e0] flom_tls_cert_parse/excp=4/ret_cod=0/errno=0
2016-03-29 23:02:57.977254 [1756/0x6fd7e0] flom_tls_connect/excp=3/ret_cod=0/errno=0
2016-03-29 23:02:57.977299 [1756/0x6fd7e0] flom_tls_send
2016-03-29 23:02:57.977315 [1756/0x6fd7e0] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-29 23:02:57.977321 [1756/0x6fd7e0] flom_tls_recv
2016-03-29 23:02:57.977601 [1756/0x6fd7e0] flom_tls_recv: received 147 of 1024 bytes
2016-03-29 23:02:57.977606 [1756/0x6fd7e0] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-29 23:02:57.978303 [1756/0x6fd7e0] flom_tls_send
2016-03-29 23:02:57.978325 [1756/0x6fd7e0] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-29 23:02:57.978455 [1756/0x6fd7e0] flom_tcp_close
2016-03-29 23:02:57.978461 [1756/0x6fd7e0] flom_tcp_close/excp=1/ret_cod=0/errno=107
tiian@ubuntu1004:~$ pgrep flom
1759

This is the trace produced by the FLoM daemon running on node1:

tiian@ubuntu1004:~$ cat /tmp/flom-daemon.trc 
2016-03-29 23:02:57.969919 [1759/0x6fd7e0] flom_tcp_init
2016-03-29 23:02:57.969946 [1759/0x6fd7e0] flom_tcp_listen
2016-03-29 23:02:57.969948 [1759/0x6fd7e0] flom_tcp_listen: binding address 'ubuntu1004.brenta.org' and port 28015
2016-03-29 23:02:57.970465 [1759/0x6fd7e0] flom_tcp_listen/getaddrinfo(): [ai_flags=1,ai_family=2,ai_socktype=1,ai_protocol=6,ai_addrlen=16,ai_canonname='{null}'] [ai_flags=1,ai_family=10,ai_socktype=1,ai_protocol=6,ai_addrlen=28,ai_canonname='{null}'] 
2016-03-29 23:02:57.970470 [1759/0x6fd7e0] flom_tcp_listen: ai_addr addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:02:57.970479 [1759/0x6fd7e0] flom_tcp_listen: bound!
2016-03-29 23:02:57.970491 [1759/0x6fd7e0] flom_tcp_listen/excp=3/ret_cod=0/errno=22
...
2016-03-29 23:02:57.971570 [1759/0x6fd7e0] flom_tls_init: calling SSL_library_init()...
2016-03-29 23:02:57.971619 [1759/0x6fd7e0] flom_tls_init: calling SSL_load_error_strings()...
2016-03-29 23:02:57.971880 [1759/0x6fd7e0] flom_tls_init: calling OpenSSL_add_all_algorithms()...
2016-03-29 23:02:57.971920 [1759/0x6fd7e0] flom_tls_context
2016-03-29 23:02:57.971923 [1759/0x6fd7e0] flom_tls_context: setting TLS/SSL method to TLSv1_server_method()
2016-03-29 23:02:57.972001 [1759/0x6fd7e0] flom_tls_context: SSL_CTX_set_verify(0x727890, 3, flom_tls_callback)
2016-03-29 23:02:57.972006 [1759/0x6fd7e0] flom_tls_context/excp=2/ret_cod=0/errno=22
2016-03-29 23:02:57.972008 [1759/0x6fd7e0] flom_tls_set_cert
2016-03-29 23:02:57.972010 [1759/0x6fd7e0] flom_tls_set_cert: SSL_CTX_use_certificate_file(obj->ctx, '/tmp/flom_ssl/first_cert.pem', SSL_FILETYPE_PEM)
2016-03-29 23:02:57.972075 [1759/0x6fd7e0] flom_tls_set_cert: SSL_CTX_use_PrivateKey_file(obj->ctx, '/tmp/flom_ssl/first_key.pem', SSL_FILETYPE_PEM)
2016-03-29 23:02:57.972098 [1759/0x6fd7e0] flom_tls_set_cert: SSL_CTX_check_private_key(obj->ctx)
2016-03-29 23:02:57.972103 [1759/0x6fd7e0] flom_tls_set_cert: SSL_CTX_load_verify_locations(obj->ctx, '/tmp/flom_ssl/cacert.pem', NULL)
2016-03-29 23:02:57.972147 [1759/0x6fd7e0] flom_tls_set_cert/excp=4/ret_cod=0/errno=22
2016-03-29 23:02:57.972151 [1759/0x6fd7e0] flom_tls_accept
2016-03-29 23:02:57.972153 [1759/0x6fd7e0] flom_tls_prepare
2016-03-29 23:02:57.972161 [1759/0x6fd7e0] flom_tls_prepare/excp=3/ret_cod=0/errno=22
...
2016-03-29 23:02:57.973656 [1759/0x6fd7e0] flom_tls_accepted: connection accepted with AES256-SHA encryption
2016-03-29 23:02:57.973662 [1759/0x6fd7e0] flom_tls_cert_parse
...
2016-03-29 23:02:57.973690 [1759/0x6fd7e0] flom_tls_cert_parse: issuer fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
...
2016-03-29 23:02:57.973764 [1759/0x6fd7e0] flom_tls_cert_parse: subject fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
2016-03-29 23:02:57.973791 [1759/0x6fd7e0] flom_tls_cert_parse/excp=4/ret_cod=0/errno=0
2016-03-29 23:02:57.973796 [1759/0x6fd7e0] flom_tls_accept/excp=3/ret_cod=0/errno=0
2016-03-29 23:02:57.977348 [1759/0x6fd7e0] flom_tls_recv
2016-03-29 23:02:57.977370 [1759/0x6fd7e0] flom_tls_recv: received 203 of 512 bytes
2016-03-29 23:02:57.977372 [1759/0x6fd7e0] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-29 23:02:57.977497 [1759/0x741f80] flom_tcp_init
2016-03-29 23:02:57.977505 [1759/0x741f80] flom_tcp_init
2016-03-29 23:02:57.977555 [1759/0x741f80] flom_tls_send
2016-03-29 23:02:57.977580 [1759/0x741f80] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-29 23:02:57.978346 [1759/0x741f80] flom_tls_recv
2016-03-29 23:02:57.978364 [1759/0x741f80] flom_tls_recv: received 109 of 512 bytes
2016-03-29 23:02:57.978366 [1759/0x741f80] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-29 23:02:57.978379 [1759/0x741f80] flom_tls_recv
2016-03-29 23:02:57.978384 [1759/0x741f80] flom_tls_recv/SSL_read: SSL error=5 (SSL_ERROR_SYSCALL)
2016-03-29 23:02:57.978387 [1759/0x741f80] flom_tls_recv/excp=0/ret_cod=-409/errno=0
2016-03-29 23:02:57.978390 [1759/0x741f80] flom_tcp_close
2016-03-29 23:02:57.978398 [1759/0x741f80] flom_tcp_close/excp=1/ret_cod=0/errno=0
2016-03-29 23:03:05.429333 [1759/0x6fd7e0] flom_tcp_init
2016-03-29 23:03:05.429388 [1759/0x6fd7e0] flom_tcp_init
2016-03-29 23:03:05.429405 [1759/0x6fd7e0] flom_tls_context
2016-03-29 23:03:05.429412 [1759/0x6fd7e0] flom_tls_context: setting TLS/SSL method to TLSv1_server_method()
2016-03-29 23:03:05.429503 [1759/0x6fd7e0] flom_tls_context: SSL_CTX_set_verify(0x7295b0, 3, flom_tls_callback)
2016-03-29 23:03:05.429515 [1759/0x6fd7e0] flom_tls_context/excp=2/ret_cod=0/errno=0
2016-03-29 23:03:05.429523 [1759/0x6fd7e0] flom_tls_set_cert
2016-03-29 23:03:05.429530 [1759/0x6fd7e0] flom_tls_set_cert: SSL_CTX_use_certificate_file(obj->ctx, '/tmp/flom_ssl/first_cert.pem', SSL_FILETYPE_PEM)
2016-03-29 23:03:05.429765 [1759/0x6fd7e0] flom_tls_set_cert: SSL_CTX_use_PrivateKey_file(obj->ctx, '/tmp/flom_ssl/first_key.pem', SSL_FILETYPE_PEM)
2016-03-29 23:03:05.429852 [1759/0x6fd7e0] flom_tls_set_cert: SSL_CTX_check_private_key(obj->ctx)
2016-03-29 23:03:05.429865 [1759/0x6fd7e0] flom_tls_set_cert: SSL_CTX_load_verify_locations(obj->ctx, '/tmp/flom_ssl/cacert.pem', NULL)
2016-03-29 23:03:05.430001 [1759/0x6fd7e0] flom_tls_set_cert/excp=4/ret_cod=0/errno=0
2016-03-29 23:03:05.430057 [1759/0x6fd7e0] flom_tls_accept
2016-03-29 23:03:05.430068 [1759/0x6fd7e0] flom_tls_prepare
2016-03-29 23:03:05.430089 [1759/0x6fd7e0] flom_tls_prepare/excp=3/ret_cod=0/errno=0
...
2016-03-29 23:03:05.440654 [1759/0x6fd7e0] flom_tls_accepted: connection accepted with AES256-SHA encryption
2016-03-29 23:03:05.440676 [1759/0x6fd7e0] flom_tls_cert_parse
...
2016-03-29 23:03:05.440764 [1759/0x6fd7e0] flom_tls_cert_parse: issuer fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
...
2016-03-29 23:03:05.440987 [1759/0x6fd7e0] flom_tls_cert_parse: subject fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
2016-03-29 23:03:05.441039 [1759/0x6fd7e0] flom_tls_cert_parse/excp=4/ret_cod=0/errno=0
2016-03-29 23:03:05.441051 [1759/0x6fd7e0] flom_tls_accept/excp=3/ret_cod=0/errno=0
2016-03-29 23:03:05.441074 [1759/0x741f80] flom_tcp_close
2016-03-29 23:03:05.441089 [1759/0x741f80] flom_tcp_close/excp=1/ret_cod=0/errno=0
2016-03-29 23:03:05.441659 [1759/0x6fd7e0] flom_tls_recv
2016-03-29 23:03:05.441742 [1759/0x6fd7e0] flom_tls_recv: received 203 of 512 bytes
2016-03-29 23:03:05.441755 [1759/0x6fd7e0] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-29 23:03:05.442078 [1759/0x743850] flom_tcp_init
2016-03-29 23:03:05.442093 [1759/0x743850] flom_tcp_init
2016-03-29 23:03:05.442131 [1759/0x743850] flom_tls_send
2016-03-29 23:03:05.442172 [1759/0x743850] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-29 23:03:05.443779 [1759/0x743850] flom_tls_recv
2016-03-29 23:03:05.443859 [1759/0x743850] flom_tls_recv: received 109 of 512 bytes
2016-03-29 23:03:05.443869 [1759/0x743850] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-29 23:03:05.443890 [1759/0x743850] flom_tls_recv
2016-03-29 23:03:05.443899 [1759/0x743850] flom_tls_recv/SSL_read: SSL error=5 (SSL_ERROR_SYSCALL)
2016-03-29 23:03:05.443905 [1759/0x743850] flom_tls_recv/excp=0/ret_cod=-409/errno=0
2016-03-29 23:03:05.443910 [1759/0x743850] flom_tcp_close
2016-03-29 23:03:05.443941 [1759/0x743850] flom_tcp_close/excp=1/ret_cod=0/errno=0

This is the command to start a FLoM client using TLS on node2:

[tiian@centos71-64 ~]$ export FLOM_TRACE_MASK=0x60000
[tiian@centos71-64 ~]$ echo $FLOM_TRACE_MASK
0x60000
[tiian@centos71-64 ~]$ flom -a ubuntu1004.brenta.org --tls-certificate=/tmp/flom_ssl/first_cert.pem --tls-private-key=/tmp/flom_ssl/first_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=no -- echo 'Hello world!'
2016-03-29 23:03:04.745922 [2141/0x1858400] flom_tcp_init
2016-03-29 23:03:04.746059 [2141/0x1858400] flom_tcp_init
2016-03-29 23:03:04.746071 [2141/0x1858400] flom_tcp_connect
2016-03-29 23:03:04.746078 [2141/0x1858400] flom_tcp_connect: connecting to address 'ubuntu1004.brenta.org' and port 28015
2016-03-29 23:03:04.747736 [2141/0x1858400] flom_tcp_connect/getaddrinfo(): [ai_flags=2,ai_family=2,ai_socktype=1,ai_protocol=6,ai_addrlen=16,ai_canonname='ubuntu1004.brenta.org'] [ai_flags=2,ai_family=10,ai_socktype=1,ai_protocol=6,ai_addrlen=28,ai_canonname='{null}'] 
2016-03-29 23:03:04.747782 [2141/0x1858400] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:03:04.747840 [2141/0x1858400] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:03:04.748342 [2141/0x1858400] flom_tcp_connect: domain=2, sockfd=3, socket_type=16, addrlen=0
2016-03-29 23:03:04.748373 [2141/0x1858400] flom_tcp_connect: addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-29 23:03:04.748410 [2141/0x1858400] flom_tcp_connect/excp=2/ret_cod=0/errno=22
2016-03-29 23:03:04.748434 [2141/0x1858400] flom_tls_init: calling SSL_library_init()...
2016-03-29 23:03:04.748689 [2141/0x1858400] flom_tls_init: calling SSL_load_error_strings()...
2016-03-29 23:03:04.752408 [2141/0x1858400] flom_tls_init: calling OpenSSL_add_all_algorithms()...
2016-03-29 23:03:04.752614 [2141/0x1858400] flom_tls_context
2016-03-29 23:03:04.752623 [2141/0x1858400] flom_tls_context: setting TLS/SSL method to TLSv1_client_method()
2016-03-29 23:03:04.753101 [2141/0x1858400] flom_tls_context: SSL_CTX_set_verify(0x1878210, 1, flom_tls_callback)
2016-03-29 23:03:04.753128 [2141/0x1858400] flom_tls_context/excp=2/ret_cod=0/errno=22
2016-03-29 23:03:04.753138 [2141/0x1858400] flom_tls_set_cert
2016-03-29 23:03:04.753144 [2141/0x1858400] flom_tls_set_cert: SSL_CTX_use_certificate_file(obj->ctx, '/tmp/flom_ssl/first_cert.pem', SSL_FILETYPE_PEM)
2016-03-29 23:03:04.753567 [2141/0x1858400] flom_tls_set_cert: SSL_CTX_use_PrivateKey_file(obj->ctx, '/tmp/flom_ssl/first_key.pem', SSL_FILETYPE_PEM)
2016-03-29 23:03:04.753684 [2141/0x1858400] flom_tls_set_cert: SSL_CTX_check_private_key(obj->ctx)
2016-03-29 23:03:04.753700 [2141/0x1858400] flom_tls_set_cert: SSL_CTX_load_verify_locations(obj->ctx, '/tmp/flom_ssl/cacert.pem', NULL)
2016-03-29 23:03:04.753963 [2141/0x1858400] flom_tls_set_cert/excp=4/ret_cod=0/errno=22
2016-03-29 23:03:04.753986 [2141/0x1858400] flom_tls_connect
2016-03-29 23:03:04.753997 [2141/0x1858400] flom_tls_prepare
2016-03-29 23:03:04.754105 [2141/0x1858400] flom_tls_prepare/excp=3/ret_cod=0/errno=22
2016-03-29 23:03:04.755174 [2141/0x1858400] flom_tls_callback: preverify_ok=1
2016-03-29 23:03:04.755198 [2141/0x1858400] flom_tls_callback: ret_cod=1
2016-03-29 23:03:04.755398 [2141/0x1858400] flom_tls_callback: preverify_ok=1
2016-03-29 23:03:04.755414 [2141/0x1858400] flom_tls_callback: ret_cod=1
2016-03-29 23:03:04.760231 [2141/0x1858400] flom_tls_connect: connection established with AES256-SHA encryption
2016-03-29 23:03:04.760257 [2141/0x1858400] flom_tls_cert_parse
...
2016-03-29 23:03:04.760387 [2141/0x1858400] flom_tls_cert_parse: issuer fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
...
2016-03-29 23:03:04.760568 [2141/0x1858400] flom_tls_cert_parse: subject fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
2016-03-29 23:03:04.760592 [2141/0x1858400] flom_tls_cert_parse/excp=4/ret_cod=0/errno=0
2016-03-29 23:03:04.760599 [2141/0x1858400] flom_tls_connect/excp=3/ret_cod=0/errno=0
2016-03-29 23:03:04.760750 [2141/0x1858400] flom_tls_send
2016-03-29 23:03:04.760805 [2141/0x1858400] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-29 23:03:04.760824 [2141/0x1858400] flom_tls_recv
2016-03-29 23:03:04.761566 [2141/0x1858400] flom_tls_recv: received 147 of 1024 bytes
2016-03-29 23:03:04.761581 [2141/0x1858400] flom_tls_recv/excp=1/ret_cod=0/errno=0
Hello world!
2016-03-29 23:03:04.762902 [2141/0x1858400] flom_tls_send
2016-03-29 23:03:04.762947 [2141/0x1858400] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-29 23:03:04.763342 [2141/0x1858400] flom_tcp_close
2016-03-29 23:03:04.763369 [2141/0x1858400] flom_tcp_close/excp=1/ret_cod=0/errno=107

Remove the trace mask and kill the old daemon, then restart the daemon on node1:

tiian@ubuntu1004:~$ pkill flom
tiian@ubuntu1004:~$ pgrep flom
tiian@ubuntu1004:~$ unset FLOM_TRACE_MASK
tiian@ubuntu1004:~$ flom -a ubuntu1004.brenta.org --daemon-trace-file=/tmp/flom-daemon.trc --tls-certificate=/tmp/flom_ssl/first_cert.pem --tls-private-key=/tmp/flom_ssl/first_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=no -d -1 -- true
tiian@ubuntu1004:~$ pgrep flom
1821

Remove the trace mask, then run the client again on node2:

[tiian@centos71-64 ~]$ unset FLOM_TRACE_MASK
[tiian@centos71-64 ~]$ flom -a ubuntu1004.brenta.org --tls-certificate=/tmp/flom_ssl/first_cert.pem --tls-private-key=/tmp/flom_ssl/first_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=no -- echo 'Hello world!'
Hello world!

Configuration hint

A more convenient way to set up all the TLS parameters is to use a FLoM [Configuration] file; these are the keys you have to customize:

[TLS]
# Name of the file that contains the X.509 certificate assigned to this peer
# (Uncomment below row if necessary)
#TlsCertificate=cert.pem
# Name of the file that contains the private key of this peer
# (Uncomment below row if necessary)
#TlsPrivateKey=priv_key.pem
# Name of the file that contains the X.509 certificate of the certification
# authority used to sign the certificate of this peer
# (Uncomment below row if necessary)
#TlsCaCertificate=ca_cert.pem
# Check if the CommonName (CN) of the peer certificate matches the peer unique
# identifier; valid values are "yes" and "no" (case insensitive)
# (Uncomment below row if necessary)
#TlsCheckPeerId=yes

System message logging

Both client and server write log messages to the system log.

On the server side (node1):

tiian@ubuntu1004:~$ sudo tail -f /var/log/syslog 
[sudo] password for tiian: 
Mar 29 23:12:50 ubuntu1004 flom: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
Mar 29 23:12:50 ubuntu1004 flom: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
Mar 29 23:12:50 ubuntu1004 flom[1821]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
Mar 29 23:12:50 ubuntu1004 flom[1821]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
Mar 29 23:12:50 ubuntu1004 flom[1821]: FLM015I a connecting peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 8
Mar 29 23:12:50 ubuntu1004 flom: FLM016I the serving peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 16
Mar 29 23:13:47 ubuntu1004 flom[1821]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
Mar 29 23:13:47 ubuntu1004 flom[1821]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
Mar 29 23:13:47 ubuntu1004 flom[1821]: FLM015I a connecting peer sent id '6046574205df4258aeb409bf377235e0' for verb 1 and step 8

These messages relate to the connection coming in from node2:

Mar 29 23:13:47 ubuntu1004 flom[1821]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
Mar 29 23:13:47 ubuntu1004 flom[1821]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
Mar 29 23:13:47 ubuntu1004 flom[1821]: FLM015I a connecting peer sent id '6046574205df4258aeb409bf377235e0' for verb 1 and step 8

On the client side (node2), these are the corresponding messages:

Mar 29 23:13:46 centos71-64 flom: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
Mar 29 23:13:46 centos71-64 flom: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
Mar 29 23:13:46 centos71-64 flom: FLM016I the serving peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 16

FLoM peer unique ID

From the above logs:

  • node2 (client) sends ID 6046574205df4258aeb409bf377235e0 to node1 (server)
  • node1 (server) sends back ID 91ed6d1ed76c5773c7503d285679b33b to node2 (client)

Both nodes sent their own identity, but neither identity is verified, because of the command line option --tls-check-peer-id=no: the IDs are only written to the log.
In [Mutual Authentication] the IDs are checked against the CN (commonName) field inside the X.509 certificate.
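The following script is an added example, not part of FLoM: it reads FLM012I/FLM015I/FLM016I lines in the syslog format shown above and, for every announced peer ID, prints the CN of the certificate that peer presented and whether the two agree. With --tls-check-peer-id=no FLoM logs the ID but does not compare it, so the report shows which of the logged connections a CN-based check (the one performed at the Mutual Authentication level) would have refused. The sample lines are constructed to mirror this page; the last pair, where the certificate CN equals the announced ID, is an assumed case added to show a match.

```shell
#!/bin/sh
# Added example, not FLoM code: audit announced peer IDs against the CN of the
# certificate each peer presented, using only the syslog lines FLoM writes.

# Constructed sample log, modelled on the lines shown on this page. The last
# pair is an assumed case where the peer's certificate CN equals its ID.
sample_log() {
cat <<'EOF'
Mar 29 23:37:36 ubuntu1004 flom[2233]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
Mar 29 23:37:36 ubuntu1004 flom[2233]: FLM015I a connecting peer sent id '6046574205df4258aeb409bf377235e0' for verb 1 and step 8
Mar 29 23:37:35 centos71-64 flom: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Another FLoM node
Mar 29 23:37:35 centos71-64 flom: FLM016I the serving peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 16
Mar 29 23:40:00 centos71-64 flom: FLM012I X.509 peer certificate fields are C=IT/O=FLoM Software Corporation/emailAddress={null}/CN=91ed6d1ed76c5773c7503d285679b33b
Mar 29 23:40:00 centos71-64 flom: FLM016I the serving peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 16
EOF
}

# peer_id_audit: reads syslog lines on stdin and writes one tab-separated line
# per announced ID: host, process, peer role, id, certificate CN, MATCH|MISMATCH
peer_id_audit() {
  awk '
    BEGIN { OFS = "\t" }
    # FLM012I carries the DN of the certificate the peer presented; keep its CN
    # keyed by host + process so the FLM015I/FLM016I that follows from the same
    # process can be paired with it.
    /FLM012I/ {
      cn = $0; sub(/.*\/CN=/, "", cn); last_cn[$4 " " $5] = cn; next
    }
    # FLM015I is logged by a server about the connecting client,
    # FLM016I by a client about the serving daemon.
    /FLM015I|FLM016I/ {
      role = ($0 ~ /FLM015I/) ? "client" : "server"
      if (match($0, /id '\''[0-9a-f]+'\''/) == 0) next
      id = substr($0, RSTART + 4, RLENGTH - 5)
      key = $4 " " $5
      cn = (key in last_cn) ? last_cn[key] : "?"
      print $4, $5, role, id, cn, (id == cn ? "MATCH" : "MISMATCH")
    }
  '
}

sample_log | peer_id_audit
```

On the page's own log lines every row is a MISMATCH: the certificates carry human-readable CNs while the announced IDs are 32-character hex strings, which is exactly why these certificates can only be used with --tls-check-peer-id=no.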

Role exchange

The client and server roles can be switched: the same certificate, private key and CA certificate work for a node in either role.

Start a daemon inside node2:

[tiian@centos71-64 ~]$ pkill flom
[tiian@centos71-64 ~]$ pgrep flom
[tiian@centos71-64 ~]$ flom -a centos71-64.brenta.org --daemon-trace-file=/tmp/flom-daemon.trc --tls-certificate=/tmp/flom_ssl/first_cert.pem --tls-private-key=/tmp/flom_ssl/first_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=no -d -1 -- true
[tiian@centos71-64 ~]$ pgrep flom
2177

Start a client inside node1:

tiian@ubuntu1004:~$ pkill flom
tiian@ubuntu1004:~$ pgrep flom
tiian@ubuntu1004:~$ flom -a centos71-64.brenta.org --tls-certificate=/tmp/flom_ssl/first_cert.pem --tls-private-key=/tmp/flom_ssl/first_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=no -- echo 'Hello world!'
Hello world!

Using different X.509 certificates

You can create a second certificate using the same certification authority:

tiian@ubuntu1004:~/flom_ssl/CA1$ openssl req -nodes -new -x509 -keyout second_key.pem -out second_req.pem -days 3650 -config flom_openssl.conf
Generating a 1024 bit RSA private key
............................................................................++++++
...++++++
writing new private key to 'second_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IT]:
State or Province Name (full name) [Treviso]:
Locality Name (eg, city) [Mogliano Veneto]:
Organization Name (eg, company) [FLoM Software Corporation]:
Organizational Unit Name (eg, section) [Development and Research]:
Common Name (eg, YOUR name) []:Another FLoM node
Email Address []:
tiian@ubuntu1004:~/flom_ssl/CA1$ openssl x509 -x509toreq -in second_req.pem -signkey second_key.pem -out tmp.pem
Getting request Private Key
Generating certificate request
tiian@ubuntu1004:~/flom_ssl/CA1$ openssl ca -config flom_openssl.conf -policy policy_anything -out second_cert.pem -infiles tmp.pem
Using configuration from flom_openssl.conf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Mar 29 21:33:31 2016 GMT
            Not After : Mar 29 21:33:31 2017 GMT
        Subject:
            countryName               = IT
            stateOrProvinceName       = Treviso
            localityName              = Mogliano Veneto
            organizationName          = FLoM Software Corporation
            organizationalUnitName    = Development and Research
            commonName                = Another FLoM node
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4E:94:97:A8:E5:F5:2E:45:02:28:70:C9:9C:4C:2E:3B:1D:A8:A6:14
            X509v3 Authority Key Identifier: 
                keyid:71:E4:77:AE:FD:4B:17:9C:4D:9E:7C:B6:1D:8D:37:08:F2:DD:09:AC

Certificate is to be certified until Mar 29 21:33:31 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
tiian@ubuntu1004:~/flom_ssl/CA1$ rm tmp.pem
tiian@ubuntu1004:~/flom_ssl/CA1$ ls -la second_cert.pem second_key.pem 
-rw-r--r-- 1 tiian tiian 3391 2016-03-29 23:33 second_cert.pem
-rw-r--r-- 1 tiian tiian  887 2016-03-29 23:32 second_key.pem
tiian@ubuntu1004:~/flom_ssl/CA1$ cp second_cert.pem second_key.pem /tmp/flom_ssl/

And use it for the server on node1:

tiian@ubuntu1004:~/flom_ssl/CA1$ pkill flom
tiian@ubuntu1004:~/flom_ssl/CA1$ pgrep flom
tiian@ubuntu1004:~/flom_ssl/CA1$ flom -a ubuntu1004.brenta.org --daemon-trace-file=/tmp/flom-daemon.trc --tls-certificate=/tmp/flom_ssl/second_cert.pem --tls-private-key=/tmp/flom_ssl/second_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=no -d -1 -- true
tiian@ubuntu1004:~/flom_ssl/CA1$ pgrep flom
2233

Use the old certificate for the client on node2:

[tiian@centos71-64 ~]$ flom -a ubuntu1004.brenta.org --tls-certificate=/tmp/flom_ssl/first_cert.pem --tls-private-key=/tmp/flom_ssl/first_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=no -- echo 'Hello world!'
Hello world!

System logging

These are the messages written by the server on node1:

Mar 29 23:37:36 ubuntu1004 flom[2233]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
Mar 29 23:37:36 ubuntu1004 flom[2233]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Generic FLoM node
Mar 29 23:37:36 ubuntu1004 flom[2233]: FLM015I a connecting peer sent id '6046574205df4258aeb409bf377235e0' for verb 1 and step 8

and these are the messages written by the client on node2:

Mar 29 23:37:35 centos71-64 flom: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Channel Encryption
Mar 29 23:37:35 centos71-64 flom: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=Another FLoM node
Mar 29 23:37:35 centos71-64 flom: FLM016I the serving peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 16

The CN fields of the peer certificates are now different:

  • the client (node2) presents a certificate with "CN=Generic FLoM node" to the server (node1)
  • the server (node1) sends back a certificate with "CN=Another FLoM node" to the client (node2)

The peers use different certificates, but from an authentication point of view this is not relevant: the FLoM Channel Encryption security level only requires that every peer presents a valid X.509 certificate signed by the same certification authority. The CN is written to the log but is not compared with anything, so any holder of a certificate issued by that CA is accepted; binding a connection to a specific identity is the job of [Mutual Authentication].
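The script below is an added example, not FLoM's own tooling or the page's commands: it reproduces the "same CA" rule described above, and the certificate issuance of the previous section, with non-interactive openssl commands. Two leaf certificates with different CNs are issued by one CA and a third one, with the same CN as the first, by an unrelated CA; `openssl verify -CAfile` then shows that only the first two would be accepted, whatever their CN says. Assumptions: `openssl x509 -req -CA` is used instead of the page's `openssl ca` database, `-subj` replaces the interactive prompts, and the CA and peer names are illustrative.

```shell
#!/bin/sh
# Added example, not FLoM code: show that the Channel Encryption check is
# "does the peer certificate chain to the trusted CA", independent of its CN.
# Simplification: "openssl x509 -req -CA" instead of the page's "openssl ca".

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <dir> <CN>: self-signed CA key and certificate
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" \
    -subj "/C=IT/O=FLoM Software Corporation/CN=$2" >/dev/null 2>&1
}

# issue_cert <dir> <CA dir> <name> <CN>: private key plus CA-signed certificate
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/${3}_key.pem" -out "$1/${3}_req.pem" \
    -subj "/C=IT/O=FLoM Software Corporation/CN=$4" >/dev/null 2>&1
  openssl x509 -req -in "$1/${3}_req.pem" -days 365 -sha256 \
    -CA "$2/cacert.pem" -CAkey "$2/cakey.pem" -CAcreateserial \
    -out "$1/${3}_cert.pem" >/dev/null 2>&1
}

# chains_to <CA cert> <leaf cert>: succeeds only if the leaf was signed by that CA
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn <cert>: the CN a --tls-check-peer-id=yes check would compare with the ID
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/^subject= *//; s/^CN=//; s/,.*//'
}

mkdir -p "$WORK/CA1" "$WORK/CA2"
make_ca "$WORK/CA1" "CA for FLoM Channel Encryption"
make_ca "$WORK/CA2" "Unrelated CA"                       # hypothetical second CA
issue_cert "$WORK" "$WORK/CA1" first  "Generic FLoM node"
issue_cert "$WORK" "$WORK/CA1" second "Another FLoM node"
issue_cert "$WORK" "$WORK/CA2" rogue  "Generic FLoM node"  # same CN, wrong CA

for c in first second rogue; do
  if chains_to "$WORK/CA1/cacert.pem" "$WORK/${c}_cert.pem"; then
    echo "$c: accepted by peers trusting CA1 (CN='$(cert_cn "$WORK/${c}_cert.pem")')"
  else
    echo "$c: rejected, not signed by CA1 (CN='$(cert_cn "$WORK/${c}_cert.pem")')"
  fi
done
```

The rogue certificate carries exactly the CN of the first one and is still rejected, while the second one is accepted with a completely different CN: the issuer is what the Channel Encryption level trusts, so protecting the CA private key (`private/cakey.pem` in the page's layout) is what keeps unauthorised nodes out of the lock manager.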


Related

Wiki: Channel Encryption Debug
Wiki: Configuration
Wiki: Mutual Authentication
Wiki: Security
