This page is no longer maintained; the current one is at https://www.tiian.org/flom/security/Mutual_Authentication.html
The example uses two different nodes; these are the names used throughout the example: node1 is ubuntu1004 and node2 is centos71-64.
It is suggested that you understand how the [Channel Encryption] security level configuration works before proceeding with this more complex one.
The page [Mutual Authentication Debug] explains how to debug this type of configuration in case of issues.
The instructions shown below are inspired by this precious documentation.
Take a look at the original documentation at the previous link for a good explanation of certification authorities and certificates.
Connect to node1 and execute these commands to create the directory structure:
tiian@ubuntu1004:~$ mkdir flom_ssl
tiian@ubuntu1004:~$ cd flom_ssl
tiian@ubuntu1004:~/flom_ssl$ mkdir CA2
tiian@ubuntu1004:~/flom_ssl$ cd CA2
tiian@ubuntu1004:~/flom_ssl/CA2$ ls
tiian@ubuntu1004:~/flom_ssl/CA2$ mkdir certs crl newcerts private
tiian@ubuntu1004:~/flom_ssl/CA2$ echo "01" > serial
tiian@ubuntu1004:~/flom_ssl/CA2$ cp /dev/null index.txt
tiian@ubuntu1004:~/flom_ssl/CA2$ ls -la
total 28
drwxr-xr-x 6 tiian tiian 4096 2016-03-30 21:54 .
drwxr-xr-x 4 tiian tiian 4096 2016-03-30 21:53 ..
drwxr-xr-x 2 tiian tiian 4096 2016-03-30 21:53 certs
drwxr-xr-x 2 tiian tiian 4096 2016-03-30 21:53 crl
-rw-r--r-- 1 tiian tiian 0 2016-03-30 21:54 index.txt
drwxr-xr-x 2 tiian tiian 4096 2016-03-30 21:53 newcerts
drwxr-xr-x 2 tiian tiian 4096 2016-03-30 21:53 private
-rw-r--r-- 1 tiian tiian 3 2016-03-30 21:54 serial
Pick up an openssl.cnf example file; FLoM provides a pre-configured one in the directory /usr/local/share/doc/flom/:
tiian@ubuntu1004:~/flom_ssl/CA2$ ls -la /usr/local/share/doc/flom/flom_openssl.conf
-rw-r--r-- 1 root root 9431 2016-03-28 19:34 /usr/local/share/doc/flom/flom_openssl.conf
Copy it locally:
tiian@ubuntu1004:~/flom_ssl/CA2$ cp /usr/local/share/doc/flom/flom_openssl.conf .
You can configure it as described here, but for basic usage the supplied one should be good enough.
Generate the certificate of the CA:
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 3650 -config flom_openssl.conf
Generating a 1024 bit RSA private key
...++++++
.................................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IT]:
State or Province Name (full name) [Treviso]:
Locality Name (eg, city) [Mogliano Veneto]:
Organization Name (eg, company) [FLoM Software Corporation]:
Organizational Unit Name (eg, section) [Development and Research]:
Common Name (eg, YOUR name) []:CA for FLoM Mutual Authentication
Email Address []:
File cacert.pem contains the X.509 certificate of the certification authority you have just created, and file private/cakey.pem contains the private key associated with the certification authority.
tiian@ubuntu1004:~/flom_ssl/CA2$ ls -la cacert.pem private/cakey.pem
-rw-r--r-- 1 tiian tiian 1424 2016-03-30 21:57 cacert.pem
-rw-r--r-- 1 tiian tiian 963 2016-03-30 21:57 private/cakey.pem
To implement a mutual authentication configuration, a distinct certificate for every node is necessary.
FLoM's unique ID is based on a feature provided by D-Bus: FLoM behaves like the command dbus-uuidgen --get:
tiian@ubuntu1004:~/flom_ssl/CA2$ flom --unique-id
91ed6d1ed76c5773c7503d285679b33b
From the above text, the unique ID of node1 is 91ed6d1ed76c5773c7503d285679b33b.
The unique ID must be passed to the openssl command when it asks for the Common Name of the certificate.
Now you have to execute 4 commands:
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl req -nodes -new -x509 -keyout node1_key.pem -out node1_req.pem -days 3650 -config flom_openssl.conf
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl x509 -x509toreq -in node1_req.pem -signkey node1_key.pem -out tmp.pem
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl ca -config flom_openssl.conf -policy policy_anything -out node1_cert.pem -infiles tmp.pem
tiian@ubuntu1004:~/flom_ssl/CA2$ rm tmp.pem
The output should be something like this:
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl req -nodes -new -x509 -keyout node1_key.pem -out node1_req.pem -days 3650 -config flom_openssl.conf
Generating a 1024 bit RSA private key
...................................++++++
........................................................................................................++++++
writing new private key to 'node1_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IT]:
State or Province Name (full name) [Treviso]:
Locality Name (eg, city) [Mogliano Veneto]:
Organization Name (eg, company) [FLoM Software Corporation]:
Organizational Unit Name (eg, section) [Development and Research]:
Common Name (eg, YOUR name) []:91ed6d1ed76c5773c7503d285679b33b
Email Address []:
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl x509 -x509toreq -in node1_req.pem -signkey node1_key.pem -out tmp.pem
Getting request Private Key
Generating certificate request
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl ca -config flom_openssl.conf -policy policy_anything -out node1_cert.pem -infiles tmp.pem
Using configuration from flom_openssl.conf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 30 20:12:38 2016 GMT
Not After : Mar 30 20:12:38 2017 GMT
Subject:
countryName = IT
stateOrProvinceName = Treviso
localityName = Mogliano Veneto
organizationName = FLoM Software Corporation
organizationalUnitName = Development and Research
commonName = 91ed6d1ed76c5773c7503d285679b33b
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2A:A7:12:B2:7C:DC:B7:93:A9:89:C9:F1:1A:A7:6B:86:9D:99:12:7E
X509v3 Authority Key Identifier:
keyid:B3:44:2B:D2:40:4D:FB:89:E5:F0:FF:A3:20:8A:F3:F5:9C:C5:89:A9
Certificate is to be certified until Mar 30 20:12:38 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
tiian@ubuntu1004:~/flom_ssl/CA2$ rm tmp.pem
If everything is fine, you must have two files: node1_cert.pem contains the X.509 certificate for node1 (ubuntu1004) and node1_key.pem contains the private key associated with the certificate:
tiian@ubuntu1004:~/flom_ssl/CA2$ ls -la node1_cert.pem node1_key.pem
-rw-r--r-- 1 tiian tiian 3433 2016-03-30 22:12 node1_cert.pem
-rw-r--r-- 1 tiian tiian 887 2016-03-30 22:11 node1_key.pem
Since every node needs its own certificate, node2 needs one too. Connect to node2 and retrieve its unique ID:
[tiian@centos71-64 ~]$ flom --unique-id
6046574205df4258aeb409bf377235e0
From the above text, the unique ID of node2 is 6046574205df4258aeb409bf377235e0.
The unique ID must be passed to the openssl command when it asks for the Common Name of the certificate.
Connect to node1 and execute the 4 commands needed to generate the certificate for node2:
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl req -nodes -new -x509 -keyout node2_key.pem -out node2_req.pem -days 3650 -config flom_openssl.conf
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl x509 -x509toreq -in node2_req.pem -signkey node2_key.pem -out tmp.pem
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl ca -config flom_openssl.conf -policy policy_anything -out node2_cert.pem -infiles tmp.pem
tiian@ubuntu1004:~/flom_ssl/CA2$ rm tmp.pem
The output should be something like this:
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl req -nodes -new -x509 -keyout node2_key.pem -out node2_req.pem -days 3650 -config flom_openssl.conf
Generating a 1024 bit RSA private key
....................................................................++++++
...++++++
writing new private key to 'node2_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IT]:
State or Province Name (full name) [Treviso]:
Locality Name (eg, city) [Mogliano Veneto]:
Organization Name (eg, company) [FLoM Software Corporation]:
Organizational Unit Name (eg, section) [Development and Research]:
Common Name (eg, YOUR name) []:6046574205df4258aeb409bf377235e0
Email Address []:
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl x509 -x509toreq -in node2_req.pem -signkey node2_key.pem -out tmp.pem
Getting request Private Key
Generating certificate request
tiian@ubuntu1004:~/flom_ssl/CA2$ openssl ca -config flom_openssl.conf -policy policy_anything -out node2_cert.pem -infiles tmp.pem
Using configuration from flom_openssl.conf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Mar 30 20:21:44 2016 GMT
Not After : Mar 30 20:21:44 2017 GMT
Subject:
countryName = IT
stateOrProvinceName = Treviso
localityName = Mogliano Veneto
organizationName = FLoM Software Corporation
organizationalUnitName = Development and Research
commonName = 6046574205df4258aeb409bf377235e0
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
D0:54:C2:2B:69:A1:DD:F1:61:0C:E0:DD:82:71:2B:50:73:9F:B4:0E
X509v3 Authority Key Identifier:
keyid:B3:44:2B:D2:40:4D:FB:89:E5:F0:FF:A3:20:8A:F3:F5:9C:C5:89:A9
Certificate is to be certified until Mar 30 20:21:44 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
tiian@ubuntu1004:~/flom_ssl/CA2$ rm tmp.pem
If everything is fine, you must have two new files: node2_cert.pem contains the X.509 certificate for node2 (centos71-64) and node2_key.pem contains the private key associated with the certificate:
tiian@ubuntu1004:~/flom_ssl/CA2$ ls -la node2_cert.pem node2_key.pem
-rw-r--r-- 1 tiian tiian 3433 2016-03-30 22:21 node2_cert.pem
-rw-r--r-- 1 tiian tiian 891 2016-03-30 22:21 node2_key.pem
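The procedure above (the same for node1 and node2) in non-interactive form, as an added example that is not part of the FLoM documentation or of the project's own scripts: it creates a throw-away CA, issues one certificate per node with the node's unique ID as Common Name, and then performs the two checks that --tls-check-peer-id=yes depends on: the peer certificate chains to the CA, and its CN equals the unique ID the peer announces. It assumes openssl(1) is installed; it uses `openssl req -subj` and `openssl x509 -req` instead of the page's interactive `openssl ca` with flom_openssl.conf; the unique IDs are the ones shown on this page (on a real node take them from `flom --unique-id`); the function and variable names (make_ca, issue_node_cert, check_peer, cert_cn, WORK) are the example's own.

```shell
#!/bin/sh
# Added example, not FLoM's own scripts. Non-interactive version of the
# CA/node certificate procedure above, plus the two checks behind
# --tls-check-peer-id=yes (chain to the CA, CN == peer unique ID).
# Assumes: openssl(1) is installed. Function and variable names are ours.
set -eu

WORK="${FLOM_SSL_DIR:-$(mktemp -d)}"   # working directory, like ~/flom_ssl/CA2
DAYS=365
DN_PREFIX="/C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research"
# Unique IDs as shown on this page; on a real node run `flom --unique-id`.
NODE1_UID="91ed6d1ed76c5773c7503d285679b33b"
NODE2_UID="6046574205df4258aeb409bf377235e0"

# CA key and self-signed CA certificate. 2048-bit RSA: the 2016 transcript
# shows 1024-bit keys, which are no longer adequate.
make_ca() {
    mkdir -p "$WORK/private"
    chmod 700 "$WORK/private"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -keyout "$WORK/private/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "$DN_PREFIX/CN=CA for FLoM Mutual Authentication" >/dev/null 2>&1
}

# Node certificate: a CSR whose CN is the node's unique ID, signed by the CA.
# $1 = node name used as file prefix, $2 = the node's unique ID.
issue_node_cert() {
    node="$1"; uid="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/${node}_key.pem" -out "$WORK/${node}_req.pem" \
        -subj "$DN_PREFIX/CN=$uid" >/dev/null 2>&1
    openssl x509 -req -days "$DAYS" -in "$WORK/${node}_req.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/private/cakey.pem" -CAcreateserial \
        -out "$WORK/${node}_cert.pem" >/dev/null 2>&1
    rm -f "$WORK/${node}_req.pem"
    # -nodes leaves the key unencrypted; the transcript shows it created 0644
    # in /tmp, readable by every local user. Restrict it to the owner.
    chmod 600 "$WORK/${node}_key.pem"
}

# Self-signed certificate with node1's unique ID as CN but NOT issued by our
# CA: the CN matches, the chain does not, so it must be rejected.
make_untrusted_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
        -keyout "$WORK/untrusted_key.pem" -out "$WORK/untrusted_cert.pem" \
        -subj "$DN_PREFIX/CN=$NODE1_UID" >/dev/null 2>&1
}

# Print only the CN of a certificate ($1 = PEM file).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# What flom does with --tls-check-peer-id=yes: verify the peer certificate
# against the CA, then compare its CN with the unique ID the peer announced.
# $1 = peer certificate, $2 = unique ID claimed by the peer. Exit 0 on match.
check_peer() {
    openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1 || return 1
    [ "$(cert_cn "$1")" = "$2" ]
}

make_ca
issue_node_cert node1 "$NODE1_UID"
issue_node_cert node2 "$NODE2_UID"
make_untrusted_cert
check_peer "$WORK/node1_cert.pem" "$NODE1_UID" && echo "node1: trusted chain, CN matches unique ID"
check_peer "$WORK/node2_cert.pem" "$NODE1_UID" || echo "node2 cert presented with node1's ID: rejected"
check_peer "$WORK/untrusted_cert.pem" "$NODE1_UID" || echo "right CN, wrong CA: rejected"
```

The two negative cases are the point of the configuration: a certificate from the right CA but with another node's ID is rejected by the CN comparison, and a certificate carrying the right ID but not issued by cacert.pem is rejected by the chain check, so neither the ID nor the CA alone is enough to impersonate a node. Note also that the keys generated with -nodes are unencrypted and the `ls -la` output above shows them created with mode 0644 in /tmp; restrict them to the user running flom as the script does.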
Only 3 files are needed by the FLoM process (flom): the CA certificate (cacert.pem), the node certificate (nodeN_cert.pem) and the node private key (nodeN_key.pem).
Copy them to an easy-to-use place on both systems.
Pay attention: you have to copy a different certificate and key to each system.
Local copy:
tiian@ubuntu1004:~/flom_ssl/CA2$ mkdir /tmp/flom_ssl
tiian@ubuntu1004:~/flom_ssl/CA2$ cp cacert.pem node1_cert.pem node1_key.pem /tmp/flom_ssl/
tiian@ubuntu1004:~/flom_ssl/CA2$ ls -la /tmp/flom_ssl/
total 20
drwxr-xr-x 2 tiian tiian 4096 2016-03-30 22:25 .
drwxrwxrwt 5 root root 4096 2016-03-30 22:25 ..
-rw-r--r-- 1 tiian tiian 1424 2016-03-30 22:25 cacert.pem
-rw-r--r-- 1 tiian tiian 3433 2016-03-30 22:25 node1_cert.pem
-rw-r--r-- 1 tiian tiian 887 2016-03-30 22:25 node1_key.pem
Remote copy (directory /tmp/flom_ssl/ on node2 must be created in advance):
tiian@ubuntu1004:~/flom_ssl/CA2$ scp -r cacert.pem node2_cert.pem node2_key.pem tiian@centos71-64.brenta.org:/tmp/flom_ssl/
Enter passphrase for key '/home/tiian/.ssh/id_rsa':
cacert.pem 100% 1424 1.4KB/s 00:00
node2_cert.pem 100% 3433 3.4KB/s 00:00
node2_key.pem 100% 891 0.9KB/s 00:00
Check the content in node2:
[tiian@centos71-64 ~]$ ls -la /tmp/flom_ssl/
total 16
drwxrwxr-x. 2 tiian tiian 64 30 mar 22.31 .
drwxrwxrwt. 10 root root 4096 30 mar 22.31 ..
-rw-r--r--. 1 tiian tiian 1424 30 mar 22.31 cacert.pem
-rw-r--r--. 1 tiian tiian 3433 30 mar 22.31 node2_cert.pem
-rw-r--r--. 1 tiian tiian 891 30 mar 22.31 node2_key.pem
Setting a trace mask that traces the messages produced by the flom_tls and flom_tcp modules can help to troubleshoot a possible issue.
This is the command to start a FLoM daemon (server) using TLS on node1:
tiian@ubuntu1004:~$ export FLOM_TRACE_MASK=0x60000
tiian@ubuntu1004:~$ echo $FLOM_TRACE_MASK
0x60000
tiian@ubuntu1004:~$ flom -a ubuntu1004.brenta.org --daemon-trace-file=/tmp/flom-daemon.trc --tls-certificate=/tmp/flom_ssl/node1_cert.pem --tls-private-key=/tmp/flom_ssl/node1_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=yes -d -1 -- true
2016-03-30 22:34:09.286663 [1325/0x1dd47e0] flom_tcp_init
2016-03-30 22:34:09.286720 [1325/0x1dd47e0] flom_tcp_init
2016-03-30 22:34:09.286723 [1325/0x1dd47e0] flom_tcp_connect
2016-03-30 22:34:09.286725 [1325/0x1dd47e0] flom_tcp_connect: connecting to address 'ubuntu1004.brenta.org' and port 28015
2016-03-30 22:34:09.287437 [1325/0x1dd47e0] flom_tcp_connect/getaddrinfo(): [ai_flags=2,ai_family=2,ai_socktype=1,ai_protocol=6,ai_addrlen=16,ai_canonname='ubuntu1004.brenta.org'] [ai_flags=2,ai_family=10,ai_socktype=1,ai_protocol=6,ai_addrlen=28,ai_canonname='{null}']
2016-03-30 22:34:09.287448 [1325/0x1dd47e0] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:34:09.287460 [1325/0x1dd47e0] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:34:09.287483 [1325/0x1dd47e0] flom_tcp_try_connect/connect(): errno=111 'Connection refused', skipping...
2016-03-30 22:34:09.287489 [1325/0x1dd47e0] flom_tcp_try_connect: sa addrlen=28; IPv6 address, sin6_port=28015, sin6_flowinfo=0x0, sin6_addr='fe80::5054:ff:feba:34b0', sin6_scope_id=0
2016-03-30 22:34:09.287499 [1325/0x1dd47e0] flom_tcp_try_connect: sa addrlen=28; IPv6 address, sin6_port=28015, sin6_flowinfo=0x0, sin6_addr='fe80::5054:ff:feba:34b0', sin6_scope_id=0
2016-03-30 22:34:09.287507 [1325/0x1dd47e0] flom_tcp_try_connect/connect(): errno=22 'Invalid argument', skipping...
2016-03-30 22:34:09.287512 [1325/0x1dd47e0] flom_tcp_connect/excp=1/ret_cod=7/errno=22
2016-03-30 22:34:09.288486 [1325/0x1dd47e0] flom_tcp_init
2016-03-30 22:34:09.288494 [1325/0x1dd47e0] flom_tcp_connect
2016-03-30 22:34:09.288496 [1325/0x1dd47e0] flom_tcp_connect: connecting to address 'ubuntu1004.brenta.org' and port 28015
2016-03-30 22:34:09.288745 [1325/0x1dd47e0] flom_tcp_connect/getaddrinfo(): [ai_flags=2,ai_family=2,ai_socktype=1,ai_protocol=6,ai_addrlen=16,ai_canonname='ubuntu1004.brenta.org'] [ai_flags=2,ai_family=10,ai_socktype=1,ai_protocol=6,ai_addrlen=28,ai_canonname='{null}']
2016-03-30 22:34:09.288754 [1325/0x1dd47e0] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:34:09.288762 [1325/0x1dd47e0] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:34:09.288784 [1325/0x1dd47e0] flom_tcp_connect: domain=2, sockfd=3, socket_type=16, addrlen=0
2016-03-30 22:34:09.288787 [1325/0x1dd47e0] flom_tcp_connect: addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:34:09.288793 [1325/0x1dd47e0] flom_tcp_connect/excp=2/ret_cod=0/errno=22
2016-03-30 22:34:09.288797 [1325/0x1dd47e0] flom_tls_init: calling SSL_library_init()...
2016-03-30 22:34:09.288847 [1325/0x1dd47e0] flom_tls_init: calling SSL_load_error_strings()...
2016-03-30 22:34:09.289115 [1325/0x1dd47e0] flom_tls_init: calling OpenSSL_add_all_algorithms()...
2016-03-30 22:34:09.289161 [1325/0x1dd47e0] flom_tls_context
2016-03-30 22:34:09.289164 [1325/0x1dd47e0] flom_tls_context: setting TLS/SSL method to TLSv1_client_method()
2016-03-30 22:34:09.289254 [1325/0x1dd47e0] flom_tls_context: SSL_CTX_set_verify(0x1dfe1c0, 1, flom_tls_callback)
2016-03-30 22:34:09.289260 [1325/0x1dd47e0] flom_tls_context/excp=2/ret_cod=0/errno=22
2016-03-30 22:34:09.289263 [1325/0x1dd47e0] flom_tls_set_cert
2016-03-30 22:34:09.289265 [1325/0x1dd47e0] flom_tls_set_cert: SSL_CTX_use_certificate_file(obj->ctx, '/tmp/flom_ssl/node1_cert.pem', SSL_FILETYPE_PEM)
2016-03-30 22:34:09.289354 [1325/0x1dd47e0] flom_tls_set_cert: SSL_CTX_use_PrivateKey_file(obj->ctx, '/tmp/flom_ssl/node1_key.pem', SSL_FILETYPE_PEM)
2016-03-30 22:34:09.289382 [1325/0x1dd47e0] flom_tls_set_cert: SSL_CTX_check_private_key(obj->ctx)
2016-03-30 22:34:09.289387 [1325/0x1dd47e0] flom_tls_set_cert: SSL_CTX_load_verify_locations(obj->ctx, '/tmp/flom_ssl/cacert.pem', NULL)
2016-03-30 22:34:09.289447 [1325/0x1dd47e0] flom_tls_set_cert/excp=4/ret_cod=0/errno=22
2016-03-30 22:34:09.289450 [1325/0x1dd47e0] flom_tls_connect
2016-03-30 22:34:09.289453 [1325/0x1dd47e0] flom_tls_prepare
2016-03-30 22:34:09.289464 [1325/0x1dd47e0] flom_tls_prepare/excp=3/ret_cod=0/errno=22
2016-03-30 22:34:09.290441 [1325/0x1dd47e0] flom_tls_callback: preverify_ok=1
2016-03-30 22:34:09.290446 [1325/0x1dd47e0] flom_tls_callback: ret_cod=1
2016-03-30 22:34:09.290490 [1325/0x1dd47e0] flom_tls_callback: preverify_ok=1
2016-03-30 22:34:09.290492 [1325/0x1dd47e0] flom_tls_callback: ret_cod=1
2016-03-30 22:34:09.291626 [1325/0x1dd47e0] flom_tls_connect: connection established with AES256-SHA encryption
2016-03-30 22:34:09.291631 [1325/0x1dd47e0] flom_tls_cert_parse
...
2016-03-30 22:34:09.291660 [1325/0x1dd47e0] flom_tls_cert_parse: issuer fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
...
2016-03-30 22:34:09.296613 [1325/0x1dd47e0] flom_tls_cert_parse: subject fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=91ed6d1ed76c5773c7503d285679b33b
2016-03-30 22:34:09.296623 [1325/0x1dd47e0] flom_tls_cert_parse/excp=4/ret_cod=0/errno=0
2016-03-30 22:34:09.296626 [1325/0x1dd47e0] flom_tls_connect/excp=3/ret_cod=0/errno=0
2016-03-30 22:34:09.296678 [1325/0x1dd47e0] flom_tls_send
2016-03-30 22:34:09.296694 [1325/0x1dd47e0] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-30 22:34:09.296700 [1325/0x1dd47e0] flom_tls_recv
2016-03-30 22:34:09.297061 [1325/0x1dd47e0] flom_tls_recv: received 147 of 1024 bytes
2016-03-30 22:34:09.297066 [1325/0x1dd47e0] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-30 22:34:09.297090 [1325/0x1dd47e0] flom_tls_cert_check
2016-03-30 22:34:09.297092 [1325/0x1dd47e0] flom_tls_cert_check: peer address='192.168.122.57/28015', CN='91ed6d1ed76c5773c7503d285679b33b', peer unique ID='91ed6d1ed76c5773c7503d285679b33b'
2016-03-30 22:34:09.297097 [1325/0x1dd47e0] flom_tls_cert_check/excp=2/ret_cod=0/errno=0
2016-03-30 22:34:09.298040 [1325/0x1dd47e0] flom_tls_send
2016-03-30 22:34:09.298063 [1325/0x1dd47e0] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-30 22:34:09.298183 [1325/0x1dd47e0] flom_tcp_close
2016-03-30 22:34:09.298190 [1325/0x1dd47e0] flom_tcp_close/excp=1/ret_cod=0/errno=107
This is the trace produced by the FLoM daemon running on node1:
tiian@ubuntu1004:~$ cat /tmp/flom-daemon.trc
2016-03-30 22:34:09.287933 [1328/0x1dd47e0] flom_tcp_init
2016-03-30 22:34:09.287966 [1328/0x1dd47e0] flom_tcp_listen
2016-03-30 22:34:09.287969 [1328/0x1dd47e0] flom_tcp_listen: binding address 'ubuntu1004.brenta.org' and port 28015
2016-03-30 22:34:09.288362 [1328/0x1dd47e0] flom_tcp_listen/getaddrinfo(): [ai_flags=1,ai_family=2,ai_socktype=1,ai_protocol=6,ai_addrlen=16,ai_canonname='{null}'] [ai_flags=1,ai_family=10,ai_socktype=1,ai_protocol=6,ai_addrlen=28,ai_canonname='{null}']
2016-03-30 22:34:09.288366 [1328/0x1dd47e0] flom_tcp_listen: ai_addr addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:34:09.288376 [1328/0x1dd47e0] flom_tcp_listen: bound!
2016-03-30 22:34:09.288389 [1328/0x1dd47e0] flom_tcp_listen/excp=3/ret_cod=0/errno=22
2016-03-30 22:34:09.288397 [1328/0x1dd47e0] flom_tcp_init
2016-03-30 22:34:09.288400 [1328/0x1dd47e0] flom_tcp_init
2016-03-30 22:34:09.289545 [1328/0x1dd47e0] flom_tcp_init
2016-03-30 22:34:09.289551 [1328/0x1dd47e0] flom_tcp_init
2016-03-30 22:34:09.289553 [1328/0x1dd47e0] flom_tls_init: calling SSL_library_init()...
2016-03-30 22:34:09.289616 [1328/0x1dd47e0] flom_tls_init: calling SSL_load_error_strings()...
2016-03-30 22:34:09.289912 [1328/0x1dd47e0] flom_tls_init: calling OpenSSL_add_all_algorithms()...
2016-03-30 22:34:09.289976 [1328/0x1dd47e0] flom_tls_context
2016-03-30 22:34:09.289980 [1328/0x1dd47e0] flom_tls_context: setting TLS/SSL method to TLSv1_server_method()
2016-03-30 22:34:09.290094 [1328/0x1dd47e0] flom_tls_context: SSL_CTX_set_verify(0x1dfe890, 3, flom_tls_callback)
2016-03-30 22:34:09.290099 [1328/0x1dd47e0] flom_tls_context/excp=2/ret_cod=0/errno=22
2016-03-30 22:34:09.290102 [1328/0x1dd47e0] flom_tls_set_cert
2016-03-30 22:34:09.290113 [1328/0x1dd47e0] flom_tls_set_cert: SSL_CTX_use_certificate_file(obj->ctx, '/tmp/flom_ssl/node1_cert.pem', SSL_FILETYPE_PEM)
2016-03-30 22:34:09.290175 [1328/0x1dd47e0] flom_tls_set_cert: SSL_CTX_use_PrivateKey_file(obj->ctx, '/tmp/flom_ssl/node1_key.pem', SSL_FILETYPE_PEM)
2016-03-30 22:34:09.290198 [1328/0x1dd47e0] flom_tls_set_cert: SSL_CTX_check_private_key(obj->ctx)
2016-03-30 22:34:09.290202 [1328/0x1dd47e0] flom_tls_set_cert: SSL_CTX_load_verify_locations(obj->ctx, '/tmp/flom_ssl/cacert.pem', NULL)
2016-03-30 22:34:09.290236 [1328/0x1dd47e0] flom_tls_set_cert/excp=4/ret_cod=0/errno=22
2016-03-30 22:34:09.290240 [1328/0x1dd47e0] flom_tls_accept
2016-03-30 22:34:09.290242 [1328/0x1dd47e0] flom_tls_prepare
2016-03-30 22:34:09.290250 [1328/0x1dd47e0] flom_tls_prepare/excp=3/ret_cod=0/errno=22
2016-03-30 22:34:09.291072 [1328/0x1dd47e0] flom_tls_callback: preverify_ok=1
2016-03-30 22:34:09.291077 [1328/0x1dd47e0] flom_tls_callback: ret_cod=1
2016-03-30 22:34:09.291116 [1328/0x1dd47e0] flom_tls_callback: preverify_ok=1
2016-03-30 22:34:09.291119 [1328/0x1dd47e0] flom_tls_callback: ret_cod=1
2016-03-30 22:34:09.291723 [1328/0x1dd47e0] flom_tls_accepted: connection accepted with AES256-SHA encryption
2016-03-30 22:34:09.291729 [1328/0x1dd47e0] flom_tls_cert_parse
...
2016-03-30 22:34:09.291757 [1328/0x1dd47e0] flom_tls_cert_parse: issuer fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
...
2016-03-30 22:34:09.291812 [1328/0x1dd47e0] flom_tls_cert_parse: subject fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=91ed6d1ed76c5773c7503d285679b33b
2016-03-30 22:34:09.291835 [1328/0x1dd47e0] flom_tls_cert_parse/excp=4/ret_cod=0/errno=0
2016-03-30 22:34:09.291838 [1328/0x1dd47e0] flom_tls_accept/excp=3/ret_cod=0/errno=0
2016-03-30 22:34:09.296746 [1328/0x1dd47e0] flom_tls_recv
2016-03-30 22:34:09.296768 [1328/0x1dd47e0] flom_tls_recv: received 203 of 512 bytes
2016-03-30 22:34:09.296770 [1328/0x1dd47e0] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-30 22:34:09.296845 [1328/0x1dd47e0] flom_tls_cert_check
2016-03-30 22:34:09.296848 [1328/0x1dd47e0] flom_tls_cert_check: peer address='192.168.122.57/34104', CN='91ed6d1ed76c5773c7503d285679b33b', peer unique ID='91ed6d1ed76c5773c7503d285679b33b'
2016-03-30 22:34:09.296874 [1328/0x1dd47e0] flom_tls_cert_check/excp=2/ret_cod=0/errno=0
2016-03-30 22:34:09.296964 [1328/0x1e16e80] flom_tcp_init
2016-03-30 22:34:09.296973 [1328/0x1e16e80] flom_tcp_init
2016-03-30 22:34:09.297011 [1328/0x1e16e80] flom_tls_send
2016-03-30 22:34:09.297038 [1328/0x1e16e80] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-30 22:34:09.298076 [1328/0x1e16e80] flom_tls_recv
2016-03-30 22:34:09.298095 [1328/0x1e16e80] flom_tls_recv: received 109 of 512 bytes
2016-03-30 22:34:09.298098 [1328/0x1e16e80] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-30 22:34:09.298111 [1328/0x1e16e80] flom_tls_recv
2016-03-30 22:34:09.298116 [1328/0x1e16e80] flom_tls_recv/SSL_read: SSL error=5 (SSL_ERROR_SYSCALL)
2016-03-30 22:34:09.298119 [1328/0x1e16e80] flom_tls_recv/excp=0/ret_cod=-409/errno=0
2016-03-30 22:34:09.298122 [1328/0x1e16e80] flom_tcp_close
2016-03-30 22:34:09.298130 [1328/0x1e16e80] flom_tcp_close/excp=1/ret_cod=0/errno=0
2016-03-30 22:35:20.850504 [1328/0x1dd47e0] flom_tcp_init
2016-03-30 22:35:20.850549 [1328/0x1dd47e0] flom_tcp_init
2016-03-30 22:35:20.850563 [1328/0x1dd47e0] flom_tls_context
2016-03-30 22:35:20.850569 [1328/0x1dd47e0] flom_tls_context: setting TLS/SSL method to TLSv1_server_method()
2016-03-30 22:35:20.850633 [1328/0x1dd47e0] flom_tls_context: SSL_CTX_set_verify(0x1e005b0, 3, flom_tls_callback)
2016-03-30 22:35:20.850642 [1328/0x1dd47e0] flom_tls_context/excp=2/ret_cod=0/errno=0
2016-03-30 22:35:20.850649 [1328/0x1dd47e0] flom_tls_set_cert
2016-03-30 22:35:20.850655 [1328/0x1dd47e0] flom_tls_set_cert: SSL_CTX_use_certificate_file(obj->ctx, '/tmp/flom_ssl/node1_cert.pem', SSL_FILETYPE_PEM)
2016-03-30 22:35:20.850821 [1328/0x1dd47e0] flom_tls_set_cert: SSL_CTX_use_PrivateKey_file(obj->ctx, '/tmp/flom_ssl/node1_key.pem', SSL_FILETYPE_PEM)
2016-03-30 22:35:20.850883 [1328/0x1dd47e0] flom_tls_set_cert: SSL_CTX_check_private_key(obj->ctx)
2016-03-30 22:35:20.850894 [1328/0x1dd47e0] flom_tls_set_cert: SSL_CTX_load_verify_locations(obj->ctx, '/tmp/flom_ssl/cacert.pem', NULL)
2016-03-30 22:35:20.850992 [1328/0x1dd47e0] flom_tls_set_cert/excp=4/ret_cod=0/errno=0
2016-03-30 22:35:20.851012 [1328/0x1dd47e0] flom_tls_accept
2016-03-30 22:35:20.851018 [1328/0x1dd47e0] flom_tls_prepare
2016-03-30 22:35:20.851032 [1328/0x1dd47e0] flom_tls_prepare/excp=3/ret_cod=0/errno=0
2016-03-30 22:35:20.857662 [1328/0x1dd47e0] flom_tls_callback: preverify_ok=1
2016-03-30 22:35:20.857685 [1328/0x1dd47e0] flom_tls_callback: ret_cod=1
2016-03-30 22:35:20.857799 [1328/0x1dd47e0] flom_tls_callback: preverify_ok=1
2016-03-30 22:35:20.857806 [1328/0x1dd47e0] flom_tls_callback: ret_cod=1
2016-03-30 22:35:20.859250 [1328/0x1dd47e0] flom_tls_accepted: connection accepted with AES256-SHA encryption
2016-03-30 22:35:20.859269 [1328/0x1dd47e0] flom_tls_cert_parse
...
2016-03-30 22:35:20.859348 [1328/0x1dd47e0] flom_tls_cert_parse: issuer fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
...
2016-03-30 22:35:20.859565 [1328/0x1dd47e0] flom_tls_cert_parse: subject fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=6046574205df4258aeb409bf377235e0
2016-03-30 22:35:20.859698 [1328/0x1dd47e0] flom_tls_cert_parse/excp=4/ret_cod=0/errno=0
2016-03-30 22:35:20.859714 [1328/0x1dd47e0] flom_tls_accept/excp=3/ret_cod=0/errno=0
2016-03-30 22:35:20.859733 [1328/0x1e16e80] flom_tcp_close
2016-03-30 22:35:20.859746 [1328/0x1e16e80] flom_tcp_close/excp=1/ret_cod=0/errno=0
2016-03-30 22:35:20.861834 [1328/0x1dd47e0] flom_tls_recv
2016-03-30 22:35:20.861901 [1328/0x1dd47e0] flom_tls_recv: received 203 of 512 bytes
2016-03-30 22:35:20.861912 [1328/0x1dd47e0] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-30 22:35:20.862027 [1328/0x1dd47e0] flom_tls_cert_check
2016-03-30 22:35:20.862041 [1328/0x1dd47e0] flom_tls_cert_check: peer address='192.168.122.12/46047', CN='6046574205df4258aeb409bf377235e0', peer unique ID='6046574205df4258aeb409bf377235e0'
2016-03-30 22:35:20.862083 [1328/0x1dd47e0] flom_tls_cert_check/excp=2/ret_cod=0/errno=0
2016-03-30 22:35:20.862185 [1328/0x1e1aa20] flom_tcp_init
2016-03-30 22:35:20.862208 [1328/0x1e1aa20] flom_tcp_init
2016-03-30 22:35:20.862243 [1328/0x1e1aa20] flom_tls_send
2016-03-30 22:35:20.862277 [1328/0x1e1aa20] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-30 22:35:20.868052 [1328/0x1e1aa20] flom_tls_recv
2016-03-30 22:35:20.868105 [1328/0x1e1aa20] flom_tls_recv: received 109 of 512 bytes
2016-03-30 22:35:20.868110 [1328/0x1e1aa20] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-30 22:35:20.868131 [1328/0x1e1aa20] flom_tls_recv
2016-03-30 22:35:20.868139 [1328/0x1e1aa20] flom_tls_recv/SSL_read: SSL error=5 (SSL_ERROR_SYSCALL)
2016-03-30 22:35:20.868143 [1328/0x1e1aa20] flom_tls_recv/excp=0/ret_cod=-409/errno=0
2016-03-30 22:35:20.868147 [1328/0x1e1aa20] flom_tcp_close
2016-03-30 22:35:20.868176 [1328/0x1e1aa20] flom_tcp_close/excp=1/ret_cod=0/errno=0
This is the command to start a FLoM client using TLS on node2:
[tiian@centos71-64 ~]$ export FLOM_TRACE_MASK=0x60000
[tiian@centos71-64 ~]$ echo $FLOM_TRACE_MASK
0x60000
[tiian@centos71-64 ~]$ flom -a ubuntu1004.brenta.org --tls-certificate=/tmp/flom_ssl/node2_cert.pem --tls-private-key=/tmp/flom_ssl/node2_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=yes -- echo 'Hello world!'
2016-03-30 22:35:20.437307 [2128/0x10f7400] flom_tcp_init
2016-03-30 22:35:20.437516 [2128/0x10f7400] flom_tcp_init
2016-03-30 22:35:20.437526 [2128/0x10f7400] flom_tcp_connect
2016-03-30 22:35:20.437531 [2128/0x10f7400] flom_tcp_connect: connecting to address 'ubuntu1004.brenta.org' and port 28015
2016-03-30 22:35:20.440578 [2128/0x10f7400] flom_tcp_connect/getaddrinfo(): [ai_flags=2,ai_family=2,ai_socktype=1,ai_protocol=6,ai_addrlen=16,ai_canonname='ubuntu1004.brenta.org'] [ai_flags=2,ai_family=10,ai_socktype=1,ai_protocol=6,ai_addrlen=28,ai_canonname='{null}']
2016-03-30 22:35:20.440609 [2128/0x10f7400] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:35:20.441464 [2128/0x10f7400] flom_tcp_try_connect: sa addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:35:20.442064 [2128/0x10f7400] flom_tcp_connect: domain=2, sockfd=3, socket_type=16, addrlen=0
2016-03-30 22:35:20.442085 [2128/0x10f7400] flom_tcp_connect: addrlen=16; IPv4 address, sin_port=28015, sin_addr='192.168.122.57'
2016-03-30 22:35:20.442113 [2128/0x10f7400] flom_tcp_connect/excp=2/ret_cod=0/errno=22
2016-03-30 22:35:20.442132 [2128/0x10f7400] flom_tls_init: calling SSL_library_init()...
2016-03-30 22:35:20.442360 [2128/0x10f7400] flom_tls_init: calling SSL_load_error_strings()...
2016-03-30 22:35:20.444896 [2128/0x10f7400] flom_tls_init: calling OpenSSL_add_all_algorithms()...
2016-03-30 22:35:20.445041 [2128/0x10f7400] flom_tls_context
2016-03-30 22:35:20.445046 [2128/0x10f7400] flom_tls_context: setting TLS/SSL method to TLSv1_client_method()
2016-03-30 22:35:20.445448 [2128/0x10f7400] flom_tls_context: SSL_CTX_set_verify(0x1117210, 1, flom_tls_callback)
2016-03-30 22:35:20.445466 [2128/0x10f7400] flom_tls_context/excp=2/ret_cod=0/errno=22
2016-03-30 22:35:20.445473 [2128/0x10f7400] flom_tls_set_cert
2016-03-30 22:35:20.445478 [2128/0x10f7400] flom_tls_set_cert: SSL_CTX_use_certificate_file(obj->ctx, '/tmp/flom_ssl/node2_cert.pem', SSL_FILETYPE_PEM)
2016-03-30 22:35:20.445765 [2128/0x10f7400] flom_tls_set_cert: SSL_CTX_use_PrivateKey_file(obj->ctx, '/tmp/flom_ssl/node2_key.pem', SSL_FILETYPE_PEM)
2016-03-30 22:35:20.445865 [2128/0x10f7400] flom_tls_set_cert: SSL_CTX_check_private_key(obj->ctx)
2016-03-30 22:35:20.445879 [2128/0x10f7400] flom_tls_set_cert: SSL_CTX_load_verify_locations(obj->ctx, '/tmp/flom_ssl/cacert.pem', NULL)
2016-03-30 22:35:20.446031 [2128/0x10f7400] flom_tls_set_cert/excp=4/ret_cod=0/errno=22
2016-03-30 22:35:20.446042 [2128/0x10f7400] flom_tls_connect
2016-03-30 22:35:20.446047 [2128/0x10f7400] flom_tls_prepare
2016-03-30 22:35:20.446077 [2128/0x10f7400] flom_tls_prepare/excp=3/ret_cod=0/errno=22
2016-03-30 22:35:20.447251 [2128/0x10f7400] flom_tls_callback: preverify_ok=1
2016-03-30 22:35:20.447271 [2128/0x10f7400] flom_tls_callback: ret_cod=1
2016-03-30 22:35:20.447397 [2128/0x10f7400] flom_tls_callback: preverify_ok=1
2016-03-30 22:35:20.447404 [2128/0x10f7400] flom_tls_callback: ret_cod=1
2016-03-30 22:35:20.451310 [2128/0x10f7400] flom_tls_connect: connection established with AES256-SHA encryption
2016-03-30 22:35:20.451332 [2128/0x10f7400] flom_tls_cert_parse
...
2016-03-30 22:35:20.451409 [2128/0x10f7400] flom_tls_cert_parse: issuer fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
...
2016-03-30 22:35:20.452848 [2128/0x10f7400] flom_tls_cert_parse: subject fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=91ed6d1ed76c5773c7503d285679b33b
2016-03-30 22:35:20.452881 [2128/0x10f7400] flom_tls_cert_parse/excp=4/ret_cod=0/errno=0
2016-03-30 22:35:20.452888 [2128/0x10f7400] flom_tls_connect/excp=3/ret_cod=0/errno=0
2016-03-30 22:35:20.453484 [2128/0x10f7400] flom_tls_send
2016-03-30 22:35:20.453520 [2128/0x10f7400] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-30 22:35:20.453529 [2128/0x10f7400] flom_tls_recv
2016-03-30 22:35:20.454197 [2128/0x10f7400] flom_tls_recv: received 147 of 1024 bytes
2016-03-30 22:35:20.454211 [2128/0x10f7400] flom_tls_recv/excp=1/ret_cod=0/errno=0
2016-03-30 22:35:20.454274 [2128/0x10f7400] flom_tls_cert_check
2016-03-30 22:35:20.454278 [2128/0x10f7400] flom_tls_cert_check: peer address='192.168.122.57/28015', CN='91ed6d1ed76c5773c7503d285679b33b', peer unique ID='91ed6d1ed76c5773c7503d285679b33b'
2016-03-30 22:35:20.454287 [2128/0x10f7400] flom_tls_cert_check/excp=2/ret_cod=0/errno=0
Hello world!
2016-03-30 22:35:20.459688 [2128/0x10f7400] flom_tls_send
2016-03-30 22:35:20.459727 [2128/0x10f7400] flom_tls_send/excp=2/ret_cod=0/errno=0
2016-03-30 22:35:20.460018 [2128/0x10f7400] flom_tcp_close
2016-03-30 22:35:20.460037 [2128/0x10f7400] flom_tcp_close/excp=1/ret_cod=0/errno=107
Remove the trace mask, kill the old daemon, then restart the daemon on node1:
tiian@ubuntu1004:~$ pkill flom
tiian@ubuntu1004:~$ pgrep flom
tiian@ubuntu1004:~$ unset FLOM_TRACE_MASK
tiian@ubuntu1004:~$ flom -a ubuntu1004.brenta.org --daemon-trace-file=/tmp/flom-daemon.trc --tls-certificate=/tmp/flom_ssl/node1_cert.pem --tls-private-key=/tmp/flom_ssl/node1_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=yes -d -1 -- true
tiian@ubuntu1004:~$ pgrep flom
1382
Remove the trace mask, then restart the client on node2:
[tiian@centos71-64 ~]$ unset FLOM_TRACE_MASK
[tiian@centos71-64 ~]$ flom -a ubuntu1004.brenta.org --tls-certificate=/tmp/flom_ssl/node2_cert.pem --tls-private-key=/tmp/flom_ssl/node2_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=yes -- echo 'Hello world!'
Hello world!
A more convenient way to set up all the TLS parameters is to use a FLoM [Configuration] file; these are the keys you have to customize:
[TLS]
# Name of the file that contains the X.509 certificate assigned to this peer
# (Uncomment below row if necessary)
#TlsCertificate=cert.pem
# Name of the file that contains the private key of this peer
# (Uncomment below row if necessary)
#TlsPrivateKey=priv_key.pem
# Name of the file that contains the X.509 certificate of the certification
# authority used to sign the certificate of this peer
# (Uncomment below row if necessary)
#TlsCaCertificate=ca_cert.pem
# Check if the CommonName (CN) of the peer certificate matches the peer unique
# identifier; valid values are "yes" and "no" (case insensitive)
# (Uncomment below row if necessary)
#TlsCheckPeerId=yes
Both client and server write logging messages to the system log.
On the server side (node1):
tiian@ubuntu1004:~$ sudo tail /var/log/syslog
Mar 30 22:41:06 ubuntu1004 flom[1382]: FLM014I peer '192.168.122.57/34106' with unique ID '91ed6d1ed76c5773c7503d285679b33b' was authenticated using CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
Mar 30 22:41:06 ubuntu1004 flom: FLM016I the serving peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 16
Mar 30 22:41:06 ubuntu1004 flom: FLM014I peer '192.168.122.57/28015' with unique ID '91ed6d1ed76c5773c7503d285679b33b' was authenticated using CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=6046574205df4258aeb409bf377235e0
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM015I a connecting peer sent id '6046574205df4258aeb409bf377235e0' for verb 1 and step 8
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM014I peer '192.168.122.12/46048' with unique ID '6046574205df4258aeb409bf377235e0' was authenticated using CN field '6046574205df4258aeb409bf377235e0' inside the presented X.509 certificate
These messages relate to the connection incoming from node2:
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=6046574205df4258aeb409bf377235e0
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM015I a connecting peer sent id '6046574205df4258aeb409bf377235e0' for verb 1 and step 8
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM014I peer '192.168.122.12/46048' with unique ID '6046574205df4258aeb409bf377235e0' was authenticated using CN field '6046574205df4258aeb409bf377235e0' inside the presented X.509 certificate
On the client side (node2), these are the corresponding messages:
[tiian@centos71-64 ~]$ sudo tail /var/log/messages
[sudo] password for tiian:
Mar 30 22:41:36 centos71-64 flom: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
Mar 30 22:41:36 centos71-64 flom: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=91ed6d1ed76c5773c7503d285679b33b
Mar 30 22:41:36 centos71-64 flom: FLM016I the serving peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 16
Mar 30 22:41:36 centos71-64 flom: FLM014I peer '192.168.122.57/28015' with unique ID '91ed6d1ed76c5773c7503d285679b33b' was authenticated using CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
From the above logs:
both nodes sent their own identity, and each identity was verified against the CN of the presented certificate because of the command line option --tls-check-peer-id=yes.
To see what happens when a peer uses a wrong certificate, copy node2's certificate and private key into the local directory used by node1:
tiian@ubuntu1004:~/flom_ssl/CA2$ cp node2_cert.pem node2_key.pem /tmp/flom_ssl/
tiian@ubuntu1004:~/flom_ssl/CA2$ ls -la /tmp/flom_ssl/
total 28
drwxr-xr-x 2 tiian tiian 4096 2016-03-30 22:49 .
drwxrwxrwt 5 root root 4096 2016-03-30 22:34 ..
-rw-r--r-- 1 tiian tiian 1424 2016-03-30 22:25 cacert.pem
-rw-r--r-- 1 tiian tiian 3433 2016-03-30 22:25 node1_cert.pem
-rw-r--r-- 1 tiian tiian 887 2016-03-30 22:25 node1_key.pem
-rw-r--r-- 1 tiian tiian 3433 2016-03-30 22:49 node2_cert.pem
-rw-r--r-- 1 tiian tiian 891 2016-03-30 22:49 node2_key.pem
Restart the server on node1 using the wrong certificate:
tiian@ubuntu1004:~/flom_ssl/CA2$ pkill flom
tiian@ubuntu1004:~/flom_ssl/CA2$ pgrep flom
tiian@ubuntu1004:~/flom_ssl/CA2$ flom -a ubuntu1004.brenta.org --daemon-trace-file=/tmp/flom-daemon.trc --tls-certificate=/tmp/flom_ssl/node2_cert.pem --tls-private-key=/tmp/flom_ssl/node2_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=yes -d -1 -- true
flom_client_lock: ret_cod=-409 (ERROR: 'OpenSSL SSL_read' function returned an error)
tiian@ubuntu1004:~/flom_ssl/CA2$ pgrep flom
1562
Check the syslog content:
tiian@ubuntu1004:~/flom_ssl/CA2$ sudo tail /var/log/syslog
Mar 30 22:50:36 ubuntu1004 flom[1562]: FLM001I this process is activating a network FLoM daemon listening TCP/IP socket ubuntu1004.brenta.org/28015
Mar 30 22:50:36 ubuntu1004 flom[1562]: FLM003N FLoM daemon is ready to serve incoming requests
Mar 30 22:50:36 ubuntu1004 flom: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
Mar 30 22:50:36 ubuntu1004 flom: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=6046574205df4258aeb409bf377235e0
Mar 30 22:50:36 ubuntu1004 flom[1562]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
Mar 30 22:50:36 ubuntu1004 flom[1562]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=6046574205df4258aeb409bf377235e0
Mar 30 22:50:36 ubuntu1004 flom[1562]: FLM015I a connecting peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 8
Mar 30 22:50:36 ubuntu1004 flom[1562]: FLM013E peer '192.168.122.57/34108' sent unique ID '91ed6d1ed76c5773c7503d285679b33b' that does not match che CN field '6046574205df4258aeb409bf377235e0' inside the presented X.509 certificate
The result is a running server with process ID 1562, but no client will accept its services because the CN of the certificate it presents does not match its node unique ID:
Mar 30 22:50:36 ubuntu1004 flom[1562]: FLM013E peer '192.168.122.57/34108' sent unique ID '91ed6d1ed76c5773c7503d285679b33b' that does not match che CN field '6046574205df4258aeb409bf377235e0' inside the presented X.509 certificate
A FLoM daemon is activated inside the process to create a dummy lock:
tiian@ubuntu1004:~/flom_ssl/CA2$ flom -a ubuntu1004.brenta.org ... -d -1 -- true
means:
This type of daemon activation is useful to check whether the daemon can be reached.
Copy the certificate of node1 on node2:
tiian@ubuntu1004:~/flom_ssl/CA2$ scp node1_cert.pem node1_key.pem tiian@centos71-64.brenta.org:/tmp/flom_ssl/
Enter passphrase for key '/home/tiian/.ssh/id_rsa':
node1_cert.pem 100% 3433 3.4KB/s 00:00
node1_key.pem 100% 887 0.9KB/s 00:00
Restart the server on node1, with the right certificate:
tiian@ubuntu1004:~/flom_ssl/CA2$ pkill flom
tiian@ubuntu1004:~/flom_ssl/CA2$ pgrep flom
tiian@ubuntu1004:~/flom_ssl/CA2$ flom -a ubuntu1004.brenta.org --daemon-trace-file=/tmp/flom-daemon.trc --tls-certificate=/tmp/flom_ssl/node1_cert.pem --tls-private-key=/tmp/flom_ssl/node1_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=yes -d -1 -- true
tiian@ubuntu1004:~/flom_ssl/CA2$ pgrep flom
1667
Activate the client on node2, with the wrong certificate:
[tiian@centos71-64 ~]$ flom -a ubuntu1004.brenta.org --tls-certificate=/tmp/flom_ssl/node1_cert.pem --tls-private-key=/tmp/flom_ssl/node1_key.pem --tls-ca-certificate=/tmp/flom_ssl/cacert.pem --tls-check-peer-id=yes -- echo 'Hello world!'
flom_client_lock: ret_cod=-409 (ERROR: 'OpenSSL SSL_read' function returned an error)
This is the content of the syslog of node1 (server):
tiian@ubuntu1004:~/flom_ssl/CA2$ sudo tail /var/log/syslog
Mar 30 23:01:04 ubuntu1004 flom[1667]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
Mar 30 23:01:04 ubuntu1004 flom[1667]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=91ed6d1ed76c5773c7503d285679b33b
Mar 30 23:01:04 ubuntu1004 flom[1667]: FLM015I a connecting peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 8
Mar 30 23:01:04 ubuntu1004 flom[1667]: FLM014I peer '192.168.122.57/34111' with unique ID '91ed6d1ed76c5773c7503d285679b33b' was authenticated using CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
Mar 30 23:01:04 ubuntu1004 flom: FLM016I the serving peer sent id '91ed6d1ed76c5773c7503d285679b33b' for verb 1 and step 16
Mar 30 23:01:04 ubuntu1004 flom: FLM014I peer '192.168.122.57/28015' with unique ID '91ed6d1ed76c5773c7503d285679b33b' was authenticated using CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
Mar 30 23:01:56 ubuntu1004 flom[1667]: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
Mar 30 23:01:56 ubuntu1004 flom[1667]: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=91ed6d1ed76c5773c7503d285679b33b
Mar 30 23:01:56 ubuntu1004 flom[1667]: FLM015I a connecting peer sent id '6046574205df4258aeb409bf377235e0' for verb 1 and step 8
Mar 30 23:01:56 ubuntu1004 flom[1667]: FLM013E peer '192.168.122.12/46049' sent unique ID '6046574205df4258aeb409bf377235e0' that does not match che CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
This message is the symptom of a client-side certificate issue:
Mar 30 23:01:56 ubuntu1004 flom[1667]: FLM013E peer '192.168.122.12/46049' sent unique ID '6046574205df4258aeb409bf377235e0' that does not match che CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
This is the content of the syslog of node2 (client):
[tiian@centos71-64 ~]$ sudo tail /var/log/messages
Mar 30 23:03:45 centos71-64 flom: FLM011I X.509 CA certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=CA for FLoM Mutual Authentication
Mar 30 23:03:45 centos71-64 flom: FLM012I X.509 peer certificate fields are C=IT/ST=Treviso/L=Mogliano Veneto/O=FLoM Software Corporation/OU=Development and Research/emailAddress={null}/CN=91ed6d1ed76c5773c7503d285679b33b
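To make the FLM014I/FLM013E syslog messages shown above actionable, here is an added Python example (not part of FLoM or of this page) that parses them, flags every peer whose unique ID did not match the CN of its certificate, and, when that CN was earlier authenticated from another host, names the node the certificate really belongs to (the "wrong certificate copied" case demonstrated above). The sample lines are constructed from the messages on this page.

```python
import re
from collections import namedtuple

# Constructed sample, modelled on the FLM014I/FLM013E lines shown on this page.
SAMPLE_SYSLOG = """\
Mar 30 22:41:37 ubuntu1004 flom[1382]: FLM014I peer '192.168.122.12/46048' with unique ID '6046574205df4258aeb409bf377235e0' was authenticated using CN field '6046574205df4258aeb409bf377235e0' inside the presented X.509 certificate
Mar 30 23:01:04 ubuntu1004 flom[1667]: FLM014I peer '192.168.122.57/34111' with unique ID '91ed6d1ed76c5773c7503d285679b33b' was authenticated using CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
Mar 30 23:01:56 ubuntu1004 flom[1667]: FLM013E peer '192.168.122.12/46049' sent unique ID '6046574205df4258aeb409bf377235e0' that does not match che CN field '91ed6d1ed76c5773c7503d285679b33b' inside the presented X.509 certificate
"""

Event = namedtuple("Event", "ok host uid cn")

# FLM014I: unique ID and CN agree.  FLM013E: they differ.  The word before
# "CN field" is matched loosely (\w+) because the message reads "che" on this page.
_LINE_RE = re.compile(
    r"FLM01(?P<code>3E|4I) peer '(?P<host>[^/']+)/\d+' "
    r"(?:with|sent) unique ID '(?P<uid>[0-9a-f]+)' "
    r"(?:was authenticated using|that does not match \w+) CN field '(?P<cn>[0-9a-f]+)'"
)


def parse_peer_auth(syslog_text):
    """Return one Event per FLM014I/FLM013E line, in file order."""
    events = []
    for line in syslog_text.splitlines():
        m = _LINE_RE.search(line)
        if m:
            events.append(Event(m["code"] == "4I", m["host"], m["uid"], m["cn"]))
    return events


def find_mismatches(events):
    """For every FLM013E, report the offending host and, when the presented CN
    was authenticated from another host, the node that certificate belongs to."""
    owner_of_cn = {e.cn: e.host for e in events if e.ok}
    report = []
    for e in events:
        if not e.ok:
            report.append({"host": e.host, "claimed_id": e.uid, "cert_cn": e.cn,
                           "cert_owner": owner_of_cn.get(e.cn)})
    return report


if __name__ == "__main__":
    for entry in find_mismatches(parse_peer_auth(SAMPLE_SYSLOG)):
        print(entry)
```

Run it against `tail /var/log/syslog` output on the serving node; a non-empty report means a peer is presenting a certificate issued for a different unique ID.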
With mutual authentication you can set up a network of FLoM nodes that:
Mutual Authentication configuration requires, for every node:
Wiki: Channel Encryption
Wiki: Configuration
Wiki: Mutual Authentication Debug
Wiki: Security