
#2630 net-snmp-5.7.3 SHA256 failed

Labels: linux
Status: invalid
Priority: 5
Updated: 2018-04-11
Created: 2015-05-15
Private: No


SNMP over TLS with a SHA1 certificate works fine in 5.7.3. I upgraded net-snmp to 5.7.3 for SHA256 support, but the snmpd daemon shows the error:

"error finding server identity keys"

Command:

snmpget -v 3 --defSecurityModel=tsm -u joecool -l authPriv -T our_identity=manager -T their_identity=snmpd tlstcp:192.168.1.125:10161 sysContact.0

tlstcp: failed to ssl_connect
snmpget: Unknown host (tlstcp:192.168.1.125:10161)

The snmpd daemon throws the error:

TLSTCP: Failed to create a SSL BIO

The configuration in snmpd.conf is shown below:

master agentx
agentXTimeout 100
[snmp] localCert 0D:C1:CA:B7:2A:83:5E:43:42:1E:A1:0D:07:2C:97:2B:B5:75:20:2B
rwcommunity public
certSecName 10 9A:C9:59:BC:A8:C4:C1:01:4B:6F:0E:57:CB:3E:3E:6E:AD:08:E0:9E --cn
rwuser -s tsm "joecool"

The detailed error log is given below:

snmpd -f -Lo -C -c /usr/share/snmp/snmpd.conf -Dtsm,dtls,openssl,cert tlstcp:10161 dtlsudp:10161 udp:161

Turning on AgentX master support.
cert:util:config: parsing 10 9A:C9:59:BC:A8:C4:C1:01:4B:6F:0E:57:CB:3E:3E:6E:AD:08:E0:9E --cn
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 3196293592
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 3196293592
cert:find:params: hint = 9A:C9:59:BC:A8:C4:C1:01:4B:6F:0E:57:CB:3E:3E:6E:AD:08:E0:9E
cert:find:params: looking for remote_peer(2) in FILE(0x1), hint 3196293592
cert:find:params: hint = 9A:C9:59:BC:A8:C4:C1:01:4B:6F:0E:57:CB:3E:3E:6E:AD:08:E0:9E
cert:map:add: pri 10, fp 9ac959bca8c4c1014b6f0e57cb3e3e6ead08e09e
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 234144
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 234144
cert:find:params: hint = 0D:C1:CA:B7:2A:83:5E:43:42:1E:A1:0D:07:2C:97:2B:B5:75:20:2B
cert:find:params: looking for identity(1) in FILE(0x1), hint 234144
cert:find:params: hint = 0D:C1:CA:B7:2A:83:5E:43:42:1E:A1:0D:07:2C:97:2B:B5:75:20:2B
error finding server identity keys
dtlsudp: netsnmp_dtlsudp_transport(): transports/snmpDTLSUDPDomain.c, 1421:
A SNMP version other than 3 was requested with (D)TLS; using 3 anyways
tsm: TSM: Reached our session initialization callback
NET-SNMP version 5.7.3

Discussion

  • Wes Hardaker

    Wes Hardaker - 2015-07-06
     
  • Robert Story

    Robert Story - 2015-07-06

    (copied from 2632)

    I just tried it, and it works for me in trunk. One thing I found was that net-snmp-cert dumps sha1 fingerprints, and apparently the code looks for a sha256 fingerprint. Run the agent with -Dcert,9:cert and it will dump all the certs found along with their fingerprints, which you can copy into your snmpd.conf. e.g.

    cert:dump: -------------------- Certificates -----------------
    cert:dump: cert snmpd.crt in /home/rs/.snmp/tls/certs
    cert:dump: type 1 flags 0x3 (identity+remote_peer)
    9:cert:dump: subject: /C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=tp.int.futz.org/emailAddress=admin@net-snmp.org
    9:cert:dump: issuer: self-signed
    9:cert:dump: fingerprint: sha256(4):3ba2e6ba44d93c914b8f77b4a7cac6e2c15d5c8eda9704611f89ebb43b7e
    9:cert:dump: 0: basicConstraints = CA:FALSE
    9:cert:dump: 1: subjectKeyIdentifier = AD:EF:85:92:57:93:20:82:A2:3A:5B:08:80:5C:99:9F:61:F4:97:7E
    9:cert:dump: 2: authorityKeyIdentifier = keyid:AD:EF:85:92:57:93:20:82:A2:3A:5B:08:80:5C:99:9F:61:F4:97:7E
    9:cert:dump: DirName:/C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=tp.int.futz.org/emailAddress=admin@net-snmp.org
    9:cert:dump: serial:B5:BB:E3:AF:D9:40:AA:CF
    9:cert:dump: 3: subjectAltName = DNS:test.net-snmp.org
    cert:dump: ------------------------ End ----------------------
    tlstcp: listening on tlstcp port 0.0.0.0:10161
    cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
    cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 9932400
    cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 9932400
    cert:find:params: hint = 3ba2e6ba44d93c914b8f77b4a7cac6e2c15d5c8eda9704611f89ebb43b7e
    cert:find:found: using cert snmpd.crt / 3ba2e6ba44d93c914b8f77b4a7cac6e2c15d5c8eda9704611f89ebb43b7e for identity(1) (uses=identity+remote_peer (3))
    cert:find:found: using cert snmpd.crt / 3ba2e6ba44d93c914b8f77b4a7cac6e2c15d5c8eda9704611f89ebb43b7e for identity(1) (uses=identity+remote_peer (3))

    If that doesn't work for you, please re-open....

     
  • Robert Story

    Robert Story - 2015-07-06
    • status: open --> invalid
    • assigned_to: Robert Story
     
    • Jozo Cibir

      Jozo Cibir - 2016-02-19

      It seems that this bug is valid - can you please re-open it?
      Namely, I have tested this with several SHA256 certificates and consistently confirmed that Net-SNMP agent 5.7.3 does not work correctly with them (while SHA-1 certificates do work).

      When the "9:cert" debug token is used, the agent sometimes truncates the 32-byte SHA-256 fingerprint to 30 bytes of output and sometimes does not, but in neither case does the SNMP communication work.
      It seems the agent cannot locate the certificate (joesha256.crt) from the SHA-256 fingerprint, as shown below. Openssl version on the system is: OpenSSL 1.0.1e-fips 11 Feb 2013

      FULL DETAILS BELOW:

      Running agent in debug mode: snmpd -f -Le -Dtsm,dtls,tls,openssl,cert,9:cert
      ....

      9:cert:subset:found: 1 matches
      cert:partner: snmpd.crt match found!
      cert:key:read: Checking file snmpd.key
      cert:dump: -------------------- Certificates -----------------
      cert:dump: cert joesha256.crt in /usr/local/share/snmp/tls/certs
      cert:dump: type 1 flags 0x2 (remote_peer)
      9:cert:dump: subject: /CN=joesha256/OU=test/O=mytest.org/L=testcity/ST=ca/C=us
      9:cert:dump: issuer: self-signed
      9:cert:dump: fingerprint: sha256(4):255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a9536e6a
      9:cert:dump: 0: subjectKeyIdentifier = 43:B8:0B:DC:13:B5:B7:FB:C1:A8:A1:31:55:5C:CF:B2:36:BB:1B:38
      cert:dump: cert snmpd.crt in /usr/local/share/snmp/tls/certs
      cert:dump: type 1 flags 0x3 (identity+remote_peer)
      9:cert:dump: subject: /C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=snmpd.mytest.org/emailAddress=admin@net-snmp.org
      9:cert:dump: issuer: self-signed
      9:cert:dump: fingerprint: sha1(2):62527d722da7d05b66c3560a04602e9775902677
      9:cert:dump: 0: basicConstraints = CA:FALSE
      9:cert:dump: 1: subjectKeyIdentifier = 77:F8:E4:8A:B6:5E:F4:84:09:B2:CF:05:30:7A:41:45:9B:01:36:F1
      9:cert:dump: 2: authorityKeyIdentifier = keyid:77:F8:E4:8A:B6:5E:F4:84:09:B2:CF:05:30:7A:41:45:9B:01:36:F1
      9:cert:dump: DirName:/C=US/ST=CA/L=Davis/O=Net-SNMP/OU=Development/CN=snmpd.mytest.org/emailAddress=admin@net-snmp.org
      9:cert:dump: serial:DF:7F:EE:1B:86:4C:9A:1B
      9:cert:dump: 3: subjectAltName = DNS:snmpd.mytest.org
      cert:dump: key snmpd.key in /usr/local/share/snmp/tls/private
      cert:dump: type 4 flags 0x1 (identity)
      cert:dump: ------------------------ End ----------------------
      cert:util:config: parsing 10 255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a9536e6a --sn joesha256
      cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 3217176600
      cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 3217176600
      cert:find:params: hint = 255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a9536e6a
      cert:find:params: looking for remote_peer(2) in FILE(0x1), hint 3217176600
      cert:find:params: hint = 255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a9536e6a
      9:cert:subset:found: 0 matches <------------------------!!!!!!!!NO CERTIFICATE FOUND!!!!!!!!-------------<
      cert:map:add: pri 10, fp 255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a9536e6a
      tlstcp: listening on tlstcp port 0.0.0.0:10161
      cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
      cert:find:params: hint = client
      cert:find:params: looking for identity(1) in FILE(0x1), hint 148467736
      cert:find:params: hint = snmpd
      9:cert:subset:found: 1 matches
      cert:find:found: using cert snmpd.crt / 62527d722da7d05b66c3560a04602e9775902677 for identity(1) (uses=identity+remote_peer (3))
      dtlsudp: netsnmp_dtlsudp_transport(): transports/snmpDTLSUDPDomain.c, 1421:
      A SNMP version other than 3 was requested with (D)TLS; using 3 anyways
      tsm: TSM: Reached our session initialization callback
      NET-SNMP version 5.7.3

      Agent output when queried via SNMPv3/TSM over DTLS/UDP:

      dtlsudp: received 210 raw bytes on way to dtls
      dtlsudp: starting a new connection
      cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
      cert:find:params: hint = client
      cert:find:params: looking for identity(1) in FILE(0x1), hint 148467736
      cert:find:params: hint = snmpd
      9:cert:subset:found: 1 matches
      cert:find:found: using cert snmpd.crt / 62527d722da7d05b66c3560a04602e9775902677 for identity(1) (uses=identity+remote_peer (3))
      dtlsudp:cookie: generating cookie...
      dtlsudp: have 48 bytes to send
      dtlsudp: received 230 raw bytes on way to dtls
      dtlsudp:cookie: verify cookie: 1
      dtlsudp: have 1383 bytes to send
      dtlsudp: received 1715 raw bytes on way to dtls
      tls_x509:verify: Cert: /CN=joesha256/OU=test/O=mytest.org/L=testcity/ST=ca/C=us
      tls_x509:verify: fp: 255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a9536e6a
      cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 149622920
      cert:find:params: hint = 255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a9536e6a
      tls_x509:verify: no matching fp found <------------------------!!!!!!!!NO FINGERPRINT FOUND!!!!!!!!
      tls verification failure: ok=0 ctx=0xbfc24da8 depth=0 err=18:self signed certificate
      ---- OpenSSL Related Errors: ----
      TLS error: SSL_read: rc=-1, sslerror = 1 (SSL_ERROR_SSL)
      TLS Error: no certificate returned
      ---- End of OpenSSL Errors ----
      ---- OpenSSL Related Errors: ----
      TLS error: SSL_read: rc=-1, sslerror = 5 (SSL_ERROR_SYSCALL): system_error=0 (Success)
      TLS Error: (null)
      ----------------------------------------------------------------------

      [root@centos67-TM1 private]# snmpget -v 3 --defSecurityModel=tsm -u joesha256 -l authPriv -T our_identity=255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a953 -T their_identity=62:52:7D:72:2D:A7:D0:5B:66:C3:56:0A:04:60:2E:97:75:90:26:77 dtlsudp:localhost:10161 .1.3.6.1.2.1.1.4.0
      tsm: needed to free transport data
      tsm: needed to free transport data
      tsm: needed to free transport data
      tsm: needed to free transport data
      tsm: needed to free transport data
      failed rfc5343 contextEngineID probing
      snmpget: Timeout (Success)
      [root@centos67-TM1 private]#


      CONFIGURATION:

      [root@centos67-TM1 certs]# cat /usr/local/share/snmp/snmpd.conf
      agentaddress udp:161,tcp:161,tlstcp:10161,dtlsudp:10161

      rwuser -s usm joesha256
      rwuser -s tsm joesha256
      rwcommunity public default 1

      certSecName 10 255033c1d7f2f59a32a90966ce88052b93e6997386e8d32764c68c77a9536e6a --sn joesha256
      [root@centos67-TM1 certs]#


      VERIFY FINGERPRINT WITH OPENSSL:

      [root@centos67-TM1 certs]# ll /usr/local/share/snmp/tls/certs/
      total 8
      -rwxrw-rw-. 1 root root 1244 Feb 18 15:13 joesha256.crt
      -rwxr-xr-x. 1 root root 1704 Feb 18 17:00 snmpd.crt

      [root@centos67-TM1 certs]# openssl x509 -noout -in joesha256.crt -fingerprint -sha256
      SHA256 Fingerprint=25:50:33:C1:D7:F2:F5:9A:32:A9:09:66:CE:88:05:2B:93:E6:99:73:86:E8:D3:27:64:C6:8C:77:A9:53:6E:6A


      SHOW CERTIFICATE WITH OPENSSL:

      [root@centos67-TM1 certs]# openssl x509 -in joesha256.crt -text -noout
      Certificate:
      Data:
      Version: 3 (0x2)
      Serial Number: 1455804689 (0x56c5d111)
      Signature Algorithm: sha256WithRSAEncryption
      Issuer: CN=joesha256, OU=test, O=mytest.org, L=testcity, ST=ca, C=us
      Validity
      Not Before: Feb 18 14:11:29 2016 GMT
      Not After : Feb 17 14:11:29 2017 GMT
      Subject: CN=joesha256, OU=test, O=mytest.org, L=testcity, ST=ca, C=us
      Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      Public-Key: (2048 bit)
      Modulus:
      00:8b:4b:00:ce:4a:ef:87:8a:6c:ce:89:b2:e7:27:
      83:94:22:79:40:b1:65:52:30:9e:d0:2e:63:0e:86:
      3a:36:94:81:93:bb:13:01:65:22:be:65:84:9d:03:
      55:8d:6e:af:e8:69:41:b4:a8:ca:18:25:67:38:87:
      28:0e:b2:c0:98:c5:71:47:eb:3c:12:b0:11:90:48:
      00:87:c3:da:37:cc:18:07:5f:5c:ad:ab:3e:28:c2:
      a5:ed:1a:a1:04:29:60:cd:1e:89:df:39:a0:ae:cd:
      a8:44:93:ca:c1:e9:c1:52:19:dc:6e:cc:81:ed:3b:
      ad:09:ba:b9:0a:e3:fa:3b:9b:1b:f6:6d:8a:67:49:
      70:b0:0e:27:9a:d3:89:58:6c:08:10:2e:f7:14:34:
      10:d5:96:2a:9e:4d:c3:76:f2:33:65:0a:d2:6e:6a:
      f0:5e:fe:3d:e7:43:6d:8b:49:a1:e6:d2:71:0c:19:
      df:bf:04:2b:42:d3:3d:54:6f:70:be:dc:63:fb:99:
      9b:89:17:13:54:b0:76:b1:0a:52:b6:59:a4:ae:a0:
      41:ec:78:1a:2b:06:bc:5d:c8:3b:cf:d4:49:87:86:
      ca:55:7f:07:8a:f7:80:2a:a7:14:0b:85:62:62:85:
      46:a8:37:3b:82:b0:c8:5d:78:e0:75:77:e4:43:dd:
      a8:5b
      Exponent: 65537 (0x10001)
      X509v3 extensions:
      X509v3 Subject Key Identifier:
      43:B8:0B:DC:13:B5:B7:FB:C1:A8:A1:31:55:5C:CF:B2:36:BB:1B:38
      Signature Algorithm: sha256WithRSAEncryption
      6b:2d:14:99:19:db:e1:1a:66:a8:af:71:80:45:31:96:14:fd:
      7a:4e:ad:29:19:70:b0:2d:b2:b2:2d:1e:0a:a4:09:74:a0:9b:
      dc:df:09:18:7e:25:aa:28:07:2e:cd:08:f3:d2:fa:3c:f6:d6:
      b9:75:1b:ef:82:f2:ed:5b:e3:df:6f:8f:c5:d1:75:15:a6:67:
      7f:a0:90:a7:82:23:55:e7:0a:1c:1f:f4:7b:13:0b:28:bb:a6:
      50:83:03:a1:eb:64:7e:69:54:35:30:18:1f:6c:b9:45:ee:02:
      6b:7b:3e:07:05:ed:f7:82:f6:e8:d3:3e:9d:3d:b3:a0:2a:14:
      6d:e0:1f:27:8d:bc:21:63:f9:fc:d7:52:0e:1e:d6:85:3d:73:
      e5:b5:37:70:32:02:57:4d:51:bb:23:bb:65:fb:5d:67:ec:fc:
      1b:6c:21:c6:e4:b3:29:47:c4:a5:b3:57:4d:68:be:f4:43:cc:
      95:a6:4c:46:14:54:33:c6:38:8f:ba:9f:34:47:65:9b:56:9f:
      06:d4:27:f5:60:c7:54:e8:f9:a1:95:b1:d3:a5:dc:0e:d7:6c:
      59:8f:13:64:32:97:73:0e:7e:f3:6b:ee:26:dc:40:01:21:77:
      aa:e8:9e:73:83:e0:6e:08:45:e2:61:fc:61:82:38:47:1b:06:
      75:7f:a2:07
      [root@centos67-TM1 certs]#


      I can provide the above certificates for testing.
      Br.

       
  • rishi sharma

    rishi sharma - 2017-12-12

    Hi, I'm also seeing a similar issue. With SHA-1 certs, I'm able to see that the queries are working fine with net-snmp 5.7.3, but when I'm switching over to the SHA-256 certs, requests are not even reaching the remote snmpd agent. I'm getting the error below:

    snmpwalk -OQ -v 3 -t 3 --defSecurityModel=tsm -u SNMPV3-NMS -l authPriv -T our_identity=xx:xx -T their_identity=xx:xx dtlsudp6:[ip_v6]:10161 .1.3.6.1.4.1.17270.50.2.2.2.1.1.3.10101
    error finding client identity keys
    failed to create the SSL session structure
    failed to open a new dtls connection
    failed rfc5343 contextEngineID probing
    snmpwalk: Failure in sendto (Permission denied)

    I have verified my fingerprints using openssl commands.

    It looks more to me like an issue with the certs which I have created. Could you please share the steps of how to create the SHA-256 certs for testing?

     

    Last edit: rishi sharma 2017-12-12
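
An added example, not code from the Net-SNMP project or from anyone in this thread, that covers the two practical points raised above: Robert Story's note that net-snmp-cert prints SHA-1 fingerprints while the agent log shows the SHA-256 one in compact lowercase form, and rishi sharma's question about how to create SHA-256 certs for testing. The script creates a self-signed certificate signed with sha256WithRSAEncryption using the openssl CLI (instead of net-snmp-cert), converts the "SHA256 Fingerprint=..." output into the colon-free lowercase form that appears in the "cert:find:params: hint = ..." debug lines, and prints the certSecName line for snmpd.conf. It assumes only a POSIX sh and openssl; the output directory is an argument, and the certs/ and private/ subdirectory names follow the layout shown in the logs above. The fingerprint values used for checking are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example (not Net-SNMP project code): create a SHA-256 signed test
# certificate and derive the fingerprint forms used by snmpd and snmpd.conf.
# Assumes: POSIX sh, openssl CLI. Directory layout ($dir/certs, $dir/private)
# mirrors the tls/ layout seen in the debug output in this ticket.
set -eu

# Turn OpenSSL's "SHA256 Fingerprint=25:50:33:C1:..." into the compact
# lowercase hex that the agent logs ("cert:find:params: hint = 255033c1...").
fp_compact() {
    printf '%s\n' "$1" | sed 's/^[^=]*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Tell the digest apart by the number of hex characters: 40 is SHA-1 (what
# net-snmp-cert prints), 64 is SHA-256 (what the agent matched on here).
fp_algo() {
    case ${#1} in
        40) echo sha1 ;;
        64) echo sha256 ;;
        *)  echo unknown ;;
    esac
}

# Generate a self-signed cert/key pair for CN $2 under $1, signed with
# sha256WithRSAEncryption. The key is written with restrictive permissions.
gen_sha256_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir/certs" "$dir/private"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn/OU=test/O=mytest.org" \
        -keyout "$dir/private/$cn.key" -out "$dir/certs/$cn.crt" 2>/dev/null
    chmod 600 "$dir/private/$cn.key"
}

# Print the certSecName line that maps the client cert's SHA-256 fingerprint
# to a TSM security name, together with both fingerprint spellings for
# comparison against the agent's debug output.
emit_conf() {
    crt=$1
    secname=$2
    raw=$(openssl x509 -noout -in "$crt" -fingerprint -sha256)
    fp=$(fp_compact "$raw")
    echo "# $raw"
    echo "# compact ($(fp_algo "$fp")): $fp"
    echo "certSecName 10 $fp --sn $secname"
}

# Usage: sh mkcert.sh /usr/local/share/snmp/tls joesha256
if [ $# -eq 2 ]; then
    gen_sha256_cert "$1" "$2"
    emit_conf "$1/certs/$2.crt" "$2"
    # Confirm the signature algorithm really is SHA-256 based.
    openssl x509 -noout -in "$1/certs/$2.crt" -text | grep 'Signature Algorithm' | head -n 1
fi
```

Run it with the tls directory snmpd reads from and the security name you use in the rwuser line; paste the printed certSecName line into snmpd.conf and compare the compact fingerprint with the hint the agent logs under -Dcert,9:cert to see whether they match.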
  • Anders Wallin

    Anders Wallin - 2018-04-11
     
