Discussion:
Snmp v3 DTLS TRAP - ICMP Destination unreachable
Stephanie Jakopec
2017-06-01 08:51:57 UTC
Permalink
Hi,

I am trying to configure net-snmp over DTLS. The manager doesn't receive
the TRAP message when sending TRAPs over dtlsudp. Sending TRAPs over tlstcp
is successful. In Wireshark I can see Client Hello, Hello Verify Request
and then an ICMP Destination unreachable (Port unreachable).
I think it is not a firewall or permission problem. I have checked
everything regarding this.
GET command works over DTLS.
Certificates are created with help of the Using DTLS TUT. Manager has
snmpdsteph.crt, agent has agent.crt and both are signed with
hostname.example.com.

Agent sends trap to manager:
./snmptrap -v 3 -T their_hostname=steph \
    -Dtls,ssh,openssl,cert,dtlsudp,9:openssl:fingerprint,9:openssl:cert:san \
    dtlsudp:<ip_addr1>:10162 "" \
    NET-SNMP-EXAMPLES-MIB::netSnmpExampleHeartbeatNotification \
    netSnmpExampleHeartbeatRate i 123456


Below is the snmptrapd.log:
==========================================================================
dtlsudp: received 149 raw bytes on way to dtls
dtlsudp: starting a new connection
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 7980400
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 7980400
cert:find:params: hint = 47:B2:BB:BD:0F:D5:C6:3B:C3:B1:07:6F:8B:3E:97:0B:B8:E4:1C:3B
cert:find:found: using cert snmpdsteph.crt / 47b2bbbd0fd5c63bc3b1076f8b3e970bb8e41c3b for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpdsteph.crt / 47b2bbbd0fd5c63bc3b1076f8b3e970bb8e41c3b for identity(1) (uses=identity+remote_peer (3))
sslctx_server: using public key: snmpdsteph.crt
sslctx_server: using private key: snmpdsteph.key
sslctx_client: Trying to load a trusted certificate: 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
cert:find:params: looking for CA(8) in MULTIPLE(0x200), hint 7961792
cert:find:params: looking for CA(8) in FINGERPRINT(0x2), hint 7961792
cert:find:params: hint = 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
cert:find:found: using cert hostname.example.com.crt / 288187b3a913e003c4b4d61ff485fe12db6fdd28 for CA(8) (uses=CA+identity+remote_peer (11))
cert:find:found: using cert hostname.example.com.crt / 288187b3a913e003c4b4d61ff485fe12db6fdd28 for CA(8) (uses=CA+identity+remote_peer (11))
cert:trust_ca: checking roots for 0x7343a0
9:openssl:fingerprint: alg -1, cert nid 65 (2)
9:openssl:fingerprint: fingerprint 288187b3a913e003c4b4d61ff485fe12db6fdd28
cert:trust: putting trusted cert 0x734660 = 288187b3a913e003c4b4d61ff485fe12db6fdd28 in certstore 0x7928e0
dtlsudp:cookie: generating cookie...
dtlsudp: have 48 bytes to send
=============================================================================

Agent log:
=============================================================================
registered debug token tls, 1
registered debug token ssh, 1
registered debug token openssl, 1
registered debug token cert, 1
registered debug token dtlsudp, 1
registered debug token 9:openssl:fingerprint, 1
registered debug token 9:openssl:cert:san, 1
cert:util:init: init
cert:index:add: dir /home/snmp/share/snmp/tls/ca-certs at index 0
cert:index:add: dir /home/snmp/share/snmp/tls/certs at index 1
cert:index:add: dir /home/snmp/share/snmp/tls/private at index 2
cert:index:dir: Scanning directory /home/snmp/share/snmp/tls/ca-certs
cert:index:lookup: /home/snmp/share/snmp/tls/ca-certs (0) /home/.snmp_persist/cert_indexes/0
cert:index:parse: The index for /home/snmp/share/snmp/tls/ca-certs looks good
cert:index:parse: added 1 certs from index
cert:index:dir: Scanning directory /home/snmp/share/snmp/tls/certs
cert:index:lookup: /home/snmp/share/snmp/tls/certs (1) /home/.snmp_persist/cert_indexes/1
cert:index:parse: The index for /home/snmp/share/snmp/tls/certs looks good
cert:index:parse: added 1 certs from index
cert:index:dir: Scanning directory /home/snmp/share/snmp/tls/private
cert:index:lookup: /home/snmp/share/snmp/tls/private (2) /home/.snmp_persist/cert_indexes/2
cert:index:parse: The index for /home/snmp/share/snmp/tls/private looks good
cert:key:struct:new: new key 0x0x628410 for hostname.example.com.key
cert:key:struct:new: new key 0x0x628a00 for agent.key
cert:index:parse: added 2 certs from index
cert:partner: hostname.example.com.crt match found!
cert:partner: agent.crt match found!
cert:key:read: Checking file hostname.example.com.key
cert:key:read: Checking file agent.key
cert:dump: -------------------- Certificates -----------------
cert:dump: cert hostname.example.com.crt in /home/snmp/share/snmp/tls/ca-certs
cert:dump: type 1 flags 0xb (CA+identity+remote_peer)
cert:dump: cert agent.crt in /home/snmp/share/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: key hostname.example.com.key in /home/snmp/share/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: key agent.key in /home/snmp/share/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: ------------------------ End ----------------------
dtlsudp: netsnmp_dtlsudp_transport(): transports/snmpDTLSUDPDomain.c, 1421:
dtlsudp: sending 131 bytes
dtlsudp: starting a new connection
dtlsudp: starting a new connection as a client to sock: 3
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 6795536
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 6795536
cert:find:params: hint = BF:AD:00:CC:9D:61:6C:2C:5F:6D:3F:1A:05:E8:27:6E:C8:2A:C9:A0
cert:find:found: using cert agent.crt / bfad00cc9d616c2c5f6d3f1a05e8276ec82ac9a0 for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert agent.crt / bfad00cc9d616c2c5f6d3f1a05e8276ec82ac9a0 for identity(1) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
cert:find:params: looking for CA(8) in MULTIPLE(0x200), hint 6876544
cert:find:params: looking for CA(8) in FINGERPRINT(0x2), hint 6876544
cert:find:params: hint = 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
cert:find:found: using cert hostname.example.com.crt / 288187b3a913e003c4b4d61ff485fe12db6fdd28 for CA(8) (uses=CA+identity+remote_peer (11))
cert:find:found: using cert hostname.example.com.crt / 288187b3a913e003c4b4d61ff485fe12db6fdd28 for CA(8) (uses=CA+identity+remote_peer (11))
cert:trust_ca: checking roots for 0x628490
9:openssl:fingerprint: alg -1, cert nid 65 (2)
9:openssl:fingerprint: fingerprint 288187b3a913e003c4b4d61ff485fe12db6fdd28
cert:trust: putting trusted cert 0x628670 = 288187b3a913e003c4b4d61ff485fe12db6fdd28 in certstore 0x6bbd60
dtlsudp: have 149 bytes to send
dtlsudp:close: closing dtlsudp transport 0x6bf990
dtlsudp:close: 131 bytes remain in write_cache
dtlsudp:close: dumping 131 bytes from write_cache
dtlsudp:close: closing SSL socket
tlsbase: Freeing TLS Base data for a session
cert:util:shutdown: shutdown
cert:key:struct:free: freeing key 0x0x628410, hostname.example.com.key
cert:key:struct:free: freeing key 0x0x628a00, agent.key
==========================================================================

Agent snmp.conf:
==========================================================================
defSecurityModel tsm
defSecurityLevel authPriv
localCert BF:AD:00:CC:9D:61:6C:2C:5F:6D:3F:1A:05:E8:27:6E:C8:2A:C9:A0
trustCert 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
persistentDir /home/.snmp_persist

Manager snmpd.conf:
==========================================================================
rwuser -s tsm "traptest"
rouser NoAuthUser
rouser MD5User
rwuser MD5DESUser
createUser NoAuthUser
createUser MD5User MD5 "The Net-SNMP Demo Password"
createUser MD5DESUser MD5 "The Net-SNMP Demo Password" DES
rocommunity public localhost

agentXSocket tcp:localhost:705,udp:localhost:705
master agentx
[snmp] localCert 47:B2:BB:BD:0F:D5:C6:3B:C3:B1:07:6F:8B:3E:97:0B:B8:E4:1C:3B
[snmp] trustCert 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
certSecName 20 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28 --sn "traptest"
agentaddress udp:161,tcp:161,dtlsudp:10161,tlstcp:10161
=========================================================================

Manager snmptrapd.conf:
=========================================================================
authCommunity log,execute,net public
snmpTrapdAddr dtlsudp:10162,tlstcp:10162

createUser -e 0x8000000001020304 traptest SHA mypassword AES
authuser log traptest
authUser log "steph"
disableAuthorization yes

[snmp] localCert 47:B2:BB:BD:0F:D5:C6:3B:C3:B1:07:6F:8B:3E:97:0B:B8:E4:1C:3B
[snmp] trustCert 28:81:87:B3:A9:13:E0:03:C4:B4:D6:1F:F4:85:FE:12:DB:6F:DD:28
certSecName 20 BF:AD:00:CC:9D:61:6C:2C:5F:6D:3F:1A:05:E8:27:6E:C8:2A:C9:A0 --sn traptest
=========================================================================

I would really appreciate your help.
Regards,

Steph
Stephanie Jakopec
2017-06-02 13:42:05 UTC
Permalink
Hi,

just to add more information: INFORM works over dtlsudp with the same
configuration. Am I doing something wrong with TRAP sending and receiving?

Best regards,
Steph