ocserv 0.9.0.1 not doing TLS handshake

Lemon Lam alemonmk at gmail.com
Mon Jan 26 10:48:31 PST 2015


On 2015/1/27 02:34 AM, Nikos Mavrogiannopoulos wrote:
> On Tue, 2015-01-27 at 02:25 +0800, Lemon Lam wrote:
>> On 2015/1/27 02:03 AM, Nikos Mavrogiannopoulos wrote:
>>> On Tue, 2015-01-27 at 01:21 +0800, Lemon Lam wrote:
>>>> (snip)
>>>
>>> Check for some firewall terminating the connection; there is no
>>> handshake occurring there, the session is terminated before it starts.
>> My iptables-based firewall should not be the problem as it just needs one
>> more INPUT rule to let this handshake stuff through like a web server
>> and another one for the DTLS tunnel.
> 
> Try connecting from localhost first. Then you'll know whether it is a
> firewall issue.
> 
> regards,
> Nikos
> 
> 

I tried that:
> $ openssl s_client -connect localhost:8443
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---
> $ gnutls-cli localhost -p 8443
> Processed 147 CA certificate(s).
> Resolving 'localhost'...
> Connecting to '127.0.0.1:8443'...
> *** Fatal error: Error in the pull function.
> *** Handshake has failed
> GnuTLS error: Error in the pull function.

Meanwhile, at ocserv log:
> # ocserv -f -d 9999
> listening (TCP) on 0.0.0.0:8443...
> listening (TCP) on [::]:8443...
> listening (UNIX) on /var/run/ocserv-conn.socket...
> listening (UDP) on 0.0.0.0:8443...
> listening (UDP) on [::]:8443...
> ocserv[2007]: main: initializing control unix socket: /var/run/occtl.socket
> ocserv[2007]: main: initialized ocserv 0.9.0
> ocserv[2008]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.2007)
> ocserv[2007]: TLS[<3>]: ASSERT: common.c:1041
> ocserv[2008]: sec-mod: received request from pid 2007 and uid 0
> ocserv[2008]: sec-mod: cmd [size=55] sm: sign
> ocserv[2010]: worker: 127.0.0.1:59879 accepted connection
> ocserv[2010]: TLS[<5>]: REC[0x9aadf28]: Allocating epoch #0
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_constate.c:586
> ocserv[2010]: TLS[<5>]: REC[0x9aadf28]: Allocating epoch #1
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:1139
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:224
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:333
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:574
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_record.c:1058
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_record.c:1179
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:1392
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_handshake.c:1428
> ocserv[2010]: TLS[<3>]: ASSERT: gnutls_handshake.c:3092
> ocserv[2010]: GnuTLS error (at worker-vpn.c:349): Error in the push function.
> ocserv[2007]: main: 127.0.0.1:59879 main-misc.c:501: command socket closed
> ocserv[2007]: main: 127.0.0.1:59879 removing client '' with id '2010'
> *repeat*

regards,
Lam
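The localhost check Nikos suggests, and the way the s_client output above is read (TCP accepted, ClientHello written, then errno 104 with 0 bytes read), can be automated so the verdict is not left to eyeballing. This is an added example, not code from the thread or from ocserv; the verdict strings are this example's own labels, and `start_reset_server` is a constructed stand-in for a server that accepts and then aborts the connection, as the ocserv log shows.

```python
import socket
import ssl
import struct
import threading

def classify_tls_connect(host, port, timeout=3.0):
    """Connect, attempt a TLS handshake, return a coarse verdict (labels are
    this example's own; 'reset-after-accept' is the pattern seen in the thread)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # diagnosing reachability, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"                # nothing listening, or firewall REJECT
    except socket.timeout:
        return "timeout"                # firewall DROP, or routing problem
    with raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)  # handshakes here
            tls.close()
            return "handshake-ok"
        except (ConnectionResetError, BrokenPipeError):
            return "reset-after-accept"  # accepted, then RST: errno 104 in the thread
        except ssl.SSLEOFError:
            return "closed-after-accept"  # accepted, then FIN before any ServerHello
        except ssl.SSLError as exc:
            return "tls-error:" + str(exc.reason)  # alert or protocol mismatch

def unused_port():
    """Reserve and release a local port, to demonstrate the 'refused' verdict."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def start_reset_server():
    """Constructed stand-in for the failing server: accept, swallow the ClientHello,
    then abort with RST (SO_LINGER 0) instead of sending a ServerHello."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                 # consume the ClientHello, answer nothing
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()                    # linger 0 makes close() send RST
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `classify_tls_connect` against the real host from localhost and from a remote client: "refused" or "timeout" only remotely points at the firewall, while "reset-after-accept" from localhost as well points at the server process itself.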
