Mandos on Fedora/RHEL

Nathanael Noblet nathanael at gnat.ca
Thu Oct 24 07:28:03 CEST 2013


Hmm, seems I spoke too soon. I can get a mandos client on RHEL/Fedora 
based systems working. However, regardless of the version I try, I cannot for 
the life of me get a successful test connection when either CentOS 6.x 
or Fedora (f18/f19) is used as the server.

I'm constantly getting the following on F18, CentOS and F19 servers. 
It's always some packet of unexpected length. I've even tried expressly 
matching the versions in my Vagrant Ubuntu test boxes; however, it still 
fails to work. Any suggestions would be very much welcome. Erik, if you 
are reading this and you've managed to get the mandos server running on 
either Fedora or RHEL, I'd love to know what you did...

2013-10-24 06:04:04,592 root [3485]: WARNING: No clients defined
2013-10-24 06:04:04,595 root [3485]: INFO: Now listening on address 
'::', port 55055, flowinfo 0, scope_id 0
2013-10-24 06:04:04,598 root [3485]: DEBUG: Avahi server state change: 2
2013-10-24 06:04:04,600 root [3485]: DEBUG: Adding Zeroconf service 
'Mandos' of type '_mandos._tcp' ...
2013-10-24 06:04:04,602 root [3485]: DEBUG: Starting main loop
2013-10-24 06:04:04,603 root [3485]: DEBUG: Avahi entry group state 
change: 1
2013-10-24 06:04:04,604 root [3485]: DEBUG: Avahi entry group state 
change: 2
2013-10-24 06:04:04,606 root [3485]: DEBUG: Zeroconf service established.
2013-10-24 06:04:14,203 root [3491]: INFO: TCP connection from: 
('::ffff:192.168.56.152', 34572, 0, 0)
2013-10-24 06:04:14,204 root [3491]: DEBUG: Pipe FD: 15
2013-10-24 06:04:14,205 root [3491]: DEBUG: GnuTLS: REC[0x91c3c08]: 
Allocating epoch #0
2013-10-24 06:04:14,206 root [3491]: DEBUG: Protocol version: '1\r\n'
2013-10-24 06:04:14,207 root [3491]: DEBUG: GnuTLS: ASSERT: 
gnutls_constate.c:695
2013-10-24 06:04:14,208 root [3491]: DEBUG: GnuTLS: REC[0x91c3c08]: 
Allocating epoch #1
2013-10-24 06:04:14,208 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
2013-10-24 06:04:14,210 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
2013-10-24 06:04:14,211 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
2013-10-24 06:04:14,212 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
2013-10-24 06:04:14,213 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
2013-10-24 06:04:14,213 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
2013-10-24 06:04:14,215 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
2013-10-24 06:04:14,216 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
2013-10-24 06:04:14,217 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
2013-10-24 06:04:14,218 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
2013-10-24 06:04:14,218 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
2013-10-24 06:04:14,220 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
2013-10-24 06:04:14,221 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
2013-10-24 06:04:14,222 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
2013-10-24 06:04:14,223 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
2013-10-24 06:04:14,223 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: RSA_AES_256_CBC_SHA256
2013-10-24 06:04:14,225 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: RSA_AES_256_CBC_SHA1
2013-10-24 06:04:14,226 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
2013-10-24 06:04:14,227 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: RSA_AES_128_CBC_SHA256
2013-10-24 06:04:14,228 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: RSA_AES_128_CBC_SHA1
2013-10-24 06:04:14,228 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
2013-10-24 06:04:14,229 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
2013-10-24 06:04:14,230 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
Keeping ciphersuite: RSA_ARCFOUR_SHA1
2013-10-24 06:04:14,232 root [3491]: DEBUG: GnuTLS: EXT[0x91c3c08]: 
Sending extension CERT TYPE (2 bytes)
2013-10-24 06:04:14,233 root [3491]: DEBUG: GnuTLS: EXT[0x91c3c08]: 
Sending extension SAFE RENEGOTIATION (1 bytes)
2013-10-24 06:04:14,234 root [3491]: DEBUG: GnuTLS: EXT[SIGA]: sent 
signature algo (4.2) DSA-SHA256
2013-10-24 06:04:14,234 root [3491]: DEBUG: GnuTLS: EXT[0x91c3c08]: 
Sending extension SIGNATURE ALGORITHMS (4 bytes)
2013-10-24 06:04:14,236 root [3491]: DEBUG: GnuTLS: HSK[0x91c3c08]: 
CLIENT HELLO was sent [110 bytes]
2013-10-24 06:04:14,236 root [3491]: DEBUG: GnuTLS: BUF[HSK]: Inserted 
110 bytes of Data
2013-10-24 06:04:14,237 root [3491]: DEBUG: GnuTLS: HWRITE: enqueued 
110. Total 110 bytes.
2013-10-24 06:04:14,238 root [3491]: DEBUG: GnuTLS: HWRITE FLUSH: 110 
bytes in buffer.
2013-10-24 06:04:14,239 root [3491]: DEBUG: GnuTLS: REC[0x91c3c08]: 
Sending Packet[0] Handshake(22) with length: 110
2013-10-24 06:04:14,239 root [3491]: DEBUG: GnuTLS: WRITE: enqueued 115 
bytes for 0xb. Total 115 bytes.
2013-10-24 06:04:14,240 root [3491]: DEBUG: GnuTLS: REC[0x91c3c08]: Sent 
Packet[1] Handshake(22) with length: 115
2013-10-24 06:04:14,240 root [3491]: DEBUG: GnuTLS: HWRITE: wrote 110 
bytes, 0 bytes left.
2013-10-24 06:04:14,240 root [3491]: DEBUG: GnuTLS: WRITE FLUSH: 115 
bytes in buffer.
2013-10-24 06:04:14,241 root [3491]: DEBUG: GnuTLS: WRITE: wrote 115 
bytes, 0 bytes left.
2013-10-24 06:04:14,251 root [3491]: DEBUG: GnuTLS: READ: Got 0 bytes 
from 0xb
2013-10-24 06:04:14,251 root [3491]: DEBUG: GnuTLS: READ: read 0 bytes 
from 0xb
2013-10-24 06:04:14,251 root [3491]: DEBUG: GnuTLS: ASSERT: 
gnutls_buffers.c:640
2013-10-24 06:04:14,251 root [3491]: DEBUG: GnuTLS: ASSERT: 
gnutls_record.c:969
2013-10-24 06:04:14,251 root [3491]: DEBUG: GnuTLS: ASSERT: 
gnutls_handshake.c:2762
2013-10-24 06:04:14,251 root [3491]: DEBUG: GnuTLS: BUF[HSK]: Cleared 
Data from buffer
2013-10-24 06:04:14,251 root [3491]: WARNING: Handshake failed: A TLS 
packet with unexpected length was received.
2013-10-24 06:04:14,252 root [3491]: DEBUG: GnuTLS: BUF[HSK]: Cleared 
Data from buffer
2013-10-24 06:04:14,252 root [3491]: DEBUG: GnuTLS: REC[0x91c3c08]: 
Epoch #0 freed
2013-10-24 06:04:14,253 root [3491]: DEBUG: GnuTLS: REC[0x91c3c08]: 
Epoch #1 freed




On 10/22/2013 11:37 AM, Nathanael D. Noblet wrote:
> As a side note, I've been able to get it working on RHEL and have a 
> working initscript for that, so I may try to contact Erik, who 
> originally submitted this to the fedora devel list, to see if he wants 
> to work together on getting this working for Red Hat based OSes. 
> Getting it in Fedora would be great; however, I need to know what's 
> going on with that gnutls pgp init function error.
>
> On 10/22/2013 09:38 AM, Nathanael D. Noblet wrote:
>> Hello,
>>
>>   I suddenly have need for a solution such as mandos. I came across
>> Erik's posts on the fedora mailing list and this one. I've taken his
>> initial package and started to work on it so I could evaluate the
>> software. I've got a client and server running; however, when attempting
>> to test the client without a reboot I'm getting an error on the server.
>> This seems to be a Python error, obviously; however, the code is not
>> something I'm overly familiar with, particularly what seems like very odd
>> syntax...
>>
>>   In any case here's what is happening. I run
>>
>> /usr/lib/mandos/plugins.d/mandos-client
>> --pubkey=/etc/keys/mandos/pubkey.txt
>> --seckey=/etc/keys/mandos/seckey.txt -c 192.168.56.1:55055
>>
>> and the output on the server is:
>>
>> ----------------------------------------
>> Exception happened during processing of request from
>> ('::ffff:192.168.56.12', 49561, 0, 0)
>> Traceback (most recent call last):
>>    File "/sbin/mandos", line 1861, in sub_process_main
>>      self.finish_request(request, address)
>>    File "/usr/lib64/python2.7/SocketServer.py", line 334, in 
>> finish_request
>>      self.RequestHandlerClass(request, client_address, self)
>>    File "/usr/lib64/python2.7/SocketServer.py", line 649, in __init__
>>      self.handle()
>>    File "/sbin/mandos", line 1696, in handle
>>      (session))
>>    File "/sbin/mandos", line 1825, in fingerprint
>>      (gnutls.library.functions
>> AttributeError: 'module' object has no attribute 
>> 'gnutls_openpgp_crt_init'
>> ----------------------------------------
>>
>> Which attempts over and over but never succeeds obviously. Any idea what
>> could cause that issue?
>>
>>
>
>


