Mandos + CentOS 6

Nathanael D. Noblet nathanael at gnat.ca
Fri Apr 4 17:43:49 CEST 2014


On Thu, 2014-04-03 at 21:41 +0200, Teddy Hogeborn wrote:
> "Nathanael d. Noblet" <nathanael at gnat.ca> writes:
> 
> > I have good news! I have a CentOS 6 machine using dracut and Mandos
> > fully functional. At least it has been able to reboot unattended
> > multiple times. I've tested both DHCP and static IP address
> > assignment.
> >
> > Then the bad news. I started working on getting a Fedora 20 VM to do
> > the same. This is where I run into the odd problem that mandos running
> > on different versions of RPM based machines have issues.
> >
> > I thought this was solved previously by changing the priority string
> > on the server.
> 
> I still think this is the best bet to get it working.
> 
> > However that doesn't seem to work. There is something else going
> > on. To test I installed the mandos-server and client on the one F20
> > vm. From a terminal if I have the client contact the local server it
> > gets the password back. If I have it contact the CentOS 6 server it
> > never gets a response. The server spits out an error about a "TLS
> > packet with unexpected length was received".
> 
> Yeah, that's the GnuTLS standard message for "something unexpected
> happened and I'm not going to tell you what it is".
> 
> > Any thoughts on how to debug this?  Once I have this working I'll post
> > the needed bits for a CentOS/RHEL client and a Fedora/systemd client.
> 
> Use the "gnutls-cli" and "gnutls-serv" commands to debug straight GnuTLS
> without any Mandos complications.  Note that the Mandos server should
> run the gnutls-cli command, and the Mandos client should run the
> gnutls-serv command, and you'll therefore have to connect from the
> Mandos server system to the Mandos client system using the gnutls-cli
> and gnutls-serv tools.

So I emailed the fedora @devel ml. I've been told the following:

"Does it really use TLS with openpgp certificates? If yes, I doubt you
could make 2.8.5 interoperate with gnutls 3.1.20. GnuTLS was modified in
3.1.x to adhere with RFC6091, which was incompatible with the previous
attempt to have openpgp keys to TLS."

In talking with them, it looks like there is no way around it. As such,
any machine running Mandos with GnuTLS 3.1.x won't work with a machine
running GnuTLS 2.8.x or probably <= 3.0, I would imagine.

Any thoughts on how to proceed? Are there alternate implementations of
the communication protocols you're using? OpenSSL or something like that
that could be compiled against instead of GnuTLS (as an optional
configure argument or something?)

-- 
Nathanael
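The following script is an added example, not code from the Mandos project or from either poster. It packages the debugging setup Teddy describes above (gnutls-serv on the Mandos client host, which holds the OpenPGP key, and gnutls-cli run from the Mandos server host) together with a small version check reflecting the fedora-devel reply that GnuTLS before 3.1 and GnuTLS 3.1 or later use incompatible OpenPGP-over-TLS encodings. The priority string, key and certificate paths, port and host name are assumptions chosen for illustration; the gnutls-serv/gnutls-cli flag names are GnuTLS' own (OpenPGP support was later removed from GnuTLS entirely, so this applies only to the 2.x and 3.0 to 3.5 series being discussed).

```shell
#!/bin/sh
# Added example (not from the Mandos project or the mailing-list post).
# Classify GnuTLS versions by OpenPGP-over-TLS encoding and print the
# gnutls-serv / gnutls-cli commands to test the handshake without Mandos.

# Placeholders; replace with the real values for your hosts.
PORT=${PORT:-1234}
KEYFILE=${KEYFILE:-/etc/keys/mandos/seckey.txt}      # OpenPGP secret key
CERTFILE=${CERTFILE:-/etc/keys/mandos/pubkey.txt}    # OpenPGP public key
CLIENT_HOST=${CLIENT_HOST:-mandos-client.example}
# Assumed to match the Mandos server's configured priority string.
PRIORITY=${PRIORITY:-SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP}

# Echo "legacy" for GnuTLS < 3.1 and "rfc6091" for >= 3.1, following the
# fedora-devel statement that 3.1.x switched to the RFC 6091 encoding.
gnutls_openpgp_epoch() {
    major=${1%%.*}
    rest=${1#*.}
    if [ "$rest" = "$1" ]; then
        minor=0                      # bare "3" -> treat as 3.0
    else
        minor=${rest%%.*}
    fi
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 1 ]; }; then
        echo rfc6091
    else
        echo legacy
    fi
}

# Succeed (exit 0) when two GnuTLS versions are expected to interoperate
# for OpenPGP TLS, i.e. when both fall on the same side of the 3.1 split.
gnutls_openpgp_compatible() {
    [ "$(gnutls_openpgp_epoch "$1")" = "$(gnutls_openpgp_epoch "$2")" ]
}

# Command for the Mandos *client* host: it owns the OpenPGP key, so it
# plays the TLS server role, exactly as Teddy describes.
client_host_cmd() {
    printf '%s\n' "gnutls-serv --port $PORT --pgpkeyfile $KEYFILE" \
        "  --pgpcertfile $CERTFILE --priority '$PRIORITY'"
}

# Command for the Mandos *server* host: it connects as a TLS client.
# --insecure skips certificate verification, since the point here is
# only to see whether the handshake itself completes.
server_host_cmd() {
    printf '%s\n' "gnutls-cli --verbose --insecure --port $PORT" \
        "  --priority '$PRIORITY' $CLIENT_HOST"
}

# Usage: ./gnutls-debug.sh check 2.8.5 3.1.20
#        ./gnutls-debug.sh commands
case "${1:-}" in
    check)
        if gnutls_openpgp_compatible "$2" "$3"; then
            echo "GnuTLS $2 and $3: same OpenPGP encoding, handshake may work"
        else
            echo "GnuTLS $2 and $3: different OpenPGP encodings, expect failure"
        fi ;;
    commands)
        echo "# run on the Mandos client host:"; client_host_cmd
        echo "# then run on the Mandos server host:"; server_host_cmd ;;
esac
```

Run `check` with the versions each side reports (`gnutls-cli --version`) before spending time on the handshake trace: a "different OpenPGP encodings" result means the "TLS packet with unexpected length" error is expected and no priority string will fix it.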


