
TLS callhome : Getting error as "server certificate not set" #440

Closed
RSowndarya opened this issue Oct 11, 2023 · 26 comments
Labels
is:question Issue is actually a question.

Comments

@RSowndarya

Hi Team,

We are testing the TLS call home feature with netopeer2-server 2.1.42 & netopeer2-cli 2.0.68.
While pushing tls_listen we are facing the issue below:

[INF]: LN: Listening on 0.0.0.0:6513 for TLS connections.
[ERR]: LN: nc_server_tls_endpt_set_server_cert: invalid argument (endpt_name).
[ERR]: LN: nc_server_tls_add_trusted_cert_list: invalid argument (name).

[INF]: SR: Successful processing of "done" event with ID 1 priority 0 (remaining 0 subscribers).
[INF]: SR: Successful processing of "rpc" event with ID 3 priority 0 (remaining 0 subscribers).
[INF]: SR: Event "rpc" with ID 3 priority 0 succeeded.
[INF]: NP: Session 1: thread 2 event new RPC.

We are using the yang 2.0 version and we have modified the example tls_listen configuration according to our yang.
We have additionally added the container "certificate", and the configuration was successful:

    <server-identity>
        <certificate>
            <keystore-reference>
                <asymmetric-key>cgserverkey</asymmetric-key>
                <certificate>cgservercert</certificate>
            </keystore-reference>
        </certificate>
    </server-identity>

In the code, for the subscription part, the xpath includes the container, as below:

xpath = "/ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/server-identity/certificate/keystore-reference";
SR_CONFIG_SUBSCR(mod_name, xpath, np2srv_endpt_tls_servercert_cb);

But in the callback function, the xpath is mentioned without the container (certificate):

/* /ietf-netconf-server:netconf-server/listen/endpoint/tls/tls-server-parameters/server-identity/keystore-reference */
int
np2srv_endpt_tls_servercert_cb(sr_session_ctx_t *session, uint32_t UNUSED(sub_id), const char *UNUSED(module_name),
const char *xpath, sr_event_t UNUSED(event), uint32_t UNUSED(request_id), void *UNUSED(private_data))
{

We suspect that if an additional container is added then the position of the child changes and the endpoint name cannot be fetched. Hence the error observed is "invalid argument" for the endpoint name.

Code snippet:
/* find name */
endpt_name = lyd_get_value(node->parent->parent->parent->parent->parent->child);

Could you please confirm how the code handles this, with the container (certificate) or without that container?
Attached the configs for reference.

tls_listen.odt
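To illustrate the suspicion in this report, here is an added example (not code from netopeer2 or libyang) using a constructed toy tree in place of lyd_node: a fixed-depth parent walk like the one in the callback stops working once an extra "certificate" container is inserted, while climbing to the nearest "endpoint" ancestor and reading its "name" key works for both layouts. The node names, the endpoint name "default-tls" and the build helpers are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Toy data tree standing in for libyang's lyd_node (constructed for this example, not the real API). */
struct node { const char *name, *value; struct node *parent, *child, *next; };  /* value: leaves only */
static struct node *mk(const char *name, const char *value)
{
    struct node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->name = name; n->value = value;
    return n;
}
/* Append c as the last child of p, so the list key "name" stays the first child of "endpoint". */
static void add_child(struct node *p, struct node *c)
{
    struct node **slot = &p->child;
    c->parent = p;
    while (*slot) slot = &(*slot)->next;
    *slot = c;
}
/* Build path[0]/.../path[n-1]/asymmetric-key under endpoint[name='default-tls']; return that leaf. */
static struct node *build_leaf(const char *const *path, size_t n)
{
    struct node *cur = mk(path[0], NULL);             /* path[0] is the "endpoint" list entry */
    add_child(cur, mk("name", "default-tls"));        /* list key comes first, as in the data tree */
    for (size_t i = 1; i < n; i++) { struct node *c = mk(path[i], NULL); add_child(cur, c); cur = c; }
    struct node *leaf = mk("asymmetric-key", "serverkey");
    add_child(cur, leaf);
    return leaf;
}

/* Fixed-depth lookup mirroring the reported callback: five parents up, then the first child. */
const char *endpt_name_fixed(const struct node *leaf)
{
    const struct node *n = leaf;
    for (int i = 0; i < 5 && n; i++) n = n->parent;
    return (n && n->child) ? n->child->value : NULL; /* NULL when the walk lands on a container */
}
/* Name-based lookup: climb to the nearest "endpoint" ancestor and read its "name" key. */
const char *endpt_name_by_ancestor(const struct node *leaf)
{
    const struct node *n = leaf;
    while (n && strcmp(n->name, "endpoint") != 0) n = n->parent;
    for (const struct node *c = n ? n->child : NULL; c; c = c->next)
        if (strcmp(c->name, "name") == 0) return c->value;
    return NULL;
}

/* Shipped layout vs. the layout with the extra "certificate" container from this issue. */
const char *const shipped[] = {"endpoint", "tls", "tls-server-parameters", "server-identity", "keystore-reference"};
const char *const modified[] = {"endpoint", "tls", "tls-server-parameters", "server-identity", "certificate", "keystore-reference"};
```

With the shipped layout both lookups return "default-tls"; with the extra container the fixed-depth walk lands on the "tls" node and returns NULL, which is the kind of missing endpoint name that produces "invalid argument (endpt_name)".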

@michalvasko
Member

You must not change the YANG modules, obviously. If you want to use netopeer2, you must use the YANG revisions shipped with it. We are working on a major update that is using the ietf-netconf-server YANG module and associated ones from the current drafts.

@michalvasko michalvasko added the is:question Issue is actually a question. label Oct 12, 2023
@RSowndarya
Author

Hi michal,

We didn't change the yang; we are using revision 2020-08-20.
According to that we just modified the configuration scripts.

In example_configuration, after the server-identity node, certificate is not present, as below:

    <server-identity>
        <keystore-reference>
            <asymmetric-key>serverkey</asymmetric-key>
            <certificate>servercert</certificate>
        </keystore-reference>
    </server-identity>

So we added it in our scripts and configured it. We are facing an issue in fetching the endpoint name as mentioned earlier.
During TLS connection establishment, it throws the error "server certificate not set".

Could you please let us know whether the attached configuration is fine and whether the same is handled in the code?

@michalvasko
Member

> we didn't changed the yang, we are using the revision 2020-08-20.

Yes, you did; netopeer2 uses ietf-netconf-server@2019-07-02. You cannot simply update the modules and expect everything to keep working as before when the YANG structure changes; it does not. I have nothing else to add.

@RSowndarya
Author

Hi Michal,

> We are working on a major update that is using the ietf-netconf-server YANG module and associated ones from the current drafts.

Could you please let us know when this update will be available?

@michalvasko
Member

Based on how the work has been progressing, it should be merged into devel of libnetconf2 and netopeer2 quite soon, next week probably.

@RSowndarya
Author

Hi Michal,

Has the major update been merged into libnetconf2 and netopeer2?

@michalvasko
Member

Unfortunately, there were several final changes required, so not yet, and I cannot tell you when it will be.

@RSowndarya
Author

Hi Michal,

Please let us know once the major update is merged into libnetconf2 and netopeer2.

@michalvasko
Member

Actually, it has been merged on Friday into the devel branches of the 2 projects. There are still some minor things to fix, but it should generally work correctly, so you are free to try it yourself.

@RSowndarya
Author

Hi Michal,

We tried to build the devel branch of netopeer2 and observed the error below:

libyang error: Unsatisfied pattern - "" does not conform to "$0$.|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}". (Data location "/ietf-netconf-server:netconf-server/listen/endpoint[name='default-ssh']/ssh/ssh-server-parameters/client-authentication/users/user[name='root']/password", line number 27.)
sysrepocfg error: Data parsing failed

Could you please share your comments on this?

@Roytak
Collaborator

Roytak commented Nov 13, 2023

Hi,

there is currently an issue with the install script. However, calling $ sudo make install as a non-root user should (probably) work, instead of calling # make install as root, if you get me. The script tries to obtain the username of the user who invoked sudo and then searches for his hashed password in /etc/shadow. It seems that in your case the user who invoked sudo is called 'root', but his password couldn't be determined (or is empty). It should be fixed soon though. Anyway, thank you for pointing this out.

@Roytak
Collaborator

Roytak commented Nov 15, 2023

Hi, it should be fixed in the latest devel of netopeer2.

@RSowndarya
Author

Hi,

When will the major yang update be available in the master branch?

@michalvasko
Member

Once we feel it is tested and stable enough. It will be at least a few weeks.

@RSowndarya
Author

Hi Michal,

We are trying to use the libnetconf2 devel branch. During the build we observed the errors below.

../libnetconf2.so.4.0.1: undefined reference to `EVP_PKEY_get_utf8_string_param'
../libnetconf2.so.4.0.1: undefined reference to `EVP_PKEY_is_a'
../libnetconf2.so.4.0.1: undefined reference to `EVP_PKEY_get_bn_param'
collect2: error: ld returned 1 exit status
examples/CMakeFiles/server.dir/build.make:102: recipe for target 'examples/server' failed
make[6]: *** [examples/server] Error 1

Could you please help us fix these errors?

@michalvasko
Member

Please remove all your files in build and run cmake again; the required versions of libraries have changed. In this case you need OpenSSL 3.0.0.

@RSowndarya
Author

Yes, we are using openssl-3.0.0, libssh-0.9.5 and curl-7.38.0.

@michalvasko
Member

That is strange, can you provide the output of # ldconfig -p | grep libssl?

@RSowndarya
Author

Hi Michal,

Please find the output of ldconfig -p | grep libssl:

    libssl3.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl3.so
    libssl.so.1.0.0 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
    libssl.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libssl.so

@michalvasko
Member

Yes, you seem to have both versions 3 and 1 installed, and libnetconf2 was probably linked with the wrong one. I suggest removing the old version or forcing usage of version 3 using CMake variables.

@RSowndarya
Author

Hi Michal,

> Once we feel it is tested and stable enough. Will be at least a few weeks.

When will the latest yang update be available in the master branch?

@michalvasko
Member

I am hoping we will make it still this year, otherwise early next year.

@RSowndarya
Author

Hi Michal,

Could you please let us know the approximate timeline for the latest yang updates in the master branch?

@michalvasko
Member

Well, there are a few things left to do that should make it into the release; in a few weeks' time probably.

@RSowndarya
Author

Hi Michal,

Have the yang updates been released in the master branch?

@michalvasko
Member

Yes, the latest release includes them.
