[Csync2] SSL Handshake Problem

Tim Serong tserong at suse.com
Fri Jan 13 05:21:16 CET 2012


On 01/13/2012 04:16 AM, Mike Young wrote:
> Hi,
>
> I am trying to configure csync2 on a couple of OpenSuse 12.1 nodes, but
> I'm having a problem with respect to TLS handshaking. I've added an
> entry to /etc/services as was required in the Csync paper (csync2
> 30865/tcp # Csync2 service) and I've configured xinetd to enable the
> service. The service appears to start without any issues, until I
> actually perform a "csync2 -xv" operation. Then I get the following error:
>
>     node1:/etc/csync2 # csync2 -xv
>     Connecting to host node2 (SSL) ...
>     WARNING: no socket to connect to
>     Received record packet of unknown type 87
>     SSL: handshake failed: An unexpected TLS packet was received.
>     (GNUTLS_E_UNEXPECTED_PACKET)

Is this csync2 1.34 as shipped with openSUSE 12.1, or a newer one built 
from source manually?

IIRC I had the exact same problem just prior to the 12.1 release, 
because the spec file had:

Requires: xinetd libgnutls26 libgnutls-extra26 gnutls sqlite2 librsync libtasn1-3

Removing the explicit lib requires and letting RPM sort out the mess 
fixed it for me, i.e. the above line was changed to:

Requires: xinetd gnutls sqlite2

>
> I thought maybe my SSL certificates may have been malformed, so I
> regenerated them using these steps:
>
>     openssl genrsa \
>         -out /etc/csync2_ssl_key.pem 1024
>
>     openssl req -new \
>         -key /etc/csync2_ssl_key.pem \
>         -out /etc/csync2_ssl_cert.csr
>
>     openssl x509 -req -days 600 \
>         -in /etc/csync2_ssl_cert.csr \
>         -signkey /etc/csync2_ssl_key.pem \
>         -out /etc/csync2_ssl_cert.pem
>
>
> But that also didn't fix the problem. Any help is greatly appreciated.

One other thing to check is that the SSL certificates on all nodes have 
the exact same details, i.e. same common name etc.  IMO this is 
unbelievably dumb/broken, but seems to be necessary for some reason.

HTH,

Tim
-- 
Tim Serong
Senior Clustering Engineer
SUSE
tserong at suse.com
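
Added example, not part of the original message or of csync2: the "unknown type 87" in the error above is the first byte of what GnuTLS tried to read as a TLS record header, and 87 is the ASCII code for "W", so it is worth checking whether the peer answered with plain text rather than a TLS record. The sketch below decodes the five-byte record header; the function name and both sample byte strings are constructed for illustration and are not captured csync2 traffic.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1; heartbeat from RFC 6520)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS 1.2 ciphertext fragment

def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first bytes read from a peer as a TLS record header."""
    if len(data) < 5:
        return {"verdict": "short", "detail": "need 5 bytes for a record header"}
    # Header layout: content type (1), version major/minor (2), length (2)
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    name = CONTENT_TYPES.get(ctype)
    # SSL 3.0 through TLS 1.3 all carry major version 3 in the record header
    if name and major == 3 and minor <= 4 and length <= MAX_RECORD_LEN:
        return {"verdict": "tls", "type": ctype, "name": name, "length": length}
    # Not a record: if it looks like text, show the line so it can be read
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:16]):
        line = data.split(b"\n", 1)[0].rstrip(b"\r")
        return {"verdict": "plaintext", "type": ctype,
                "text": line.decode("ascii", "replace")}
    return {"verdict": "unknown", "type": ctype}

# Constructed samples: a handshake record header followed by filler bytes,
# and a text line that merely happens to start with "W" (byte value 87).
SAMPLE_TLS = bytes([22, 3, 1, 0, 4]) + b"\x0e\x00\x00\x00"
SAMPLE_TEXT = b"Wrong reply (constructed sample)\n"

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_TEXT):
        print(classify_first_bytes(sample))
```

A "plaintext" verdict with type 87 reproduces the number in the GnuTLS message; reading the decoded line then shows what the peer actually sent at the point where the handshake was expected.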

