[Csync2] SSL Handshake Problem
Mike Young
myoung at wildernessvoice.com
Fri Jan 13 08:17:40 CET 2012
On 1/12/12 9:21 PM, "Tim Serong" <tserong at suse.com> wrote:
>On 01/13/2012 04:16 AM, Mike Young wrote:
>> Hi,
>>
>> I am trying to configure csync2 on a couple of OpenSuse 12.1 nodes, but
>> I'm having a problem with respect to TLS handshaking. I've added an
>> entry to /etc/services as was required in the Csync paper (csync2
>> 30865/tcp # Csync2 service) and I've configured xinetd to enable the
>> service. The service appears to start without any issues, until I
>> actually perform a "csync2 xv" operation. Then I get the following
>> error:
>>
>> node1:/etc/csync2 # csync2 -xv
>> Connecting to host node2 (SSL) ...
>> WARNING: no socket to connect to
>> Received record packet of unknown type 87
>> SSL: handshake failed: An unexpected TLS packet was received.
>> (GNUTLS_E_UNEXPECTED_PACKET)
>
>Is this csync2 1.34 as shipped with openSUSE 12.1, or a newer one built
>from source manually?
This was the version that shipped with 12.1. I also tried to build up
v1.34, but it kept complaining about gnutls' config file that seemed to be
deprecated in newer versions.
>
>IIRC I had the exact same problem just prior to the 12.1 release,
>because the spec file had:
>
>Requires: xinetd libgnutls26 libgnutls-extra26 gnutls sqlite2 librsync libtasn1-3
>
>Removing the explicit lib requires and letting RPM sort out the mess
>fixed it for me, i.e. the above line was changed to:
>
>Requires: xinetd gnutls sqlite2
I'll give that a try. I appreciate the tip.
>
>>
>> I thought maybe my SSL certificates may have been malformed, so I
>> regenerated them using these steps :
>>
>> openssl genrsa \
>>   -out /etc/csync2_ssl_key.pem 1024
>>
>> openssl req -new \
>>   -key /etc/csync2_ssl_key.pem \
>>   -out /etc/csync2_ssl_cert.csr
>>
>> openssl x509 -req -days 600 \
>>   -in /etc/csync2_ssl_cert.csr \
>>   -signkey /etc/csync2_ssl_key.pem \
>>   -out /etc/csync2_ssl_cert.pem
>>
>>
>> But that also didn't fix the problem. Any help is greatly appreciated.
>
>One other thing to check is that the SSL certificates on all nodes have
>the exact same details, i.e. same common name etc. IMO this is
>unbelievably dumb/broken, but seems to be necessary for some reason.
That was my assumption as well, so I regenerated the certs to ensure the
details were the same.
I'll take the rpm and tweak the spec file as you did. And I really
appreciate the suggestion.
Thanks,
Mike
>
>HTH,
>
>Tim
>--
>Tim Serong
>Senior Clustering Engineer
>SUSE
>tserong at suse.com
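
Added example (not part of the original messages and not csync2 code): the "unknown type 87" in the error above is outside the TLS record content types (20 to 24), and 87 is ASCII 'W', which is consistent with the peer having sent text where a TLS record header was expected. The sketch below classifies the first bytes of a reply on that basis; the function name and both sample byte strings are constructed for illustration.

```python
import string

# TLS record ContentType values (RFC 5246 section 6.2.1; heartbeat from RFC 6520).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
    24: "heartbeat",
}

PRINTABLE = set(string.printable.encode("ascii"))


def classify_record_start(data: bytes) -> dict:
    """Classify the first bytes received where a TLS record header is expected."""
    if len(data) < 5:
        return {"verdict": "short_read", "type": data[0] if data else None}
    # Record header layout: type (1 byte), version (2 bytes), length (2 bytes).
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    result = {"type": ctype, "version": (major, minor), "length": length}
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        result["verdict"] = "tls_record"
        result["name"] = TLS_CONTENT_TYPES[ctype]
    elif all(b in PRINTABLE for b in data[:5]):
        # A fully printable "header" means the peer is sending text, not TLS.
        result["verdict"] = "plaintext"
        result["text"] = data.split(b"\n", 1)[0].decode("ascii", "replace")
    else:
        result["verdict"] = "unknown_binary"
    return result


# Constructed samples, not captured from the hosts in this thread.
# A handshake record header (type 22, version 3.1, length 42) plus a dummy body.
SAMPLE_TLS = bytes.fromhex("160301002a") + b"\x02" + b"\x00" * 41
# A constructed text line; only its first byte ('W' == 87) matters here.
SAMPLE_TEXT = b"Wrong protocol: expected plaintext command\n"

if __name__ == "__main__":
    for name, blob in (("tls", SAMPLE_TLS), ("text", SAMPLE_TEXT)):
        print(name, classify_record_start(blob))
```
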