[Csync2] SSL Handshake Problem

Mike Young myoung at wildernessvoice.com
Fri Jan 13 08:17:40 CET 2012



On 1/12/12 9:21 PM, "Tim Serong" <tserong at suse.com> wrote:

>On 01/13/2012 04:16 AM, Mike Young wrote:
>> Hi,
>>
>> I am trying to configure csync2 on a couple of OpenSuse 12.1 nodes, but
>> I'm having a problem with respect to TLS handshaking. I've added an
>> entry to /etc/services as was required in the Csync paper (csync2
>> 30865/tcp # Csync2 service) and I've configured xinetd to enable the
>> service. The service appears to start without any issues, until I
>> actually perform a "csync2 -xv" operation. Then I get the following
>> error:
>>
>>     node1:/etc/csync2 # csync2 -xv
>>     Connecting to host node2 (SSL) ...
>>     WARNING: no socket to connect to
>>     Received record packet of unknown type 87
>>     SSL: handshake failed: An unexpected TLS packet was received.
>>     (GNUTLS_E_UNEXPECTED_PACKET)
>
>Is this csync2 1.34 as shipped with openSUSE 12.1, or a newer one built
>from source manually?

This was the version that shipped with 12.1. I also tried to build up
v1.34, but it kept complaining about gnutls' config file that seemed to be
deprecated in newer versions.

>
>IIRC I had the exact same problem just prior to the 12.1 release,
>because the spec file had:
>
>Requires: xinetd libgnutls26 libgnutls-extra26 gnutls sqlite2 librsync
>libtasn1-3
>
>Removing the explicit lib requires and letting RPM sort out the mess
>fixed it for me, i.e. the above line was changed to:
>
>Requires: xinetd gnutls sqlite2

I'll give that a try. I appreciate the tip.
>
>>
>> I thought maybe my SSL certificates may have been malformed, so I
>> regenerated them using these steps:
>>
>>     openssl genrsa \
>>         -out /etc/csync2_ssl_key.pem 1024
>>
>>     openssl req -new \
>>         -key /etc/csync2_ssl_key.pem \
>>         -out /etc/csync2_ssl_cert.csr
>>
>>     openssl x509 -req -days 600 \
>>         -in /etc/csync2_ssl_cert.csr \
>>         -signkey /etc/csync2_ssl_key.pem \
>>         -out /etc/csync2_ssl_cert.pem
>>
>> But that also didn't fix the problem. Any help is greatly appreciated.
>
>One other thing to check is that the SSL certificates on all nodes have
>the exact same details, i.e. same common name etc.  IMO this is
>unbelievably dumb/broken, but seems to be necessary for some reason.

That was my assumption as well, so I regenerated the certs to ensure the
details were the same.

I'll take the rpm and tweak the spec file as you did. And I really
appreciate the suggestion.

Thanks,

Mike
>
>HTH,
>
>Tim
>-- 
>Tim Serong
>Senior Clustering Engineer
>SUSE
>tserong at suse.com
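Added example, not part of the original thread or of csync2: the number in "Received record packet of unknown type 87" is the first byte of what GnuTLS expected to be a TLS record header, and 87 is the ASCII code for 'W', which suggests readable text arrived where a TLS record was expected. The sketch below decodes a record header and flags that case; the function names and both sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1; heartbeat from RFC 6520).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a TLS 1.2 ciphertext record


def parse_record_header(data: bytes) -> dict:
    """Decode the 5-byte TLS record header: type(1) version(2) length(2)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "name": CONTENT_TYPES.get(ctype),
            "version": (major, minor), "length": length}


def diagnose(data: bytes) -> str:
    """Say whether the first bytes from a peer look like TLS or plain text."""
    hdr = parse_record_header(data)
    if hdr["name"] and hdr["version"][0] == 3 and hdr["length"] <= MAX_RECORD_LEN:
        return "tls record: %s, %d bytes" % (hdr["name"], hdr["length"])
    head = data[:16]
    # Printable ASCII (plus tab/CR/LF) means the peer sent text, not TLS.
    if all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return ("unknown type %d: printable text %r, peer is not speaking TLS"
                % (hdr["type"], head.decode("ascii")))
    return "unknown type %d: not a TLS record" % hdr["type"]


# Constructed samples, not captured from the poster's hosts.
SAMPLE_TLS = bytes([22, 3, 1, 0, 47]) + b"\x01" * 47   # handshake record
SAMPLE_TEXT = b"WARNING: sample plain-text line\n"      # first byte is 87 ('W')

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_TEXT):
        print(diagnose(sample))
```

Feeding it the first bytes read from the csync2 port on the remote node shows whether the service answers with a TLS record or with a text message.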