Re: [OVSDB-TLS] Probe failed to OVSDB switch.


A Vamsikrishna
 

Hi Mohamed,

 

Thanks for your response :)

 

Please find my answers inline.

 

 

Regards,

Vamsi

 

From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Friday, January 05, 2018 12:35 AM
To: A Vamsikrishna <a.vamsikrishna@...>
Cc: ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.

 

Hi Vamsikrishna,

 

Glad that it works, for the cipher suite issue: 

 

  1. First you need to make sure that this cipher (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) is supported on both sides, client/server. This cipher is only supported for TLS1.2 (SSLv3) and (JDK 1.8).

[Vamsi]

 

On OVS Client:

 

stack@ubuntu:/var/log/openvswitch$

stack@ubuntu:/var/log/openvswitch$ openssl version -v

OpenSSL 1.0.2g  1 Mar 2016

stack@ubuntu:/var/log/openvswitch$

 

stack@ubuntu:/var/log/openvswitch$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD

stack@ubuntu:/var/log/openvswitch$

stack@ubuntu:/var/log/openvswitch$ java -version

openjdk version "1.8.0_151"

OpenJDK Runtime Environment (build 1.8.0_151-8u151-b12-0ubuntu0.16.04.2-b12)

OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)

stack@ubuntu:/var/log/openvswitch$

 

On ODL side:

 

C:\Users\egjmnnq>java -version

java version "1.8.0_151"

Java(TM) SE Runtime Environment (build 1.8.0_151-b12)

Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)

C:\Users\egjmnnq>

C:\Users\egjmnnq>

 

 

From the above outputs, can we say that TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is supported by both the OVS client and the ODL server?

 

  2. I guess your problem is in the sig-alg [0] that you used to generate the certificate. I'm not quite sure, but you may need to search for what the supported cipher-suites are for the crypto algorithm you used to generate your certificate.

 

[0] https://github.com/opendaylight/aaa/blob/master/aaa-cert/src/main/resources/initial/aaa-cert-config.xml#L12

 

[Vamsi]

 

https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication

 

Does the command below from the above wiki make use of RSA as the default algorithm?

 

sudo ovs-pki req+sign sc switch

 

 

stack@ubuntu:/etc/openvswitch$

stack@ubuntu:/etc/openvswitch$ sudo ovs-pki --help | grep -i rsa

  -k, --key=rsa|dsa    Type of keys to use (default: rsa)

stack@ubuntu:/etc/openvswitch$

stack@ubuntu:/etc/openvswitch$ sudo ovs-pki --help | grep -i dsa

  -k, --key=rsa|dsa    Type of keys to use (default: rsa)

  -B, --bits=NBITS     Number of bits in keys (default: 2048).  For DSA keys,

  -D, --dsaparam=FILE  File with DSA parameters (DSA only)

                         (default: dsaparam.pem within PKI directory)

stack@ubuntu:/etc/openvswitch$

stack@ubuntu:/etc/openvswitch$

 

If yes, how do I create certificates that make use of the ECDSA algorithm?

 

And also, what changes are required in aaa-cert-config.xml to make TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 work?

 

BR

 

On Thu, Jan 4, 2018 at 1:14 PM, A Vamsikrishna <a.vamsikrishna@...> wrote:

Hi Mohamed,

 

Sorry!!! That’s a typo in the previous email. It’s working after setting <use-mdsal>false</use-mdsal>.

 

Any idea about the non-working cipher issue?

 

Thanks,

Vamsi

 

From: ovsdb-dev-bounces@... [mailto:ovsdb-dev-bounces@...] On Behalf Of A Vamsikrishna
Sent: Thursday, January 04, 2018 11:40 PM
To: Mohamed El-Serngawy <m.elserngawy@...>
Cc: ovsdb-dev@...


Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.

 

Hi Mohamed,

 

It worked after setting the below tag to true :)

 

<use-mdsal>false</use-mdsal>

 

 

I have attached all the steps that I have followed for reference.

 

After adding cipher suite it’s working for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but not for TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

 

Below are the logs:

 

stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log

2018-01-02T21:44:45.533Z|12079|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect

2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640: connecting...

2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

2018-01-02T21:44:53.539Z|12082|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)

2018-01-02T21:44:53.539Z|12083|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect

stack@ubuntu:/var/log/openvswitch$

 

 

47. NOK org.opendaylight.ovsdb.hwvtepsouthbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint

1/4/18 11:32 PM

Missing dependencies:

(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)

 

48. NOK org.opendaylight.ovsdb.library: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint

1/4/18 11:32 PM

Missing dependencies:

(objectClass=org.opendaylight.aaa.cert.api.ICertificateManager)

 

49. NOK org.opendaylight.ovsdb.southbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint

1/4/18 11:32 PM

Missing dependencies:

(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)

 

2018-01-04 23:32:59,622 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xa753e054, L:/192.168.56.1:6640 - R:/192.168.56.102:44828]

2018-01-04 23:33:07,645 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xb41f9441, L:/192.168.56.1:6640 - R:/192.168.56.102:44830]

2018-01-04 23:33:15,663 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xcdb6c31c, L:/192.168.56.1:6640 - R:/192.168.56.102:44832]

2018-01-04 23:33:23,679 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x5191df60, L:/192.168.56.1:6640 - R:/192.168.56.102:44834]

2018-01-04 23:33:31,694 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x9f672ffc, L:/192.168.56.1:6640 - R:/192.168.56.102:44836]

2018-01-04 23:33:39,712 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC

 

Any idea about this issue?

 

Thanks,

Vamsi

 

From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 10:18 PM
To: A Vamsikrishna <a.vamsikrishna@...>
Cc: Jamo Luhrsen <jluhrsen@...>; ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.

 

Hi Vamsikrishna,

 

- As you are using jks files, you need to set <use-mdsal>false</use-mdsal>; otherwise ODL will look for the OVS certificate in MD-SAL, not the jks file.

 

- Also, please confirm that you used the RPC in step 9 and that you were able to see the certificate back.

Wiki step 9: don't forget to change ovs1 to the alias you used when you generated the OVS certificate.

 

curl -X POST -u admin:admin -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
      "aaa-cert-rpc:input": {
        "aaa-cert-rpc:node-alias": "ovs1"
      }
    }'   "http://localhost:8181/restconf/operations/aaa-cert-rpc:getNodeCertifcate"

 

I'm not sure why you used this way to generate the controller certificate; ODL is supposed to generate its own self-signed certificate, OR, if you will use a CA authority, you should sign both OVS and ODL based on certificate requests.

 

BR

 

On Thu, Jan 4, 2018 at 11:28 AM, A Vamsikrishna <a.vamsikrishna@...> wrote:

Hi Mohamed & Jamo,

 

Thanks for your response J

 

Also, sometimes I see the below errors in the ODL and OVS logs:

 

D: [id: 0x78b62606, L:/192.168.56.1:6640 - R:/192.168.56.102:41618]

-01-03 14:31:42,261 | ERROR | assiveConnServ-3 | OvsdbConnectionService           | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Ssl handshake fail. channel [id: 0x78b62606, L:/192.168.56.1:6640 ! R:/192.168.56.102:41618]

 

 

stack@ubuntu:/var/log/openvswitch$

stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log

2018-01-02T18:20:05.920Z|07252|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect

2018-01-02T18:20:13.921Z|07253|reconnect|INFO|ssl:192.168.56.1:6640: connecting...

2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

2018-01-02T18:20:13.928Z|07255|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)

2018-01-02T18:20:13.928Z|07256|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect

stack@ubuntu:/var/log/openvswitch$

stack@ubuntu:/var/log/openvswitch$

 

Please find my answers inline.

 

Regards,

Vamsi

 

From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 8:31 PM
To: Jamo Luhrsen <jluhrsen@...>
Cc: A Vamsikrishna <a.vamsikrishna@...>; ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.

 

Hi Vamsikrishna,

 

So you are following the previous wiki to establish OVS TLS communication without any specific cipher-suites (just so as not to be confused with your other emails).

[Vamsi] Yes

 

Let's do the troubleshooting:

 

  1. In the aaa-cert-config.xml, using mdsal (<use-mdsal>true</use-mdsal>) means you are using ODL in cluster mode? If yes, make sure that the aaa-cert data-tree has been configured in the cluster. If not, the recommendation is to use the jks files as the certificate data store in an ODL single instance.

[Vamsi] I am using ODL in non-cluster mode and I have generated the jks files (ctl.jks and truststore.jks) on OVS by following the attached commands.

 

  2. Did you make sure that the OVS certificate has been stored in ODL? Check step 9 at the wiki.

[Vamsi] Yes, I have manually copied ctl.jks and truststore.jks to ODL’s /configuration/ssl folder and restarted ODL using system:shutdown.

 

 

I will try to go through the wiki again in order to reproduce it. Are you using ODL Nitrogen or master? Let me know.

 

[Vamsi] I am using master.

 

 

 

Thanks

 

-----

 

Thanks Jamo

 

 

On Wed, Jan 3, 2018 at 4:32 PM, Jamo Luhrsen <jluhrsen@...> wrote:

Sending again with Mohamed's gmail address.


On 01/03/2018 01:06 PM, Jamo Luhrsen wrote:
> Vamsi,
>
> I've added Mohamed explicitly to this email, as he was the author of the
> wiki page you are referring to.
>
> I've personally never set up ovsdb with TLS, so not sure if it even
> works. It does seem like a gap we have in our CSIT jobs. Hopefully someone
> (maybe me) can find time to add it. It's not out of the realm of possibility
> that it does not work and we need a bug.
>
> Thanks,
> JamO
>
> On 01/01/2018 07:19 AM, A Vamsikrishna wrote:
>> Hi All,
>>
>>  
>>
>> I am following the below wiki for OVSDB-TLS communication:
>>
>>  
>>
>> https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
>>
>>  
>>
>> I am seeing the below error in the ODL logs:
>>
>>  
>>
>> _remoteIp=IpAddress [_ipv4Address=Ipv4Address [_value=192.168.56.102]], _remotePort=PortNumber [_value=36526], augmentation=[]]
>>
>> 2018-01-01 20:36:43,103 | ERROR | DBConnNotifSer-0 | OvsdbConnectionService           | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Probe failed to OVSDB switch. Disconnecting the channel ConnectionInfo [Remote-address=192.168.56.102, Remote-port=36526, Local-address192.168.56.1, Local-port=6640, type=PASSIVE]
>>
>>  
>>
>> And I am not seeing the SSL connection on OVS:
>>
>>  
>>
>> stack@ubuntu:/etc/openvswitch$ sudo ovs-vsctl show
>>
>> 3dfb73ad-1ea2-46ed-b749-ba55a1ee912f
>>
>>     Manager "ssl:192.168.56.1:6640"
>>
>>     Bridge br-ex
>>
>>         Controller "ssl:192.168.56.1:6653"
>>
>>         Port br-ex
>>
>>             Interface br-ex
>>
>>                 type: internal
>>
>>     ovs_version: "2.6.1"
>>
>> stack@ubuntu:/etc/openvswitch$
>>
>> stack@ubuntu:/etc/openvswitch$
>>
>>  
>>
>> Can you please help me out in fixing this issue?
>>
>>  
>>
>> Attaching the changed config files. Please let me know if you need any info to help on this issue.
>>
>>  
>>
>> Thanks,
>>
>> Vamsi
>>
>>
>>
>> _______________________________________________
>> ovsdb-dev mailing list
>> ovsdb-dev@...
>> https://lists.opendaylight.org/mailman/listinfo/ovsdb-dev
>>
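The key-type dependency behind Mohamed's item 2 and Vamsi's ovs-pki question, as an added example that is not part of the thread: in TLS 1.2 an ECDHE_ECDSA suite can only be offered by a server whose certificate holds an EC key, so an RSA server certificate (ovs-pki's default, and with DSA the only key type its --help lists) leaves ECDHE_RSA negotiable and ECDHE_ECDSA not, whatever the client's OpenSSL supports. The helper names and the IANA-to-OpenSSL name mapping are mine; the suite names are the ones from the thread.

```python
import re
import ssl

# The two suites discussed in the thread: the ECDHE_RSA one negotiated, the
# ECDHE_ECDSA one ended in "sslv3 alert handshake failure" on the OVS side.
SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
]


def _split(iana_name):
    """'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' -> ('ECDHE_ECDSA', 'AES_128_GCM_SHA256')."""
    if not iana_name.startswith("TLS_") or "_WITH_" not in iana_name:
        raise ValueError("not a TLS 1.2 style IANA suite name: %s" % iana_name)
    kx_auth, cipher = iana_name[4:].split("_WITH_", 1)
    return kx_auth, cipher


def iana_to_openssl(iana_name):
    """Map the Java/IANA name to the name 'openssl ciphers -v' prints, so the grep
    run on the OVS host checks the same suite that ODL was configured with."""
    kx_auth, cipher = _split(iana_name)
    cipher = re.sub(r"^(AES|CAMELLIA)_(\d+)", r"\1\2", cipher)  # AES_128 -> AES128
    cipher = cipher.replace("_CBC", "")  # OpenSSL omits the CBC mode marker
    prefix = "" if kx_auth == "RSA" else kx_auth.replace("_", "-") + "-"
    return prefix + cipher.replace("_", "-")


def required_server_key(iana_name):
    """Key type the server certificate must carry: the authentication half of the
    key exchange decides it (ECDHE_ECDSA needs an EC key, ECDHE_RSA/RSA an RSA key)."""
    auth = _split(iana_name)[0].split("_")[-1]
    return {"ECDSA": "EC", "RSA": "RSA"}[auth]


def negotiable(suites, server_key_type):
    """Suites the TLS server (ODL here) can offer given its certificate's key type.
    A suite missing from this list cannot be selected however capable the client is."""
    return [s for s in suites if required_server_key(s) == server_key_type]


def local_openssl_supports(iana_name):
    """Same check as 'openssl ciphers -v | grep ...' on the client, via Python's ssl."""
    enabled = {c["name"] for c in ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).get_ciphers()}
    return iana_to_openssl(iana_name) in enabled


if __name__ == "__main__":
    # ovs-pki defaults to --key=rsa, so a server cert it issued is an RSA cert.
    for key_type in ("RSA", "EC"):
        print("%s server cert can negotiate: %s" % (key_type, negotiable(SUITES, key_type)))
```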

 

 

 
