How to get the right certificate when using nutcpc to connect to NuFW

How to get the right certificate when using nutcpc to connect to NuFW

Nguyen Anh Dung
Hi All,
I'm a newbie to NuFW and I'm trying to install NuFW from source code
on Trustix Linux 3.0.5 (kernel 2.6.19.7-3). After several days of
wrestling :P, I installed it successfully as guided in the handbook
2.2.
I did everything as guided in the handbook from step 3.5.1 to step
3.6.3 (the common name in the certificate is 'right' (my hostname)).

However, when I used nutcpc to connect to NuFW, there were errors:

nutcpc -N -d -C /etc/nufw/nufw-cert.pem -A /etc/nufw/NuFW-cacert.pem -K /etc/nufw/nufw-key.pem -H right
Error in client
   Connecting to NuFW gateway (right)
   Unable to initate connection to NuFW gateway
   Problem: Certificate authority verification failed: invalid, signer not found
   Authentication failed (check parameters)
Error in server
   ** Message: [7] TLS Handshaking (last error: 0)
   ** Message: [4] TLS handshake has failed (The peer did not send any certificate.)
   ** Message: [4] Failed connection from client 127.0.0.1
   GNUTLS ERROR: Error in the push function
   Unable to setup connect

nutcpc -N -d -U root -H right (as in the guideline)
Error in client
    *******    WARNING   ******
    You are trying to connect to nuauth without configuring a certificate authority (CA)
    You are vulnerable to attack like man-in-the-middle.
    Do you really want to do that? Type "yes" to continue: yes
    Connecting to NuFW gateway (127.0.0.1)
    TLS error: server request certificate, none configured
    Unable to initate connection to NuFW gateway
    Problem: Certificate authority verification failed: invalid, signer not found
    Authentication failed (check parameters)
Error in server
   WARNING: you have not provided any certificate authority.
   nutcpc will *NOT* verify server certificate trust.
   Use the -A <cafile> option to setup CA.
   As certificate will not be trusted, disabling FQDN check.
   ** Message: [7] TLS Handshaking (last error: 0)
   ** Message: [4] TLS handshake has failed (The peer did not send any certificate.)
   ** Message: [4] Failed connection from client 127.0.0.1
   GNUTLS ERROR: Error in the push function
   Unable to setup connect

I used "netstat -np" and confirmed that nuauth has connected to NuFW.

BTW, nutcpc has 3 options, -C, -A, and -K. I can understand -K but
am confused about -A and -C. How can I distinguish them and create them?

P.S.: Is there anyone who can make NuFW work by only following the
instructions in the handbook?

Thank you so much.
Dzung Nguyen.


_______________________________________________
Nufw-users mailing list
[hidden email]
http://lists.nongnu.org/mailman/listinfo/nufw-users
Re: How to get the right certificate when using nutcpc to connect to NuFW

Eric Leblond-2
Hi,

On Wednesday, 28 October 2009 at 16:20 +0700, Nguyen Anh Dung wrote:

> Hi All,
> I'm a newbie to NuFW and I'm trying to install NuFW from source code
> on Trustix Linux 3.0.5 (kernel 2.6.19.7-3). After several days of
> wrestling :P, I installed it successfully as guided in the handbook
> 2.2.
> I did everything as guided in the handbook from step 3.5.1 to step
> 3.6.3 (the common name in the certificate is 'right' (my hostname)).
>
> However, when I used nutcpc to connect to NuFW, there were errors:
>
> nutcpc -N -d -C /etc/nufw/nufw-cert.pem -A /etc/nufw/NuFW-cacert.pem
> -K /etc/nufw/nufw-key.pem -H right
> Error in client
>    Connecting to NuFW gateway (right)
>    Unable to initate connection to NuFW gateway
>    Problem: Certificate authority verification failed: invalid, signer not found
>    Authentication failed (check parameters)
> Error in server
>    ** Message: [7] TLS Handshaking (last error: 0)
>    ** Message: [4] TLS handshake has failed (The peer did not send any
> certificate.)
>    ** Message: [4] Failed connection from client 127.0.0.1
>    GNUTLS ERROR: Error in the push function
>    Unable to setup connect
This error is commonly found when client and server do not use the same
certificate authority. Please check that nuauth is using a certificate
provided by NuFW-cacert.pem. If this is not the case, nutcpc will not
send its certificate to the server because it has no certificate the
server can check.

BR,

>
> nutcpc -N -d -U root -H right (as in the guideline)
> Error in client
>     *******    WARNING   ******
>     You are trying to connect to nuauth without configuring a
> certificate authority (CA)
>     You are vulnerable to attack like man-in-the-middle.
>     Do you really want to do that? Type "yes" to continue: yes
>     Connecting to NuFW gateway (127.0.0.1)
>     TLS error: server request certificate, none configured
>     Unable to initate connection to NuFW gateway
>     Problem: Certificate authority verification failed: invalid,
> signer not found
>     Authentication failed (check parameters)
> Error in server
>    WARNING: you have not provided any certificate authority.
>    nutcpc will *NOT* verify server certificate trust.
>    Use the -A <cafile> option to setup CA.
>    As certificate will not be trusted, disabling FQDN check.
>    ** Message: [7] TLS Handshaking (last error: 0)
>    ** Message: [4] TLS handshake has failed (The peer did not send any
> certificate.)
>    ** Message: [4] Failed connection from client 127.0.0.1
>    GNUTLS ERROR: Error in the push function
>    Unable to setup connect
>
> I used "netstat -np" and confirmed that nuauth has connected to NuFW.
>
> BTW, nutcpc has 3 options, -C, -A, and -K. I can understand -K but
> am confused about -A and -C. How can I distinguish them and create them?
-A : certificate authority : the public certificate of the PKI
-K : the private key
-C : the certificate (corresponding to the private key)

>
> P.S.: Is there anyone who can make NuFW work by only following the
> instructions in the handbook?

Looks like some have succeeded ;)

BR,

>
> Thank you so much.
> Dzung Nguyen.
>
>
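A way to test the two points from the reply above before starting nutcpc, as an added example that is not part of the original messages or of NuFW: it checks that a certificate verifies against the CA file (-A) and that the private key (-K) belongs to the certificate (-C). The function names and the throwaway demo PKI are assumptions made for this example; only the openssl commands are real.

```shell
#!/bin/sh
# Added example (not NuFW code): check the files given to nutcpc via
# -A / -C / -K, or the nuauth pair, before attempting a connection.

# Succeed when CERT verifies against the CA certificate in CA_FILE.
# The "OK" text is checked as well, since some old OpenSSL releases
# could exit 0 from "verify" after a failed verification.
signed_by_ca() {    # usage: signed_by_ca CA_FILE CERT
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    case $out in *": OK"*) return 0 ;; esac
    return 1
}

# Return 0 when everything is consistent, 1 when CERT does not verify
# against CA_FILE, 2 when KEY is not the private key of CERT, and
# 3 when CERT or KEY cannot be parsed.
check_tls_files() { # usage: check_tls_files CA_FILE CERT KEY
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 3
    if ! signed_by_ca "$1" "$2"; then
        echo "FAIL: $2 does not verify against CA $1"
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $3 is not the private key of $2"
        return 2
    fi
    echo "OK: $2 verifies against $1 and matches $3"
}

# Build a constructed throwaway PKI in directory $1 (all names made up):
# two unrelated CAs, A and B, and a client certificate signed by A only.
make_demo_pki() {
    for ca in A B; do
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 \
            -subj "/CN=Demo CA $ca" \
            -keyout "$1/ca$ca.key" -out "$1/ca$ca.pem" 2>/dev/null || return 1
    done
    openssl genrsa -out "$1/client.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/client.key" -subj "/CN=right" \
        -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/client.csr" -CA "$1/caA.pem" \
        -CAkey "$1/caA.key" -CAcreateserial -out "$1/client.pem" 2>/dev/null
}

# Same certificate and key, checked against the right and the wrong CA.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    check_tls_files "$d/caA.pem" "$d/client.pem" "$d/client.key"
    check_tls_files "$d/caB.pem" "$d/client.pem" "$d/client.key"
    rm -rf "$d"
}

# "demo" runs the constructed case; three file names check real files.
case ${1:-} in
    demo) demo ;;
    ?*)   check_tls_files "$@" ;;
esac
```

With the file names used in this thread the call would be `check_tls_files /etc/nufw/NuFW-cacert.pem /etc/nufw/nufw-cert.pem /etc/nufw/nufw-key.pem`, repeated with `nuauth-cert.pem` and `nuauth-key.pem` so that both ends are checked against the same CA.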

RE: How to get the right certificate when using nutcpc to connect to NuFW

Nguyen Anh Dung
Hi Eric Leblond,
Thanks for your response, I did test it for 2 hours and got nothing :(
I tried another way, as in the guideline:
        openssl req -new -x509 -keyout private/CAkey.pem -out private/CAcert.pem
        You have to set a strong password here and keep it secret.

        Generating nufw and nuauth private keys:
        openssl genrsa -out private/nufw-key.pem
        openssl genrsa -out private/nuauth-key.pem

        Generating Certificate Signing Requests for both nufw and nuauth keys:
        openssl req -new -key private/nufw-key.pem -out nufw.csr
        openssl req -new -key private/nuauth-key.pem -out nuauth.csr

        Having our keys signed by the certificate authority we created:
        openssl x509 -req -days 365 -in nufw.csr -CA private/CAcert.pem \
            -CAkey private/CAkey.pem -CAcreateserial -out nufw-cert.pem
        openssl x509 -req -days 365 -in nuauth.csr -CA private/CAcert.pem \
            -CAkey private/CAkey.pem -CAcreateserial -out nuauth-cert.pem

        Copy the files where needed:
        For nufw:
        cp private/nufw-key.pem /etc/nufw/
        cp nufw-cert.pem /etc/nufw/
        For nuauth:
        cp private/nuauth-key.pem /etc/nufw/
        cp nuauth-cert.pem /etc/nufw/

I created the certificate authority (CAcert.pem) and I copied it to /etc/nufw/NuFW-cacert.pem.
Then I tried nutcpc again
nutcpc -N -d -C /etc/nufw/nufw-cert.pem -A /etc/nufw/NuFW-cacert.pem -K /etc/nufw/nufw-key.pem -H right
There are errors:

On the client side:
Connecting to NuFW gateway (right)
Server Certificate OK
TLS session lost, check your certificate validity.
Unable to initate connection to NuFW gateway
Problem: Error in the certificate.
Authentication failed (check parameters)

On the server side:
** Message: [7] TLS Handshaking (last error: 0)
** Message: [9] Peer provided 1 certificates
** Message: [9] module checks certificate
Unable to setup connect
** Message: [7] client didn't choose mechanism
** Message: Authentication error: SASL error: authentication process interupted.
** Message: Authentication error: user: (null) from 127.0.0.1 port (4819), protocol version 4

Thank you so much.
Dzung Nguyen.

-----Original Message-----
From: Eric Leblond [mailto:[hidden email]]
Sent: Wednesday, 28 October 2009 16:59
To: Nguyen Anh Dung
Cc: [hidden email]
Subject: Re: [Nufw-users] How to get the right certificate when using nutcpc to connect to NuFW


RE: How to get the right certificate when using nutcpc to connect to NuFW

Eric Leblond-5
Hi,

On Thu, 29 Oct 2009 06:57:03 +0700, "Nguyen Anh Dung" <[hidden email]>
wrote:

> Hi Eric Leblond,
> Thanks for your response, I did test it for 2 hours and got nothing :(
> I tried another way, as in the guideline:
> openssl req -new -x509 -keyout private/CAkey.pem -out private/CAcert.pem
> You have to set a strong password here and keep it secret.
>
> Generating nufw and nuauth private keys:
> openssl genrsa -out private/nufw-key.pem
> openssl genrsa -out private/nuauth-key.pem
> Generating Certificate Signing Requests for both nufw and nuauth keys:
> openssl req -new -key private/nufw-key.pem -out nufw.csr
> openssl req -new -key private/nuauth-key.pem -out nuauth.csr
>
> Having our keys signed by the certificate authority we created:
> openssl x509 -req -days 365 -in nufw.csr -CA private/CAcert.pem \
> -CAkey private/CAkey.pem -CAcreateserial -out nufw-cert.pem
> openssl x509 -req -days 365 -in nuauth.csr -CA private/CAcert.pem \
> -CAkey private/CAkey.pem -CAcreateserial -out nuauth-cert.pem
>
> Copy the files where needed:
> For nufw:
> cp private/nufw-key.pem /etc/nufw/
> cp nufw-cert.pem /etc/nufw/
> For nuauth:
> cp private/nuauth-key.pem /etc/nufw/
> cp nuauth-cert.pem /etc/nufw/
>
> I created the certificate authority (CAcert.pem) and I copied it to
> /etc/nufw/NuFW-cacert.pem.
> Then I tried nutcpc again
> nutcpc -N -d -C /etc/nufw/nufw-cert.pem -A /etc/nufw/NuFW-cacert.pem -K /etc/nufw/nufw-key.pem -H right
> There are errors:
>
> On the client side:
> Connecting to NuFW gateway (right)
> Server Certificate OK
> TLS session lost, check your certificate validity.
> Unable to initate connection to NuFW gateway
> Problem: Error in the certificate.
> Authentication failed (check parameters)
>
> On the server side:
> ** Message: [7] TLS Handshaking (last error: 0)
> ** Message: [9] Peer provided 1 certificates

Hey, you've succeeded in having TLS working! You are blocked at the next step.

> ** Message: [9] module checks certificate
> Unable to setup connect
> ** Message: [7] client didn't choose mechanism

Here, you have a problem with the client at the very start of the SASL
negotiation.

What authentication method are you trying to use?
Have you modified the variable nuauth_uses_fake_sasl in nuauth.conf?

BR,


> ** Message: Authentication error: SASL error: authentication process
> interupted.
> ** Message: Authentication error: user: (null) from 127.0.0.1 port (4819),
> protocol version 4
>
> Thank you so much.
> Dzung Nguyen.

--
Eric Leblond
http://www.inl.fr  -  http://www.edenwall.com



RE: How to get the right certificate when using nutcpc to connect to NuFW

Nguyen Anh Dung
Hi,
I tried setting nuauth_uses_fake_sasl to 0 and to 1 and then tested it, but things are the same. I did install Kerberos too.

Thanks,
Dzung Nguyen.

-----Original Message-----
From: Eric Leblond [mailto:[hidden email]]
Sent: Thursday, 29 October 2009 14:20
To: Nguyen Anh Dung
Cc: [hidden email]
Subject: RE: [Nufw-users] How to get the right certificate when using nutcpc to connect to NuFW
