[osiris] HELP! Hours of session key negotiation failure

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Nov 9 17:12:01 EST 2006


Sorry for the shout but it is for real.  We have an emergency
replacement server we're trying to put into production and, as a policy,
we always place our systems under Osiris before putting them into
production.

We have been hung up for hours trying to get Osiris on this emergency
host.  When we try to connect to the host, we get:
!! error: session key negotiation with remote host failed.

The time stamps are correct on both devices.  We have tried manually
placing the osiris root CA cert on the client and deleting it.  We've
wiped the client installation (it was copied from another server) and
recompiled and reinstalled.  We've recycled the management console.
We've tried different permissions on the /usr/local/osirisd and the CA
cert it contains.  I'm at my wit's end.  More details below.

Here is the sequence from the osirismd syslog:
[400][mail1dc1.atlas][info] received status request.
[600][mail1dc1.atlasgroup.net][err] daemon did not present session key.
[600][mail1dc1.atlasgroup.net][err] session key negotiation failed.

Here is the syslog on the client:
[info] using root directory: /usr/local/osiris
[err] loading root cert: /usr/local/osiris/osiris_root.pem.
[info] SSL server running.
[info] connection from: 192.168.26.2
[err] error with SSL negotiation.

If we manually copy in the root CA cert to /usr/local/osiris after
checking the hash to make sure it is the same root CA cert as on the
management console and with root ownership (-rw------- 1 root root 1338
Nov  9 16:49 osiris_root.pem), and restarting osirisd, the client syslog
looks like this:
[info] using root directory: /usr/local/osiris
[err] loading root cert: /usr/local/osiris/osiris_root.pem.
[info] SSL server running.
[info] server started on port: 2265.
[info] connection from: 192.168.26.2
[err] error with SSL negotiation.

The management syslog is the same as before.

If we change ownership of the root CA cert to osiris (-rw------- 1
osiris osiris 1338 Nov  9 16:49 osiris_root.pem), and restart osirisd,
we get:
[info] using root directory: /usr/local/osiris
[info] SSL server running.
[info] server started on port: 2265.
[info] connection from: 192.168.26.2
[err] error with SSL negotiation.

So the CA cert load error goes away but the communication with the
management console still fails.  The management syslog is the same as
before.

We have many other hosts that are working just fine.  There is one thing
different about this client.  The client is living on a Xen 2.0.7
virtual machine based upon fedora core 3.  All the other VMs are FC3
using openssl-0.9.7a-42.2.  This device required fedora core 5 even
though it is using the old Xen kernel.  Thus, udev is broken.  It is
using openssl-0.9.8a-5.4.

Just in case the agent compiled on the FC3 devices was linking to a
different set of libraries, e.g., libssl.so.4 instead of libssl.so.6, I
recompiled the agent on the new client and installed from scratch after
manually deleting all traces of the previous osiris installation.
Unfortunately, that did not fix the problem.

I'm running out of options and am facing a second all-nighter to fix this
emergency.  Any ideas on what to do to make this work? We are using
osiris 4.1.9.  Thanks VERY much - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
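
A small diagnostic for the three things the post checks by hand (that the agent's root CA is byte-for-byte the console's, that the daemon user can read it and nobody else can, and which libssl the agent binary actually links). This is an added example, not code from Osiris or from the original post. It assumes a Linux host with GNU coreutils (stat -c, sha256sum, base64 -d); the paths in the usage comment (/usr/local/osiris/osiris_root.pem, a copy of the console's CA, the osiris user, and an osirisd binary path) are placeholders taken or guessed from the post, not verified locations. The fingerprint is taken over the decoded DER rather than the raw file, so a cert pasted by hand and one copied by scp compare equal even if line wrapping or CR/LF differs.

```shell
#!/bin/sh
# Added diagnostic for the symptoms in the post; not part of Osiris.
# Assumes GNU coreutils (stat -c, sha256sum, base64 -d), i.e. a Linux host.

# Print the SHA-256 of the DER body of a PEM certificate, ignoring the
# armour lines, line wrapping and CR/LF differences. Returns non-zero if
# the file is unreadable or does not decode as base64.
pem_fingerprint() {
    [ -r "$1" ] || return 1
    tmp=$(mktemp) || return 1
    if ! sed -e '/^-----/d' "$1" | tr -d ' \t\r\n' | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    sha256sum "$tmp" | cut -d' ' -f1
    rm -f "$tmp"
}

# 0 if both PEM files carry the same certificate, 1 otherwise.
same_cert() {
    a=$(pem_fingerprint "$1") || return 1
    b=$(pem_fingerprint "$2") || return 1
    [ "$a" = "$b" ]
}

# 0 if $1 is owned by user $2 with mode 600: readable by the daemon user
# and nobody else (the post reports the loader error cleared once the
# file was chowned to osiris).
owned_and_private() {
    [ "$(stat -c '%U' "$1")" = "$2" ] && [ "$(stat -c '%a' "$1")" = "600" ]
}

# Which libssl a binary resolves at run time (libssl.so.4 vs libssl.so.6
# on the FC3/FC5 hosts in the post). Returns non-zero if ldd is missing.
libssl_of() {
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -i 'libssl'
}

# Run all three checks. Arguments: agent CA path, reference copy of the
# console's CA, daemon user, path to the osirisd binary.
check_agent_ca() {
    agent_ca=$1 console_ca=$2 user=$3 daemon=$4
    rc=0
    if same_cert "$agent_ca" "$console_ca"; then
        echo "ok: $agent_ca matches the console root CA"
    else
        echo "FAIL: $agent_ca differs from $console_ca (or does not parse)"
        rc=1
    fi
    if owned_and_private "$agent_ca" "$user"; then
        echo "ok: $agent_ca is owned by $user, mode 600"
    else
        echo "FAIL: $agent_ca should be $user-owned, mode 600; is $(stat -c '%U:%G %a' "$agent_ca" 2>/dev/null)"
        rc=1
    fi
    echo "libssl linked by $daemon:"
    libssl_of "$daemon" || echo "  (none reported)"
    return $rc
}

# Stand-alone use (paths are assumptions, adjust to the install):
#   sh check_osiris_ca.sh /usr/local/osiris/osiris_root.pem \
#       /tmp/console_root.pem osiris /usr/local/sbin/osirisd
if [ $# -eq 4 ]; then
    check_agent_ca "$@"
fi
```

Run it as the root user on the agent after copying the console's osiris_root.pem to a scratch path. A matching fingerprint plus a 600/osiris-owned file rules out the two causes the post has already chased; a libssl line that names a different soname than the other agents points at the library mismatch the post suspects.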



