[osiris] Re: HELP! Hours of session key negotiation failure

John A. Sullivan III jsullivan at opensourcedevel.com
Thu Nov 9 17:55:08 EST 2006


We do actually use very granular and restrictive security.  Promoting,
using and developing the ISCS network security management project to
create multi-layered, compartmentalized networks to prevent the
escalation of privileges in the eventuality of an internal attack
(http://iscs.sourceforge.net). However, the monitoring station presents
an X.509 cert that gives it unlimited access to the entire security
cloud so that it can run both Osiris and Nessus scans.

I did run tcpdump on the client and management console and could see
the packet exchange.  If I telnet on port 2265, it connects but then
immediately disconnects.  Other clients stay connected and return some
characters.  I assume that is because they have a memory resident key
whereas the new client does not.

Thanks for the thought though - John

On Thu, 2006-11-09 at 17:44 -0500, Justis Peters wrote:
> John,
> 
> My guess here is a total shot in the dark, but you've tried just about
> everything one can imagine.  I feel for you.
> 
> Is it possible that you have extremely tight firewalling enabled that is
> blocking outgoing communication from the host back to the server?  The
> messages in the logs look like they could be exactly this.  Maybe the
> "error with SSL negotiation" is that it never manages to send its
> session key, even though it has one.  It is the "daemon did not present
> session key" message on the osirismd side that makes me suspect this.
> 
> Whatever the solution is, I wish you good luck.  I hope you get to sleep
> tonight.
> 
> Kind regards,
> Justis Peters
> Total Home Integration
> www.totalhomeintegration.com
> 
> John A. Sullivan III wrote:
> > Sorry for the shout but it is for real.  We have an emergency
> > replacement server we're trying to put into production and, as a policy,
> > we always place our systems under Osiris before putting them into
> > production.
> >
> > We have been hung up for hours trying to get Osiris on this emergency
> > host.  When we try to connect to the host, we get:
> > !! error: session key negotiation with remote host failed.
> >
> > The time stamps are correct on both devices.  We have tried manually
> > placing the osiris root CA cert on the client and deleting it.  We've
> > wiped the client installation (it was copied from another server) and
> > recompiled and reinstalled.  We've recycled the management console.
> > We've tried different permissions on the /usr/local/osirisd and the CA
> > cert it contains.  I'm at my wit's end.  More details below.
> >
> > Here is the sequence from the osirismd syslog:
> > [400][mail1dc1.atlas][info] received status request.
> > [600][mail1dc1.atlasgroup.net][err] daemon did not present session key.
> > [600][mail1dc1.atlasgroup.net][err] session key negotiation failed.
> >
> > Here is the syslog on the client:
> > [info] using root directory: /usr/local/osiris
> > [err] loading root cert: /usr/local/osiris/osiris_root.pem.
> > [info] SSL server running.
> > [info] connection from: 192.168.26.2
> > [err] error with SSL negotiation.
> >
> > If we manually copy in the root CA cert to /usr/local/osiris after
> > checking the hash to make sure it is the same root CA cert as on the
> > management console and with root ownership (-rw------- 1 root root 1338
> > Nov  9 16:49 osiris_root.pem), and restarting osirisd, the client syslog
> > looks like this:
> > [info] using root directory: /usr/local/osiris
> > [err] loading root cert: /usr/local/osiris/osiris_root.pem.
> > [info] SSL server running.
> > [info] server started on port: 2265.
> > [info] connection from: 192.168.26.2
> > [err] error with SSL negotiation.
> >
> > The management syslog is the same as before.
> >
> > If we change ownership of the root CA cert to osiris (-rw------- 1
> > osiris osiris 1338 Nov  9 16:49 osiris_root.pem), and restart osirisd,
> > we get:
> > [info] using root directory: /usr/local/osiris
> > [info] SSL server running.
> > [info] server started on port: 2265.
> > [info] connection from: 192.168.26.2
> > [err] error with SSL negotiation.
> >
> > So the CA cert load error goes away but the communication with the
> > management console still fails.  The management syslog is the same as
> > before.
> >
> > We have many other hosts that are working just fine.  There is one thing
> > different about this client.  The client is living on a Xen 2.0.7
> > virtual machine based upon fedora core 3.  All the other VMs are FC3
> > using openssl-0.9.7a-42.2.  This device required fedora core 5 even
> > though it is using the old Xen kernel.  Thus, udev is broken.  It is
> > using openssl-0.9.8a-5.4.
> >
> > Just in case the agent compiled on the FC3 devices was linking to a
> > different set of libraries, e.g., libssl.so.4 instead of libssl.so.6, I
> > recompiled the agent on the new client and installed from scratch after
> > manually deleting all traces of the previous osiris installation.
> > Unfortunately, that did not fix the problem.
> >
> > I am running out of options and am facing a second all-nighter to fix this
> > emergency.  Any ideas on what to do to make this work? We are using
> > osiris 4.1.9.  Thanks VERY much - John
> >
> >   
> 
> _______________________________________________
> osiris mailing list
> osiris at lists.shmoo.com
> https://lists.shmoo.com/mailman/listinfo/osiris
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
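An added agent-side check that scripts the hand checks described in the thread (root CA hash matches the console's copy, file owned by the osiris account with mode 0600, and which libssl the agent actually resolves); it is example code, not part of Osiris or of either poster's message. The osirisd binary path, the placeholder hash and GNU coreutils (stat -c, sha256sum) are assumptions.

```shell
#!/bin/sh
# Agent-side sanity check for the Osiris root CA cert and libssl linkage.
# Added diagnostic example, not from the Osiris project. The binary path,
# the osiris account name and EXPECTED_SHA256 are assumptions to edit.
# Assumes GNU coreutils (stat -c, sha256sum) and, optionally, ldd.

OSIRIS_ROOT=/usr/local/osiris                 # root directory from the client syslog
CERT="$OSIRIS_ROOT/osiris_root.pem"
OSIRISD="$OSIRIS_ROOT/osirisd"                # assumed location of the agent binary
EXPECTED_SHA256="<sha256-of-console-osiris_root.pem>"   # placeholder, fill in

# check_cert_file FILE EXPECTED_SHA256 OWNER MODE
# Returns 0 only when FILE exists, its SHA-256 equals the console's copy,
# and it is owned by OWNER with octal mode MODE (e.g. osiris 600), so the
# account osirisd drops to can actually read it.
check_cert_file() {
    f=$1; want=$2; owner=$3; mode=$4
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    got=$(sha256sum "$f" | cut -d' ' -f1)
    [ "$got" = "$want" ] || { echo "hash mismatch: $f"; return 1; }
    set -- $(stat -c '%U %a' "$f")          # owner name, octal mode
    [ "$1" = "$owner" ] || { echo "owner is $1, expected $owner"; return 1; }
    [ "$2" = "$mode" ]  || { echo "mode is $2, expected $mode"; return 1; }
    return 0
}

# linked_libssl BINARY: prints the libssl the agent resolves at run time,
# to catch an agent built on one host (libssl.so.4) and copied to a host
# that only ships libssl.so.6.
linked_libssl() {
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available"; return 1; }
    ldd "$1" 2>/dev/null | awk '/libssl/ {print $1, $3}'
}

# Run the checks only when invoked as: sh osiris_agent_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_cert_file "$CERT" "$EXPECTED_SHA256" osiris 600 && echo "cert ok"
    linked_libssl "$OSIRISD"
fi
```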