Date: Mon, 30 Dec 2002 07:55:44 -0500 (EST)
From: "George A. Theall" <[EMAIL PROTECTED]>
On Mon, 30 Dec 2002 [EMAIL PROTECTED] wrote:
> Hi. I recently installed nessus, and got nessusd to run without
> problems, but my attempts to log in to nessus fail with an "SSL
> error":
>
> # nessus
> SSL_CTX_load_verify_locations[18486]: error:06065064:digital envelope
> routines:EVP_DecryptFinal:bad decrypt
^^^^^^^^^^^ here's where problem starts
(BTW, many thanks for your help!)
> My ~/.nessusrc file is:
>
> cert_file=/root/ssl/clientcert.pem
> key_file=/root/ssl/clientkey.pem
> ssl_version=SSLv3
> trusted_ca=/usr/local/openssl/private/cacert.pem
> nessusd_host=localhost
> nessusd_user=root
> paranoia_level=3
>
> ...and the relevant portion of nessusd.conf is:
>
> admin_user = root
> cert_file=/usr/local/com/nessus/CA/servercert.pem
> key_file=/usr/local/var/nessus/CA/serverkey.pem
> ca_file=/usr/local/openssl/private/cacert.pem
> ssl_version=SSLv3
> pem_password=...
> force_pubkey_auth = yes
Looks like a problem with the passphrase with your server's private key.
Are you sure you specified it properly in setting pem_password in
nessusd.conf?

I think so. In fact, at first I couldn't get nessusd to run without
error messages, and the reason was that I had the wrong value for
pem_password in nessusd.conf. When I corrected it, nessusd ran
without errors. This is what makes me think that I have the correct
passphrase for the server's key.

What happens if you run "openssl s_client -connect localhost:1241 -ssl3
-cert /root/ssl/clientcert.pem -CAfile /usr/local/openssl/private/cacert.pem"
from a command line to connect to nessusd directly?

This is what I get (along with the output of additional commands):

luna:~# nessusd -D
luna:~# netstat -tap | grep nessusd
tcp 0 0 *:1241 *:* LISTEN 19211/nessusd
luna:~# openssl s_client -connect localhost:1241 -ssl3 -cert /root/ssl/clientcert.pem -CAfile /usr/local/openssl/private/cacert.pem
unable to get private key from '/root/ssl/clientcert.pem'
19212:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:666:Expecting: ANY PRIVATE KEY
19212:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:missing asn1 eos:ssl_rsa.c:707:
luna:~# cat /root/ssl/clientcert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=New York, L=New York, O=Kynn Jones, CN=Kynn [EMAIL PROTECTED]
Validity
Not Before: Dec 29 23:43:16 2002 GMT
Not After : Dec 29 23:43:16 2003 GMT
Subject: C=US, ST=New York, O=Kynn Jones, CN=nessus [EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
65:F8:B2:7A:7C:F1:2D:E8:56:EB:F2:2F:2B:D0:0E:F6:05:68:A7:E3
X509v3 Authority Key Identifier:
keyid:71:BB:AB:07:8B:74:6D:D3:26:8B:59:4E:85:5B:B0:DC:CF:39:76:46
DirName:/C=US/ST=New York/L=New York/O=Kynn Jones/CN=Kynn [EMAIL PROTECTED]
serial:00
Signature Algorithm: md5WithRSAEncryption
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Thanks!
kj
-
[EMAIL PROTECTED]: general discussions about Nessus.
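
Added example, not part of the original thread: when `openssl s_client` is given `-cert` without `-key`, it looks for the private key in the certificate file, which is where "Expecting: ANY PRIVATE KEY" comes from if that file holds only a certificate; a "bad decrypt" error, by contrast, is what a passphrase-protected key yields when the wrong passphrase is supplied. The sketch below classifies PEM files by their BEGIN labels so both cases can be told apart before connecting; the function names and the sample files are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify PEM files by BEGIN label.
# Print each PEM block label in FILE, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Print "cert", "key", "encrypted-key", a "+"-joined combination, or "none".
pem_kind() {
    _labels=$(pem_labels "$1"); _kind=""
    if printf '%s\n' "$_labels" | grep -q 'CERTIFICATE$'; then _kind="cert"; fi
    if printf '%s\n' "$_labels" | grep -q 'PRIVATE KEY$'; then
        # Encrypted: PKCS#8 "ENCRYPTED PRIVATE KEY" label, or the traditional
        # format's "Proc-Type: 4,ENCRYPTED" header inside the block.
        if printf '%s\n' "$_labels" | grep -q '^ENCRYPTED PRIVATE KEY$' ||
           grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            _kind="${_kind:+$_kind+}encrypted-key"
        else
            _kind="${_kind:+$_kind+}key"
        fi
    fi
    echo "${_kind:-none}"
}

# check_client_pair CERT_FILE [KEY_FILE]: without KEY_FILE the certificate
# file doubles as the key file, as with `openssl s_client -cert` and no -key.
# Returns 0 if usable, 1 if no certificate block, 2 if no private key block.
check_client_pair() {
    _cert=$1; _key=${2:-$1}
    _ck=$(pem_kind "$_cert"); _kk=$(pem_kind "$_key")
    case $_ck in
        *cert*) ;;
        *) echo "$_cert: no certificate block ($_ck)"; return 1 ;;
    esac
    case $_kk in
        *encrypted-key*) echo "$_key: encrypted private key, passphrase needed" ;;
        *key*) echo "$_key: unencrypted private key" ;;
        *) echo "$_key: no private key block ($_kk), pass it with -key"; return 2 ;;
    esac
}

# Constructed sample files: dummy bodies, only the labels and headers matter.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/key.pem"
}
```

With the paths from the thread, `check_client_pair /root/ssl/clientcert.pem /root/ssl/clientkey.pem` checks the pair that `~/.nessusrc` names, while calling it with the certificate file alone mirrors the `s_client` invocation shown above.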