Hi All,

I have generated certificates and used the keys while entering the SNMP commands. I ran snmpd after entering the following lines in snmp.conf:

peerCert 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
localCert 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6

where peerCert is the fingerprint of snmpd.crt and localCert that of manager.crt. And in snmpd.conf, I have:

[snmp] localCert 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
certSecName 10 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6 --cn

The snmpget dtlsudp:localhost:10161 sysContact.0 gives the following debug messages:

cert:util:init: init
cert:index:add: dir /usr/local/etc/snmp/tls/ca-certs at index 0
cert:index:add: dir /home/anjali/.snmp/tls/certs at index 4
cert:index:add: dir /usr/local/etc/snmp/tls/private at index 2
cert:index:add: dir /home/anjali/.snmp/tls/private at index 5
cert:index:add: dir /home/anjali/.snmp/tls/ca-certs at index 3
cert:index:add: dir /usr/local/etc/snmp/tls/certs at index 1
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/ca-certs
cert:index:lookup: /usr/local/etc/snmp/tls/ca-certs (0) /var/net-snmp/cert_indexes/0
cert:index:parse: The index for /usr/local/etc/snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/certs
cert:index:lookup: /usr/local/etc/snmp/tls/certs (1) /var/net-snmp/cert_indexes/1
cert:index:parse: The index for /usr/local/etc/snmp/tls/certs looks good
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/private
cert:index:lookup: /usr/local/etc/snmp/tls/private (2) /var/net-snmp/cert_indexes/2
cert:index:parse: The index for /usr/local/etc/snmp/tls/private looks good
cert:key:struct:new: new key 0x0x9f81438 for manager.key
cert:key:struct:new: new key 0x0x9f81388 for snmpd.key
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/ca-certs
cert:index:lookup: /home/anjali/.snmp/tls/ca-certs (3) /var/net-snmp/cert_indexes/3
cert:index:parse: The index for /home/anjali/.snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/certs
cert:index:lookup: /home/anjali/.snmp/tls/certs (4) /var/net-snmp/cert_indexes/4
cert:index:parse: The index for /home/anjali/.snmp/tls/certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/private
cert:index:lookup: /home/anjali/.snmp/tls/private (5) /var/net-snmp/cert_indexes/5
cert:index:parse: The index for /home/anjali/.snmp/tls/private looks good
cert:partner: manager.crt match found!
cert:partner: snmpd.crt match found!
cert:key:read: Checking file snmpd.key
cert:key:read: Checking file manager.key
cert:dump: -------------------- Certificates -----------------
cert:dump: cert snmpd.crt in /usr/local/etc/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: cert manager.crt in /usr/local/etc/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: key manager.key in /usr/local/etc/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: key snmpd.key in /usr/local/etc/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: ------------------------ End ----------------------
cert:find:params: looking for identity(1) in DEFAULT(0x0), hint 0
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 167466280
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 167466280
cert:find:params: hint = 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 167493864
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 167493864
cert:find:params: hint = 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:trust_ca: checking roots for 0x9f80f08
cert:trust: putting trusted cert 0x9f81f70 = 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 in certstore 0x9fd36d0
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 167598104
cert:find:params: hint = 8954990382e414a949d54638c05fb5b2b82771c6
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in DEFAULT(0x0), hint 0
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 167493864
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 167493864
cert:find:params: hint = 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
tsm: needed to free transport data
The fingerprint from the remote side's certificate didn't match the expected
got 8954990382e414a949d54638c05fb5b2b82771c6, expected 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0
DTLSUDP: failed to verify ssl certificate (of the server)
failed rfc5343 contextEngineID probing
snmpwalk: Timeout (Success)

But if I comment out peerCert and localCert and run snmpd with the fingerprints entered on the command line, I get the output.

snmpget -v 3 -u final --defSecurityModel=tsm -T our_identity=89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6 -T their_identity=09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0 dtlsudp:localhost:10161 sysContact.0 -Dcert

output:

cert:util:init: init
cert:index:add: dir /usr/local/etc/snmp/tls/ca-certs at index 0
cert:index:add: dir /home/anjali/.snmp/tls/certs at index 4
cert:index:add: dir /usr/local/etc/snmp/tls/private at index 2
cert:index:add: dir /home/anjali/.snmp/tls/private at index 5
cert:index:add: dir /home/anjali/.snmp/tls/ca-certs at index 3
cert:index:add: dir /usr/local/etc/snmp/tls/certs at index 1
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/ca-certs
cert:index:lookup: /usr/local/etc/snmp/tls/ca-certs (0) /var/net-snmp/cert_indexes/0
cert:index:parse: The index for /usr/local/etc/snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/certs
cert:index:lookup: /usr/local/etc/snmp/tls/certs (1) /var/net-snmp/cert_indexes/1
cert:index:parse: The index for /usr/local/etc/snmp/tls/certs looks good
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /usr/local/etc/snmp/tls/private
cert:index:lookup: /usr/local/etc/snmp/tls/private (2) /var/net-snmp/cert_indexes/2
cert:index:parse: The index for /usr/local/etc/snmp/tls/private looks good
cert:key:struct:new: new key 0x0x97b6218 for manager.key
cert:key:struct:new: new key 0x0x97b6168 for snmpd.key
cert:index:parse: added 2 certs from index
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/ca-certs
cert:index:lookup: /home/anjali/.snmp/tls/ca-certs (3) /var/net-snmp/cert_indexes/3
cert:index:parse: The index for /home/anjali/.snmp/tls/ca-certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/certs
cert:index:lookup: /home/anjali/.snmp/tls/certs (4) /var/net-snmp/cert_indexes/4
cert:index:parse: The index for /home/anjali/.snmp/tls/certs looks good
cert:index:dir: Scanning directory /home/anjali/.snmp/tls/private
cert:index:lookup: /home/anjali/.snmp/tls/private (5) /var/net-snmp/cert_indexes/5
cert:index:parse: The index for /home/anjali/.snmp/tls/private looks good
cert:partner: manager.crt match found!
cert:partner: snmpd.crt match found!
cert:key:read: Checking file snmpd.key
cert:key:read: Checking file manager.key
cert:dump: -------------------- Certificates -----------------
cert:dump: cert snmpd.crt in /usr/local/etc/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: cert manager.crt in /usr/local/etc/snmp/tls/certs
cert:dump: type 1 flags 0x3 (identity+remote_peer)
cert:dump: key manager.key in /usr/local/etc/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: key snmpd.key in /usr/local/etc/snmp/tls/private
cert:dump: type 4 flags 0x1 (identity)
cert:dump: ------------------------ End ----------------------
cert:find:params: looking for identity(1) in MULTIPLE(0x200), hint 159287896
cert:find:params: looking for identity(1) in FINGERPRINT(0x2), hint 159287896
cert:find:params: hint = 89:54:99:03:82:E4:14:A9:49:D5:46:38:C0:5F:B5:B2:B8:27:71:C6
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1) (uses=identity+remote_peer (3))
cert:find:found: using cert manager.crt / 8954990382e414a949d54638c05fb5b2b82771c6 for identity(1) (uses=identity+remote_peer (3))
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 159374304
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 159374304
cert:find:params: hint = 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:trust_ca: checking roots for 0x97b5ce0
cert:trust: putting trusted cert 0x97b6d50 = 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 in certstore 0x980f408
cert:find:params: looking for remote_peer(2) in MULTIPLE(0x200), hint 159374304
cert:find:params: looking for remote_peer(2) in FINGERPRINT(0x2), hint 159374304
cert:find:params: hint = 09:38:B0:8C:98:43:A0:19:0C:E7:D3:A8:9D:2D:05:76:B8:C1:AF:A0
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
cert:find:found: using cert snmpd.crt / 0938b08c9843a0190ce7d3a89d2d0576b8c1afa0 for remote_peer(2) (uses=identity+remote_peer (3))
SNMPv2-MIB::sysContact.0 = STRING: Me <m...@example.org>

After this I uncomment peerCert and localCert in snmp.conf, and I am able to get the output using just snmpget dtlsudp:localhost:10161 sysContact.0

Can anyone help me in understanding what makes it read while modifying snmp.conf when snmpd is running, and why it doesn't read the fingerprints as required with the initial configuration?
------------------------------------------------------------------------------
_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users