[Kea-users] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake

Veronique.Lefebure at cern.ch Veronique.Lefebure at cern.ch
Wed Nov 24 13:27:04 UTC 2021


Dear Oscar,
Thanks for helping.

https://kea.readthedocs.io/en/latest/arm/agent.html says "The Control Agent does not natively support secure HTTP connections, like SSL or TLS, before Kea 1.9.6."


Running curl manually, for example,

 curl -X POST -H "Content-Type: application/json" -d '{ "command": "status-get", "service": [ "dhcp4" ] }' --cert xx.cert --key xx.pem https://kea1:9099/

from the second server kea2, works well, and the reverse as well: querying kea1 from kea2: in both cases I get the process id, uptime etc.

[ { "arguments": { "high-availability": [ { "ha-mode": "load-balancing", "ha-servers": { "local": { "role": "secondary", "scopes": [ "kea1", "kea2" ], "state": "partner-down" }, "remote": { "age": 12991, "analyzed-packets": 0, "communication-interrupted": true, "connecting-clients": 0, "in-touch": true, "last-scopes": [  ], "last-state": "unavailable", "role": "primary", "unacked-clients": 0, "unacked-clients-left": 11 } } } ], "multi-threading-enabled": false, "pid": 12607, "reload": 12992, "uptime": 13028 }, "result": 0 } ]

There is this flag in /usr/local/etc/kea/kea-ctrl-agent.conf:   

 "cert-required": false,

But the same TLS error message is sent whatever the value of "cert-required" (true or false).
(https://kea.readthedocs.io/en/latest/arm/agent.html)

However, I see that there is nothing defined in that file for the "authentication" block.





> On 24/11/2021 13:14 Oscar Carlsson <oscar at spindel.tax> wrote:
> 
>  
> Veronique Lefebure <veronique.lefebure at cern.ch> writes:
> 
> > Hi,
> >
> > I am testing a high availability setup for 2 KEA dhcp4 servers.
> > I get these errors:
> >
> > 2021-11-24 11:33:41.962 DEBUG [kea-ctrl-agent.http/8134.140201213065408] HTTP_CONNECTION_HANDSHAKE_START start TLS handshake with xx.xx.xx.252 with timeout 10
> > 2021-11-24 11:33:42.963 INFO [kea-ctrl-agent.http/8134.140201213065408] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with xx.xx.xx.252 failed with wrong version number
> > 2021-11-24 11:33:42.963 DEBUG [kea-ctrl-agent.http/8134.140201213065408] HTTP_CONNECTION_STOP stopping HTTP connection from xx.xx.xx.252
> >
> > Any idea how I can debug that ?
> > Both servers are installed and configured the same way.
> > And I see the same errors on both servers.
> > Thanks,
> > Veronique
> >
> > _______________________________________________
> > ISC funds the development of this software with paid support 
> > subscriptions. Contact us at https://www.isc.org/contact/ for 
> > more information.
> >
> > To unsubscribe visit 
> > https://lists.isc.org/mailman/listinfo/kea-users.
> >
> > Kea-users mailing list
> > Kea-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/kea-users
> 
> Hi,
> 
> What happens when you try to connect manually (using curl etc.) to the
> address and port your respective control agent is listening to?
> 
> And judging by the documentation, there's no native support for TLS in
> the control agent.  Why does the control agent try to connect using TLS?
> 
> 
> Regards,
> Oscar


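Added example (not part of the original thread, and not Kea code): OpenSSL reports "wrong version number" when the first bytes it receives do not form a TLS record, which is what a TLS-enabled listener sees when a peer sends it plaintext HTTP. The sketch below classifies the first bytes of a connection and shows the value a TLS parser reads from the version field. The sample byte strings are constructed and the function names are illustrative.

```python
"""Classify the first bytes a client sends to a TLS-enabled listener."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")
TLS_HANDSHAKE = 22          # record content type carrying a ClientHello
MAX_RECORD_LEN = 2 ** 14    # upper bound on a plaintext TLS record body


def parse_record_header(data: bytes):
    """Read the 5-byte TLS record header: type(1) | version(2) | length(2)."""
    if len(data) < 5:
        return None
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return content_type, (major, minor), length


def classify_first_bytes(data: bytes) -> str:
    """Return 'plaintext-http', 'tls', 'too-short' or 'unknown'."""
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "plaintext-http"
    header = parse_record_header(data)
    if header is None:
        return "too-short"
    content_type, (major, _minor), length = header
    # TLS 1.0 through 1.3 all put major version 3 in the record header.
    if content_type == TLS_HANDSHAKE and major == 3 and 0 < length <= MAX_RECORD_LEN:
        return "tls"
    return "unknown"


def version_seen_by_tls_parser(data: bytes) -> str:
    """Show what a TLS stack finds in the version field of these bytes."""
    header = parse_record_header(data)
    if header is None:
        return "n/a"
    _type, (major, minor), _length = header
    return f"0x{major:02x}{minor:02x}"


# Constructed samples: a plaintext HTTP request and a minimal TLS record header.
SAMPLE_HTTP = b"POST / HTTP/1.1\r\nHost: kea1:9099\r\nContent-Type: application/json\r\n\r\n"
SAMPLE_TLS = bytes.fromhex("16030100c4") + b"\x01" + b"\x00" * 195

if __name__ == "__main__":
    for name, sample in (("http", SAMPLE_HTTP), ("tls", SAMPLE_TLS)):
        print(name, classify_first_bytes(sample), version_seen_by_tls_parser(sample))
```

For the plaintext sample the "version" field is the ASCII letters "OS" from "POST", which no TLS stack accepts as a protocol version.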