[Kea-users] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake

Veronique.Lefebure at cern.ch Veronique.Lefebure at cern.ch
Wed Nov 24 13:35:35 UTC 2021


Well, I think I found the reason for my problem, in the doc:
"Either all the string parameters are specified and HTTP over TLS (HTTPS) is used, or none is specified and plain HTTP is used. Configuring only one or two string parameters results in an error."

Now I can see the exchange of heartbeats.

> On 24/11/2021 14:27 veronique.lefebure at cern.ch wrote:
> 
>  
> Dear Oscar,
> Thanks for helping.
> 
> https://kea.readthedocs.io/en/latest/arm/agent.html says "The Control Agent does not natively support secure HTTP connections, like SSL or TLS, before Kea 1.9.6."
> 
> 
> running curl manually, for example,
> 
>  curl -X POST -H "Content-Type: application/json" -d '{ "command": "status-get", "service": [ "dhcp4" ] }' --cert xx.cert --key xx.pem https://kea1:9099/
> 
> from the second server kea2, works well, and the reverse as well: querying kea1 from kea2: in both cases I get the process id, uptime etc.
> 
> [ { "arguments": { "high-availability": [ { "ha-mode": "load-balancing", "ha-servers": { "local": { "role": "secondary", "scopes": [ "kea1", "kea2" ], "state": "partner-down" }, "remote": { "age": 12991, "analyzed-packets": 0, "communication-interrupted": true, "connecting-clients": 0, "in-touch": true, "last-scopes": [  ], "last-state": "unavailable", "role": "primary", "unacked-clients": 0, "unacked-clients-left": 11 } } } ], "multi-threading-enabled": false, "pid": 12607, "reload": 12992, "uptime": 13028 }, "result": 0 } ]
> 
> There is this flag in /usr/local/etc/kea/kea-ctrl-agent.conf:   
> 
>  "cert-required": false,
> 
> But the same TLS error message is sent whatever the value of "cert-required" (true or false)
> (https://kea.readthedocs.io/en/latest/arm/agent.html)
> 
> However, I see that there is nothing defined in that file for the "authentication" block
> 
> 
> 
> 
> 
> > On 24/11/2021 13:14 Oscar Carlsson <oscar at spindel.tax> wrote:
> > 
> >  
> > Veronique Lefebure <veronique.lefebure at cern.ch> writes:
> > 
> > > Hi,
> > >
> > > I am testing a high availability setup for 2 KEA dhcp4 servers.
> > > I get these errors:
> > >
> > > 2021-11-24 11:33:41.962 DEBUG [kea-ctrl-agent.http/8134.140201213065408] HTTP_CONNECTION_HANDSHAKE_START start TLS handshake with xx.xx.xx.252 with timeout 10
> > > 2021-11-24 11:33:42.963 INFO [kea-ctrl-agent.http/8134.140201213065408] HTTP_CONNECTION_HANDSHAKE_FAILED TLS handshake with xx.xx.xx.252 failed with wrong version number
> > > 2021-11-24 11:33:42.963 DEBUG [kea-ctrl-agent.http/8134.140201213065408] HTTP_CONNECTION_STOP stopping HTTP connection from xx.xx.xx.252
> > >
> > > Any idea how I can debug that ?
> > > Both servers are installed and configured the same way.
> > > And I see the same errors on both servers.
> > > Thanks,
> > > Veronique
> > >
> > > _______________________________________________
> > > ISC funds the development of this software with paid support 
> > > subscriptions. Contact us at https://www.isc.org/contact/ for 
> > > more information.
> > >
> > > To unsubscribe visit 
> > > https://lists.isc.org/mailman/listinfo/kea-users.
> > >
> > > Kea-users mailing list
> > > Kea-users at lists.isc.org
> > > https://lists.isc.org/mailman/listinfo/kea-users
> > 
> > Hi,
> > 
> > What happens when you try to connect manually (using curl etc.) to the
> > address and port your respective control agent is listening to?
> > 
> > And judging by the documentation, there's no native support for TLS in
> > the control agent.  Why does the control agent try to connect using TLS?
> > 
> > 
> > Regards,
> > Oscar

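The all-or-none rule quoted from the documentation at the top of this message can be checked before the agents are restarted. The following is an added example, not code from the thread or from the Kea project: it classifies a Control Agent configuration as HTTPS, plain HTTP, or misconfigured, and reports whether two HA partners agree. It assumes the three string parameters are `trust-anchor`, `cert-file` and `key-file` (the Control Agent's TLS settings since Kea 1.9.6); the sample configurations and file paths are constructed placeholders.

```python
import json

# The three string TLS parameters of the Kea Control Agent (Kea 1.9.6+).
# "cert-required" is a boolean and is not part of the all-or-none rule.
TLS_STRING_PARAMS = ("trust-anchor", "cert-file", "key-file")


def tls_mode(scope):
    """Return 'https', 'http', or 'error: missing ...' for one config scope."""
    # Assumption: an absent or empty string counts as "not specified".
    present = [p for p in TLS_STRING_PARAMS
               if isinstance(scope.get(p), str) and scope[p]]
    if len(present) == len(TLS_STRING_PARAMS):
        return "https"
    if not present:
        return "http"
    missing = [p for p in TLS_STRING_PARAMS if p not in present]
    return "error: missing " + ", ".join(missing)


def audit(configs):
    """Classify each server's Control-agent scope; report whether all agree."""
    modes = {name: tls_mode(json.loads(text)["Control-agent"])
             for name, text in configs.items()}
    agree = (len(set(modes.values())) == 1
             and not any(m.startswith("error") for m in modes.values()))
    return modes, agree


# Constructed sample configs (strict JSON, placeholder paths); real Kea
# files may contain comments that json.loads() rejects.
SAMPLE = {
    "kea1": """{"Control-agent": {"http-host": "kea1", "http-port": 9099,
        "trust-anchor": "/path/to/ca.pem", "cert-file": "/path/to/kea1.cert",
        "key-file": "/path/to/kea1.pem", "cert-required": false}}""",
    "kea2": """{"Control-agent": {"http-host": "kea2", "http-port": 9099,
        "cert-file": "/path/to/kea2.cert", "key-file": "/path/to/kea2.pem",
        "cert-required": false}}""",
}

if __name__ == "__main__":
    modes, agree = audit(SAMPLE)
    for name, mode in modes.items():
        print(f"{name}: {mode}")
    print("peers consistent:", agree)
```
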
