alextxm Posted March 10, 2014

Hello,

I'm trying to use PlasticSCM 5.x on OS X Mavericks, but as soon as I start the client it gives me an "authentication or decryption has failed" error. The server is an SSL-based server exposed on port 8088 with a ComodoSSL certificate. The same version of Plastic, with the same server, works fine on my Windows-based PCs.

I've already tried uninstalling/reinstalling and also removing the .config folder and then reconfiguring Plastic, but nothing worked. Could someone please help me?

Thank you in advance for your help,
Alessandro

calbzam Posted March 14, 2014

Hi,

How are you generating the certificate? Could you perform a test disabling SSL mode? I think the issue is certificate related. This post may help you to generate the certificate: http://www.plasticscm.net/index.php?/topic/741-ssl-certificate-issues/#entry4191

Regards,
Carlos

alextxm Posted March 15, 2014

Hi Carlos,

I've done some tests: the non-SSL version works as expected, so I guess it should be an SSL-related issue. As for the SSL cert, it is a Comodo-generated 2048-bit certificate.

I've tried re-issuing the certificate, creating the request in openssl, then building a pfx (PKCS12) for Plastic with the private key, the Comodo-generated certificate and its certificate chain. It works fine with Windows-based clients, but Plastic on Mac OS X Mavericks still gives me the "authentication or decryption has failed" error.

Is there any log I can enable/give to you to help me solve the problem?

Thank you,
Alessandro

calbzam Posted March 28, 2014

Hi,

I've performed a test using a Plastic server and client on Mac OK. If you run the command "cm lrep IP:port", are you getting a message to accept the certificate?

Could you check if your "remoting.conf" file contains a channel for ssl? Also review the port and check if the client is configured for the SSL mode ("plastic --configure").

    <channel type="Codice.Channels.PlasticSecuredTcpChannel, plastictcpchannel" port="8088" sslPfxFile="ssl-certificate.pfx" sslPfxFilePassword="|SoC|2ogBDa8GmifTjC7UKp4KuoF0/jWYlXy2" name="secured">
      <serverProviders>
        <formatter type="Codice.Channels.PlasticBinaryServerFormatterSinkProvider, plastictcpchannel" typeFilterLevel="Full" Compression="sinklevel" SerializationObjectsAtSink="true" BufferPoolMax="10"/>
        <provider type="Codice.CM.Server.ExceptionTracerSinkProvider, servercommon" />
      </serverProviders>
      <clientProviders>
        <provider type="Codice.Channels.ClientSinkProvider, plastictcpchannel" />
        <formatter ref="binary" />
      </clientProviders>
    </channel>

If the issue persists, could you enable the client log? http://www.plasticscm.com/infocenter/technical-articles/kb-enabling-logging-for-plastic-scm-part-i.aspx

Regards,
Carlos

alextxm Posted March 31, 2014

Hi Carlos,

I've done some tests with your suggestions but I've not been able to make it work. Btw, I've noticed the same problem occurs on Linux (tested on Ubuntu 13.10).

Server is Windows-based; clients: Mac OS X, Ubuntu Linux. The same server works perfectly with the same configuration, same certs, etc. with Windows-based clients (tested on 3 PCs).

The client log says "Threadpool worker Channel - Not accepting invalid non-self-signed cert", which surprises me a bit since the certificate is a valid SSL 2048-bit certificate signed by Comodo.

Should I regenerate the certificate one more time via openssl? If so, is there a guideline or a set of valid parameters to achieve such a task?

Thank you for your help,
Alessandro

Here are the logs:

Server: (plastic.server.log)

3 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - 'sinklevel' compression mode set. all metadata will be serialized
2014-03-31 20:01:55,391 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - 'BufferPoolMax' is set to '10'. It sets the maximum number of available buffers for object data transfers
2014-03-31 20:01:55,391 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - 'SerializationObjectsAtSink' is set to 'True'. True means SerializationBase descendants are directly written into the response buffer
2014-03-31 20:01:55,422 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - Start listening
2014-03-31 20:01:55,438 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - 'sinklevel' compression mode set. all metadata will be serialized
2014-03-31 20:01:55,438 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - 'BufferPoolMax' is set to '10'. It sets the maximum number of available buffers for object data transfers
2014-03-31 20:01:55,438 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - 'SerializationObjectsAtSink' is set to 'True'. True means SerializationBase descendants are directly written into the response buffer
2014-03-31 20:01:55,485 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - Start listening
2014-03-31 20:01:56,514 89ed57be-419d-447f-ab52-b87ce9173fe5 NT AUTHORITY\SYSTEM at Server:WIN-ILQR8OKFK9K INFO Transaction - Transaction timeout -> 120000ms
2014-03-31 20:02:22,769 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - ClientRef client count now 1
2014-03-31 20:02:22,925 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - conn 0. BeginReceive - setting callback
2014-03-31 20:02:22,925 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - conn 0. BeginReceive - callback set
2014-03-31 20:02:22,925 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - conn 0 awaked. total 1
2014-03-31 20:02:23,377 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - Tcp transport error. ReceiveMessageStatus The authentication or decryption has failed.
2014-03-31 20:02:23,486 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - Tcp transport error. ReceiveMessageStatus
   at Mono.Security.Protocol.Tls.SslStreamBase.EndNegotiateHandshake(InternalAsyncResult asyncResult)
   at Mono.Security.Protocol.Tls.SslStreamBase.Read(Byte[] buffer, Int32 offset, Int32 count)
   at System.IO.BufferedStream.Read(Byte[] array, Int32 offset, Int32 count)
   at Codice.Channels.TcpMessageIO.StreamRead(Stream networkStream, Byte[] buffer, Int32 count)
   at Codice.Channels.TcpMessageIO.ReceiveMessageStatus(Stream networkStream, Byte[] buffer)
2014-03-31 20:02:23,486 (null) NT AUTHORITY\SYSTEM at (null) INFO Channel - conn 0 Tcp transport error. The authentication or decryption has failed.
2014-03-31 20:02:23,486 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - ClientUnref client count down to 0

Client Linux: (cm.log.txt)

2014-03-31 13:02:23,022 INFO -1616623744 cm - STARTING CLIENT
2014-03-31 13:02:23,076 DEBUG -1616623744 ClientConfig - Time loading client.conf (/home/alextxm/.plastic4/client.conf) 42 ms
2014-03-31 13:02:23,141 DEBUG -1616623744 UserInfo - Time retrieving CurrentUser 12 ms
2014-03-31 13:02:23,164 INFO -1616623744 BufferPool - [sinkcompressionPool] BufferPool created with 5.00 Mb size and 5 max buffers
2014-03-31 13:02:23,164 INFO -1616623744 BufferPool - [uncompressionPool] BufferPool created with 5.00 Mb size and 5 max buffers
2014-03-31 13:02:23,492 DEBUG -1616623744 Channel - Loaded System assembly: System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
2014-03-31 13:02:23,492 DEBUG -1616623744 Channel - Using built in certificate store support
2014-03-31 13:02:23,500 DEBUG -1616623744 Channel - Create conection 300 ms. (host:XXXXXXXXXXXXX port:8088 ssl:True)
2014-03-31 13:02:24,098 DEBUG Threadpool worker Channel - Got v3 cert serial 00C804808C774E9671C9F35DD6A1964708: Subject CN=XXXXXXXXXXXXX (old CN=XXXXXXXXXXXXX, OU=PositiveSSL, OU=Domain Control Validated)
2014-03-31 13:02:24,100 DEBUG Threadpool worker Channel - Issuer CN=PositiveSSL CA 2 (old CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB)
2014-03-31 13:02:24,101 DEBUG Threadpool worker Channel - Thumbprint 5CFA2F55387495C83B31E8C84A1761B3FED82594
2014-03-31 13:02:24,131 INFO Threadpool worker Channel - Not accepting invalid non-self-signed cert
2014-03-31 13:02:24,134 ERROR -1616623744 CmProxy - Error invoking method [GetRepositoryList] [ssl://XXXXXXXXXXXXX:8088/RepositoryHandler] The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
2014-03-31 13:02:24,147 ERROR -1616623744 cm - Plastic client version: 5.0.44.551
2014-03-31 13:02:24,147 ERROR -1616623744 cm - The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
2014-03-31 13:02:24,151 DEBUG -1616623744 cm - The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke (System.Runtime.Remoting.Proxies.RealProxy rp, IMessage msg, System.Exception& exc, System.Object[]& out_args) [0x00000] in <filename unknown>:0

Client Mac OS X: (cm.log.txt)

2014-03-31 22:26:59,495 INFO -1587465816 cm - STARTING CLIENT
2014-03-31 22:26:59,615 DEBUG -1587465816 ClientConfig - Time loading client.conf (/Users/Alextxm/.plastic4/client.conf) 102 ms
2014-03-31 22:26:59,936 DEBUG -1587465816 UserInfo - Time retrieving CurrentUser 18 ms
2014-03-31 22:27:00,404 INFO -1587465816 BufferPool - [sinkcompressionPool] BufferPool created with 5.00 Mb size and 5 max buffers
2014-03-31 22:27:00,404 INFO -1587465816 BufferPool - [uncompressionPool] BufferPool created with 5.00 Mb size and 5 max buffers
2014-03-31 22:27:01,194 DEBUG -1587465816 Channel - Loaded System assembly: System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
2014-03-31 22:27:01,194 DEBUG -1587465816 Channel - Using built in certificate store support
2014-03-31 22:27:01,206 DEBUG -1587465816 Channel - Create conection 778 ms. (host:XXXXXXXXXXXXX port:8088 ssl:True)
2014-03-31 22:27:01,574 DEBUG -1337405440 Channel - Got v3 cert serial 00C804808C774E9671C9F35DD6A1964708: Subject CN=XXXXXXXXXXXXX (old CN=XXXXXXXXXXXXX, OU=PositiveSSL, OU=Domain Control Validated)
2014-03-31 22:27:01,574 DEBUG -1337405440 Channel - Issuer CN=PositiveSSL CA 2 (old CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB)
2014-03-31 22:27:01,576 DEBUG -1337405440 Channel - Thumbprint 5CFA2F55387495C83B31E8C84A1761B3FED82594
2014-03-31 22:27:01,611 INFO -1337405440 Channel - Not accepting invalid non-self-signed cert
2014-03-31 22:27:01,613 ERROR -1587465816 CmProxy - Error invoking method [GetRepositoryList] [ssl://XXXXXXXXXXXXX:8088/RepositoryHandler] The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
2014-03-31 22:27:01,645 ERROR -1587465816 cm - Plastic client version: 5.0.44.533
2014-03-31 22:27:01,645 ERROR -1587465816 cm - The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
2014-03-31 22:27:01,646 DEBUG -1587465816 cm - The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke (System.Runtime.Remoting.Proxies.RealProxy rp, IMessage msg, System.Exception& exc, System.Object[]& out_args) [0x00000] in <filename unknown>:0

alextxm Posted March 31, 2014

Postscript: I've also checked both client and server config and SSL is correctly configured (indeed, Windows clients work fine).

manu Posted April 1, 2014

Hi Alessandro,

I agree, it seems to be an issue under Unix while it reads the certificate; unfortunately I can't reproduce the issue with our valid certificate.

Do you think it's possible to share your certificate, under an NDA agreement, so we'll be able to reproduce the issue and eventually deliver a fix?

manu Posted April 1, 2014

If you want you can contact me here: mlucio at codicesoftware dot com

alextxm Posted April 7, 2014

Hi!

@manu, I sent you my SSL certificate last week but I've received neither an acknowledgement nor a reply... Did you receive it? Is it all okay? Do you need some time to investigate the issue? Let me know if you need more info.

Thank you again for your help.

Kind regards,
Alessandro

alextxm Posted April 15, 2014

Still no reply since 01 April... isn't it a bit too much?

@manu, @Carlos, I know I'm using the CE edition of Plastic and that it is support-free, but is there any chance to have at least a reply? (Is there a workaround? Is the issue a bug which will get fixed sometime in the future? etc.)

Currently PSCM is unusable for us (me and my colleagues) on both Mac and Linux... I used to suggest PSCM to others due to its strong capabilities and its support; btw, both of these features look somewhat skewed to me lately.

Kind regards,
Alessandro

calbzam Posted April 28, 2014

Hi,

Sorry for the delay. I've contacted you by mail.

Regards,
Carlos

calbzam Posted July 3, 2014

I update this post with the workaround steps after our mail conversation:

Here are the steps I followed as USER (not root):

Step 1: Import cert roots

    mozroots --import --sync

In case this doesn't work (quite often), do the following:

    wget 'http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1' -O certroots.dat
    /path/to/mono/mozroots --import --sync --file certroots.dat

Step 2: Convert PFX to P7B

From the PFX:

    openssl pkcs12 -in cert.pfx -out cert.p7b -nodes

Or, if you have the cert on a publicly accessible server, via the server itself:

    echo | openssl s_client -showcerts -connect mysite.mydomain.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
    openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

Step 3: Import cert

    /path/to/mono/certmgr -add -c Trust ./cert.p7b

On my Ubuntu machine, where I have plasticscm's own mono version (plasticscm-mono-* packages), /path/to/mono translates to /opt/plasticscm5/mono/bin, YMMV.

I still need to test it on Mac but it should be the same… as soon as I complete the test I'll let you know and I'll publish it on the forum.
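
The workaround above makes the issuing chain available to the store the Mono client validates against. As an added example (not from the thread, with `openssl verify` standing in for the client's validation as an assumption), the script below builds a constructed root, intermediate and leaf, shows the leaf being rejected until its chain is available, and exports the PFX's certificates with `-nokeys` so the private key stays out of the file copied to clients; the helper names `make_chain`, `chain_ok` and `pfx_to_p7b`, the subject names and the password are made up for the illustration.

```shell
#!/bin/sh
# Added illustration: every certificate, key and password below is constructed.
set -eu

make_chain() {  # $1 = scratch dir; builds root -> intermediate -> leaf plus a PFX
  w=$1; mkdir -p "$w"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$w/cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$w/cfg" \
    -extensions v3_ca -subj '/CN=Constructed Root CA' \
    -keyout "$w/root.key" -out "$w/root.pem" 2>/dev/null
  for n in int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$w/cfg" \
      -subj "/CN=constructed-$n" -keyout "$w/$n.key" -out "$w/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$w/int.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
    -CAcreateserial -extfile "$w/cfg" -extensions v3_ca -days 2 \
    -out "$w/int.pem" 2>/dev/null
  openssl x509 -req -in "$w/leaf.csr" -CA "$w/int.pem" -CAkey "$w/int.key" \
    -CAcreateserial -days 2 -out "$w/leaf.pem" 2>/dev/null
  # Server-side bundle (key + leaf + chain), like the PFX the server loads.
  cat "$w/int.pem" "$w/root.pem" > "$w/chain.pem"
  openssl pkcs12 -export -inkey "$w/leaf.key" -in "$w/leaf.pem" \
    -certfile "$w/chain.pem" -passout pass:constructed -out "$w/server.pfx"
}

# True only if leaf $2 chains to an anchor in $1. Optional $3 holds
# intermediates supplied by the peer; they are not trusted on their own.
chain_ok() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# Export only the certificates from a PFX as PKCS#7; -nokeys keeps the
# private key out of the file that is copied to client machines.
pfx_to_p7b() {  # $1 = pfx, $2 = password, $3 = output .p7b
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$3.pem" -out "$3"
}

W=$(mktemp -d); make_chain "$W"
chain_ok "$W/root.pem" "$W/leaf.pem" || echo "leaf alone, root trusted: rejected"
chain_ok "$W/root.pem" "$W/leaf.pem" "$W/int.pem" && echo "with intermediate: accepted"
pfx_to_p7b "$W/server.pfx" constructed "$W/cert.p7b"
openssl pkcs7 -in "$W/cert.p7b" -print_certs -out "$W/trust.pem"
chain_ok "$W/trust.pem" "$W/leaf.pem" && echo "exported chain as trust: accepted"
```

Running the same `openssl verify` check against the real leaf and chain files is a quick way to tell a missing intermediate apart from a missing root before touching the client's store.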
Archived
This topic is now archived and is closed to further replies.