
Plastic 5 on OS X Mavericks: authentication or decryption has failed


alextxm


Hello,
I'm trying to use PlasticSCM 5.x on OS X Mavericks but as soon as I start the client it gives me an "authentication or decryption has failed" error. The server is an SSL-based server exposed on port 8088 with a ComodoSSL certificate.
The same version of Plastic, with the same server, works fine on my Windows-based PCs.

I've already tried uninstalling/reinstalling and also removing the .config folder then reconfiguring Plastic, but nothing worked.
Could someone please help me ? :)

Thank you in advance for your help

Alessandro


Hi Carlos,
I've done some tests: the non-SSL version works as expected, so I guess it should be an SSL-related issue.
As for the SSL cert, it is a Comodo-generated 2048-bit certificate.
I've tried re-issuing the certificate, creating the request in openssl, then building a pfx (PKCS12) for Plastic with the private key, the Comodo-generated certificate and its certificate chain. It works fine with Windows-based clients but Plastic on Mac OS X Mavericks still gives me the "authentication or decryption has failed" error.

Is there any log I can enable/give to you to help me solve the problem?
Thank you,
Alessandro


  • 2 weeks later...

Hi,

 

I've performed a test using a Plastic server and client on Mac OK. If you run the command: "cm lrep IP:port" are you getting a message to accept the certificate?

 


Could you check if your "remoting.conf" file contains a channel for ssl?  Also review the port and check if the client is configured for the SSL mode ("plastic --configure").

    <channel type="Codice.Channels.PlasticSecuredTcpChannel, plastictcpchannel" port="8088" sslPfxFile="ssl-certificate.pfx" sslPfxFilePassword="|SoC|2ogBDa8GmifTjC7UKp4KuoF0/jWYlXy2" name="secured">
        <serverProviders>
            <formatter type="Codice.Channels.PlasticBinaryServerFormatterSinkProvider, plastictcpchannel" typeFilterLevel="Full" Compression="sinklevel" SerializationObjectsAtSink="true" BufferPoolMax="10"/>
            <provider type="Codice.CM.Server.ExceptionTracerSinkProvider, servercommon" />
        </serverProviders>
        <clientProviders>
            <provider type="Codice.Channels.ClientSinkProvider, plastictcpchannel" />
            <formatter ref="binary" />
        </clientProviders>
    </channel>

If the issue persists, could you enable the client log? http://www.plasticscm.com/infocenter/technical-articles/kb-enabling-logging-for-plastic-scm-part-i.aspx

 

Regards,

Carlos


Hi Carlos,
I've done some tests with your suggestions but I've not been able to make it work.
Btw, I've noticed the same problem occurs on Linux (tested on Ubuntu 13.10).
Server is Windows-based, clients: Mac OS X, Ubuntu Linux.
The same server works perfectly with the same configuration, same certs, etc. with Windows-based clients (tested on 3 PCs).
The client log says "Threadpool worker Channel - Not accepting invalid non-self-signed cert", which surprises me a bit since the certificate is a valid SSL 2048-bit certificate signed by Comodo. Should I regenerate the certificate one more time via openssl? If so, is there a guideline or a set of valid parameters to achieve such a task?

 

Thank you for your help
Alessandro

Here are the logs:

Server: (plastic.server.log)
3 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - 'sinklevel' compression mode set. all metadata will be serialized
2014-03-31 20:01:55,391 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - 'BufferPoolMax' is set to '10'. It sets the maximum number of available buffers for object data transfers
2014-03-31 20:01:55,391 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - 'SerializationObjectsAtSink' is set to 'True'. True means SerializationBase descendants are  directly written into the response buffer
2014-03-31 20:01:55,422 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - Start listening
2014-03-31 20:01:55,438 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - 'sinklevel' compression mode set. all metadata will be serialized
2014-03-31 20:01:55,438 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - 'BufferPoolMax' is set to '10'. It sets the maximum number of available buffers for object data transfers
2014-03-31 20:01:55,438 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - 'SerializationObjectsAtSink' is set to 'True'. True means SerializationBase descendants are  directly written into the response buffer
2014-03-31 20:01:55,485 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - Start listening
2014-03-31 20:01:56,514 89ed57be-419d-447f-ab52-b87ce9173fe5 NT AUTHORITY\SYSTEM at Server:WIN-ILQR8OKFK9K INFO  Transaction - Transaction timeout -> 120000ms
2014-03-31 20:02:22,769 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - ClientRef client count now 1
2014-03-31 20:02:22,925 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - conn        0. BeginReceive - setting callback
2014-03-31 20:02:22,925 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - conn        0. BeginReceive - callback set
2014-03-31 20:02:22,925 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - conn        0 awaked. total 1
2014-03-31 20:02:23,377 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - Tcp transport error. ReceiveMessageStatus The authentication or decryption has failed.
2014-03-31 20:02:23,486 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - Tcp transport error. ReceiveMessageStatus    at Mono.Security.Protocol.Tls.SslStreamBase.EndNegotiateHandshake(InternalAsyncResult asyncResult)
   at Mono.Security.Protocol.Tls.SslStreamBase.Read(Byte[] buffer, Int32 offset, Int32 count)
   at System.IO.BufferedStream.Read(Byte[] array, Int32 offset, Int32 count)
   at Codice.Channels.TcpMessageIO.StreamRead(Stream networkStream, Byte[] buffer, Int32 count)
   at Codice.Channels.TcpMessageIO.ReceiveMessageStatus(Stream networkStream, Byte[] buffer)
2014-03-31 20:02:23,486 (null) NT AUTHORITY\SYSTEM at (null) INFO  Channel - conn        0 Tcp transport error. The authentication or decryption has failed.
2014-03-31 20:02:23,486 (null) NT AUTHORITY\SYSTEM at (null) DEBUG Channel - ClientUnref client count down to 0

Client Linux: (cm.log.txt)
2014-03-31 13:02:23,022 INFO  -1616623744 cm - STARTING CLIENT
2014-03-31 13:02:23,076 DEBUG -1616623744 ClientConfig - Time loading client.conf (/home/alextxm/.plastic4/client.conf) 42 ms
2014-03-31 13:02:23,141 DEBUG -1616623744 UserInfo - Time retrieving CurrentUser 12 ms
2014-03-31 13:02:23,164 INFO  -1616623744 BufferPool - [sinkcompressionPool] BufferPool created with 5.00 Mb size and 5 max buffers
2014-03-31 13:02:23,164 INFO  -1616623744 BufferPool - [uncompressionPool] BufferPool created with 5.00 Mb size and 5 max buffers
2014-03-31 13:02:23,492 DEBUG -1616623744 Channel - Loaded System assembly: System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
2014-03-31 13:02:23,492 DEBUG -1616623744 Channel - Using built in certificate store support
2014-03-31 13:02:23,500 DEBUG -1616623744 Channel - Create conection 300 ms. (host:XXXXXXXXXXXXX port:8088 ssl:True)
2014-03-31 13:02:24,098 DEBUG Threadpool worker Channel - Got v3 cert serial 00C804808C774E9671C9F35DD6A1964708: Subject CN=XXXXXXXXXXXXX (old CN=XXXXXXXXXXXXX, OU=PositiveSSL, OU=Domain Control Validated)
2014-03-31 13:02:24,100 DEBUG Threadpool worker Channel - Issuer CN=PositiveSSL CA 2 (old CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB)
2014-03-31 13:02:24,101 DEBUG Threadpool worker Channel - Thumbprint 5CFA2F55387495C83B31E8C84A1761B3FED82594
2014-03-31 13:02:24,131 INFO  Threadpool worker Channel - Not accepting invalid non-self-signed cert
2014-03-31 13:02:24,134 ERROR -1616623744 CmProxy - Error invoking method [GetRepositoryList] [ssl://XXXXXXXXXXXXX:8088/RepositoryHandler] The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
2014-03-31 13:02:24,147 ERROR -1616623744 cm - Plastic client version: 5.0.44.551
2014-03-31 13:02:24,147 ERROR -1616623744 cm - The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
2014-03-31 13:02:24,151 DEBUG -1616623744 cm - The authentication or decryption has failed.: XXXXXXXXXXXXX:8088  at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke (System.Runtime.Remoting.Proxies.RealProxy rp, IMessage msg, System.Exception& exc, System.Object[]& out_args) [0x00000] in <filename unknown>:0

 

Client Mac OS X: (cm.log.txt)
2014-03-31 22:26:59,495 INFO  -1587465816 cm - STARTING CLIENT
2014-03-31 22:26:59,615 DEBUG -1587465816 ClientConfig - Time loading client.conf (/Users/Alextxm/.plastic4/client.conf) 102 ms
2014-03-31 22:26:59,936 DEBUG -1587465816 UserInfo - Time retrieving CurrentUser 18 ms
2014-03-31 22:27:00,404 INFO  -1587465816 BufferPool - [sinkcompressionPool] BufferPool created with 5.00 Mb size and 5 max buffers
2014-03-31 22:27:00,404 INFO  -1587465816 BufferPool - [uncompressionPool] BufferPool created with 5.00 Mb size and 5 max buffers
2014-03-31 22:27:01,194 DEBUG -1587465816 Channel - Loaded System assembly: System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
2014-03-31 22:27:01,194 DEBUG -1587465816 Channel - Using built in certificate store support
2014-03-31 22:27:01,206 DEBUG -1587465816 Channel - Create conection 778 ms. (host:XXXXXXXXXXXXX port:8088 ssl:True)
2014-03-31 22:27:01,574 DEBUG -1337405440 Channel - Got v3 cert serial 00C804808C774E9671C9F35DD6A1964708: Subject CN=XXXXXXXXXXXXX (old CN=XXXXXXXXXXXXX, OU=PositiveSSL, OU=Domain Control Validated)
2014-03-31 22:27:01,574 DEBUG -1337405440 Channel - Issuer CN=PositiveSSL CA 2 (old CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB)
2014-03-31 22:27:01,576 DEBUG -1337405440 Channel - Thumbprint 5CFA2F55387495C83B31E8C84A1761B3FED82594
2014-03-31 22:27:01,611 INFO  -1337405440 Channel - Not accepting invalid non-self-signed cert
2014-03-31 22:27:01,613 ERROR -1587465816 CmProxy - Error invoking method [GetRepositoryList] [ssl://XXXXXXXXXXXXX:8088/RepositoryHandler] The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
2014-03-31 22:27:01,645 ERROR -1587465816 cm - Plastic client version: 5.0.44.533

2014-03-31 22:27:01,645 ERROR -1587465816 cm - The authentication or decryption has failed.: XXXXXXXXXXXXX:8088
2014-03-31 22:27:01,646 DEBUG -1587465816 cm - The authentication or decryption has failed.: XXXXXXXXXXXXX:8088  at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke (System.Runtime.Remoting.Proxies.RealProxy rp, IMessage msg, System.Exception& exc, System.Object[]& out_args) [0x00000] in <filename unknown>:0

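Added example (not part of the original posts and not Plastic SCM code): a small Python triage for client logs in the cm.log.txt layout shown above. It ties each "Not accepting invalid non-self-signed cert" line back to the subject, issuer and thumbprint logged just before it; the sample log is constructed, and the `next_step` wording is this example's own suggestion.

```python
import re

# Constructed sample in the cm.log.txt layout quoted in this thread; the host,
# serial and thumbprint are placeholders, not values from the real server.
SAMPLE_LOG = """\
2014-03-31 13:02:24,098 DEBUG Threadpool worker Channel - Got v3 cert serial 00AA11: Subject CN=scm.example.test (old CN=scm.example.test, OU=Example)
2014-03-31 13:02:24,100 DEBUG Threadpool worker Channel - Issuer CN=Example Issuing CA (old CN=Example Issuing CA, O=Example, C=GB)
2014-03-31 13:02:24,101 DEBUG Threadpool worker Channel - Thumbprint 00112233445566778899AABBCCDDEEFF00112233
2014-03-31 13:02:24,131 INFO  Threadpool worker Channel - Not accepting invalid non-self-signed cert
2014-03-31 13:02:24,134 ERROR -1616623744 CmProxy - Error invoking method [GetRepositoryList] [ssl://scm.example.test:8088/RepositoryHandler] The authentication or decryption has failed.: scm.example.test:8088
"""

# timestamp, level, thread (a number or "Threadpool worker"), logger, message
LINE = re.compile(r"^(\S+ \S+)\s+(\w+)\s+(.+?)\s+(\w+) - (.*)$")
SUBJECT = re.compile(r"Got v3 cert serial (\w+): Subject (CN=\S+)")
ISSUER = re.compile(r"Issuer (CN=.+?) \(old ")
THUMBPRINT = re.compile(r"Thumbprint ([0-9A-Fa-f]{40})")

def rejected_certs(log_text):
    """Return one dict per server certificate the client refused to trust."""
    current, findings = {}, []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line or line.group(4) != "Channel":
            continue  # only the Channel logger reports the TLS handshake
        when, msg = line.group(1), line.group(5)
        if m := SUBJECT.search(msg):
            current = {"serial": m.group(1), "subject": m.group(2)}
        elif m := ISSUER.search(msg):
            current["issuer"] = m.group(1)
        elif m := THUMBPRINT.search(msg):
            current["thumbprint"] = m.group(1).upper()
        elif msg.startswith("Not accepting invalid"):
            cert = dict(current, rejected_at=when)
            # Heuristic: the log prints only the CN, so equal subject and
            # issuer CNs are taken to mean a self-signed certificate.
            cert["self_signed"] = bool(current) and current.get("subject") == current.get("issuer")
            cert["next_step"] = (
                "trust this certificate itself on the client" if cert["self_signed"]
                else "check that the issuer chain and its root are in the "
                     "client runtime's trust store")
            findings.append(cert)
            current = {}
    return findings

if __name__ == "__main__":
    for cert in rejected_certs(SAMPLE_LOG):
        print(cert)
```

The thread id differs between the Linux log ("Threadpool worker") and the Mac log (a number); the line pattern accepts both.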

Hi Alessandro,

 

I agree, it seems to be an issue under Unix while it reads the certificate; unfortunately I can't reproduce the issue with our valid certificate.

Do you think it's possible to share your certificate, under an NDA agreement, so we'll be able to reproduce the issue and eventually deliver a fix?


Hi!

@manu, I sent you my SSL certificate last week but I've received neither an acknowledgement nor a reply... Did you receive it? Is it all okay? Do you need some time to investigate the issue?

Let me know if you need more info

 

thank you again for your help

kind regards

Alessandro


  • 2 weeks later...

Still no reply since 01 April... isn't it a bit too much?
@manu, @Carlos, I know I'm using the CE edition of Plastic and that it is support-free, but is there any chance to have at least a reply? (Is there a workaround? Is the issue a bug which will get fixed sometime in the future? etc.)
Currently PSCM is unusable for us (me and my colleagues) on both Mac and Linux... I used to suggest PSCM to others due to its strong capabilities and its support, btw both of these features look somewhat skewed to me lately.

 

kind regards

Alessandro


  • 2 weeks later...
  • 2 months later...

I update this post with the workaround steps after our mail conversation:

Here are the steps I followed as USER (not root):

Step 1: Import cert roots
mozroots --import --sync
In case this doesn't work (quite often), do the following:
wget "http://mxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1" -O certroots.dat
/path/to/mono/mozroots --import --sync --file certroots.dat

Step 2: Convert PFX to P7B
From the PFX:
openssl pkcs12 -in cert.pfx -out cert.p7b -nodes
Or, if you have the cert on a publicly accessible server, via the server itself:
echo | openssl s_client -showcerts -connect mysite.mydomain.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b

Step 3: Import cert
/path/to/mono/certmgr -add -c Trust ./cert.p7b

On my Ubuntu machine, where I have plasticscm's own mono version (plasticscm-mono-* packages), /path/to/mono translates to /opt/plasticscm5/mono/bin, YMMV.
I still need to test it on Mac but it should be the same… as soon as I complete the test I'll let you know and I'll publish it on the forum.

Archived

This topic is now archived and is closed to further replies.
