
Curl failed with code 60 (SSL peer certificate or SSH remote key was not OK) #880

Open
chenchudhcs opened this issue Nov 12, 2024 · 8 comments

Comments

@chenchudhcs

sysint@sjfw4-ubuntu-3:~/demo-server/libacvp$ ./app/acvp_app --verbose --aes

This is failing under openssl version < 3.0

Using the following parameters:

ACV_SERVER:     demo.acvts.nist.gov
ACV_PORT:       443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE:    /home/sysint/demo-server/libacvp/certs/mozzila_trust_anchors.pem
ACV_CERT_FILE:  /home/sysint/demo-server/libacvp/certs/SKDemo.cer
ACV_KEY_FILE:   /home/sysint/demo-server/libacvp/certs/SK.key

[ACVP]: HTTP User-Agent: libacvp/2.1.1;Linux;6.5.0-14-generic;x86_64;Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz;GCC/11.4.0

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 60 (SSL peer certificate or SSH remote key was not OK)
[ACVP]: POST Login...
Status: 0
Url: https://demo.acvts.nist.gov:443/acvp/v1/login
Resp: Recieved

[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

--------curl -v -----------------

sysint@sjfw4-ubuntu-3:~/demo-server/libacvp$ curl -V
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

@abkarcher
Contributor

Hello,

There can be several possible causes for this - if you have not already, searching through previous issues may shed some useful information.

In general, make sure the key/cert are in the right format, and have the right permissions. You could also try un-setting ACV_CA_FILE, or trying a different CA file. Additionally, if you are using the FIPS provider, ensure that OpenSSL has its default provider explicitly enabled in the config, as curl often seems to fail if only the FIPS provider is enabled.

Thanks,
Andrew

@chenchudhcs
Author

chenchudhcs commented Nov 14, 2024

Hi Andrew,

hsm-pqc@hsm-pqc:~/CAVP/libacvp$ ./app/acvp_app -v

ACVP library version: libacvp_oss-2.1.1
ACVP protocol version: 1.0

Compiled SSL version: OpenSSL 3.0.0 7 sep 2021
Linked SSL version: OpenSSL 3.0.2 15 Mar 2022

   FIPS requested: yes

ssl_OSSL_PROVIDER_num: 1
provider name:
provider version:
FIPS Provider Version: 3.0.0

hsm-pqc@hsm-pqc:~/CAVP/libacvp$ ./app/acvp_app --aes --vector_req vectors.req

status of EVP_Q_DIGEST: 1
md_len: 28

Using the following parameters:

ACV_SERVER:     demo.acvts.nist.gov
ACV_PORT:       443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE:    certs/acvp.nist.gov.crt
ACV_CERT_FILE:  certs/_Demo.cer
ACV_KEY_FILE:   certs/_Demo.key

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 60 (SSL peer certificate or SSH remote key was not OK)
[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server
hsm-pqc@hsm-pqc:~/CAVP/libacvp$

Still I'm seeing the same problem, can you please help out.

Thanks,
Chenchu.

@chenchudhcs
Author

hsm-pqc@hsm-pqc:~/CAVP/libacvp$ openssl list -providers
Providers:
base
name: OpenSSL Base Provider
version: 3.0.2
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.2
status: active

In ACVP the compiled SSL version and the linked SSL version are not the same. Any thoughts?

hsm-pqc@hsm-pqc:~/CAVP/libacvp$ ./app/acvp_app -v

ACVP library version: libacvp_oss-2.1.1
ACVP protocol version: 1.0

Compiled SSL version: OpenSSL 3.0.0 7 sep 2021
Linked SSL version: OpenSSL 3.0.2 15 Mar 2022

   FIPS requested: yes

ssl_OSSL_PROVIDER_num: 2
provider name:
provider version:
FIPS Provider Version: 3.0.2

@abkarcher
Contributor

Hi,

Yes, you typically always want to have the same compiled and linked version. Since you have multiple OpenSSL libraries on the device, you need to set the appropriate Linux environment variables to make sure the version you want is linked.

Usually we set LD_LIBRARY_PATH to the directory containing the libcrypto.so we want to test, which bypasses the system's OpenSSL library.

Thanks,
Andrew

@jarnold01

Hi @chenchudhcs , once you've gotten your FIPS provider version issues sorted, I have a few suggestions for you to check out with regard to the original certificate-related connectivity issue that you posted about...

  1. Ensure your test platform operating system has time synchronization enabled and that it is successfully synced
  2. For accessing Demo, go back to using the "mozzila_trust_anchors.pem" bundle for the ACV_CA_FILE env var
  3. Ensure your test platform is not behind an enterprise-wide outbound proxy which unpacks TLS/SSL network traffic to inspect it, as this breaks ACVP authentication. If you don't know if a proxy is operational on your network, please check with your IT or IT Security department. If it turns out that there is an outbound proxy present, request an exemption from the TLS packet inspection so that the libacvp client connection is left intact from your test platform.
  4. Ensure that your ACV_TOTP_SEED env var contains the value of the TOTP seed (without quotes), not the path to the file containing the TOTP seed value.

Hope this is helpful in your connectivity troubleshooting.

Thanks,
Jason
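
The checks Andrew and Jason list above can be rehearsed offline before touching the demo server. The script below is an added example, not code from libacvp or from either commenter: it generates throwaway certificates with the openssl CLI and runs the same verification libcurl performs against ACV_CA_FILE. curl code 60 (CURLE_PEER_FAILED_VERIFICATION) means the client could not validate the server's certificate, so the cases that reproduce it here are a leaf issued by a different root (what a TLS-inspecting proxy serves), a clock outside the certificate's validity, and a hostname that does not match. The remaining functions cover the client side of the advice: cert/key pairing, private-key permissions, the TOTP seed passed as a value rather than a path, and an openssl.cnf that activates the default provider next to the FIPS provider. The host name demo.example.test, the CA names, the $WORK directory and the /usr/local/ssl/fipsmodule.cnf path are assumptions for the demo; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not code from libacvp: offline reproduction of the checks
# behind the two replies above, using only the openssl CLI and throwaway
# certificates generated here. demo.example.test, the CA names, $WORK and the
# fipsmodule.cnf path are assumptions for the demo.
set -eu
WORK=${WORK:-$(mktemp -d)}

# req config so the throwaway roots carry CA:TRUE whatever the system openssl.cnf says
cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example.test\n' >"$WORK/leaf.ext"

# make_ca NAME: self-signed throwaway root (P-256, unencrypted key)
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -days 30 -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# make_leaf CA NAME: server certificate for demo.example.test issued by CA
make_leaf() {
  openssl req -new -config "$WORK/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -subj "/CN=demo.example.test" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 10 -extfile "$WORK/leaf.ext" -out "$WORK/$2.pem" 2>/dev/null
}
# chain_ok BUNDLE LEAF [verify options]: what libcurl does with ACV_CA_FILE before
# any HTTP is sent; a non-zero result here is what surfaces as curl error 60
chain_ok() { b=$1; l=$2; shift 2; openssl verify -CAfile "$b" "$@" "$l" >/dev/null 2>&1; }
# cert_matches_key CERT KEY: ACV_CERT_FILE and ACV_KEY_FILE must be a pair
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)" ]
}
# key_is_private FILE: no group/other permission bits on the private key
key_is_private() { ! ls -ld "$1" | cut -c5-10 | grep -q '[rwxst]'; }
# check_totp_seed VALUE: the seed itself, not a path to it and not wrapped in quotes
check_totp_seed() {
  case $1 in ""|/*|./*|\"*|\'*) return 1 ;; esac
  [ ! -e "$1" ]
}
# write_provider_cnf FILE: FIPS provider plus the default provider, as advised
# above; loading it needs the fipsmodule.cnf written by `openssl fipsinstall`
# (the .include path is an assumption), so it is written here but not loaded
write_provider_cnf() {
  cat >"$1" <<'EOF'
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
default = default_sect
[default_sect]
activate = 1
EOF
}

not() { ! "$@"; }
report() { l=$1; shift; if "$@"; then echo "ok   $l"; else echo "FAIL $l"; fi; }

make_ca demo-root;  make_leaf demo-root server          # the genuine server chain
make_ca proxy-root; make_leaf proxy-root intercepted    # what a TLS-inspecting proxy serves
cp "$WORK/demo-root.pem" "$WORK/trust_anchors.pem"      # stands in for ACV_CA_FILE
chmod 600 "$WORK/server.key"; chmod 644 "$WORK/intercepted.key"
write_provider_cnf "$WORK/openssl-fips.cnf"

report "server cert chains to the trust bundle"      chain_ok "$WORK/trust_anchors.pem" "$WORK/server.pem"
report "hostname matches the SAN"                    chain_ok "$WORK/trust_anchors.pem" "$WORK/server.pem" -verify_hostname demo.example.test
report "proxy-issued cert is rejected (curl 60)"     not chain_ok "$WORK/trust_anchors.pem" "$WORK/intercepted.pem"
report "skewed clock rejects a valid cert (curl 60)" not chain_ok "$WORK/trust_anchors.pem" "$WORK/server.pem" -attime 1000000
report "client cert and key are a pair"              cert_matches_key "$WORK/server.pem" "$WORK/server.key"
report "private key not group/world readable"        key_is_private "$WORK/server.key"
report "world-readable key is flagged"               not key_is_private "$WORK/intercepted.key"
report "TOTP seed given as a value"                  check_totp_seed "JBSWY3DPEHPK3PXP"
report "TOTP seed given as a path is flagged"        not check_totp_seed "/home/user/totp_seed.txt"
```

Run it with `sh`; set WORK to a directory you want to keep if you need the generated files afterwards. Note what the proxy case implies for a real deployment: appending the proxy's root to ACV_CA_FILE would make the chain check pass, but the TLS session (and the client certificate in it) would then terminate at the proxy rather than at the ACVP server, which is why Jason asks for an exemption from inspection instead.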

@chenchudhcs
Author

chenchudhcs commented Nov 20, 2024

Hi

Fixed the FIPS provider version issues but still seeing same error.

hsm-pqc1@hsmpqc1-ThinkPad-P43s:~/Desktop/libacvp$ ./app/acvp_app -v

ACVP library version: libacvp_oss-2.1.1
ACVP protocol version: 1.0

Compiled SSL version: OpenSSL 3.0.2 15 Mar 2022
Linked SSL version: OpenSSL 3.0.2 15 Mar 2022

   FIPS requested: yes

FIPS Provider Version: 3.0.2

hsm-pqc1@hsmpqc1-ThinkPad-P43s:~/Desktop/libacvp$ ./app/acvp_app --aes --vector_req vectors.req

Using the following parameters:

ACV_SERVER:     demo.acvts.nist.gov
ACV_PORT:       443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE:    certs/mozzila_trust_anchors.pem
ACV_CERT_FILE:  certs/xxxxxxxxxxxxxDemo.cer
ACV_KEY_FILE:   certs/xxxxxxxxxxxx_Demo.key

[ACVP]: Logging in...
[ACVP][ERROR]: Curl failed with code 60 (SSL peer certificate or SSH remote key was not OK)
[ACVP][ERROR]: Received no response from server.
[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server
hsm-pqc1@hsmpqc1-ThinkPad-P43s:~/Desktop/libacvp$

I am using the "mozzila_trust_anchors.pem" cert

Thanks,
Chenchu.

@chenchudhcs
Author

----------------curl------------------

hsm-pqc1@hsmpqc1-ThinkPad-P43s:~/Desktop/libacvp$ curl -V
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.18
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
hsm-pqc1@hsmpqc1-ThinkPad-P43s:~/Desktop/libacvp$

hsm-pqc1@hsmpqc1-ThinkPad-P43s:~/Desktop/libacvp$ ldd /usr/bin/curl | grep libcrypto
libcrypto.so.3 => /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (0x000078150e200000)
hsm-pqc1@hsmpqc1-ThinkPad-P43s:~/Desktop/libacvp$ ldd /usr/bin/curl | grep libssl
libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x000070a45cadb000)

@jarnold01

@chenchudhcs Good to hear about the change back to the correct PEM bundle. Please confirm the remaining points I listed to check out have also been addressed. Also, in future connectivity testing, please run the date command just prior to the libacvp command so that I have a timestamp with which to correlate to the demo server logs. Finally, if you could run libacvp in verbose mode (--verbose), I think that would also be helpful output to see while we are troubleshooting.
