I’ve upgraded all my clients to run version 3.1.4. My MPS have been chilling on 3.0.5p1. This setup works, although I have to bounce cf-serverd daily because of memory leaks.
When I upgrade my MPS to 3.1.4, I start running into OpenSSL errors. Here’s a client trying to pull down new configs.

    # /var/cfengine/bin/cf-agent -I -K -f failsafe.cf
    decryption FAILED at final of 59: error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length
     !! Transmission refused or failed statting /var/cfengine/masterfiles/generic_cf-agent_policies/config-solaris/n??8?&ĚE?<_?I ????:A??N?آx? ?վ??G?Ԏ????IsǿG?i?Rut)
    Got:
     Transmission failed/refused talking to ech3-cfe-dmz-zone-v753.prod.linkedin.com:/var/cfengine/masterfiles/generic_cf-agent_policies/verify_hardware_health.cf in stat
     !!! System reports error for send: "Broken pipe"

Googling against this error, it seems to be a generic OpenSSL error message:

http://forums.opensuse.org/archives/sls-archives/archives-suse-linux/archives-network-security/archives-security/363298-openssl.html

From the server, I see a bunch of REFUSAL messages. Probably because I’ve mandated that encryption be in place, and the client isn’t able to continue to communicate on an encrypted link.

    community> cf-serverd access list is empty, no files are visible
    community> Access control in sync
    community> From (host=ech3-zrepo01.prod,user=root,ip=172.17.53.57)
    community> REFUSAL of request from connecting host: (SYNCH 1297713683 STAT /var/cfengine/masterfiles/cf-agent_modules/locate-server)

I compiled Cfengine 3.1.4 using the configure option --with-openssl=/usr/sfw, which builds against the pre-packaged version of OpenSSL that ships with Solaris 10.

Has anyone run into this, or have any suggestions? I’ve tried removing the contents of /var/cfengine/ppkeys on both the client / server, and regenerating keys using cf-key (thinking that there might be some old crufty SSL key data) but I’m continuing to hit the error above. If you’ve hit this issue, let me know what you needed to do to resolve it.

Here’s what I’m linked against on the MPS.

    $ ldd /var/cfengine/bin/cf-serverd
    libpromises.so.1 => /var/cfengine/lib/libpromises.so.1
    libpthread.so.1 => /usr/lib/libpthread.so.1
    librt.so.1 => /usr/lib/librt.so.1
    libpcre.so.0 => /usr/local/lib/libpcre.so.0
    libnsl.so.1 => /usr/lib/libnsl.so.1
    libsocket.so.1 => /usr/lib/libsocket.so.1
    libm.so.2 => /usr/lib/libm.so.2
    libdb-4.4.so => /usr/local/BerkeleyDB/4.4/lib/libdb-4.4.so
    libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
    libelf.so.1 => /usr/lib/libelf.so.1
    libsec.so.1 => /usr/lib/libsec.so.1
    libc.so.1 => /usr/lib/libc.so.1
    libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
    libaio.so.1 => /usr/lib/libaio.so.1
    libmd.so.1 => /usr/lib/libmd.so.1
    libmp.so.2 => /usr/lib/libmp.so.2
    libscf.so.1 => /usr/lib/libscf.so.1
    libthread.so.1 => /usr/lib/libthread.so.1
    libavl.so.1 => /usr/lib/libavl.so.1
    libdoor.so.1 => /usr/lib/libdoor.so.1
    libuutil.so.1 => /usr/lib/libuutil.so.1
    libgen.so.1 => /usr/lib/libgen.so.1
    libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7

Thanks
Mike