On 2015/1/27 02:34, Nikos Mavrogiannopoulos wrote:
> On Tue, 2015-01-27 at 02:25 +0800, Lemon Lam wrote:
>> On 2015/1/27 02:03, Nikos Mavrogiannopoulos wrote:
>>> On Tue, 2015-01-27 at 01:21 +0800, Lemon Lam wrote:
>>>> (snip)
>>>
>>> Check for some firewall terminating the connection; there is no
>>> handshake occurring there, the session is terminated before it starts.
>> My iptables-based firewall should not be the problem as it just needs one
>> more INPUT rule to let this handshake stuff through like a web server
>> and another one for the DTLS tunnel.
>
> Try connecting from localhost first. Then you'll know whether it is a
> firewall issue.
>
> regards,
> Nikos

I tried that:

$ openssl s_client -connect localhost:8443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

$ gnutls-cli localhost -p 8443
Processed 147 CA certificate(s).
Resolving 'localhost'...
Connecting to '127.0.0.1:8443'...
*** Fatal error: Error in the pull function.
*** Handshake has failed
GnuTLS error: Error in the pull function.

Meanwhile, at the ocserv log:

# ocserv -f -d 9999
listening (TCP) on 0.0.0.0:8443...
listening (TCP) on [::]:8443...
listening (UNIX) on /var/run/ocserv-conn.socket...
listening (UDP) on 0.0.0.0:8443...
listening (UDP) on [::]:8443...
ocserv[2007]: main: initializing control unix socket: /var/run/occtl.socket
ocserv[2007]: main: initialized ocserv 0.9.0
ocserv[2008]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.2007)
ocserv[2007]: TLS[<3>]: ASSERT: common.c:1041
ocserv[2008]: sec-mod: received request from pid 2007 and uid 0
ocserv[2008]: sec-mod: cmd [size=55] sm: sign
ocserv[2010]: worker: 127.0.0.1:59879 accepted connection
ocserv[2010]: TLS[<5>]: REC[0x9aadf28]: Allocating epoch #0
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_constate.c:586
ocserv[2010]: TLS[<5>]: REC[0x9aadf28]: Allocating epoch #1
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:1139
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:224
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:333
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:574
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_record.c:1058
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_record.c:1179
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_buffers.c:1392
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_handshake.c:1428
ocserv[2010]: TLS[<3>]: ASSERT: gnutls_handshake.c:3092
ocserv[2010]: GnuTLS error (at worker-vpn.c:349): Error in the push function.
ocserv[2007]: main: 127.0.0.1:59879 main-misc.c:501: command socket closed
ocserv[2007]: main: 127.0.0.1:59879 removing client '' with id '2010'
*repeat*

regards,
Lam
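Added example, not part of the thread above and not ocserv or GnuTLS code: a small Python probe that automates the distinction Nikos asks Lam to make by hand. It opens a TCP connection, attempts a TLS handshake with certificate checking switched off (diagnostic use only), and reports whether the connect was refused, timed out, whether the peer tore the connection down before any TLS record came back (on Linux, `write:errno=104` in the s_client output is ECONNRESET, and "SSL handshake has read 0 bytes" says the server never answered), whether a real TLS alert came back, or whether the handshake completed. Running it against 127.0.0.1 and against the interface address from another host separates a firewall problem from a server-side one. The `simulate_server` listener and `unused_port` helper are constructed stand-ins for a misbehaving service so the script runs offline; they are assumptions of this example, not anything from the report.

```python
"""Classify why a TLS connection to host:port fails, the way the localhost test in the thread does by hand."""
import errno
import socket
import ssl
import struct
import threading
from contextlib import closing


def probe_tls(host, port, timeout=3.0):
    """Open a TCP connection, try a TLS handshake, and return a short verdict.

    "refused"              TCP connect refused: nothing listening, or an iptables REJECT rule
    "timeout"              connect or handshake timed out: a DROP rule or a silent middlebox
    "closed-in-handshake"  TCP connected, but the peer closed/reset before any TLS record
                           came back (openssl s_client shows write:errno=104 and
                           "SSL handshake has read 0 bytes" for this case)
    "tls-alert"            the peer spoke TLS and rejected us with an alert; the packet
                           filter is not the problem in that case
    "handshake-ok"         handshake completed
    """
    ctx = ssl.create_default_context()
    # Diagnostic probe only: we only want to know whether a handshake happens at all,
    # so certificate validation is deliberately disabled here. Never do this in real clients.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    with closing(raw):
        raw.settimeout(timeout)
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except (ConnectionResetError, BrokenPipeError, ssl.SSLEOFError):
            return "closed-in-handshake"
        except socket.timeout:
            return "timeout"
        except ssl.SSLError as exc:
            # Older OpenSSL builds report a torn-down connection as a generic SSLError.
            if "EOF" in str(exc).upper():
                return "closed-in-handshake"
            return "tls-alert"
        except OSError as exc:
            if exc.errno in (errno.ECONNRESET, errno.EPIPE, errno.ECONNABORTED):
                return "closed-in-handshake"
            return "error:%s" % exc.strerror
        with closing(tls):
            return "handshake-ok"


def simulate_server(mode):
    """Constructed test double (not a real service): a loopback listener that accepts one
    connection and, without speaking TLS, either closes it normally ("fin") or sends an
    RST ("rst"), mimicking a peer or middlebox that kills the session before the handshake.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if mode == "rst":
            # SO_LINGER with a zero timeout makes close() emit RST instead of FIN.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Pick a loopback port nothing listens on (bind to 0, read the port, release it)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for label, port in (("rst before handshake", simulate_server("rst")),
                        ("fin before handshake", simulate_server("fin")),
                        ("nothing listening", unused_port())):
        print("%-22s -> %s" % (label, probe_tls("127.0.0.1", port)))
```

Against a real deployment, run `probe_tls("127.0.0.1", 8443)` on the VPN host and `probe_tls("<public address>", 8443)` from outside: "closed-in-handshake" from localhost, as in Lam's output, points at the server process rather than iptables, while "refused" or "timeout" only from outside points at the packet filter.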