 I can't get MVSP on my Linux D3/10.2 server to work with SSL.  I have a server.pem file in the /usr/lib/pick directory and MVSP seems to start ok when I instruct it to do so with ssl. But if I try to use openssl to connect to it, it acts like there is no certificate:

# openssl s_client -connect localhost:9000
CONNECTED(00000003)
140144259938192:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1723061738
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

and if I try it with the C# library, I get an exception:

System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
Parameter name: index
   at System.Collections.CollectionBase.System.Collections.IList.get_Item(Int32 index)
   at System.Security.Cryptography.X509Certificates.X509CertificateCollection.get_Item(Int32 index)
   at rocketsoftware.MVSP.Pick.OnLocalCertificateSelect(Object sender, String targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, String[] acceptableIssuers)
   at System.Net.Security.SslStream.userCertSelectionCallbackWrapper(String targetHost, X509CertificateCollection localCertificates, X509Certificate remoteCertificate, String[] acceptableIssuers)
   at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
   at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
   at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest, Boolean renegotiation)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest, Boolean renegotiation)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at rocketsoftware.MVSP.Pick.ConnectCore(String hostName, Int32 hostPort, String userName, String userPassword, Boolean sslConnect, eLicenseType licenseType)

Further to this mystery, if I telnet to port 9000, I get a message that sslsetup is missing:

# telnet 0 9000
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
mve_tel: sslsetup: No such file or directory
Connection closed by foreign host.

What is this file and how does it get populated?

Is there a trick to getting SSL to work with MVSP?

Thanks

Tom



------------------------------
Tom Marracci
General Manager
Aircraft Spruce
corona CA US
------------------------------
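
Added example (not from the original post and not Rocket's MVSP code): a small Python probe that makes sense of the openssl s_client output above. s_client read 7 bytes, reported "unknown protocol" and found no peer certificate; that is what happens when the listener answers the ClientHello with something that is not a TLS record, and it is consistent with the plaintext error "mve_tel: sslsetup: ..." that the telnet session further down shows. The probe attempts a real handshake with Python's ssl module and, when that fails, reconnects and classifies the raw bytes the service sends. Host, port and the sample byte strings in the comments are assumptions or constructed input; the error text is the one from the telnet output on this page.

```python
import socket
import ssl
import sys

# TLS record-layer content types (RFC 5246 section 6.2.1; unchanged in RFC 8446)
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def classify_first_bytes(data: bytes) -> dict:
    """Decide what kind of peer produced `data` as its first reply.

    A TLS server answers a ClientHello with a record: one content-type byte,
    a two-byte version 0x03 0x00..0x04, then a two-byte length.  Anything else
    is not TLS; most often it is a plaintext banner or error from a service
    that is listening on the port but never starts a handshake (the
    "mve_tel: sslsetup: No such file or directory" case on this page).
    """
    if not data:
        return {"kind": "no_data", "text": ""}
    if (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return {"kind": "tls", "record": TLS_CONTENT_TYPES[data[0]],
                "record_len": int.from_bytes(data[3:5], "big")}
    return {"kind": "plaintext", "bytes_read": len(data),
            "text": data.decode("ascii", errors="replace").strip()}


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Try a real TLS handshake; if it fails, reconnect and capture raw bytes.

    Certificate verification is disabled on purpose: the question here is
    whether the port speaks TLS at all, not whether its certificate chains
    to a trusted root.  Do not reuse this context for a production client.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return {"kind": "tls", "protocol": tls.version(),
                        "cipher": tls.cipher()[0], "cert_der_bytes": len(der)}
    except OSError as exc:              # ssl.SSLError is an OSError subclass
        handshake_error = str(exc)
    # Second connection: read whatever the service volunteers (as telnet did),
    # without the TLS layer discarding it as "unknown protocol".
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            data = raw.recv(4096)
        except socket.timeout:          # service waits for input: nothing to show
            data = b""
    result = classify_first_bytes(data)
    result["handshake_error"] = handshake_error
    return result


if __name__ == "__main__":
    # Usage (hypothetical script name): python tlsprobe.py localhost 9000
    host, port = sys.argv[1], int(sys.argv[2])
    print(probe(host, port))
```

A "plaintext" result with the mve_tel error text means the TLS layer never started on the server side, so no certificate or cipher configuration on the client can help; fix the server first, then re-run the probe and expect "tls" with a non-zero cert_der_bytes.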

Hi Tom,

Is your D3 system linked with the SSL libraries (https://www3.rocketsoftware.com/rocketd3/support/documentation/d3nt/102/mvsp/index.htm)

Can you encrypt files within D3 OK?

Bryan



------------------------------
Bryan Buchanan
------------------------------

That's it!  My d3 is linked with openssl, but d3_tel is not. 

From readelf -a /usr/lib/pick/d3_tel you can find the linked modules:

Dynamic section at offset 0x7f0c contains 25 entries:
  Tag        Type                         Name/Value
 0x00000001 (NEEDED)                     Shared library: [libutil.so.1]
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]
 0x0000000c (INIT)                       0x8048d48

Neither libssl nor libcrypto is listed, hence no SSL.  As far as I know this is not linked at build time but provided with the distribution. Is there no way to provide d3_tel with D3/10.2?  Looks like I'll be using secure tunnels instead to make this more secure.

Tom



------------------------------
Tom Marracci
General Manager
Aircraft Spruce
corona CA US
------------------------------
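
Added example, not Rocket's tooling and not from the post above: a Python reader of the ELF dynamic section that reports the same NEEDED entries readelf lists, and flags whether libssl/libcrypto are among them. It handles ELF32 (the d3_tel output above is 32-bit, as the 0x0804... addresses and 0x00000001 tags show) as well as ELF64. The build_test_elf helper fabricates a minimal, non-loadable ELF image so the check runs offline against constructed input; the library names in the tests are the ones from the readelf output on this page, the script name is hypothetical, and the paths in the usage line are the ones the thread mentions. The same check applies to a rebuilt d3_tel_ssl, as described later in the thread.

```python
import struct
import sys

DT_NULL, DT_NEEDED = 0, 1
SHT_STRTAB, SHT_DYNAMIC = 3, 6

# (ELF header, section header, dynamic entry) struct formats, byte-order prefix added later
_FORMATS = {
    32: ("16sHHIIIIIHHHHHH", "IIIIIIIIII", "iI"),
    64: ("16sHHIQQQIHHHHHH", "IIQQQQIIQQ", "qQ"),
}


def dt_needed(data: bytes) -> list:
    """Return the DT_NEEDED names of an ELF image, as `readelf -d` prints them.

    Walks the section headers to .dynamic, follows sh_link to its string
    table and decodes each DT_NEEDED entry.  An image with no dynamic
    section (a static binary) yields an empty list.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = 64 if data[4] == 2 else 32
    endian = "<" if data[5] == 1 else ">"
    ehdr_fmt, shdr_fmt, dyn_fmt = (endian + f for f in _FORMATS[bits])
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_shoff, e_shentsize, e_shnum = ehdr[6], ehdr[11], ehdr[12]
    # section header tuple: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    dynamic = next((s for s in sections if s[1] == SHT_DYNAMIC), None)
    if dynamic is None:
        return []
    str_off = sections[dynamic[6]][4]          # file offset of .dynstr via sh_link
    needed, entsize = [], struct.calcsize(dyn_fmt)
    for off in range(dynamic[4], dynamic[4] + dynamic[5], entsize):
        tag, val = struct.unpack_from(dyn_fmt, data, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            end = data.index(b"\x00", str_off + val)
            needed.append(data[str_off + val:end].decode())
    return needed


def openssl_libs(needed: list) -> list:
    """The entries that show a binary can do TLS by itself: libssl and libcrypto."""
    return [n for n in needed if n.startswith(("libssl.so", "libcrypto.so"))]


def build_test_elf(needed_names: list, bits: int = 32) -> bytes:
    """Constructed input for offline testing: a minimal little-endian ELF
    holding only a .dynstr and a .dynamic section (parseable, not loadable)."""
    ehdr_fmt, shdr_fmt, dyn_fmt = ("<" + f for f in _FORMATS[bits])
    ehsize, shentsize = struct.calcsize(ehdr_fmt), struct.calcsize(shdr_fmt)
    dynstr, offsets = b"\x00", []
    for name in needed_names:
        offsets.append(len(dynstr))
        dynstr += name.encode() + b"\x00"
    dynamic = b"".join(struct.pack(dyn_fmt, DT_NEEDED, o) for o in offsets)
    dynamic += struct.pack(dyn_fmt, DT_NULL, 0)
    dynstr_off = ehsize
    dynamic_off = dynstr_off + len(dynstr)
    shoff = dynamic_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2 if bits == 64 else 1, 1, 1, 0]) + bytes(8)
    # e_type ET_DYN, e_machine x86-64 or i386, no program headers, 3 section headers
    ehdr = struct.pack(ehdr_fmt, ident, 3, 62 if bits == 64 else 3, 1,
                       0, 0, shoff, 0, ehsize, 0, 0, shentsize, 3, 0)

    def shdr(typ, off, size, link, entsize):
        return struct.pack(shdr_fmt, 0, typ, 0, 0, off, size, link, 0, 1, entsize)

    headers = (shdr(0, 0, 0, 0, 0)
               + shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
               + shdr(SHT_DYNAMIC, dynamic_off, len(dynamic), 1, struct.calcsize(dyn_fmt)))
    return ehdr + dynstr + dynamic + headers


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python checkssl.py /usr/lib/pick/d3_tel /usr/lib/pick/d3_tel_ssl
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            libs = dt_needed(fh.read())
        verdict = "links OpenSSL" if openssl_libs(libs) else "NO libssl/libcrypto"
        print(f"{path}: {verdict}  NEEDED={libs}")
```

A binary that shows only libutil and libc, as d3_tel does above, cannot terminate TLS no matter what server.pem contains; run the check against every listener that is supposed to speak TLS before spending time on certificate files.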

Tom, I suggest that you open a case. Please include a WHICH CAD from your system so we can get the system ID and D3 version. Also, please attach the server.pem file so we can have a look at it. Thanks.



------------------------------
Brian S. Cram
Principal Technical Support Engineer
Rocket Software
------------------------------

Hi Brian,

I got the SSL client to work. I had to download and build a 32-bit version of openssl and link it to create d3_tel_ssl, which I then inserted into the xinetd control file for MVSP.  That issue is resolved.  However, there is a bigger problem.  There is a bug in the MVSPNET API code when encoding control characters with DLE.  It comes up with SSL and non-SSL alike, when a command includes one of LF, CR, or DLE. I'll start a ticket and explain what I found and why it doesn't work.

Thanks

Tom



------------------------------
Tom Marracci
General Manager
Aircraft Spruce
corona CA US
------------------------------