6 Replies Latest reply on May 5, 2016 4:36 AM by peter.mason

    NSP Certificate Error

    bblanchard

      Deploying changes to an M-8000 sensor fails every time. We're seeing these errors:

       

      2016-04-28 14:40:11,528 ERROR [PktlogNIOChannelServerPool- 4] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.124:42148) trying to connect to Control Channel server (/x.x.x.55:8503). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. javax.net.ssl.SSLHandshakeException: General SSLEngine problem. sun.security.validator.ValidatorException: Certificate signature validation failed. java.security.SignatureException: Signature does not match..

      2016-04-28 14:40:11,636 ERROR [TwoWayNIOChannelServerPool- 7] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.125:59511) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. javax.net.ssl.SSLHandshakeException: General SSLEngine problem. java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 09 16:41:18 EDT 2011.

      2016-04-28 14:40:11,745 ERROR [TwoWayNIOChannelServerPool- 8] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.176:34870) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. javax.net.ssl.SSLHandshakeException: General SSLEngine problem. sun.security.validator.ValidatorException: Certificate signature validation failed. java.security.SignatureException: Signature does not match..

      2016-04-28 14:40:11,747 ERROR [TwoWayNIOChannelServerPool- 1] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.125:59513) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. javax.net.ssl.SSLHandshakeException: General SSLEngine problem. java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 09 16:41:18 EDT 2011.

      2016-04-28 14:40:11,755 ERROR [TwoWayNIOChannelServerPool- 2] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.124:42149) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. javax.net.ssl.SSLHandshakeException: General SSLEngine problem. sun.security.validator.ValidatorException: Certificate signature validation failed. java.security.SignatureException: Signature does not match..

      2016-04-28 14:40:12,195 ERROR [TwoWayNIOChannelServerPool- 5] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.176:34871) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. javax.net.ssl.SSLHandshakeException: General SSLEngine problem. sun.security.validator.ValidatorException: Certificate signature validation failed. java.security.SignatureException: Signature does not match..

      2016-04-28 14:40:12,283 INFO  [TwoWayNIOChannelServerPool- 10] iv.common - java.lang.String@42c892d[Server type=ALERT_CHANNEL,Ciphers={TLS_RSA_WITH_AES_128_CBC_SHA}]

      2016-04-28 14:40:15,521 ERROR [TwoWayNIOChannelServerPool- 8] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.124:42150) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. javax.net.ssl.SSLHandshakeException: General SSLEngine problem. sun.security.validator.ValidatorException: Certificate signature validation failed. java.security.SignatureException: Signature does not match..

       

      Any idea what could cause this and how to solve it?

        • 1. Re: NSP Certificate Error
          peter.mason

          Hi Bblanchard,

           

          What manager / sensor software are you using?

           

          Are you still receiving alerts from this sensor?

           

          Can you log on to the sensor?

           

          Have you run the checkmanagerconnectivy command from the CLI?

           

          Have you tried breaking and recreating the trust between the manager and sensor?

           

          Have you tried de-installing and reinstalling the sensor?

           

          Peter

          • 2. Re: NSP Certificate Error
            bblanchard

            Will breaking the trust cause any traffic outage? Will the sensor stop processing traffic at any point?

            • 3. Re: NSP Certificate Error
              jvdavis456

              The sensors will cache alerts until trust is re-established. It will not stop processing traffic but the alerts generated may fall off in a FIFO fashion if it cannot upload to the NSM within a few days. The length of time alerts are stored depends on a lot of different factors but for what you are trying to do here it shouldn't be an issue.

               

              BTW, it is possible that this error is related to Java versioning. Upgrading the NSM software to 8.3 MAY fix it but proceed down that road with caution if it comes to that as it is a full NSM upgrade just like any other. It does, however, get rid of the Java dependencies.

              • 4. Re: NSP Certificate Error
                peter.mason

                Hi Bblanchard,

                 

                Were you able to resolve the issue?

                 

                There is a resolved issue listed in the Network Security Platform 8.2.7.83-8.2.3.113 M-Series Release Notes (PD26443)

                 

                1082873 Error in connecting with alert and log channel as ems.log shows SSLHandshakeException.

                 

                It's lacking in detail but if you're not already on manager version 8.2.7.83 it may be worth asking support for more details.

                 

                Regards

                 

                Peter

                • 5. Re: NSP Certificate Error
                  bblanchard

                  Yes, I realized that these errors and the issues we were having are not related.

                   

                  These error messages were caused by old IPS sensors, which were supposed to be decommissioned, trying to connect to the manager.

                   

                  Our original issue was caused by a Snort signature which was not supported by the new version of the manager (we upgraded from 7.x to 8.x)

                  • 6. Re: NSP Certificate Error
                    peter.mason

                    Hey bblanchard,

                     

                    Glad to hear you got it fixed. I always wipe the config from the sensor using the factorydefaults command from the CLI when I deinstall and delete them; this stops them from being reconnected to the manager.

                     

                    Regards

                     

                    Peter
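
Added example (not part of the thread and not McAfee tooling): a Python triage of ems.log lines in the format quoted in the first post, grouping rejected Control Channel handshakes by client address and innermost exception so that stale devices, such as the decommissioned sensors from reply 5, stand out. The sample lines are constructed by abbreviating the thread's log lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated from the ems.log lines quoted in the thread.
SAMPLE_LOG = """\
2016-04-28 14:40:11,528 ERROR [PktlogNIOChannelServerPool- 4] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.124:42148) trying to connect to Control Channel server (/x.x.x.55:8503). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. sun.security.validator.ValidatorException: Certificate signature validation failed. java.security.SignatureException: Signature does not match..
2016-04-28 14:40:11,636 ERROR [TwoWayNIOChannelServerPool- 7] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.125:59511) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 09 16:41:18 EDT 2011.
2016-04-28 14:40:11,745 ERROR [TwoWayNIOChannelServerPool- 8] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.176:34870) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. sun.security.validator.ValidatorException: Certificate signature validation failed. java.security.SignatureException: Signature does not match..
2016-04-28 14:40:11,747 ERROR [TwoWayNIOChannelServerPool- 1] iv.core.ControlChannel.NIO - ControlChannelWorkers : ************* An in-valid client (/x.x.x.125:59513) trying to connect to Control Channel server (/x.x.x.55:8502). SSLHandShake error occured : javax.net.ssl.SSLHandshakeException: General SSLEngine problem. java.security.cert.CertificateExpiredException: NotAfter: Sat Jul 09 16:41:18 EDT 2011.
2016-04-28 14:40:12,283 INFO  [TwoWayNIOChannelServerPool- 10] iv.common - java.lang.String@42c892d[Server type=ALERT_CHANNEL,Ciphers={TLS_RSA_WITH_AES_128_CBC_SHA}]
"""

CLIENT_RE = re.compile(
    r"An in-valid client \(/(?P<client>[^:)]+):\d+\) trying to connect to "
    r"Control Channel server \(/[^:)]+:(?P<port>\d+)\)"
)
EXC_RE = re.compile(r"([\w.]+Exception): ")

def parse_failure(line):
    """Return (client, server_port, cause) for a rejected handshake, else None."""
    m = CLIENT_RE.search(line)
    excs = list(EXC_RE.finditer(line))
    if not m or not excs:
        return None
    last = excs[-1]  # innermost exception in the chain is the actual cause
    root = last.group(1).rsplit(".", 1)[-1]
    detail = line[last.end():].strip().rstrip(".")
    return m.group("client"), int(m.group("port")), f"{root}: {detail}"

def summarize(log_text):
    """Group rejected handshakes by client: count, server ports hit, causes."""
    summary = defaultdict(lambda: {"count": 0, "ports": set(), "causes": set()})
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue  # not a Control Channel handshake rejection
        client, port, cause = parsed
        entry = summary[client]
        entry["count"] += 1
        entry["ports"].add(port)
        entry["causes"].add(cause)
    return dict(summary)

if __name__ == "__main__":
    for client, info in sorted(summarize(SAMPLE_LOG).items()):
        print(client, info["count"], sorted(info["ports"]), sorted(info["causes"]))
```

Any client address in the output that does not map to a sensor currently in the manager's inventory is a candidate for the cleanup described in the last reply.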