Sync through proxy

[elhoim]

Trying to sync through a proxy.
Connecting to another MISP using HTTPS. No SNI, but the certificate is for *.domain.com and I try to connect to misp.domain.com.

The error message on the job page is "Unable to perform enableCrypto operation on CakeSocket".
No additional messages in resque-worker-error.log / resque-scheduler-error.log / error.log or debug.log
No additional messages in MISP app logs.
Enabling debug does not help since it is executed in a job.

Wgetting the page, after adding the same copy/pasted proxy credentials in the shell; works to get the homepage on the same server.

Using debian wheezy latest, php v5.4.45, cakephp v2.7.7, MISP v2.3.169.

[iglocska]

Do you have the proxy set up in MISP itself?

On Tue, Dec 1, 2015 at 11:59 AM, David André notifications@github.com
wrote:

Trying to sync through a proxy.
Connecting to another MISP using HTTPS. No SNI, but the certificate is for *.domain.com
http://domain.com and I try to connect to misp.domain.com
http://misp.domain.com.

The error message on the job page is "Unable to perform enableCrypto
operation on CakeSocket".
No additional messages in resque-worker-error.log /
resque-scheduler-error.log / error.log or debug.log
No additional messages in MISP app logs.
Enabling debug does not help since it is executed in a job.

Wgetting the page, after adding the same copy/pasted proxy credentials in
the shell; works to get the homepage on the same server.

Using debian wheezy latest, php v5.4.45, cakephp v2.7.7, MISP v2.3.169.

—
Reply to this email directly or view it on GitHub
#740.

[RichieB2B]

You can try to use tcpdump to see what MISP actually sends to the proxy. IIRC the CakePHP proxy code does not handle all possible scenario's like authentication problems gracefully.

[elhoim]

Thanks for the idea @RichieB2B !
The result is that credentials to the proxy don't get sent.

We try to connect via a proxy on a non-standard port (8102); the HTTP connect gets issued correctly but the basic authentication headers are not present, so the proxy gives a 407 Authentication required.

The credentials are correct, since I used them (copy/paste to be sure to have exactly the same thing) with wget on the command line to fetch the homepage of the remote MISP instance I am trying to sync to.

[RichieB2B]

In MISP all communication with external servers is done through the SyncTool class (app/Lib/Tools/SyncTool.php). The code there is pretty straight forward:

$proxy = Configure::read('Proxy');
if ($proxy) $HttpSocket->configProxy($proxy['host'], $proxy['port'], $proxy['method'], $proxy['user'], $proxy['password']);

So this appears to be an issue with HttpSocket from CakePHP, see
http://book.cakephp.org/2.0/en/core-utility-libraries/httpsocket.html
http://api.cakephp.org/2.7/class-HttpSocket.html#_configProxy

Judging by your tcpdump test CakePHP sets and uses the host and port correctly, but not the user and password variables.

[RichieB2B]

What have you set as the proxy.method in the MISP config.php? This should be either Basic or Digest depending on your proxy.

[elhoim]

I used Basic since it is what we use.

[RichieB2B]

I think I fixed the issue. After overcoming a general issue with SSL via proxies in cakephp/cakephp#7834 I managed to add the Proxy-Authorization header to the CONNECT request in cakephp/cakephp#7836

You can try this fork that includes above PRs: https://github.com/RichieB2B/cakephp/tree/2.7+fixes

[RichieB2B]

cakephp/cakephp#7836 has been merged so you can just use the latest CakePHP 2.7 branch: https://github.com/cakephp/cakephp/tree/2.7

[Rafiot]

excellent, I update the branch to get the HEAD of cakephp 2.4

[elhoim]

Could you also please do this to master branch so 2.3 users can also benefit from it?

[elhoim]

@RichieB2B I owe you a beer if it works!

[adulau]

@elhoim go for the 2.4 branch (which is now the default branch) ;-)

[Rafiot]

Considering as fixed :)

[RichieB2B]

Expecting that beer then from @elhoim ;-)