Add SSL Client support

[mhaas]

This pull request adds optional SSL client support when talking to the auth server. This is useful if your auth server only speaks HTTPS or if you just want to use HTTPS in a post-snowden world.

The patch is tested lightly: it works with my server. The code is heavily based on the [http://www.yassl.com/yaSSL/Docs-cyassl-manual-11-ssl-tutorial.html](CyaSSL tutorial). No guarantee regards "security" given :)

Fixes #61

[mhaas]

Two problems:

• ca-certificates are not loaded, so SSLNoPeerVerification is required
• in conf.c, the debug logs fire although they are #ifndef'd with USE_CYASSL

[acv]

I would suggest a key to disable the use of HTTPS globally when talking to AuthServer for testing purpose.

[mhaas]

You can simple set SSLAvailable to No in the auth server section. Clients will be redirected to HTTP then, but if it's just for testing, that should be ok.

[mhaas]

Added a note in wifidog.conf: 4f634ed

[acv]

Stylistic thing but generally, it's best to do white space / formatting fix separately to minimize code to review ;-)

[mhaas]

@avc Sorry about the white space. I tried to minimize his - or are you talking about keeping white space and actual code PRs separate?

Thanks for the thorough review!

[acv]

Yeah, the latter. White space PRs as separate.

[mhaas]

Thanks. There are some other proiblems:

• I can't load SSL certs, the call fails with E_COMPRESS for some reason. Maybe I'm missing zlib?!
• I might have to enable domain name verification separately

[mhaas]

Do you need me to re-do the pull request re whitespace or can we let it slip one time? ;)

[acv]

Don't worry about it.

[acv]

For the "error state on socket" error, I'd suppress its logging. If we can't do any better, we might as well avoid ourselves support questions.

[mhaas]

@acv, thanks! I have to verify COMPRESS_E then.

Testing on my VM right now, but apparently wifidog linked against host libc. Time to fix my build.

[mhaas]

You were right, it is ASN_UNKNOWN_OID_E. I mixed up -184 and -148.

[acv]

Sweet, so we have a root cause (ECC root certs) and a fix (--enable-ecc).

[mhaas]

Removed the "error state on socket" message.

cyassl with --enable-ecc works for me now.

I think we can merge. I didn't test against known broken servers (e.g. expired, wrong hostname), though.

[acv]

I would suppress the logging when numbytes == 0 in the read loop personally but I think it's merge ready now otherwise.

[acv]

I checked the hostname mismatch case and it prints a meaning full error about peer mismatch.

[mhaas]

Good. You pull the trigger, we share the blame.

[mhaas]

FYI, i requested that OpenWrt enable ECC: https://dev.openwrt.org/ticket/19188#ticket

[acv]

Sweet.

[databeille]

Do you have :
(simple_http.c:256) CyaSSL_send failed: don't have enough data to complete task
when trying to ping authserver ?

build for openwrt BB with cyassl 3.3.0 or cyassl 3.3.2 master

[mhaas]

No. Can you post your config? What platform?

[acv]

That sounds like connect to a non SSL server with SSL.

This happens when the server response is not the expected size on the TLS handshake:

    if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
            return INCOMPLETE_DATA;

[databeille]

@mhaas I have a ar71xx router, running openwrt BB.

I use https://github.com/indutny/bud as TLS terminator ; will try with a basic apache setting to check.

[mhaas]

On 03/30/2015 02:33 PM, databeille wrote:

@mhaas https://github.com/mhaas I have a ar71xx router, running
openwrt BB.

I use https://github.com/indutny/bud as TLS terminator, will try with a
basic apache setting to check.

Does it work with a regular browser? Perhaps the problem lies between
the terminator and your webserver.

[databeille]

Yes, usually, everything works perfectly :)
With Apache handling SSL-TLS, wifidog-tls works, I got a "Pong".
bud-tls returns many different error codes with wifidog-tls, the "weirdest" being : "no shared cipher".

[mhaas]

Hm, ok. It would be good if you made a ticket with as much information (logs) as you can and I will take a look :)

Am 30. März 2015 16:20:51 MESZ, schrieb databeille notifications@github.com:

Yes, usually, everything works perfectly :)
With Apache handling SSL-TLS, wifidog-tls works, I got a "Pong".
bud-tls returns many different error codes with wifidog-tls, the
"weirdest" being : "no shared cipher".

---

Reply to this email directly or view it on GitHub:
#63 (comment)

[acv]

Can you run Qualys' SSL tester against your bud-tls endpoint? https://www.ssllabs.com/ssltest/

[databeille]

@acv : yes, it works great !
I try to configure it less severe (+SSL2 +SSL3 +UseClientCypherSuite +...), but nothing good for now...

[acv]

Wifidog is hard coded to to TLS 1.x or greater only so SSL2/SSL3 is not supported.

[databeille]

wifidog-tls works great with Apache+mod_ssl, Apache+stud (https://github.com/bumptech/stud/ ; my previous terminator, not maintained anymore) but miserably fails with bud-tls.
I give up for now.

[mhaas]

@databeille I assume you have the cyassl source handy? In examples/client, there is a test program. Execute something like this:

./client -h yourserver.xzy -p 443

So we can see if it's a wifidog problem or a cyassl+bud-tls problem.

[databeille]

It is not related to wifidog.
cyassl's ./client script fails too (master branch).

[databeille]

My last post about this problem : "INCOMPLETE_DATA" being wide (cases in cyassl/src/tls.c and cyassl/src/internal.c), the error code returned is related to :

    /* make sure can read the message */
    if (*inOutIdx + size > totalSz)
        return INCOMPLETE_DATA;

in src/internal.c.

Will now push an issue to bud-tls.

Anyway, thanks for your help @mhaas