
Add SSL Client support #63

Merged
merged 32 commits into from
Mar 15, 2015

Conversation

mhaas (Contributor) commented Mar 10, 2015

This pull request adds optional SSL client support when talking to the auth server. This is useful if your auth server only speaks HTTPS or if you just want to use HTTPS in a post-Snowden world.

The patch is tested lightly: it works with my server. The code is heavily based on the [CyaSSL tutorial](http://www.yassl.com/yaSSL/Docs-cyassl-manual-11-ssl-tutorial.html). No guarantee regarding "security" given :)

Fixes #61

mhaas (Contributor Author) commented Mar 11, 2015

Two problems:

  • ca-certificates are not loaded, so SSLNoPeerVerification is required
  • in conf.c, the debug logs fire although they are #ifndef'd with USE_CYASSL

mhaas added 2 commits March 11, 2015 20:03
  • Otherwise, USE_CYASSL won't be available.
  • When loading CA certificates with CyaSSL, print the error code on failure
@@ -96,6 +97,8 @@ typedef enum {
oTrustedMACList,
oHtmlMessageFile,
oProxyPort,
oSSLNoPeerVerification,
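Review bot: oSSLNoPeerVerification turns off certificate verification of the auth server with a single config keyword, so the wifidog.conf entry for it should say plainly that it is for testing only and that with it set the gateway accepts any certificate, which leaves HTTPS hiding the traffic but no longer authenticating the server; the default must stay verification on. The hunk header counts two added lines but only this one is visible here, so the second option added to this enum should carry the same documentation.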
Contributor, review comment on the diff:

I would suggest a key to disable the use of HTTPS globally when talking to AuthServer for testing purpose.

mhaas (Contributor Author), review comment:

You can simply set SSLAvailable to No in the auth server section. Clients will be redirected to HTTP then, but if it's just for testing, that should be OK.

mhaas (Contributor Author), review comment:

Added a note in wifidog.conf: 4f634ed

acv (Contributor) commented Mar 12, 2015

Stylistic thing, but generally it's best to do whitespace / formatting fixes separately to minimize code to review ;-)

mhaas (Contributor Author) commented Mar 12, 2015

@acv Sorry about the whitespace. I tried to minimize this - or are you talking about keeping whitespace and actual code PRs separate?

Thanks for the thorough review!

acv (Contributor) commented Mar 12, 2015

Yeah, the latter. Whitespace PRs as separate ones.

mhaas (Contributor Author) commented Mar 12, 2015

Thanks. There are some other problems:

  • I can't load SSL certs, the call fails with E_COMPRESS for some reason. Maybe I'm missing zlib?!
  • I might have to enable domain name verification separately

mhaas (Contributor Author) commented Mar 12, 2015

Do you need me to re-do the pull request re whitespace or can we let it slip one time? ;)

acv (Contributor) commented Mar 12, 2015

Don't worry about it.

florida63 and others added 5 commits March 12, 2015 21:19
  • Certainly a mistake among all the recent corrections.
  • TrustedMACList isn't deprecated.
  • Fix removal option TrustedMACList
  • If certificates can't be loaded, then direct user to config options.
acv (Contributor) commented Mar 15, 2015

For the "error state on socket" error, I'd suppress its logging. If we can't do any better, we might as well spare ourselves the support questions.

mhaas (Contributor Author) commented Mar 15, 2015

@acv, thanks! I have to verify COMPRESS_E then.

Testing on my VM right now, but apparently wifidog linked against host libc. Time to fix my build.

Use ASN_UNKNOWN_OID_E instead of COMPRESS_E
mhaas (Contributor Author) commented Mar 15, 2015

You were right, it is ASN_UNKNOWN_OID_E. I mixed up -184 and -148.

acv (Contributor) commented Mar 15, 2015

Sweet, so we have a root cause (ECC root certs) and a fix (--enable-ecc).

mhaas (Contributor Author) commented Mar 15, 2015

Removed the "error state on socket" message.

cyassl with --enable-ecc works for me now.

I think we can merge. I didn't test against known broken servers (e.g. expired, wrong hostname), though.
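The CA-bundle load failure above was traced to ECC root certificates in a CyaSSL build without --enable-ecc (the ASN_UNKNOWN_OID_E result). The following is an added example, not wifidog or CyaSSL code, that reads the SubjectPublicKeyInfo algorithm OID of every certificate in a PEM bundle, so you can tell before building whether the bundle you ship contains EC keys. The sample bundle is constructed inside the block (structurally valid DER with empty names and dummy signatures, not real certificates); `spki_algorithm_oid`, `classify_bundle` and the helper names are chosen for this example.

```python
"""Added example (not wifidog or CyaSSL code): report the public-key
algorithm of each certificate in a PEM bundle, to spot ECC roots that a
CyaSSL built without --enable-ecc cannot load."""
import base64
import re

OID_RSA = "1.2.840.113549.1.1.1"   # rsaEncryption
OID_EC = "1.2.840.10045.2.1"       # id-ecPublicKey
KEY_TYPES = {OID_RSA: "RSA", OID_EC: "EC"}


def read_tlv(data, idx):
    """Parse one DER TLV at idx; return (tag, value_start, value_end)."""
    tag, length = data[idx], data[idx + 1]
    idx += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[idx:idx + n], "big")
        idx += n
    return tag, idx, idx + length


def decode_oid(raw):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def spki_algorithm_oid(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> algorithm OID."""
    _, idx, _ = read_tlv(cert_der, 0)             # Certificate SEQUENCE
    _, idx, _ = read_tlv(cert_der, idx)           # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, idx)
    if tag == 0xA0:                               # optional explicit [0] version
        idx = end
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        _, _, idx = read_tlv(cert_der, idx)
    _, idx, _ = read_tlv(cert_der, idx)           # subjectPublicKeyInfo SEQUENCE
    _, idx, _ = read_tlv(cert_der, idx)           # AlgorithmIdentifier SEQUENCE
    tag, start, end = read_tlv(cert_der, idx)     # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER, got tag 0x%02x" % tag)
    return decode_oid(cert_der[start:end])


def pem_certificates(bundle_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", bundle_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def classify_bundle(bundle_text):
    """Key type ('RSA', 'EC', or the raw OID for anything else) per certificate."""
    out = []
    for der in pem_certificates(bundle_text):
        oid = spki_algorithm_oid(der)
        out.append(KEY_TYPES.get(oid, oid))
    return out


# --- constructed sample bundle: structurally valid DER with empty names and
# --- dummy signatures; NOT real certificates and they would never verify.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:                               # remaining base-128 digits, high bit set
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += enc
    return der(0x06, bytes(body))


def fake_cert(alg_id_content):
    sig_alg = der(0x30, der_oid("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSAEncryption
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                           # [0] version v3
              + der(0x02, b"\x01")                                     # serialNumber
              + sig_alg                                                # signature
              + der(0x30, b"")                                         # issuer (empty Name)
              + der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"250101000000Z"))  # validity
              + der(0x30, b"")                                         # subject (empty Name)
              + der(0x30, der(0x30, alg_id_content) + der(0x03, b"\x00\x00")))  # subjectPublicKeyInfo
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00\x00"))


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_BUNDLE = (
    to_pem(fake_cert(der_oid(OID_RSA) + der(0x05, b"")))                      # RSA key, NULL params
    + to_pem(fake_cert(der_oid(OID_EC) + der_oid("1.2.840.10045.3.1.7")))     # EC key, P-256 curve
)

if __name__ == "__main__":
    for i, kind in enumerate(classify_bundle(SAMPLE_BUNDLE)):
        print("certificate %d: %s" % (i, kind))
```

Point `classify_bundle` at the contents of the ca-certificates file you ship on the router; any "EC" entry is one that a CyaSSL built without ECC support will refuse, and a bundle with only "RSA" entries loads either way.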

acv (Contributor) commented Mar 15, 2015

I would suppress the logging when numbytes == 0 in the read loop personally but I think it's merge ready now otherwise.

acv (Contributor) commented Mar 15, 2015

I checked the hostname mismatch case and it prints a meaningful error about peer mismatch.
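mhaas notes above that domain name verification may have to be enabled separately from chain verification, and acv confirms that the hostname-mismatch case is reported as a peer mismatch. As an added illustration of what that separate check decides (not wifidog or CyaSSL code), the Python below matches a hostname against the DNS names a certificate carries, applying the RFC 6125 rules for wildcards; the certificate name list is constructed here and the function names are chosen for this example.

```python
"""Added example (not wifidog or CyaSSL code): the domain-name check that
runs separately from certificate-chain verification, using the RFC 6125
rules for DNS names and wildcards."""
import ipaddress


def dns_name_matches(pattern, hostname):
    """Does one DNS name from a certificate (exact or wildcard) cover hostname?

    Rules applied:
      - labels compare case-insensitively; a trailing dot is ignored
      - a wildcard is accepted only as the entire left-most label and
        matches exactly one label: '*.auth.example.org' covers
        'gw1.auth.example.org' but not 'auth.example.org' or 'a.b.auth.example.org'
      - a wildcard needs at least two further labels, so '*.com' covers nothing
      - a partial wildcard such as 'f*.example.org' is rejected (a conservative
        choice made in this example; RFC 6125 leaves it optional)
      - an IP-address literal never matches a DNS name (it belongs to iPAddress SANs)
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if not all(p_labels) or not all(h_labels) or len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_peer_name(cert_dns_names, hostname):
    """Return (ok, detail). cert_dns_names is the list of DNS names the peer
    certificate carries (subjectAltName dNSName entries, or the CN as a legacy
    fallback); the chain is assumed to have been verified already."""
    for name in cert_dns_names:
        if dns_name_matches(name, hostname):
            return True, "hostname %s matched certificate name %s" % (hostname, name)
    return False, "peer name mismatch: %s is not covered by %s" % (hostname, ", ".join(cert_dns_names))


# Constructed sample: names an auth-server certificate might carry (not a real certificate)
SAMPLE_CERT_NAMES = ["auth.example.org", "*.auth.example.org"]

if __name__ == "__main__":
    for host in ["auth.example.org", "GW1.auth.example.org", "a.b.auth.example.org",
                 "example.org", "192.0.2.10"]:
        print("%-24s %s" % (host, verify_peer_name(SAMPLE_CERT_NAMES, host)[1]))
```

A valid chain plus a wrong name is exactly the case an attacker with any CA-issued certificate can present, which is why this check cannot be folded into chain verification and why the mismatch case acv tested must fail closed.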

mhaas (Contributor Author) commented Mar 15, 2015

Good. You pull the trigger, we share the blame.

acv added a commit that referenced this pull request Mar 15, 2015
acv merged commit 29207c8 into wifidog:master Mar 15, 2015
mhaas (Contributor Author) commented Mar 15, 2015

FYI, I requested that OpenWrt enable ECC: https://dev.openwrt.org/ticket/19188#ticket

acv (Contributor) commented Mar 15, 2015

Sweet.

florida63 added this to the 1.2.0 milestone Mar 24, 2015
databeille (Contributor) commented:
Do you have:
(simple_http.c:256) CyaSSL_send failed: don't have enough data to complete task
when trying to ping the authserver?

Built for OpenWrt BB with cyassl 3.3.0 or cyassl 3.3.2 master.

mhaas (Contributor Author) commented Mar 27, 2015

No. Can you post your config? What platform?

acv (Contributor) commented Mar 27, 2015

That sounds like connecting to a non-SSL server with SSL.

This happens when the server response is not the expected size on the TLS handshake:

    if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
            return INCOMPLETE_DATA;

databeille (Contributor) commented:
@mhaas I have an ar71xx router, running OpenWrt BB.

I use https://github.com/indutny/bud as TLS terminator ; will try with a basic apache setting to check.

mhaas (Contributor Author) commented Mar 30, 2015

On 03/30/2015 02:33 PM, databeille wrote:

> @mhaas I have an ar71xx router, running OpenWrt BB.
>
> I use https://github.com/indutny/bud as TLS terminator, will try with a basic apache setting to check.

Does it work with a regular browser? Perhaps the problem lies between the terminator and your webserver.

databeille (Contributor) commented:
Yes, usually, everything works perfectly :)
With Apache handling SSL-TLS, wifidog-tls works, I got a "Pong".
bud-tls returns many different error codes with wifidog-tls, the "weirdest" being: "no shared cipher".

mhaas (Contributor Author) commented Mar 30, 2015

Hm, ok. It would be good if you made a ticket with as much information (logs) as you can and I will take a look :)

On 30 March 2015 16:20:51 CEST, databeille notifications@github.com wrote:

> Yes, usually, everything works perfectly :)
> With Apache handling SSL-TLS, wifidog-tls works, I got a "Pong".
> bud-tls returns many different error codes with wifidog-tls, the "weirdest" being: "no shared cipher".

acv (Contributor) commented Mar 30, 2015

Can you run Qualys' SSL tester against your bud-tls endpoint? https://www.ssllabs.com/ssltest/

databeille (Contributor) commented:
@acv: yes, it works great!
I tried configuring it less strictly (+SSL2 +SSL3 +UseClientCypherSuite +...), but nothing good so far...

acv (Contributor) commented Mar 30, 2015

Wifidog is hard-coded to TLS 1.x or greater only, so SSL2/SSL3 is not supported.

databeille (Contributor) commented:
wifidog-tls works great with Apache+mod_ssl, Apache+stud (https://github.com/bumptech/stud/ ; my previous terminator, not maintained anymore) but miserably fails with bud-tls.
I give up for now.

mhaas (Contributor Author) commented Apr 1, 2015

@databeille I assume you have the cyassl source handy? In examples/client, there is a test program. Execute something like this:

./client -h yourserver.xzy -p 443

So we can see if it's a wifidog problem or a cyassl+bud-tls problem.

databeille (Contributor) commented:
It is not related to wifidog.
cyassl's ./client script fails too (master branch).

databeille (Contributor) commented:
My last post about this problem: "INCOMPLETE_DATA" being wide (cases in cyassl/src/tls.c and cyassl/src/internal.c), the error code returned is related to:

    /* make sure can read the message */
    if (*inOutIdx + size > totalSz)
        return INCOMPLETE_DATA;

in src/internal.c.

Will now push an issue to bud-tls.

Anyway, thanks for your help @mhaas
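The two INCOMPLETE_DATA checks quoted in this thread (the record and handshake length test in acv's comment, and the "make sure can read the message" test in databeille's) both fire when the bytes that arrive after the ClientHello are shorter than their headers declare, which is what happens when the peer is not speaking TLS at all or a terminator mangles the handshake. As an added example, not wifidog's or CyaSSL's code, the Python below applies the same checks to a received buffer and tells apart a truncated record, a plain-HTTP reply on the TLS port, and a handshake_failure alert (the alert an OpenSSL-based server typically sends when it logs "no shared cipher"). The ServerHello and the other inputs are constructed in the block, not captured traffic, and the function names are chosen for this example.

```python
"""Added example (not wifidog or CyaSSL code): apply the TLS record and
handshake length checks to the first bytes a client receives."""
import struct

RECORD_HEADER_SZ = 5        # ContentType(1) ProtocolVersion(2) length(2)
HANDSHAKE_HEADER_SZ = 4     # HandshakeType(1) length(3)
CT_ALERT, CT_HANDSHAKE = 0x15, 0x16
HS_SERVER_HELLO = 0x02
# AlertDescription codes (RFC 5246) that show up when a handshake fails
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def _incomplete(reason):
    return {"status": "incomplete", "reason": reason}


def classify_server_reply(buf):
    """Classify the bytes received in reply to a ClientHello.

    'status' is one of:
      not_tls       the bytes are not a TLS record (e.g. a plain-HTTP reply)
      incomplete    a record or handshake message declares more bytes than are
                    present (the INCOMPLETE_DATA condition)
      alert         a TLS alert; 'description' names it
      server_hello  a complete ServerHello; 'version' and 'cipher' are set
      handshake     some other complete handshake message; 'type' is set
    """
    if len(buf) < RECORD_HEADER_SZ:
        return _incomplete("fewer than %d bytes, no record header yet" % RECORD_HEADER_SZ)
    ctype, major, minor, rec_len = struct.unpack("!BBBH", buf[:RECORD_HEADER_SZ])
    # Every SSL3/TLS record carries version 3.x with x <= 3 and starts with a
    # content type; "HTTP/" is 0x48 0x54 0x54 0x50 0x2f and fails this test.
    if major != 3 or minor > 3 or ctype not in (CT_ALERT, CT_HANDSHAKE):
        return {"status": "not_tls",
                "reason": "leading bytes %r are not a TLS record" % buf[:RECORD_HEADER_SZ]}
    body = buf[RECORD_HEADER_SZ:RECORD_HEADER_SZ + rec_len]
    if len(body) < rec_len:
        return _incomplete("record declares %d bytes, only %d received" % (rec_len, len(body)))
    if ctype == CT_ALERT:
        if len(body) < 2:
            return _incomplete("alert record shorter than 2 bytes")
        return {"status": "alert", "level": body[0],
                "description": ALERT_NAMES.get(body[1], str(body[1]))}
    if len(body) < HANDSHAKE_HEADER_SZ:
        return _incomplete("record too short for a handshake header")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:HANDSHAKE_HEADER_SZ], "big")
    idx = HANDSHAKE_HEADER_SZ
    if idx + hs_len > len(body):          # "make sure can read the message"
        return _incomplete("handshake message declares %d bytes, record holds %d"
                           % (hs_len, len(body) - idx))
    if hs_type != HS_SERVER_HELLO:
        return {"status": "handshake", "type": hs_type}
    msg = body[idx:idx + hs_len]
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    if len(msg) < 35:
        return _incomplete("ServerHello shorter than its fixed fields")
    sid_len = msg[34]
    if len(msg) < 35 + sid_len + 3:
        return _incomplete("ServerHello truncated inside session id or cipher suite")
    cipher = int.from_bytes(msg[35 + sid_len:37 + sid_len], "big")
    return {"status": "server_hello", "version": (msg[0], msg[1]), "cipher": cipher}


def build_server_hello(version=(3, 3), cipher=0xC02F):
    """Constructed minimal ServerHello record used as sample input (not captured traffic)."""
    msg = bytes(version) + b"\x00" * 32 + b"\x00" + cipher.to_bytes(2, "big") + b"\x00"
    hs = bytes([HS_SERVER_HELLO]) + len(msg).to_bytes(3, "big") + msg
    return bytes([CT_HANDSHAKE, 3, 3]) + len(hs).to_bytes(2, "big") + hs


# Constructed sample replies, not captured from any real server
SAMPLES = {
    "good tls server": build_server_hello(),
    "record cut short": build_server_hello()[:20],
    "plain http on port 443": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "no shared cipher": bytes([CT_ALERT, 3, 3, 0, 2, 2, 40]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-24s -> %s" % (name, classify_server_reply(data)))
```

Running the sample set shows why the "don't have enough data to complete task" message alone is ambiguous: a plaintext server, a truncated record and a handshake message whose length field outruns its record all look like INCOMPLETE_DATA from inside the library, and only the first bytes on the wire distinguish them.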

Successfully merging this pull request may close these issues.

Talk SSL to the auth server