Add SSL Client support #63
Conversation
Conflicts: src/centralserver.c
Conflicts: src/ping_thread.c
* Do not null request before sending it
* Also quietens compiler warning
Conflicts: src/ping_thread.c
Defaults to off
Two problems:
Otherwise, USE_CYASSL won't be available.
When loading CA certificates with CyaSSL, print the error code on failure
@@ -96,6 +97,8 @@ typedef enum { | |||
oTrustedMACList, | |||
oHtmlMessageFile, | |||
oProxyPort, | |||
oSSLNoPeerVerification, |
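Review bot: an enum value named oSSLNoPeerVerification implies a configuration key that switches certificate verification off for the auth-server connection, and this hunk shows neither the key's default nor where it is documented; please make sure the parser defaults it to verification enabled and that the wifidog.conf comment states the option is for testing only, since without peer verification the TLS session no longer authenticates the auth server.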
I would suggest a key to disable the use of HTTPS globally when talking to AuthServer for testing purpose.
You can simply set SSLAvailable to No in the auth server section. Clients will be redirected to HTTP then, but if it's just for testing, that should be ok.
Added a note in wifidog.conf: 4f634ed
Stylistic thing but generally, it's best to do white space / formatting fixes separately to minimize code to review ;-)
@acv Sorry about the white space. I tried to minimize this - or are you talking about keeping white space and actual code PRs separate? Thanks for the thorough review!
Yeah, the latter. White space PRs as separate.
Thanks. There are some other problems:
Do you need me to re-do the pull request re whitespace or can we let it slip one time? ;)
Don't worry about it.
Certainly a mistake among all the recent corrections. TrustedMACList isn't deprecated.
Fix removal of option TrustedMACList
If certificates can't be loaded, then direct user to config options.
For the "error state on socket" error, I'd suppress its logging. If we can't do any better, we might as well avoid ourselves support questions.
@acv, thanks! I have to verify COMPRESS_E then. Testing on my VM right now, but apparently wifidog linked against host libc. Time to fix my build.
Use ASN_UNKNOWN_OID_E instead of COMPRESS_E
You were right, it is ASN_UNKNOWN_OID_E. I mixed up -184 and -148.
Sweet, so we have a root cause (ECC root certs) and a fix (
Removed the "error state on socket" message. cyassl with --enable-ecc works for me now. I think we can merge. I didn't test against known broken servers (e.g. expired, wrong hostname), though.
I would suppress the logging when
I checked the hostname mismatch case and it prints a meaningful error about peer mismatch.
Good. You pull the trigger, we share the blame.
FYI, I requested that OpenWrt enable ECC: https://dev.openwrt.org/ticket/19188#ticket
Sweet.
Do you have a build for openwrt BB with cyassl 3.3.0 or cyassl 3.3.2 master?
No. Can you post your config? What platform?
That sounds like connecting to a non-SSL server with SSL. This happens when the server response is not the expected size on the TLS handshake:

```c
if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
    return INCOMPLETE_DATA;
```

@mhaas I have an ar71xx router, running openwrt BB. I use https://github.com/indutny/bud as TLS terminator; will try with a basic apache setting to check.
On 03/30/2015 02:33 PM, databeille wrote:
Does it work with a regular browser? Perhaps the problem lies between
Yes, usually, everything works perfectly :)
Hm, ok. It would be good if you made a ticket with as much information (logs) as you can and I will take a look :)

On 30 March 2015 16:20:51 CEST, databeille notifications@github.com wrote:
Can you run Qualys' SSL tester against your bud-tls endpoint? https://www.ssllabs.com/ssltest/
@acv : yes, it works great!
Wifidog is hard coded to TLS 1.x or greater only so SSL2/SSL3 is not supported.
wifidog-tls works great with Apache+mod_ssl, Apache+stud (https://github.com/bumptech/stud/ ; my previous terminator, not maintained anymore) but miserably fails with bud-tls.
@databeille I assume you have the cyassl source handy? In examples/client, there is a test program. Execute something like this:
So we can see if it's a wifidog problem or a cyassl+bud-tls problem.
It is not related to wifidog.
My last post about this problem: "INCOMPLETE_DATA" being wide (cases in cyassl/src/tls.c and cyassl/src/internal.c), the error code returned is related to this check in src/internal.c:

```c
/* make sure can read the message */
if (*inOutIdx + size > totalSz)
    return INCOMPLETE_DATA;
```

Will now push an issue to bud-tls. Anyway, thanks for your help @mhaas
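The two CyaSSL length checks quoted in this thread (the `helloSz` test earlier and the `*inOutIdx + size > totalSz` test just above), as an added C example that is not wifidog or CyaSSL code: it classifies the first bytes a client reads back after its ClientHello so that a plaintext HTTP answer (a non-SSL server) can be told apart from a genuinely truncated TLS record. The record and handshake header sizes are TLS wire-format values; SERVER_HELLO_MIN, the return codes and the sample bytes are this example's own assumptions.

```c
/* Added example, not wifidog or CyaSSL code: mirror the two CyaSSL length
 * checks from the thread to diagnose a short or non-TLS server reply.
 * SERVER_HELLO_MIN (fixed part of a ServerHello with an empty session ID)
 * and the return codes are this example's own choices. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RECORD_HEADER_SZ    5   /* type(1) version(2) length(2) */
#define HANDSHAKE_HEADER_SZ 4   /* type(1) length(3) */
#define SERVER_HELLO_MIN    38  /* version(2) random(32) sid_len(1) cipher(2) comp(1) */

enum { TLS_OK = 0, INCOMPLETE_DATA = -1, NOT_TLS = -2, BAD_RECORD = -3 };
/* TLS_OK: one complete handshake record carrying a ServerHello.
 * INCOMPLETE_DATA: the headers claim more bytes than were received.
 * NOT_TLS: plaintext HTTP came back, i.e. that port is not speaking TLS.
 * BAD_RECORD: TLS framing is present but it is not a TLS 1.x ServerHello. */
int classify_server_reply(const uint8_t *buf, size_t len)
{
    if (len >= 5 && memcmp(buf, "HTTP/", 5) == 0)
        return NOT_TLS;
    if (len < RECORD_HEADER_SZ)
        return INCOMPLETE_DATA;
    if (buf[0] != 0x16 || buf[1] != 0x03)       /* handshake record, TLS 1.x */
        return BAD_RECORD;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (RECORD_HEADER_SZ + rec_len > len)        /* "*inOutIdx + size > totalSz" */
        return INCOMPLETE_DATA;
    if (rec_len < HANDSHAKE_HEADER_SZ || buf[5] != 0x02)   /* server_hello */
        return BAD_RECORD;
    size_t hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (HANDSHAKE_HEADER_SZ + hs_len > rec_len)
        return BAD_RECORD;
    if (hs_len < SERVER_HELLO_MIN)               /* the "helloSz <" check */
        return INCOMPLETE_DATA;
    return TLS_OK;
}

/* Constructed samples: a minimal ServerHello record, the same bytes cut
 * short (a mis-sized reply), and a plaintext HTTP answer. */
static const uint8_t full_hello[47] = {
    0x16,0x03,0x03,0x00,0x2A,   /* record: handshake, TLS 1.2, 42 bytes follow */
    0x02,0x00,0x00,0x26,        /* server_hello, 38-byte body */
    0x03,0x03,                  /* server_version */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,  /* random */
    0x00, 0xC0,0x2F, 0x00 };    /* empty session ID, cipher suite, null compression */
static const uint8_t http_reply[] = "HTTP/1.1 400 Bad Request\r\n";
int demo_complete(void)  { return classify_server_reply(full_hello, sizeof full_hello); }
int demo_truncated(void) { return classify_server_reply(full_hello, 20); }
int demo_plaintext(void) { return classify_server_reply(http_reply, sizeof http_reply - 1); }
```

Running the three demo functions on the constructed samples gives TLS_OK, INCOMPLETE_DATA and NOT_TLS respectively, which is the distinction needed to decide whether to file the problem against the TLS terminator or against the client.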
This pull request adds optional SSL client support when talking to the auth server. This is useful if your auth server only speaks HTTPS or if you just want to use HTTPS in a post-Snowden world.
The patch is tested lightly: it works with my server. The code is heavily based on the [CyaSSL tutorial](http://www.yassl.com/yaSSL/Docs-cyassl-manual-11-ssl-tutorial.html). No guarantee regarding "security" given :)
Fixes #61