View Issue Details

ID: 0000155
Project: easycwmp
Category: Question
View Status: public
Last Update: 2016-07-29 10:25
Reporter: Tyler-PN
Assigned To: (none)
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Summary: 0000155: easycwmp and session cookies
Description:
Hi!

We are testing mutual authentication based on certificates between easycwmp on OpenWRT against F5 reverse proxy implementing APM.
Mutual certificate authentication seems to work fine and the F5 reverse proxy issues a session cookie, but it seems that easycwmp is not using this session cookie (which is used to identify the client) in the HTTP communication.
Moreover, I cannot find anything in /tmp/easycwmp_cookies.

At the end of the session, I find
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

But this should be the result of the TCP reset sent from the F5.
Looking at the F5 logs, the client is correctly passing its own cert.

I am using the latest version: easycwmp-1.3.4
Additional Information:
Here is the whole log (some info shadowed):
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(50):: url: https://someurl.somedomain.net
http_client_init(52):: ssl_cert: /home/anakin/client0.pem
http_client_init(54):: ssl_cacert: /etc/ssl/certs/infrastructure_ca.cert.pem
http_client_init(56):: ssl_verify: SSL certificate validation disabled.
--- HTTP CLIENT CONFIGURATION ---
2016-07-26 14:46:58 [easycwmp] NOTICE - configured acs url https://someurl.somedomain.net
2016-07-26 14:46:58 [easycwmp] NOTICE - external script init
2016-07-26 14:46:58 [easycwmp] NOTICE - external: execute inform parameter
2016-07-26 14:46:58 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">8</cwmp:ID>
  </soap_env:Header>
 
BLA
BLA
BLA

--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://someurl.somedomain.net/
* Trying [F5 IP Address]...
* Connected to someurl.somedomain.net ([F5 IP Address]) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/infrastructure_ca.cert.pem
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=corporate; OU=Some Stuff; CN=someurl.somedomain.net; subjectAltName=someurl.somedomain.net
* start date: Jul 20 10:04:08 2016 GMT
* expire date: Jul 20 10:04:08 2018 GMT
* common name: someurl.somedomain.net (matched)
* issuer: O=corporate; OU=Some Stuff; CN=Infrastructure CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST / HTTP/1.1
Host: someurl.somedomain.net
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 3051
Expect: 100-continue

* Done waiting for 100-continue
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Found
< Server: BigIP
< Connection: Close
< Content-Length: 0
< Location: /my.policy
* Added cookie LastMRH_Session="098bff1a" for domain someurl.somedomain.net, path /, expire 0
< Set-Cookie: LastMRH_Session=098bff1a; domain=someurl.somedomain.net;path=/;secure
* Added cookie MRHSession="c9e1e92e3394affa2a2dc975098bff1a" for domain someurl.somedomain.net, path /, expire 0
< Set-Cookie: MRHSession=c9e1e92e3394affa2a2dc975098bff1a; domain=someurl.somedomain.net;path=/;secure
* Added cookie MRHSHint="deleted" for domain someurl.somedomain.net, path /, expire 1
< Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
<
* Closing connection 0
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(50):: url: https://someurl.somedomain.net/my.policy
http_client_init(52):: ssl_cert: /home/anakin/client0.pem
http_client_init(54):: ssl_cacert: /etc/ssl/certs/infrastructure_ca.cert.pem
http_client_init(56):: ssl_verify: SSL certificate validation disabled.
--- HTTP CLIENT CONFIGURATION ---
2016-07-26 14:46:59 [easycwmp] NOTICE - configured acs url https://someurl.somedomain.net/my.policy
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">8</cwmp:ID>
  </soap_env:Header>
  <soap_env:Body>
   <cwmp:Inform>
     
BLA
BLA
BLA
    </ParameterList>
   </cwmp:Inform>
  </soap_env:Body>
 </soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Trying [F5 IP Address]...
* Connected to someurl.somedomain.net ([F5 IP Address]) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/infrastructure_ca.cert.pem
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=corporate; OU=Some Stuff; CN=someurl.somedomain.net; subjectAltName=someurl.somedomain.net
* start date: Jul 20 10:04:08 2016 GMT
* expire date: Jul 20 10:04:08 2018 GMT
* common name: someurl.somedomain.net (matched)
* issuer: O=corporate; OU=Some Stuff; CN=Infrastructure CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST /my.policy HTTP/1.1
Host: someurl.somedomain.net
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 3051
Expect: 100-continue

* Done waiting for 100-continue
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Found
< Server: BigIP
< Connection: Close
< Content-Length: 0
< Location: /my.logout.php3?errorcode=20
* Added cookie LastMRH_Session="" for domain someurl.somedomain.net, path /, expire 0
< Set-Cookie: LastMRH_Session=; domain=someurl.somedomain.net;path=/;secure
* Added cookie MRHSession="" for domain someurl.somedomain.net, path /, expire 0
< Set-Cookie: MRHSession=; domain=someurl.somedomain.net;path=/;secure
<
* Closing connection 0
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(50):: url: https://someurl.somedomain.net/my.logout.php3?errorcode=20
http_client_init(52):: ssl_cert: /home/anakin/client0.pem
http_client_init(54):: ssl_cacert: /etc/ssl/certs/infrastructure_ca.cert.pem
http_client_init(56):: ssl_verify: SSL certificate validation disabled.
--- HTTP CLIENT CONFIGURATION ---
2016-07-26 14:47:01 [easycwmp] NOTICE - configured acs url https://someurl.somedomain.net/my.logout.php3?errorcode=20
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">8</cwmp:ID>
  </soap_env:Header>
BLA
BLA
BLA
   </cwmp:Inform>
  </soap_env:Body>
 </soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Trying [F5 IP Address]...
* Connected to someurl.somedomain.net ([F5 IP Address]) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/infrastructure_ca.cert.pem
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=corporate; OU=Some Stuff; CN=someurl.somedomain.net; subjectAltName=someurl.somedomain.net
* start date: Jul 20 10:04:08 2016 GMT
* expire date: Jul 20 10:04:08 2018 GMT
* common name: someurl.somedomain.net (matched)
* issuer: O=corporate; OU=Some Stuff; CN=Infrastructure CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST /my.logout.php3?errorcode=20 HTTP/1.1
Host: someurl.somedomain.net
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 3051
Expect: 100-continue

* Done waiting for 100-continue
* We are completely uploaded and fine
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
Tags: No tags attached.

Activities

mohamed.kallel

2016-07-26 17:00

administrator   ~0000513

Concerning the:

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

Is it a normal behaviour since your server is sending a TCP connection reset?

If not, could you please share your libcurl version and the OpenSSL version, if your libcurl is using OpenSSL?

Tyler-PN

2016-07-27 08:39

reporter   ~0000514

Hi,
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
is thrown by the web frontend when mutual authentication does not succeed.
Anyhow, I am using libcurl 7.47.0 and openssl 1.0.2g-1ubuntu4.1.

Today I did a further test, as I feel that session cookies are not used by easycwmp after the 302 redirect to my.policy.
I've enabled a so-called "clientless mode" on the F5, which avoids the 302 redirect to my.policy and picks up mutual authentication, and this is working!

Is this easycwmp behaviour something by design?

Many thanks for the prompt reply.

Tyler-PN

2016-07-28 09:14

reporter   ~0000515

For your reference, here is an HTTP conversation that works fine (with redirects disabled):
--- SEND HTTP REQUEST ---
* Trying xxx.xxx.xxx.xxx...
* Connected to somename.somedomain.net (xxx.xxx.xxx.xxx) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/corp_ca.cert.pem
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=SomeCorp; OU=Some Connected Stuff; CN=somename.somedomain.net; subjectAltName=somename.somedomain.net
* start date: Jul 20 10:04:08 2016 GMT
* expire date: Jul 20 10:04:08 2018 GMT
* common name: somename.somedomain.net (matched)
* issuer: O=SomeCorp; OU=Some Connected Stuff; CN=Infrastructure CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> POST / HTTP/1.1
Host: somename.somedomain.net
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2849
Expect: 100-continue

* Done waiting for 100-continue
* We are completely uploaded and fine
< HTTP/1.1 100 Continue
< HTTP/1.1 401 Unauthorized
< Server: Apache-Coyote/1.1
* Added cookie JSESSIONID="97FF36953C1B2580E3376BD723C5C44B" for domain somename.somedomain.net, path /, expire 0
< Set-Cookie: JSESSIONID=97FF36953C1B2580E3376BD723C5C44B; Path=/
< WWW-Authenticate: Basic realm="xaps"
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Date: Wed, 27 Jul 2016 06:19:13 GMT
< Connection: close
* Added cookie LastMRH_Session="d8c1ea54" for domain somename.somedomain.net, path /, expire 0
< Set-Cookie: LastMRH_Session=d8c1ea54; domain=somename.somedomain.net;path=/;secure
* Added cookie MRHSession="9b84d47ae2df45f78dea111bd8c1ea54" for domain somename.somedomain.net, path /, expire 0
< Set-Cookie: MRHSession=9b84d47ae2df45f78dea111bd8c1ea54; domain=somename.somedomain.net;path=/;secure
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
< Transfer-Encoding: chunked
<
* Closing connection 0
* Issue another request to this URL: 'https://somename.somedomain.net/'
* Hostname somename.somedomain.net was found in DNS cache
* Trying xxx.xxx.xxx.xxx...
* Connected to somename.somedomain.net (xxx.xxx.xxx.xxx) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/corp_ca.cert.pem
  CApath: /etc/ssl/certs
* SSL re-using session ID
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: O=SomeCorp; OU=Some Connected Stuff; CN=somename.somedomain.net; subjectAltName=somename.somedomain.net
* start date: Jul 20 10:04:08 2016 GMT
* expire date: Jul 20 10:04:08 2018 GMT
* common name: somename.somedomain.net (matched)
* issuer: O=SomeCorp; OU=Some Connected Stuff; CN=Infrastructure CA
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user '213213-NIU_NIUX-921382913789'
> POST / HTTP/1.1
Host: somename.somedomain.net
Authorization: Basic Nzg0NTYxLU5JVV9OSVVYLTc4NDU2MTFGQkIwNzozMmJ5dGVzZ2VuZXJhdGlhY2FzbzAxMjM0NTY3ODkyMQ==
Cookie: JSESSIONID=97FF36953C1B2580E3376BD723C5C44B; LastMRH_Session=d8c1ea54; MRHSession=9b84d47ae2df45f78dea111bd8c1ea54
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2849
Expect: 100-continue

* Done waiting for 100-continue
* We are completely uploaded and fine
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< SOAPAction:
< Content-Type: text/xml;charset=ISO-8859-1
< Content-Length: 491
< Date: Wed, 27 Jul 2016 06:19:14 GMT
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
<
* Connection #1 to host somename.somedomain.net left intact
+++ RECEIVED HTTP RESPONSE +++
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
<soapenv:Header>
        <cwmp:ID soapenv:mustUnderstand="1">1</cwmp:ID>
</soapenv:Header>
<soapenv:Body>
                <cwmp:InformResponse>
                        <MaxEnvelopes>1</MaxEnvelopes>
                </cwmp:InformResponse>
</soapenv:Body>
</soapenv:Envelope>
--- RECEIVED HTTP RESPONSE ---
2016-07-27 08:19:14 [easycwmp] NOTICE - receive InformResponse from the ACS
2016-07-27 08:19:14 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host somename.somedomain.net: 0x94200e8 [can pipeline]
* Re-using existing connection! (#1) with host somename.somedomain.net
* Connected to somename.somedomain.net (xxx.xxx.xxx.xxx) port 443 (#1)
* Server auth using Basic with user '213213-NIU_NIUX-921382913789'
> POST / HTTP/1.1
Host: somename.somedomain.net
Authorization: Basic Nzg0NTYxLU5JVV9OSVVYLTc4NDU2MTFGQkIwNzozMmJ5dGVzZ2VuZXJhdGlhY2FzbzAxMjM0NTY3ODkyMQ==
Cookie: JSESSIONID=97FF36953C1B2580E3376BD723C5C44B; LastMRH_Session=d8c1ea54; MRHSession=9b84d47ae2df45f78dea111bd8c1ea54
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0

< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< SOAPAction:
< Content-Type: text/xml;charset=ISO-8859-1
< Content-Length: 2504
< Date: Wed, 27 Jul 2016 06:19:14 GMT
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
<
* Connection #1 to host somename.somedomain.net left intact
--- SEND HTTP REQUEST ---
* Found bundle for host somename.somedomain.net: 0x94200e8 [can pipeline]
* Re-using existing connection! (#1) with host somename.somedomain.net
* Connected to somename.somedomain.net (xxx.xxx.xxx.xxx) port 443 (#1)
* Server auth using Basic with user '213213-NIU_NIUX-921382913789'
> POST / HTTP/1.1
Host: somename.somedomain.net
Authorization: Basic Nzg0NTYxLU5JVV9OSVVYLTc4NDU2MTFGQkIwNzozMmJ5dGVzZ2VuZXJhdGlhY2FzbzAxMjM0NTY3ODkyMQ==
Cookie: JSESSIONID=97FF36953C1B2580E3376BD723C5C44B; LastMRH_Session=d8c1ea54; MRHSession=9b84d47ae2df45f78dea111bd8c1ea54
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 4262
Expect: 100-continue

mohamed.kallel

2016-07-29 10:18

administrator   ~0000516

Last edited: 2016-07-29 10:25

Your issue is related to the HTTP redirect.
HTTP redirect is not well supported by libcurl, so it was implemented by the easycwmp team in the cwmp stack. Maybe our implementation is not fully compliant with the HTTP standard.
I cannot treat the issue in the near future since it takes time and I'm busy these days. Please feel free to check the source code and fix it. Please share your patch with the community.

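The first 302 in the reporter's trace hands the client the F5 APM session cookies (LastMRH_Session, MRHSession) and deletes MRHSHint with a 1970 Expires; the redirected POST to /my.policy then goes out without a Cookie header, and the repeated http_client_init lines show the client being re-initialised with the new URL. The minimal cookie jar below is an added example, not easycwmp's own code (which is C on libcurl): it applies RFC 6265-style domain, path, Secure and Expires handling to the Set-Cookie values copied from the trace and returns the Cookie header a compliant redirect follower would have sent.

```python
from datetime import datetime
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie value; 'expired' marks a server-side delete."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = {"name": name, "value": value, "domain": request_host.lower(),
         "path": "/", "secure": False, "expired": False}
    for attr in parts[1:]:
        key, _, val = map(str.strip, attr.partition("="))
        if key.lower() == "domain":
            c["domain"] = val.lstrip(".").lower()
        elif key.lower() == "path":
            c["path"] = val or "/"
        elif key.lower() == "secure":
            c["secure"] = True
        elif key.lower() == "expires":  # a past date (01-Jan-1970) deletes it
            when = parsedate_to_datetime(val)
            c["expired"] = when <= datetime.now(when.tzinfo)
    return c

class CookieJar(dict):
    def store(self, set_cookie_value, request_host):
        c = parse_set_cookie(set_cookie_value, request_host)
        key = (c["domain"], c["path"], c["name"])
        self.pop(key, None)  # an expired cookie is dropped (MRHSHint above)
        if not c["expired"]:
            self[key] = c

    def header_for(self, url):
        """Cookie header value the next request to url must carry, or None."""
        u = urlsplit(url)
        host, path = (u.hostname or "").lower(), u.path or "/"
        sent = [c for c in self.values()
                if (host == c["domain"] or host.endswith("." + c["domain"]))
                and path.startswith(c["path"])
                and (u.scheme == "https" or not c["secure"])]
        return "; ".join(f'{c["name"]}={c["value"]}' for c in sent) or None

def replay_first_302():
    jar = CookieJar()
    for value in (  # Set-Cookie values copied from the issue's first 302 response
            "LastMRH_Session=098bff1a; domain=someurl.somedomain.net;path=/;secure",
            "MRHSession=c9e1e92e3394affa2a2dc975098bff1a; domain=someurl.somedomain.net;path=/;secure",
            "MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/"):
        jar.store(value, "someurl.somedomain.net")
    # header the redirected POST /my.policy should have carried
    return jar.header_for("https://someurl.somedomain.net/my.policy")
```

Both F5 cookies are flagged Secure, so the same jar returns no header for a plain http:// URL; that is the check a redirect implementation should make before copying cookies onto a Location it did not validate.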
Issue History

Date Modified Username Field Change
2016-07-26 14:55 Tyler-PN New Issue
2016-07-26 17:00 mohamed.kallel Note Added: 0000513
2016-07-27 08:39 Tyler-PN Note Added: 0000514
2016-07-28 09:14 Tyler-PN Note Added: 0000515
2016-07-29 10:18 mohamed.kallel Note Added: 0000516
2016-07-29 10:25 mohamed.kallel Note Edited: 0000516