View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000155 | easycwmp | Question | public | 2016-07-26 14:55 | 2016-07-29 10:25 |
Reporter | Tyler-PN | Assigned To | |||
Priority | high | Severity | major | Reproducibility | always |
Status | new | Resolution | open | ||
Summary | 0000155: easycwmp and session cookies | ||||
Description | Hi! We are testing mutual authentication based on certificates between easycwmp on OpenWRT and an F5 reverse proxy implementing APM. Mutual certificate authentication seems to work fine, the F5 reverse proxy issues a session cookie, but it seems that easycwmp is not using this session cookie in the HTTP communication (that is used to identify the client). Moreover, I cannot find anything in /tmp/easycwmp_cookies. At the end of the session, I find * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104 But this should be the result of the TCP reset sent from the F5. Looking at the F5 logs, the client is correctly passing its own cert. I am using the latest version: easycwmp-1.3.4 | ||||
Additional Information | Here the whole log (some info shadowed) +++ HTTP CLIENT CONFIGURATION +++ http_client_init(50):: url: https://someurl.somedomain.net http_client_init(52):: ssl_cert: /home/anakin/client0.pem http_client_init(54):: ssl_cacert: /etc/ssl/certs/infrastructure_ca.cert.pem http_client_init(56):: ssl_verify: SSL certificate validation disabled. --- HTTP CLIENT CONFIGURATION --- 2016-07-26 14:46:58 [easycwmp] NOTICE - configured acs url https://someurl.somedomain.net 2016-07-26 14:46:58 [easycwmp] NOTICE - external script init 2016-07-26 14:46:58 [easycwmp] NOTICE - external: execute inform parameter 2016-07-26 14:46:58 [easycwmp] NOTICE - send Inform +++ SEND HTTP REQUEST +++ <?xml version="1.0" encoding="UTF-8" standalone="no"?> <soap_env:Envelope xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"> <soap_env:Header> <cwmp:ID soap_env:mustUnderstand="1">8</cwmp:ID> </soap_env:Header> BLA BLA BLA --- SEND HTTP REQUEST --- * Rebuilt URL to: https://someurl.somedomain.net/ * Trying [F5 IP Address]... 
* Connected to someurl.somedomain.net ([F5 IP Address]) port 443 (#0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/infrastructure_ca.cert.pem CApath: /etc/ssl/certs * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: O=corporate; OU=Some Stuff; CN=someurl.somedomain.net; subjectAltName=someurl.somedomain.net * start date: Jul 20 10:04:08 2016 GMT * expire date: Jul 20 10:04:08 2018 GMT * common name: someurl.somedomain.net (matched) * issuer: O=corporate; OU=Some Stuff; CN=Infrastructure CA * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > POST / HTTP/1.1 Host: someurl.somedomain.net User-Agent: easycwmp Content-Type: text/xml; charset="utf-8" SOAPAction: Content-Length: 3051 Expect: 100-continue * Done waiting for 100-continue * We are completely uploaded and fine * HTTP 1.0, assume close after body < HTTP/1.0 302 Found < Server: BigIP < Connection: Close < Content-Length: 0 < Location: /my.policy * Added cookie LastMRH_Session="098bff1a" for domain someurl.somedomain.net, path /, expire 0 < Set-Cookie: LastMRH_Session=098bff1a; domain=someurl.somedomain.net;path=/;secure * Added cookie MRHSession="c9e1e92e3394affa2a2dc975098bff1a" for domain someurl.somedomain.net, path /, expire 0 < Set-Cookie: MRHSession=c9e1e92e3394affa2a2dc975098bff1a; domain=someurl.somedomain.net;path=/;secure * Added cookie MRHSHint="deleted" for domain someurl.somedomain.net, path /, expire 1 < Set-Cookie: MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/ < * Closing connection 0 +++ HTTP CLIENT CONFIGURATION +++ http_client_init(50):: url: https://someurl.somedomain.net/my.policy http_client_init(52):: ssl_cert: /home/anakin/client0.pem http_client_init(54):: ssl_cacert: 
/etc/ssl/certs/infrastructure_ca.cert.pem http_client_init(56):: ssl_verify: SSL certificate validation disabled. --- HTTP CLIENT CONFIGURATION --- 2016-07-26 14:46:59 [easycwmp] NOTICE - configured acs url https://someurl.somedomain.net/my.policy +++ SEND HTTP REQUEST +++ <?xml version="1.0" encoding="UTF-8" standalone="no"?> <soap_env:Envelope xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"> <soap_env:Header> <cwmp:ID soap_env:mustUnderstand="1">8</cwmp:ID> </soap_env:Header> <soap_env:Body> <cwmp:Inform> BLA BLA BLA </ParameterList> </cwmp:Inform> </soap_env:Body> </soap_env:Envelope> --- SEND HTTP REQUEST --- * Trying [F5 IP Address]... * Connected to someurl.somedomain.net ([F5 IP Address]) port 443 (#0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/infrastructure_ca.cert.pem CApath: /etc/ssl/certs * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: O=corporate; OU=Some Stuff; CN=someurl.somedomain.net; subjectAltName=someurl.somedomain.net * start date: Jul 20 10:04:08 2016 GMT * expire date: Jul 20 10:04:08 2018 GMT * common name: someurl.somedomain.net (matched) * issuer: O=corporate; OU=Some Stuff; CN=Infrastructure CA * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. 
> POST /my.policy HTTP/1.1 Host: someurl.somedomain.net User-Agent: easycwmp Content-Type: text/xml; charset="utf-8" SOAPAction: Content-Length: 3051 Expect: 100-continue * Done waiting for 100-continue * We are completely uploaded and fine * HTTP 1.0, assume close after body < HTTP/1.0 302 Found < Server: BigIP < Connection: Close < Content-Length: 0 < Location: /my.logout.php3?errorcode=20 * Added cookie LastMRH_Session="" for domain someurl.somedomain.net, path /, expire 0 < Set-Cookie: LastMRH_Session=; domain=someurl.somedomain.net;path=/;secure * Added cookie MRHSession="" for domain someurl.somedomain.net, path /, expire 0 < Set-Cookie: MRHSession=; domain=someurl.somedomain.net;path=/;secure < * Closing connection 0 +++ HTTP CLIENT CONFIGURATION +++ http_client_init(50):: url: https://someurl.somedomain.net/my.logout.php3?errorcode=20 http_client_init(52):: ssl_cert: /home/anakin/client0.pem http_client_init(54):: ssl_cacert: /etc/ssl/certs/infrastructure_ca.cert.pem http_client_init(56):: ssl_verify: SSL certificate validation disabled. --- HTTP CLIENT CONFIGURATION --- 2016-07-26 14:47:01 [easycwmp] NOTICE - configured acs url https://someurl.somedomain.net/my.logout.php3?errorcode=20 +++ SEND HTTP REQUEST +++ <?xml version="1.0" encoding="UTF-8" standalone="no"?> <soap_env:Envelope xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"> <soap_env:Header> <cwmp:ID soap_env:mustUnderstand="1">8</cwmp:ID> </soap_env:Header> BLA BLA BLA </cwmp:Inform> </soap_env:Body> </soap_env:Envelope> --- SEND HTTP REQUEST --- * Trying [F5 IP Address]... 
* Connected to someurl.somedomain.net ([F5 IP Address]) port 443 (#0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/infrastructure_ca.cert.pem CApath: /etc/ssl/certs * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: O=corporate; OU=Some Stuff; CN=someurl.somedomain.net; subjectAltName=someurl.somedomain.net * start date: Jul 20 10:04:08 2016 GMT * expire date: Jul 20 10:04:08 2018 GMT * common name: someurl.somedomain.net (matched) * issuer: O=corporate; OU=Some Stuff; CN=Infrastructure CA * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > POST /my.logout.php3?errorcode=20 HTTP/1.1 Host: someurl.somedomain.net User-Agent: easycwmp Content-Type: text/xml; charset="utf-8" SOAPAction: Content-Length: 3051 Expect: 100-continue * Done waiting for 100-continue * We are completely uploaded and fine * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104 | ||||
Tags | No tags attached. | ||||
|
Concerning the * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104: is it normal behaviour, since your server is sending a TCP connection reset? If not, could you please share your libcurl version, and the OpenSSL version if your libcurl is using OpenSSL? |
|
Hi, * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104 is thrown by the web frontend when mutual authentication does not succeed. Anyhow, I am using libcurl 7.47.0 and openssl 1.0.2g-1ubuntu4.1. Today I did a further test, as I feel that session cookies are not used by easycwmp after the 302 redirect to my.policy. I've enabled a so-called "clientless mode" on the F5, which avoids the 302 redirect to my.policy and picks up mutual authentication, and this is working! Is this easycwmp behaviour something by design? Many thanks for the prompt reply |
|
For your reference, here a HTTP conversation that works fine (disabling redirects): --- SEND HTTP REQUEST --- * Trying xxx.xxx.xxx.xxx... * Connected to somename.somedomain.net (xxx.xxx.xxx.xxx) port 443 (#0) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/corp_ca.cert.pem CApath: /etc/ssl/certs * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: O=SomeCorp; OU=Some Connected Stuff; CN=somename.somedomain.net; subjectAltName=somename.somedomain.net * start date: Jul 20 10:04:08 2016 GMT * expire date: Jul 20 10:04:08 2018 GMT * common name: somename.somedomain.net (matched) * issuer: O=SomeCorp; OU=Some Connected Stuff; CN=Infrastructure CA * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > POST / HTTP/1.1 Host: somename.somedomain.net User-Agent: easycwmp Content-Type: text/xml; charset="utf-8" SOAPAction: Content-Length: 2849 Expect: 100-continue * Done waiting for 100-continue * We are completely uploaded and fine < HTTP/1.1 100 Continue < HTTP/1.1 401 Unauthorized < Server: Apache-Coyote/1.1 * Added cookie JSESSIONID="97FF36953C1B2580E3376BD723C5C44B" for domain somename.somedomain.net, path /, expire 0 < Set-Cookie: JSESSIONID=97FF36953C1B2580E3376BD723C5C44B; Path=/ < WWW-Authenticate: Basic realm="xaps" < Content-Type: text/html;charset=utf-8 < Content-Language: en < Date: Wed, 27 Jul 2016 06:19:13 GMT < Connection: close * Added cookie LastMRH_Session="d8c1ea54" for domain somename.somedomain.net, path /, expire 0 < Set-Cookie: LastMRH_Session=d8c1ea54; domain=somename.somedomain.net;path=/;secure * Added cookie MRHSession="9b84d47ae2df45f78dea111bd8c1ea54" for domain somename.somedomain.net, path /, expire 0 < Set-Cookie: MRHSession=9b84d47ae2df45f78dea111bd8c1ea54; 
domain=somename.somedomain.net;path=/;secure < Expires: Thu, 01 Dec 1994 16:00:00 GMT < Transfer-Encoding: chunked < * Closing connection 0 * Issue another request to this URL: 'https://somename.somedomain.net/' * Hostname somename.somedomain.net was found in DNS cache * Trying xxx.xxx.xxx.xxx... * Connected to somename.somedomain.net (xxx.xxx.xxx.xxx) port 443 (#1) * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/corp_ca.cert.pem CApath: /etc/ssl/certs * SSL re-using session ID * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA384 * ALPN, server did not agree to a protocol * Server certificate: * subject: O=SomeCorp; OU=Some Connected Stuff; CN=somename.somedomain.net; subjectAltName=somename.somedomain.net * start date: Jul 20 10:04:08 2016 GMT * expire date: Jul 20 10:04:08 2018 GMT * common name: somename.somedomain.net (matched) * issuer: O=SomeCorp; OU=Some Connected Stuff; CN=Infrastructure CA * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. 
* Server auth using Basic with user '213213-NIU_NIUX-921382913789' > POST / HTTP/1.1 Host: somename.somedomain.net Authorization: Basic Nzg0NTYxLU5JVV9OSVVYLTc4NDU2MTFGQkIwNzozMmJ5dGVzZ2VuZXJhdGlhY2FzbzAxMjM0NTY3ODkyMQ== Cookie: JSESSIONID=97FF36953C1B2580E3376BD723C5C44B; LastMRH_Session=d8c1ea54; MRHSession=9b84d47ae2df45f78dea111bd8c1ea54 User-Agent: easycwmp Content-Type: text/xml; charset="utf-8" Content-Length: 2849 Expect: 100-continue * Done waiting for 100-continue * We are completely uploaded and fine < HTTP/1.1 100 Continue < HTTP/1.1 200 OK < Server: Apache-Coyote/1.1 < SOAPAction: < Content-Type: text/xml;charset=ISO-8859-1 < Content-Length: 491 < Date: Wed, 27 Jul 2016 06:19:14 GMT < Expires: Thu, 01 Dec 1994 16:00:00 GMT < * Connection #1 to host somename.somedomain.net left intact +++ RECEIVED HTTP RESPONSE +++ <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-0"> <soapenv:Header> <cwmp:ID soapenv:mustUnderstand="1">1</cwmp:ID> </soapenv:Header> <soapenv:Body> <cwmp:InformResponse> <MaxEnvelopes>1</MaxEnvelopes> </cwmp:InformResponse> </soapenv:Body> </soapenv:Envelope> --- RECEIVED HTTP RESPONSE --- 2016-07-27 08:19:14 [easycwmp] NOTICE - receive InformResponse from the ACS 2016-07-27 08:19:14 [easycwmp] NOTICE - send empty message to the ACS +++ SEND EMPTY HTTP REQUEST +++ * Found bundle for host somename.somedomain.net: 0x94200e8 [can pipeline] * Re-using existing connection! 
(#1) with host somename.somedomain.net * Connected to somename.somedomain.net (xxx.xxx.xxx.xxx) port 443 (#1) * Server auth using Basic with user '213213-NIU_NIUX-921382913789' > POST / HTTP/1.1 Host: somename.somedomain.net Authorization: Basic Nzg0NTYxLU5JVV9OSVVYLTc4NDU2MTFGQkIwNzozMmJ5dGVzZ2VuZXJhdGlhY2FzbzAxMjM0NTY3ODkyMQ== Cookie: JSESSIONID=97FF36953C1B2580E3376BD723C5C44B; LastMRH_Session=d8c1ea54; MRHSession=9b84d47ae2df45f78dea111bd8c1ea54 User-Agent: easycwmp Content-Type: text/xml; charset="utf-8" Content-Length: 0 < HTTP/1.1 200 OK < Server: Apache-Coyote/1.1 < SOAPAction: < Content-Type: text/xml;charset=ISO-8859-1 < Content-Length: 2504 < Date: Wed, 27 Jul 2016 06:19:14 GMT < Expires: Thu, 01 Dec 1994 16:00:00 GMT < * Connection #1 to host somename.somedomain.net left intact --- SEND HTTP REQUEST --- * Found bundle for host somename.somedomain.net: 0x94200e8 [can pipeline] * Re-using existing connection! (#1) with host somename.somedomain.net * Connected to somename.somedomain.net (xxx.xxx.xxx.xxx) port 443 (#1) * Server auth using Basic with user '213213-NIU_NIUX-921382913789' > POST / HTTP/1.1 Host: somename.somedomain.net Authorization: Basic Nzg0NTYxLU5JVV9OSVVYLTc4NDU2MTFGQkIwNzozMmJ5dGVzZ2VuZXJhdGlhY2FzbzAxMjM0NTY3ODkyMQ== Cookie: JSESSIONID=97FF36953C1B2580E3376BD723C5C44B; LastMRH_Session=d8c1ea54; MRHSession=9b84d47ae2df45f78dea111bd8c1ea54 User-Agent: easycwmp Content-Type: text/xml; charset="utf-8" SOAPAction: Content-Length: 4262 Expect: 100-continue |
|
Your issue is related to the HTTP redirect. HTTP redirect is not well supported by libcurl, so it was implemented by the easycwmp team in the cwmp stack. Maybe our implementation is not fully compliant with the HTTP standard. I cannot treat the issue in the near future since it takes time and I'm busy these days. Please feel free to check the source code and fix it. Please share your patch with the community. |
Date Modified | Username | Field | Change |
---|---|---|---|
2016-07-26 14:55 | Tyler-PN | New Issue | |
2016-07-26 17:00 | mohamed.kallel | Note Added: 0000513 | |
2016-07-27 08:39 | Tyler-PN | Note Added: 0000514 | |
2016-07-28 09:14 | Tyler-PN | Note Added: 0000515 | |
2016-07-29 10:18 | mohamed.kallel | Note Added: 0000516 | |
2016-07-29 10:25 | mohamed.kallel | Note Edited: 0000516 |
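
The thread's symptom, as an added example that is not easycwmp or libcurl code: the first 302 sets `MRHSession`, yet the logged POST to `/my.policy` carries no `Cookie` header, while the working conversation does. The toy jar below replays the Set-Cookie lines from that 302 and compares a client whose state is rebuilt for each hop with one that keeps the jar. The names `jar_set` and `cookie_for_my_policy` are hypothetical, and the per-hop reset is an assumption suggested by the repeated HTTP CLIENT CONFIGURATION blocks in the log.

```c
#include <stdio.h>
#include <string.h>
/* Toy cookie jar, constructed for this example (not easycwmp or libcurl code). */
struct cookie { char name[32], value[64]; };
struct jar { struct cookie c[8]; int n; };
/* Apply one Set-Cookie value; empty value or a 1970 expiry deletes (simplified rules). */
static void jar_set(struct jar *j, const char *hdr)
{
    char name[32] = "", value[64] = "";
    int i;
    if (sscanf(hdr, " %31[^=;]=%63[^;]", name, value) < 1) return;
    for (i = 0; i < j->n && strcmp(j->c[i].name, name) != 0; i++) continue;
    if (value[0] == '\0' || strstr(hdr, "-1970 ")) {
        if (i < j->n) j->c[i] = j->c[--j->n];
        return;
    }
    if (i == 8) return;                      /* jar full */
    if (i == j->n) j->n++;
    strcpy(j->c[i].name, name);
    strcpy(j->c[i].value, value);
}

/* Set-Cookie lines copied from the first 302 response in the log. */
static const char *hop1[] = {
    "LastMRH_Session=098bff1a; domain=someurl.somedomain.net;path=/;secure",
    "MRHSession=c9e1e92e3394affa2a2dc975098bff1a; domain=someurl.somedomain.net;path=/;secure",
    "MRHSHint=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/",
};

/* Cookie header for the POST to /my.policy; keep_jar=0 rebuilds state per hop. */
const char *cookie_for_my_policy(int keep_jar)
{
    static char hdr[256];
    struct jar j = {0};
    size_t k, used = 0;
    for (k = 0; k < sizeof hop1 / sizeof *hop1; k++) jar_set(&j, hop1[k]);
    if (!keep_jar) j.n = 0;                  /* assumed: jar lost on re-init */
    hdr[0] = '\0';
    for (k = 0; k < (size_t)j.n && used < sizeof hdr; k++)
        used += snprintf(hdr + used, sizeof hdr - used, "%s%s=%s",
                         k ? "; " : "", j.c[k].name, j.c[k].value);
    return hdr;
}

int main(void)
{
    printf("state rebuilt per hop: Cookie: %s\n", cookie_for_my_policy(0));
    printf("jar kept across hops:  Cookie: %s\n", cookie_for_my_policy(1));
    return 0;
}
```

The empty header in the first case matches the logged request that the F5 answered with `/my.logout.php3?errorcode=20`; a redirect follower has to carry the jar from the 302 into the next request for the APM session to be recognised.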