[Chilli] OpenSSL & redirssl etc

Timothy nzkbuk at gmail.com
Wed Apr 28 17:35:09 UTC 2010


Hi David,
Did you receive my response?

Tim

On 24/04/2010 06:41, David Bird wrote:
> Hi Tim,
>
> I don't think you want "RADPROXY" at all.. you would use that for 802.1x
> authentication proxy (or, more recently, if using MAC authentication
> with gear like Cisco or OmniAccess). For RadSec, yes, you do indeed need
> the sslcertfile, sslkeyfile, and sslcafile. Currently, the sslcertfile
> and sslkeyfile are also used for the uamuissl and redirssl (though,
> should probably separate as you'd eventually want different certs for
> those purposes). With the subversion code, using RadSec means that
> chilli_radsec will listen to localhost ports radiusauthport and
> radiusacctport and will connect to RadSec server radiusserver1 port 2083
> (not yet able to change the standard RadSec port). Chilli is then
> configured (by itself, internally) to use the chilli_radsec ports (on
> localhost) for its RADIUS.
>
> I will have to give your setup a try regarding redirssl (is that what
> you are testing below?). I recently tested it all working, though I was
> configured with --enable-chilliredir. Will also verify without it.
>
> David
>
>
> On Fri, 2010-04-23 at 16:07 +0100, Timothy wrote:
>    
>> Hi David,
>>
>> I look to still be having the problem.
>>
>> When running in debug & connecting via http to a static file in
>> /etc/chilli/www
>>
>> redir.c: 2524: 0 (Debug) Calling redir_getstate()
>> redir.c: 2550: 0 (Debug) Receiving HTTP Request
>> redir.c: 1497: 0 (Debug) The path: www/test.html
>> redir.c: 1567: 0 (Debug) Host:<removed>:3990
>> redir.c: 1584: 0 (Debug) User-Agent: Mozilla/5.0 (Windows; U; Windows NT
>> 5.1; en-GB; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
>> redir.c: 1550: 0 (Debug) end of http-request
>> redir.c: 1693: 0 (Debug) Serving file test.html
>> redir.c: 2598: 0 (Debug) Processing HTTP Request
>> redir.c: 2318: 0 (Debug) close_exit
>> chilli.c: 73: 0 (Debug) received 18 signal
>>
>> When trying with https:// I get
>>
>> redir.c: 1385: 0 (Debug) HTTP request timeout!
>> redir.c: 1706: 0 (Debug) -->>  Setting userurl=[http:///]
>> redir.c: 2598: 0 (Debug) Processing HTTP Request
>> redir.c: 2839: 0 (Debug) Processing received request
>> redir.c: 3051: 0 (Debug) redir_accept: Original request
>> redir.c: 3072: 0 (Debug) ---->>>  resetting challenge:
>> c62d84b69bd8916fc3a536a63e7b5976
>> redir.c: 3083: 0 (Debug) ---->>>  challenge: c62d84b69bd8916fc3a536a63e7b5976
>> redir.c: 2318: 0 (Debug) close_exit
>> chilli.c: 73: 0 (Debug) received 18 signal
>>
>>
>>
>>
>> Compiled with ENABLE_CHILLIPROXY ENABLE_CHILLIRADSEC ENABLE_CHILLIXML
>> ENABLE_IEEE8021Q ENABLE_JSON ENABLE_LEAKYBUCKET ENABLE_SESSGARDEN
>> HAVE_OPENSSL
>>
>> I think there may need to be some additional items for radsec config
>> still (remote server(s) and port(s), I might be misreading the defaults
>> and functions file though). I can see where radsec is configured to
>> listen on localhost. Does HS_RADPROXY=on cause coova-chilli to speak to
>> the local proxy and then HS_RADIUS= is the remote server ?
>>
>>      [ -n "$HS_SSLKEYFILE" -a -n "$HS_SSLCERTFILE" ] && {
>>          addconfig2 "sslkeyfile $HS_SSLKEYFILE"
>>          addconfig2 "sslcertfile $HS_SSLCERTFILE"
>>      }
>>
>> Should that contain sslcafile?
>>
>> Maybe I've just been looking at this too long and not thinking clearly
>> enough
>>
>> Tim
>>
>> David Bird wrote:
>>      
>>> Hi Tim,
>>>
>>> You are always encouraged to check against the current subversion; and
>>> to restate your problem if it persists. I'm testing various features
>>> now, including redirssl, uamuissl, and radsec, and have success. I'm
>>> currently configured with:  ./configure --enable-largelimits
>>> --enable-proxyvsa --enable-miniportal --enable-chilliredir
>>> --enable-chilliproxy --enable-binstatusfile --with-poll
>>> --enable-chilliradsec --with-openssl , btw, I took your off-line
>>> suggestion and you'll find this also in the subversion version:
>>>
>>> $ chilli --help
>>> coova-chilli 1.2.3-rc1
>>>
>>> ...
>>>
>>> Compiled with ENABLE_BINSTATFILE ENABLE_CHILLIPROXY ENABLE_CHILLIRADSEC
>>> ENABLE_CHILLIREDIR ENABLE_CHILLIXML ENABLE_IEEE8021Q ENABLE_JSON
>>> ENABLE_LARGELIMITS ENABLE_LEAKYBUCKET ENABLE_MINIPORTAL ENABLE_PROXYVSA
>>> ENABLE_SESSGARDEN ENABLE_STATFILE HAVE_OPENSSL USING_POLL
>>>
>>> David
>>>
>>> On Tue, 2010-04-20 at 13:23 +0100, Timothy wrote:
>>>
>>>        
>>>> Hi,
>>>>
>>>> A while ago there were some issues with REDIRSSL and OpenSSL (matrix SSL
>>>> worked fine)
>>>> The error was ssl_error_rx_record_too_long
>>>> Has anyone been able to get this working correctly with openssl (rather
>>>> than matrix) or is this issue still outstanding?
>>>>
>>>> I'm trying to get UAMUISSL working but I get the
>>>> ssl_error_rx_record_too_long.
>>>>
>>>> Tim
>>>
>>>
>>>        
>>      
>
>    
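
A TLS client raises the ssl_error_rx_record_too_long condition named in this thread when the first five bytes it receives, read as a TLS record header, claim a length above the protocol maximum; the ASCII bytes "HTTP/" decode that way. The following is an added diagnostic example, not code from the thread or from CoovaChilli, and its sample byte strings (including the 192.0.2.1 address) are constructed:

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1) plus heartbeat (RFC 6520).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
# Largest ciphertext fragment a TLS 1.2 record may carry: 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048


def parse_record_header(data: bytes):
    """Decode the 5-byte TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def classify_first_bytes(data: bytes) -> str:
    """Say what a TLS client would make of the first bytes a port sends back."""
    ctype, version, length = parse_record_header(data)
    if length > MAX_RECORD_LEN:
        # Length is tested before the type here so that plaintext input is
        # reported as the "record too long" condition the browser names.
        kind = "plaintext HTTP" if data.startswith(b"HTTP/") else "non-TLS data"
        return f"record too long ({length} bytes claimed): {kind} on a TLS port"
    if ctype not in CONTENT_TYPES or version[0] != 3:
        return "not a TLS record"
    return f"TLS {CONTENT_TYPES[ctype]} record, {length} bytes"


# Constructed samples, not captured from any real chilli instance.
SAMPLES = {
    # A redirect sent in the clear: "HTTP/" reads as type 0x48, length 0x502f.
    "plain_redirect": b"HTTP/1.0 302 Moved Temporarily\r\n"
                      b"Location: http://192.0.2.1:3990/\r\n\r\n",
    # A well-formed handshake record header followed by 74 filler bytes.
    "tls_handshake": bytes.fromhex("160301004a") + b"\x02" * 0x4A,
    # A fatal handshake_failure alert record.
    "tls_alert": bytes.fromhex("15030100020228"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_first_bytes(blob)}")
```
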
