[Chilli] Coova-chilli-1.2.4 & SSL Problem

Adam Hammond adam at freerunr.com
Fri Sep 24 15:22:15 UTC 2010


Hello everyone,

I'm trying to develop an openwrt image using openwrt backfire 10.0.3  
rc3 with coova-chilli-1.2.4, compiled with ssl support, for use with  
(amongst other smartclients) iPass. I am developing this image for the  
TP-Link WR741ND Access Point. The critical thing I'm trying to get  
working is support in chilli for clients to post login events to the  
chilli controller using SSL.

I have been using this mailing list post as a general how-to for my  
setup: http://lists.coova.org/pipermail/chilli/2010-May/001379.html,  
and others as guides on what to and not to do.

I am writing to the mailing list as I am now a bit stuck. Suffice to  
say that I can't get it to work, and I don't know exactly why it isn't  
working either.

Below is the typical output I see from chilli when an HTTPS login post  
is sent to the controller (e.g. https://ap.thewifinetwork.net:3990/logon?username=adam@freerunr.com&password=623fcbda6a6fc5b8659f26d82a0c45ed)

redir.c: 3150: 0 (Debug) Receiving HTTP Request
redir.c: 1897: 0 (Debug) HTTP request timeout!
redir.c: 2288: 0 (Debug) -->> Setting userurl=[http:///]
redir.c: 3202: 0 (Debug) Processing HTTP Request
redir.c: 3434: 0 (Debug) Processing received request
redir.c: 3648: 0 (Debug) redir_accept: Original request
redir.c: 3678: 0 (Debug) ---->>> challenge: 0de41675a44417e279a0754c0b251712
redir.c: 2933: 0 (Debug) close_exit
chilli.c: 114: 0 (Debug) caught 18 via selfpipe
chilli.c: 75: 0 (Debug) child 14158 terminated

I have set my UAM method for smartclients to pass back a login url in  
the WISPr tags with a hardcoded value (uamaliasname.domain) that  
corresponds to the common name set in the SSL certificate I am using  
with chilli. (I have also tried this with the more generic
"https://$uamip:$uamport/logon?.." url with exactly the same debug
output from chilli). The UAM method works fine with http requests.

The error I see in the iPass logs is:

WinInet error code: 12157  Message: An error occurred in the secure  
channel support

... which according to MSDN means "The application experienced an  
internal error loading the SSL libraries". Not much of a clue for me.

I have tried posting to the login controller using a standard browser  
and have seen the following errors.

Chrome (pretty vague):

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Firefox:

SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

I should mention that I am using a Thawte test certificate for  
testing. I have tried using a different (non self signed) certificate,  
if only to provoke an error in chilli, or get it to provide a  
different error message to provide me a clue, to no avail.

If I run chilli --help I notice options for 'uamaliasip' and
'sslcafile' but cannot find reference to them in my
/etc/chilli/functions file. I have tried adding them to my local.conf
file to no effect.

I know a few posters to this mailing list have been working on similar  
iPass integration projects and would be eternally grateful if they  
could provide me any clues about where I might be going wrong.

Many thanks in advance,

Adam

coova-chilli 1.2.4
Compiled with ENABLE_BINSTATFILE ENABLE_CHILLIRADSEC ENABLE_CHILLIXML  
ENABLE_IEEE8021Q ENABLE_JSON ENABLE_LEAKYBUCKET ENABLE_MINIPORTAL  
ENABLE_PROXYVSA ENABLE_SESSGARDEN ENABLE_STATFILE HAVE_OPENSSL  
USING_POLL

<snippet from /etc/chilli/defaults>
HS_UAMUISSL=on
HS_DNS_DOMAIN=thewifinetwork.net
HS_UAMALIASNAME=ap
HS_SSLKEYFILE=/etc/certs/ap.thewifinetwork.net.key
HS_SSLCERTFILE=/etc/certs/ap.thewifinetwork.net.pem
</snippet>

<snippet from /etc/chilli/local.config>
sslcafile=/etc/certs/thawte-intermediate-ca.pem
uamaliasip=172.17.172.1
</snippet>
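
Firefox's ssl_error_rx_record_too_long quoted above is what a TLS client reports when the first bytes it reads do not form a valid TLS record, and a common cause is a listener answering an HTTPS connection in plaintext HTTP. The sketch below is an added example, not part of the original post or of CoovaChilli; the function names are hypothetical and the sample byte strings are constructed.

```python
import struct

# RFC 5246 section 6.2.3: a TLS ciphertext record may carry at most 2^14 + 2048 bytes.
MAX_TLS_CIPHERTEXT = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_PREFIXES = (b"HTTP/", b"GET ", b"POST ", b"HEAD ")

# Constructed samples (not captured from the poster's access point).
PLAINTEXT_REPLY = b"HTTP/1.0 302 Moved Temporarily\r\n"
TLS_SERVER_HELLO = b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46"


def parse_record_header(first_bytes):
    """Read 5 bytes the way a TLS client does: content type, version, length."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return ctype, (major, minor), length


def classify_first_bytes(first_bytes):
    """Return (verdict, detail) for the first bytes a listener sent back."""
    ctype, version, length = parse_record_header(first_bytes)
    if first_bytes.startswith(HTTP_PREFIXES):
        # "HTTP/" read as a header: type 0x48, version 0x54.0x54, length 0x502f.
        return ("plaintext-http",
                "ASCII parsed as a record gives length %d, limit is %d"
                % (length, MAX_TLS_CIPHERTEXT))
    if (ctype in TLS_CONTENT_TYPES and version[0] == 3
            and length <= MAX_TLS_CIPHERTEXT):
        return ("tls", "%s record, version %d.%d, %d bytes"
                % (TLS_CONTENT_TYPES[ctype], version[0], version[1], length))
    return ("unknown", "neither a TLS record header nor an HTTP start line")


if __name__ == "__main__":
    for sample in (PLAINTEXT_REPLY, TLS_SERVER_HELLO):
        print(sample[:5], classify_first_bytes(sample))
```

Feeding it the first bytes a packet capture shows coming back from the uamport listener tells you whether the port is speaking TLS at all, before any certificate or CA-chain question arises.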