[Chilli] Coova-chilli-1.2.4 & SSL Problem

Tim Long tim at skyrove.com
Tue Sep 28 11:40:47 UTC 2010


Hi Adam,

Are you sure that those certificate settings in the defaults file are making
it into the configuration?

We're using an older version of openwrt, but we had to add

                [ -n "$HS_SSLKEYFILE" -a -n "$HS_SSLCERTFILE" ] && {
                        addconfig2 "sslkeyfile $HS_SSLKEYFILE"
                        addconfig2 "sslcertfile $HS_SSLCERTFILE"
                }

to the /etc/chilli/functions file, so that the init.d script would take the
values from the defaults file and add them to main.conf.



On Fri, Sep 24, 2010 at 5:22 PM, Adam Hammond <adam at freerunr.com> wrote:

> Hello everyone,
>
> I'm trying to develop an openwrt image using openwrt backfire 10.0.3 rc3
> with coova-chilli-1.2.4, compiled with ssl support, for use with (amongst
> other smartclients) iPass. I am developing this image for the TP-Link
> WR741ND Access Point. The critical thing I'm trying to get working is support
> in chilli for clients to post login events to the chilli controller using
> SSL.
>
> I have been using this mailing list post as a general how-to for my setup:
> http://lists.coova.org/pipermail/chilli/2010-May/001379.html, and others
> as guides on what to and not to do.
>
> I am writing to the mailing list as I am now a bit stuck. Suffice to say
> that I can't get it to work, and I don't know exactly why it isn't working
> either.
>
> Below is the typical output I see from chilli when an HTTPS login post is
> sent to the controller (e.g.
> https://ap.thewifinetwork.net:3990/logon?username=adam@freerunr.com&password=623fcbda6a6fc5b8659f26d82a0c45ed)
>
> redir.c: 3150: 0 (Debug) Receiving HTTP Request
> redir.c: 1897: 0 (Debug) HTTP request timeout!
> redir.c: 2288: 0 (Debug) -->> Setting userurl=[http:///]
> redir.c: 3202: 0 (Debug) Processing HTTP Request
> redir.c: 3434: 0 (Debug) Processing received request
> redir.c: 3648: 0 (Debug) redir_accept: Original request
> redir.c: 3678: 0 (Debug) ---->>> challenge: 0de41675a44417e279a0754c0b251712
> redir.c: 2933: 0 (Debug) close_exit
> chilli.c: 114: 0 (Debug) caught 18 via selfpipe
> chilli.c: 75: 0 (Debug) child 14158 terminated
>
> I have set my UAM method for smartclients to pass back a login url in the
> WISPr tags with a hardcoded value (uamaliasname.domain) that corresponds
> to the common name set in the SSL certificate I am using with chilli. (I
> have also tried this with the more generic "https://$uamip:$uamport/logon?.."
> url with exactly the same debug output from chilli). The UAM method works
> fine with http requests.
>
> The error I see in the iPass logs is:
>
> WinInet error code: 12157  Message: An error occurred in the secure channel
> support
>
> ... which according to msdn means "The application experienced an internal
> error loading the SSL libraries". Not much of a clue for me.
>
> I have tried posting to the login controller using a standard browser and
> have seen the following errors.
>
> Chrome (pretty vague):
>
> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>
> Firefox:
>
> SSL received a record that exceeded the maximum permissible length.
> (Error code: ssl_error_rx_record_too_long)
>
> I should mention that I am using a Thawte test certificate for testing. I
> have tried using a different (non self-signed) certificate, if only to
> provoke an error in chilli, or get it to provide a different error message
> to provide me a clue, to no avail.
>
> If I run chilli --help I notice options for 'uamaliasip' and 'sslcafile'
> but cannot find reference to them in my /etc/chilli/functions file. I have
> tried adding them to my local.conf file to no effect.
>
> I know a few posters to this mailing list have been working on similar
> iPass integration projects and would be eternally grateful if they could
> provide me any clues about where I might be going wrong.
>
> Many thanks in advance,
>
> Adam
>
> coova-chilli 1.2.4
> Compiled with ENABLE_BINSTATFILE ENABLE_CHILLIRADSEC ENABLE_CHILLIXML
> ENABLE_IEEE8021Q ENABLE_JSON ENABLE_LEAKYBUCKET ENABLE_MINIPORTAL
> ENABLE_PROXYVSA ENABLE_SESSGARDEN ENABLE_STATFILE HAVE_OPENSSL USING_POLL
>
> <snippet from /etc/chilli/defaults>
> HS_UAMUISSL=on
> HS_DNS_DOMAIN=thewifinetwork.net
> HS_UAMALIASNAME=ap
> HS_SSLKEYFILE=/etc/certs/ap.thewifinetwork.net.key
> HS_SSLCERTFILE=/etc/certs/ap.thewifinetwork.net.pem
> </snippet>
>
> <snippet from /etc/chilli/local.config>
> sslcafile=/etc/certs/thawte-intermediate-ca.pem
> uamaliasip=172.17.172.1
> </snippet>
>
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>
>
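
One way to run the check suggested in the reply above, as an added example that is not part of the original thread or of coova-chilli: compare HS_SSLKEYFILE and HS_SSLCERTFILE in the defaults file against the "sslkeyfile"/"sslcertfile" lines that the addconfig2 calls would write into the generated config. The function names are hypothetical, both file locations are passed as arguments, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not coova-chilli code): verify that the SSL settings from a
# chilli defaults file reached the generated config file.

# Print the value of NAME=value from a defaults-style file (last one wins).
# The file is parsed, not sourced, so nothing in it gets executed.
defaults_value() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | tr -d "\"'"
}

# Succeed if the config has a line "<option> <value>" (value may be quoted).
conf_has() {
    awk -v opt="$1" -v val="$2" '
        $1 == opt { v = $2; gsub(/"/, "", v); if (v == val) found = 1 }
        END { exit !found }' "$3"
}

# Report each setting as OK, UNSET or MISSING; non-zero status on any problem.
check_ssl_config() {
    defaults=$1 conf=$2 rc=0
    for pair in HS_SSLKEYFILE:sslkeyfile HS_SSLCERTFILE:sslcertfile; do
        var=${pair%%:*} opt=${pair##*:}
        val=$(defaults_value "$var" "$defaults")
        if [ -z "$val" ]; then
            echo "UNSET    $var is not set in $defaults"; rc=1
        elif conf_has "$opt" "$val" "$conf"; then
            echo "OK       $opt $val"
        else
            echo "MISSING  $opt $val not in $conf"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input: defaults values as quoted in the thread, and a
# generated config that lacks the two ssl lines.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'HS_UAMUISSL=on' \
        'HS_SSLKEYFILE=/etc/certs/ap.thewifinetwork.net.key' \
        'HS_SSLCERTFILE=/etc/certs/ap.thewifinetwork.net.pem' > "$d/defaults"
    printf '%s\n' '# constructed main.conf' 'uamport 3990' > "$d/main.conf"
    check_ssl_config "$d/defaults" "$d/main.conf" ||
        echo "=> ssl settings did not reach the generated config"
    rm -rf "$d"
}
demo
```

On a real device, call check_ssl_config with the defaults file and the generated main.conf after the init.d script has run.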