[Chilli] How to put uamport behind SSL?
David Bird
david at coova.com
Sun Nov 29 19:59:42 UTC 2009
The hijacking doesn't impact other services; just like hijacking port
80 doesn't mean you can't run apache locally on port 80 as well.
On Sun, 2009-11-29 at 14:42 -0500, Outback Dingo wrote:
> hijacking a port like 443 that could be in use by say apache isn't a
> great idea
> it would negate the use of chilli and a ssl web server on the same
> system
>
> On Sun, Nov 29, 2009 at 2:36 PM, David Bird <david at coova.com> wrote:
> > Fixed in rev 250. Though, it doesn't do what you outlined. It will
> > hijack port 443 and with security error redirect to the captive portal.
> > It doesn't do SSL on the UAM port. I suppose it is a straightforward
> > feature (perhaps for uamuiport leaving uamport as is). With that said,
> > chilli uses the chap challenge/response style login to secure the
> > password. It does reveal a username over plain HTTP, but then again you
> > can always use anonymous codes or one-time-passwords. At this point, I
> > would use a relay -- chilli already has all the facilities for SSL
> > (using openssl at least).
> >
> > David
> >
> > On Sun, 2009-11-29 at 15:34 +0200, Gunther Mayer wrote:
> > > Hi guys,
> > >
> > > I've been trying to enable clients to communicate to chilli's uamport
> > > over SSL for authentication. Our uamserver has been running with SSL
> > > from day one but the uamport access is currently still over ordinary
> > > http for lack of a better alternative. With newer browsers
> > > increasingly complaining about mixed content the time has come to ssl
> > > enable chilli's uamport as well (I know - we'll have to get a
> > > commercial certificate but that's OK).
> > >
> > > But how?
> > >
> > > At first I thought there's a simple solution: use matrixtunnel (or its
> > > successor xrelayd with xyssl/polarssl) in front of chilli, i.e. as a
> > > proxy to provide a "fake" SSL port for clients which is then forwarded
> > > to chilli's normal http uamport. I've got xrelayd installed and
> > > working but if I point my browser to
> > >
> > > https://ua.m.lis.ten:8443/prelogin
> > >
> > > I just get an empty page instead of the normal login page that I get
> > > when using the plain http://ua.m.lis.ten:uamport/prelogin (8443 is the
> > > port xrelayd is forwarding to chilli's uamport). I think that's
> > > because chilli only sees the http request as originating from the
> > > local machine instead of from the client and hence doesn't know what
> > > to do. Or am I doing something wrong here?
> > >
> > > Then I saw the very recent openssl support that David put in trunk
> > > this month and thought perhaps that's the solution. However, latest
> > > svn (r249) doesn't even compile:
> > >
> > > $ svn co http://dev.coova.org/svn/coova-chilli
> > > $ ./bootstrap2 # ./bootstrap no longer works here :-(
> > > $ ./configure --with-openssl
> > > $ make
> > > cd . && /bin/bash ./config.status config.h
> > > config.status: creating config.h
> > > config.status: config.h is unchanged
> > > make all-recursive
> > > make[1]: Entering directory `/Coova/coova-chilli-1.0.15-pre-r249'
> > > Making all in bstring
> > > make[2]: Entering directory `/Coova/coova-chilli-1.0.15-pre-r249/bstring'
> > > make[2]: Nothing to be done for `all'.
> > > make[2]: Leaving directory `/Coova/coova-chilli-1.0.15-pre-r249/bstring'
> > > Making all in src
> > > make[2]: Entering directory `/Coova/coova-chilli-1.0.15-pre-r249/src'
> > > /bin/bash ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -D_GNU_SOURCE -Wall -fno-builtin -fno-strict-aliasing -O2 -fomit-frame-pointer -funroll-loops -pipe -DDEFCHILLICONF='"/usr/local/etc/chilli.conf"' -DDEFPIDFILE='"/usr/local/var/run/chilli.pid"' -DDEFSTATEDIR='"/usr/local/var/run"' -DDEFCMDSOCK='"/usr/local/var/run/chilli.sock"' -DSBINDIR='"/usr/local/sbin"' -I../bstring -g -O2 -MT chilli.lo -MD -MP -MF .deps/chilli.Tpo -c -o chilli.lo chilli.c
> > > libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -D_GNU_SOURCE -Wall -fno-builtin -fno-strict-aliasing -O2 -fomit-frame-pointer -funroll-loops -pipe -DDEFCHILLICONF=\"/usr/local/etc/chilli.conf\" -DDEFPIDFILE=\"/usr/local/var/run/chilli.pid\" -DDEFSTATEDIR=\"/usr/local/var/run\" -DDEFCMDSOCK=\"/usr/local/var/run/chilli.sock\" -DSBINDIR=\"/usr/local/sbin\" -I../bstring -g -O2 -MT chilli.lo -MD -MP -MF .deps/chilli.Tpo -c chilli.c -fPIC -DPIC -o .libs/chilli.o
> > > chilli.c: In function ‘cb_redir_getstate’:
> > > chilli.c:1682: error: ‘struct dhcp_conn_t’ has no member named ‘dnatport’
> > > chilli.c:1683: error: ‘struct dhcp_conn_t’ has no member named ‘dnatstate’
> > > chilli.c: In function ‘config_radius_session’:
> > > chilli.c:2429: warning: passing argument 3 of ‘pass_throughs_from_string’ from incompatible pointer type
> > > garden.h:53: note: expected ‘size_t *’ but argument is of type ‘uint32_t *’
> > > chilli.c: In function ‘cmdsock_accept’:
> > > chilli.c:3756: warning: passing argument 3 of ‘accept’ from incompatible pointer type
> > > /usr/include/sys/socket.h:214: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘size_t *’
> > > chilli.c: In function ‘redir_msg’:
> > > chilli.c:3997: warning: passing argument 3 of ‘accept’ from incompatible pointer type
> > > /usr/include/sys/socket.h:214: note: expected ‘socklen_t * __restrict__’ but argument is of type ‘size_t *’
> > > make[2]: *** [chilli.lo] Error 1
> > > make[2]: Leaving directory `/Coova/coova-chilli-1.0.15-pre-r249/src'
> > > make[1]: *** [all-recursive] Error 1
> > > make[1]: Leaving directory `/Coova/coova-chilli-1.0.15-pre-r249'
> > > make: *** [all] Error 2
> > >
> > > Now I'm really stuck. How do I achieve my goal?
> > >
> > > Gunther
> > >
> > > _______________________________________________
> > > Chilli mailing list
> > > Chilli at coova.org
> > > http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
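David's point above is that a challenge/response login keeps the password itself off the wire even when the uamport is plain HTTP, while the username still travels in the clear. The following is an added example, not code from this thread or from CoovaChilli: it implements the generic RFC 1994 CHAP construction (Response = MD5(Identifier || secret || Challenge)), simulates one login round trip, and returns what a passive observer of the unencrypted exchange would see. The thread does not document chilli's exact wire format, so the user names, password and challenge handling here are constructed for illustration only.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode() + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Fresh unpredictable challenge; a reused or guessable challenge defeats CHAP."""
    return secrets.token_bytes(length)


class Verifier:
    """Stands in for the authenticating side (constructed stand-in, not chilli's code).

    It knows each user's password and remembers the challenge it issued, so it
    can recompute the expected response without the password ever being sent.
    """

    def __init__(self, user_db: Dict[str, str]):
        self.user_db = user_db
        self.outstanding: Dict[str, Tuple[int, bytes]] = {}

    def issue_challenge(self, username: str, ident: int) -> bytes:
        challenge = new_challenge()
        self.outstanding[username] = (ident, challenge)
        return challenge

    def verify(self, username: str, response: bytes) -> bool:
        if username not in self.user_db or username not in self.outstanding:
            return False
        # Pop so each challenge is single-use: replaying an old response fails.
        ident, challenge = self.outstanding.pop(username)
        expected = chap_response(ident, self.user_db[username], challenge)
        return hmac.compare_digest(expected, response)


def login_exchange(verifier: Verifier, username: str, password_typed: str,
                   ident: int = 1) -> Tuple[bool, Dict[str, str]]:
    """Simulate the client/verifier round trip over plain HTTP.

    Returns (accepted, observed) where `observed` is everything an eavesdropper
    on the unencrypted link could read: username, challenge and response hex.
    """
    challenge = verifier.issue_challenge(username, ident)
    response = chap_response(ident, password_typed, challenge)
    observed = {
        "username": username,          # revealed in the clear, as the thread notes
        "challenge": challenge.hex(),  # public by design
        "response": response.hex(),    # 16-byte MD5, password not recoverable directly
    }
    return verifier.verify(username, response), observed


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    v = Verifier({"alice": "correct horse battery"})
    ok, wire = login_exchange(v, "alice", "correct horse battery")
    print("accepted:", ok)
    print("seen on the wire:", wire)
```

The observer learns the username and a fresh challenge/response pair, which is exactly the exposure David describes; because the response is a deterministic hash of a static password, the mitigation he suggests for that residual exposure is one-time passwords or anonymous codes, so that the value observed cannot be reused or tied to a durable secret.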