[Chilli] OpenSSL & redirssl etc

David Bird david at coova.com
Sat Apr 24 05:41:00 UTC 2010


Hi Tim,

I don't think you want "RADPROXY" at all.. you would use that for 802.1x
authentication proxy (or, more recently, if using MAC authentication
with gear like Cisco or OmniAccess). For RadSec, yes, you do indeed need
the sslcertfile, sslkeyfile, and sslcafile. Currently, the sslcertfile
and sslkeyfile are also used for the uamuissl and redirssl (though,
should probably separate as you'd eventually want different certs for
those purposes). With the subversion code, using RadSec means that
chilli_radsec will listen to localhost ports radiusauthport and
radiusacctport and will connect to RadSec server radiusserver1 port 2083
(not yet able to change the standard RadSec port). Chilli is then
configured (by itself, internally) to use the chilli_radsec ports (on
localhost) for its RADIUS.

I will have to give your setup a try regarding redirssl (is that what
you are testing below?). I recently tested it all working, though I was
configured with --enable-chilliredir. Will also verify without it. 

David


On Fri, 2010-04-23 at 16:07 +0100, Timothy wrote:
> Hi David,
> 
> I look to still be having the problem.
> 
> When running in debug & connecting via http to a static file in
> /etc/chilli/www
> 
> redir.c: 2524: 0 (Debug) Calling redir_getstate()
> redir.c: 2550: 0 (Debug) Receiving HTTP Request
> redir.c: 1497: 0 (Debug) The path: www/test.html
> redir.c: 1567: 0 (Debug) Host: <removed>:3990
> redir.c: 1584: 0 (Debug) User-Agent: Mozilla/5.0 (Windows; U; Windows NT
> 5.1; en-GB; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
> redir.c: 1550: 0 (Debug) end of http-request
> redir.c: 1693: 0 (Debug) Serving file test.html
> redir.c: 2598: 0 (Debug) Processing HTTP Request
> redir.c: 2318: 0 (Debug) close_exit
> chilli.c: 73: 0 (Debug) received 18 signal
> 
> When trying with https:// I get
> 
> redir.c: 1385: 0 (Debug) HTTP request timeout!
> redir.c: 1706: 0 (Debug) -->> Setting userurl=[http:///]
> redir.c: 2598: 0 (Debug) Processing HTTP Request
> redir.c: 2839: 0 (Debug) Processing received request
> redir.c: 3051: 0 (Debug) redir_accept: Original request
> redir.c: 3072: 0 (Debug) ---->>> resetting challenge:
> c62d84b69bd8916fc3a536a63e7b5976
> redir.c: 3083: 0 (Debug) ---->>> challenge: c62d84b69bd8916fc3a536a63e7b5976
> redir.c: 2318: 0 (Debug) close_exit
> chilli.c: 73: 0 (Debug) received 18 signal
> 
> 
> 
> 
> Compiled with ENABLE_CHILLIPROXY ENABLE_CHILLIRADSEC ENABLE_CHILLIXML
> ENABLE_IEEE8021Q ENABLE_JSON ENABLE_LEAKYBUCKET ENABLE_SESSGARDEN
> HAVE_OPENSSL
> 
> I think there may need to be some additional items for radsec config
> still (remote server(s) and port(s), I might be misreading the defaults
> and functions file though). I can see where radsec is configured to
> listen on localhost. Does HS_RADPROXY=on cause coova-chilli to speak to
> the local proxy and then HS_RADIUS= is the remote server ?
> 
>     [ -n "$HS_SSLKEYFILE" -a -n "$HS_SSLCERTFILE" ] && {
>         addconfig2 "sslkeyfile $HS_SSLKEYFILE"
>         addconfig2 "sslcertfile $HS_SSLCERTFILE"
>     }
> 
> Should that contain sslcafile?
> 
> Maybe I've just been looking at this too long and not thinking clearly
> enough
> 
> Tim
> 
> David Bird wrote:
> > Hi Tim,
> >
> > You are always encouraged to check against the current subversion; and
> > to restate your problem if it persists. I'm testing various features
> > now, including redirssl, uamuissl, and radsec, and have success. I'm
> > currently configured with:  ./configure --enable-largelimits
> > --enable-proxyvsa --enable-miniportal --enable-chilliredir
> > --enable-chilliproxy --enable-binstatusfile --with-poll
> > --enable-chilliradsec --with-openssl , btw, I took your off-line
> > suggestion and you'll find this also in the subversion version:
> >
> > $ chilli --help
> > coova-chilli 1.2.3-rc1
> >
> > ...
> >
> > Compiled with ENABLE_BINSTATFILE ENABLE_CHILLIPROXY ENABLE_CHILLIRADSEC
> > ENABLE_CHILLIREDIR ENABLE_CHILLIXML ENABLE_IEEE8021Q ENABLE_JSON
> > ENABLE_LARGELIMITS ENABLE_LEAKYBUCKET ENABLE_MINIPORTAL ENABLE_PROXYVSA
> > ENABLE_SESSGARDEN ENABLE_STATFILE HAVE_OPENSSL USING_POLL 
> >
> > David
> >
> > On Tue, 2010-04-20 at 13:23 +0100, Timothy wrote:
> >   
> >> Hi,
> >>
> >> A while ago there were some issues with REDIRSSL and OpenSSL (matrix SSL
> >> worked fine)
> >> The error was ssl_error_rx_record_too_long
> >> Has anyone been able to get this working correctly with openssl (rather
> >> than matrix) or is this issue still outstanding ?
> >>
> >> I'm trying to get UAMUISSL working but I get the
> >> ssl_error_rx_record_too_long.
> >>
> >> Tim
> >> _______________________________________________
> >> Chilli mailing list
> >> Chilli at coova.org
> >> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
> >>     
> >
> >
> >   
> 
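
The quoted functions-file snippet writes only `sslkeyfile` and `sslcertfile`, while the reply at the top says RadSec also needs `sslcafile`. The sketch below is an added example, not code from either poster or from the CoovaChilli functions file. `HS_SSLCAFILE`, the `radsec` mode argument and the helper names are assumptions, `addconfig2` here is a stand-in that just prints, and the private-key permission check is an addition beyond what the thread discusses.

```shell
#!/bin/sh
# Added example, not CoovaChilli code. HS_SSLCAFILE and the "radsec" mode
# argument are assumptions; HS_SSLKEYFILE, HS_SSLCERTFILE and the three
# chilli option names come from the thread.

# Stand-in for the functions-file helper of the same name: print one line.
addconfig2() { printf '%s\n' "$1"; }

# check_pem_file LABEL PATH: PATH must be set and be a readable regular file.
check_pem_file() {
    [ -n "$2" ] || { echo "error: $1 is not set" >&2; return 1; }
    [ -f "$2" ] && [ -r "$2" ] || {
        echo "error: $1 '$2' is not a readable file" >&2; return 1; }
}

# key_is_private PATH: succeed only if group and other have no permission bits.
key_is_private() {
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# emit_ssl_config MODE: MODE "radsec" makes the CA file mandatory.
# Config lines are printed only when every check passes, so a partial
# TLS setup never reaches the generated configuration.
emit_ssl_config() {
    rc=0
    check_pem_file HS_SSLKEYFILE "$HS_SSLKEYFILE" || rc=1
    check_pem_file HS_SSLCERTFILE "$HS_SSLCERTFILE" || rc=1
    if [ "$1" = "radsec" ] || [ -n "$HS_SSLCAFILE" ]; then
        check_pem_file HS_SSLCAFILE "$HS_SSLCAFILE" || rc=1
    fi
    if [ "$rc" -eq 0 ] && ! key_is_private "$HS_SSLKEYFILE"; then
        echo "error: $HS_SSLKEYFILE is accessible to group/other" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] || return 1
    addconfig2 "sslkeyfile $HS_SSLKEYFILE"
    addconfig2 "sslcertfile $HS_SSLCERTFILE"
    [ -z "$HS_SSLCAFILE" ] || addconfig2 "sslcafile $HS_SSLCAFILE"
}
```

Calling `emit_ssl_config radsec` with the three `HS_SSL*` variables exported prints the three option lines, or returns non-zero with the reasons on stderr.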



