[Chilli] Coova-chilli-1.2.4 & SSL Problem
Adam Hammond
adam at freerunr.com
Fri Sep 24 15:22:15 UTC 2010
Hello everyone,
I'm trying to develop an openwrt image using openwrt backfire 10.0.3
rc3 with coova-chilli-1.2.4, compiled with ssl support, for use with
(amongst other smartclients) iPass. I am developing this image for the
TP-Link WR741ND Access Point. The critical thing I'm trying to get
working is support in chilli for clients to post login events to the
chilli controller using SSL.
I have been using this mailing list post as a general how-to for my
setup: http://lists.coova.org/pipermail/chilli/2010-May/001379.html,
and others as guides on what to and not to do.
I am writing to the mailing list as I am now a bit stuck. Suffice to
say that I can't get it to work, and I don't know exactly why it isn't
working either.
Below is the typical output I see from chilli when an HTTPS login post
is sent to the controller (e.g. https://ap.thewifinetwork.net:3990/logon?username=adam@freerunr.com&password=623fcbda6a6fc5b8659f26d82a0c45ed)
redir.c: 3150: 0 (Debug) Receiving HTTP Request
redir.c: 1897: 0 (Debug) HTTP request timeout!
redir.c: 2288: 0 (Debug) -->> Setting userurl=[http:///]
redir.c: 3202: 0 (Debug) Processing HTTP Request
redir.c: 3434: 0 (Debug) Processing received request
redir.c: 3648: 0 (Debug) redir_accept: Original request
redir.c: 3678: 0 (Debug) ---->>> challenge:
0de41675a44417e279a0754c0b251712
redir.c: 2933: 0 (Debug) close_exit
chilli.c: 114: 0 (Debug) caught 18 via selfpipe
chilli.c: 75: 0 (Debug) child 14158 terminated
I have set my UAM method for smartclients to pass back a login url in
the WISPr tags with a hardcoded value (uamaliasname.domain) that
corresponds to the common name set in the SSL certificate I am using
with chilli. (I have also tried this with the more generic "https://$uamip:$uamport/logon?
.." url with exactly the same debug output from chilli). The UAM
method works fine with http requests.
The error I see in the iPass logs is:
WinInet error code: 12157 Message: An error occurred in the secure
channel support
... which according to msdn means "The application experienced an
internal error loading the SSL libraries". Not much of a clue for me.
I have tried posting to the login controller using a standard browser
and have seen the following errors.
Chrome (pretty vague):
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
Firefox:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
I should mention that I am using a Thawte test certificate for
testing. I have tried using a different (non self signed) certificate,
if only to provoke an error in chilli, or get it to provide a
different error message to provide me a clue, to no avail.
If I run chilli --help I notice options for 'uamaliasip' and
'sslcafile' but cannot find reference to them in my /etc/chilli/
functions file. I have tried adding them to my local.conf file to no
effect.
I know a few posters to this mailing list have been working on similar
iPass integration projects and would be eternally grateful if they
could provide me any clues about where I might be going wrong.
Many thanks in advance,
Adam
coova-chilli 1.2.4
Compiled with ENABLE_BINSTATFILE ENABLE_CHILLIRADSEC ENABLE_CHILLIXML
ENABLE_IEEE8021Q ENABLE_JSON ENABLE_LEAKYBUCKET ENABLE_MINIPORTAL
ENABLE_PROXYVSA ENABLE_SESSGARDEN ENABLE_STATFILE HAVE_OPENSSL
USING_POLL
<snippet from /etc/chilli/defaults>
HS_UAMUISSL=on
HS_DNS_DOMAIN=thewifinetwork.net
HS_UAMALIASNAME=ap
HS_SSLKEYFILE=/etc/certs/ap.thewifinetwork.net.key
HS_SSLCERTFILE=/etc/certs/ap.thewifinetwork.net.pem
</snippet>
<snippet from /etc/chilli/local.config>
sslcafile=/etc/certs/thawte-intermediate-ca.pem
uamaliasip=172.17.172.1
</snippet>
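
The Firefox message quoted in the post (ssl_error_rx_record_too_long) is what a TLS client reports when the first bytes from the server do not parse as a valid TLS record, which is what happens if a plaintext HTTP reply arrives on a port the client expects TLS on. The following is an added example, not part of the original post and not CoovaChilli code; it reads the first five bytes the way a TLS client would and shows why "HTTP/" decodes to an over-long record. The sample byte strings are constructed, and the host and port passed to probe() are the caller's own; the post does not establish that this is what chilli was doing.

```python
import socket
import struct

# TLS record header: content type (1), version major/minor (1+1), length (2).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest TLSCiphertext fragment, RFC 5246 6.2.3


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first 5 bytes as a TLS record header and classify them."""
    if len(data) < 5:
        return {"verdict": "short", "length_as_tls": None, "too_long": False}
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if data.startswith(b"HTTP/"):
        verdict = "plaintext-http"   # server answered in clear text
    elif ctype in TLS_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        verdict = "tls"              # plausible TLS record header
    else:
        verdict = "unknown"
    return {"verdict": verdict, "length_as_tls": length,
            "too_long": length > MAX_RECORD_LEN}


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send a plaintext HTTP request and classify whatever comes back.

    A TLS listener normally answers with an alert record or just closes;
    a plaintext listener answers with 'HTTP/...'.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return classify_first_bytes(s.recv(16))


if __name__ == "__main__":
    # Constructed samples, not captured from the poster's access point.
    samples = {
        "plaintext reply": b"HTTP/1.0 302 Moved Temporarily\r\n",
        "TLS handshake record": bytes([22, 3, 1, 0, 0x4A]) + b"\x02",
        "TLS alert record": b"\x15\x03\x01\x00\x02\x02\x28",
    }
    for name, raw in samples.items():
        print(f"{name:22} {classify_first_bytes(raw)}")
```

Running probe() against the controller's own address and uamport from a LAN client shows which of the two cases the listener falls into.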