[Chilli] Coova-chilli-1.2.4 & SSL Problem

Adam Hammond adam at freerunr.com
Wed Sep 29 13:19:47 UTC 2010


Hi Tim,

Many thanks for the reply.

It turned out to be a problem with my configuration: I was setting my  
uamaliasip in my chilli/defaults config file.

For anyone's reference who may read this in the future:

The SSL errors I noted in my initial post resulted from me posting an  
HTTPS login request to a non HTTPS channel.

I had set the uamaliasip in my chilli/defaults file to the same ip as  
that of my uamlisten ip. I had set my DNS to resolve  
(uamaliasname.domain) to that same ip address, and was posting logins  
to http://uamaliasname.domain:3990/login?... etc

I also tried posting to that same url without the port - with the same  
errors.

I got it working by NOT setting the uamaliasip in any config files -  
therefore using the default of 1.0.0.1
I changed my DNS to match this.

I added the following to my chilli/defaults configuration file:

HS_UAMUISSL=on
HS_DNS_DOMAIN=<my domain>
HS_UAMALIASNAME=<my host>
HS_SSLKEYFILE=<path to my key file>
HS_SSLCERTFILE=<path to my certificate file>

... and I added the following to my chilli/local.conf file:

sslcafile=<path to my ca root certificate file>

I set the login url in my smart client UAM method to post to:

https://uamaliasname.domain/login?..etc

... and made sure my certificate provider crl server(s) were added to  
my UAMALLOW list in my chilli/defaults config file.

So I have now got an HTTPS enabled solution for smart clients working  
using coova-chilli-1.2.4 on openWRT backfire 10.03 rc3 with  
radsecproxy 1.4 sending my RADIUS traffic using TLS.

If anyone is interested in the hardware I am using a TP-Link WR741ND  
access point.

...........
Adam
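As an added example (not code from this thread or from the CoovaChilli project), a small POSIX sh lint that flags the two mistakes described above and emits the main.conf lines Tim's addconfig2 snippet generates. It assumes plain KEY=value files, that HS_UAMLISTEN is the defaults variable holding the uamlisten address, and uses constructed sample paths together with the 172.17.172.1 address from the thread.

```shell
#!/bin/sh
# Read the last value of KEY in a file, or nothing if absent.
get_var() {                        # $1 = file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Emit the main.conf directives the init script should generate, the way
# Tim's addconfig2 hunk does for the key and certificate files.
emit_config() {                    # $1 = defaults file, $2 = local.conf
    key=$(get_var "$1" HS_SSLKEYFILE); cert=$(get_var "$1" HS_SSLCERTFILE)
    [ -n "$key" ] && [ -n "$cert" ] &&
        printf 'sslkeyfile %s\nsslcertfile %s\n' "$key" "$cert"
    name=$(get_var "$1" HS_UAMALIASNAME)
    [ -n "$name" ] && printf 'uamaliasname %s\n' "$name"
    ca=$(get_var "$2" sslcafile)
    [ -n "$ca" ] && printf 'sslcafile %s\n' "$ca"
    return 0
}

# Flag the pitfalls from the thread; one finding per line, returns 1 if any.
lint_config() {                    # $1 = defaults, $2 = local.conf, $3 = login URL
    rc=0
    alias_ip=$(get_var "$2" uamaliasip); listen=$(get_var "$1" HS_UAMLISTEN)
    if [ -n "$alias_ip" ] && [ "$alias_ip" = "$listen" ]; then
        echo "uamaliasip ($alias_ip) equals HS_UAMLISTEN: leave it unset (default 1.0.0.1)"
        rc=1
    fi
    case "$3" in                   # HTTPS posted to the plain-HTTP uamport (3990)
        https://*:3990/*) echo "https login URL targets port 3990, the plain-HTTP uamport"; rc=1 ;;
    esac
    if [ "$(get_var "$1" HS_UAMUISSL)" = on ]; then
        key=$(get_var "$1" HS_SSLKEYFILE); cert=$(get_var "$1" HS_SSLCERTFILE)
        [ -n "$key" ] && [ -n "$cert" ] ||
            { echo "HS_UAMUISSL=on but HS_SSLKEYFILE/HS_SSLCERTFILE not both set"; rc=1; }
    fi
    return $rc
}

# Constructed sample files (not Adam's real ones) reproducing the "before"
# configuration: uamaliasip set to the same address as the uamlisten IP.
write_samples() {                  # $1 = directory
    printf '%s\n' HS_UAMLISTEN=172.17.172.1 HS_UAMUISSL=on HS_DNS_DOMAIN=example.net \
        HS_UAMALIASNAME=ap HS_SSLKEYFILE=/etc/certs/ap.key \
        HS_SSLCERTFILE=/etc/certs/ap.pem > "$1/defaults"
    printf '%s\n' sslcafile=/etc/certs/ca.pem uamaliasip=172.17.172.1 > "$1/local.conf"
}
```

Run `write_samples` into a scratch directory, then `lint_config` with the login URL the smart client posts to; removing the uamaliasip line and dropping the :3990 port from the URL makes the findings disappear.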


On 28 Sep 2010, at 12:40, Tim Long wrote:

> Hi Adam,
>
> Are you sure that those certificate settings in the defaults file  
> are making it into the configuration?
>
> We're using an older version of openwrt, but we had to add
>
>                 [ -n "$HS_SSLKEYFILE" -a -n "$HS_SSLCERTFILE" ] && {
>                         addconfig2 "sslkeyfile $HS_SSLKEYFILE"
>                         addconfig2 "sslcertfile $HS_SSLCERTFILE"
>                 }
>
> to the /etc/chilli/functions file, so that the init.d script would  
> take the values from the defaults file and add it to main.conf.
>
>
>
> On Fri, Sep 24, 2010 at 5:22 PM, Adam Hammond <adam at freerunr.com>  
> wrote:
> Hello everyone,
>
> I'm trying to develop an openwrt image using openwrt backfire 10.0.3  
> rc3 with coova-chilli-1.2.4, compiled with ssl support, for use with  
> (amongst other smartclients) iPass. I am developing this image for  
> the TP-Link WR741ND Access Point. The critical thing I'm trying to  
> get working is support in chilli for clients to post login events to  
> the chilli controller using SSL.
>
> I have been using this mailing list post as a general how-to for my  
> setup: http://lists.coova.org/pipermail/chilli/2010-May/001379.html,  
> and others as guides on what to and not to do.
>
> I am writing to the mailing list as I am now a bit stuck. Suffice to  
> say that I can't get it to work, and I don't know exactly why it  
> isn't working either.
>
> Below is the typical output I see from chilli when an HTTPS login  
> post is sent to the controller (e.g. https://ap.thewifinetwork.net:3990/logon?username=adam@freerunr.com&password=623fcbda6a6fc5b8659f26d82a0c45ed)
>
> redir.c: 3150: 0 (Debug) Receiving HTTP Request
> redir.c: 1897: 0 (Debug) HTTP request timeout!
> redir.c: 2288: 0 (Debug) -->> Setting userurl=[http:///]
> redir.c: 3202: 0 (Debug) Processing HTTP Request
> redir.c: 3434: 0 (Debug) Processing received request
> redir.c: 3648: 0 (Debug) redir_accept: Original request
> redir.c: 3678: 0 (Debug) ---->>> challenge:  
> 0de41675a44417e279a0754c0b251712
> redir.c: 2933: 0 (Debug) close_exit
> chilli.c: 114: 0 (Debug) caught 18 via selfpipe
> chilli.c: 75: 0 (Debug) child 14158 terminated
>
> I have set my UAM method for smartclients to pass back a login url  
> in the WISPr tags with a hardcoded value (uamaliasname.domain) that  
> corresponds to the common name set in the SSL certificate I am using  
> with chilli. (I have also tried this with the more generic  
> "https://$uamip:$uamport/logon?.." url with exactly the same debug  
> output from chilli). The UAM  
> method works fine with http requests.
>
> The error I see in the iPass logs is:
>
> WinInet error code: 12157  Message: An error occurred in the secure  
> channel support
>
> ... which according to msdn means "The application experienced an  
> internal error loading the SSL libraries". Not much of a clue for me.
>
> I have tried posting to the login controller using a standard  
> browser and have seen the following errors.
>
> Chrome (pretty vague):
>
> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>
> Firefox:
>
> SSL received a record that exceeded the maximum permissible length.
> (Error code: ssl_error_rx_record_too_long)
>
> I should mention that I am using a Thawte test certificate for  
> testing. I have tried using a different (non self signed)  
> certificate, if only to provoke an error in chilli, or get it to  
> provide a different error message to provide me a clue, to no avail.
>
> If I run chilli --help I notice options for 'uamaliasip' and  
> 'sslcafile' but cannot find reference to them in my /etc/chilli/functions  
> file. I have tried adding them to my local.conf file to no  
> effect.
>
> I know a few posters to this mailing list have been working on  
> similar iPass integration projects and would be eternally grateful  
> if they could provide me any clues about where I might be going wrong.
>
> Many thanks in advance,
>
> Adam
>
> coova-chilli 1.2.4
> Compiled with ENABLE_BINSTATFILE ENABLE_CHILLIRADSEC  
> ENABLE_CHILLIXML ENABLE_IEEE8021Q ENABLE_JSON ENABLE_LEAKYBUCKET  
> ENABLE_MINIPORTAL ENABLE_PROXYVSA ENABLE_SESSGARDEN ENABLE_STATFILE  
> HAVE_OPENSSL USING_POLL
>
> <snippet from /etc/chilli/defaults>
> HS_UAMUISSL=on
> HS_DNS_DOMAIN=thewifinetwork.net
> HS_UAMALIASNAME=ap
> HS_SSLKEYFILE=/etc/certs/ap.thewifinetwork.net.key
> HS_SSLCERTFILE=/etc/certs/ap.thewifinetwork.net.pem
> </snippet>
>
> <snippet from /etc/chilli/local.config>
> sslcafile=/etc/certs/thawte-intermediate-ca.pem
> uamaliasip=172.17.172.1
> </snippet>
>
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>
>


