[Chilli] Coova-chilli-1.2.4 & SSL Problem
Adam Hammond
adam at freerunr.com
Wed Sep 29 13:19:47 UTC 2010
Hi Tim,
Many thanks for the reply.
It turned out to be a problem with my configuration: I was setting my
uamaliasip in my chilli/defaults config file.
For anyone's reference who may read this in the future:
The SSL errors I noted in my initial post resulted from me posting an
HTTPS login request to a non HTTPS channel.
I had set the uamaliasip in my chilli/defaults file to the same ip as
that of my uamlisten ip. I had set my DNS to resolve
(uamaliasname.domain) to that same ip address, and was posting logins
to http://uamaliasname.domain:3990/login?... etc
I also tried posting to that same url without the port - with the same
errors.
I got it working by NOT setting the uamaliasip in any config files -
therefore using the default of 1.0.0.1
I changed my DNS to match this.
I added the following to my chilli/defaults configuration file:
HS_UAMUISSL=on
HS_DNS_DOMAIN=<my domain>
HS_UAMALIASNAME=<my host>
HS_SSLKEYFILE=<path to my key file>
HS_SSLCERTFILE=<path to my certificate file>
... and I added the following to my chilli/local.conf file:
sslcafile=<path to my ca root certificate file>
I set the login url in my smart client UAM method to post to:
https://uamaliasname.domain/login?..etc
... and made sure my certificate provider crl server(s) were added to
my UAMALLOW list in my chilli/defaults config file.
So I have now got an HTTPS enabled solution for smart clients working
using coova-chilli-1.2.4 on openWRT backfire 10.03 rc3 with
radsecproxy 1.4 sending my RADIUS traffic using TLS.
If anyone is interested in the hardware I am using a TP-Link WR741ND
access point.
...........
Adam
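The Firefox error quoted further down this thread (ssl_error_rx_record_too_long) is what a TLS client reports when the port it speaks to answers in plaintext HTTP. The following probe is an added example, not code from the thread or from the CoovaChilli project: it sends a minimal TLS ClientHello to a host:port of your choosing and decodes the first five reply bytes the way a TLS client would, so you can tell a plaintext listener from a real TLS endpoint before pointing a smart client at it. The host, port and server name are assumed command-line inputs.

```python
import os
import socket
import struct

TLS_MAX_RECORD = 2**14 + 2048  # largest ciphertext record RFC 5246 allows
CONTENT_TYPES = {0x15: "alert", 0x16: "handshake", 0x17: "application_data"}


def client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    host = server_name.encode("idna")
    sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    extensions = struct.pack("!HH", 0, len(sni_body)) + sni_body  # type 0 = server_name
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, empty session id
            + b"\x00\x04\xc0\x2f\x00\x2f"            # ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def decode_record_header(reply: bytes) -> dict:
    """Read the first five reply bytes the way a TLS client does."""
    if len(reply) < 5:
        return {"kind": "closed-or-short", "raw": reply}
    ctype, major, _minor, length = struct.unpack("!BBBH", reply[:5])
    if ctype in CONTENT_TYPES and major == 3:
        return {"kind": CONTENT_TYPES[ctype], "length": length}
    # 'HTTP/' parsed as a record header: type 0x48, version 0x5454, length 0x502f
    kind = "plaintext-http" if reply.startswith(b"HTTP/") else "not-tls"
    return {"kind": kind, "length": length, "too_long": length > TLS_MAX_RECORD}


def probe(host: str, port: int, server_name: str, timeout: float = 5.0) -> dict:
    """Connect, send the ClientHello and classify the first bytes that come back."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(server_name))
        try:
            while len(reply) < 5:
                chunk = sock.recv(5 - len(reply))
                if not chunk:      # peer closed without answering: check its logs
                    break
                reply += chunk
        except socket.timeout:
            return {"kind": "no-reply", "raw": reply}
    return decode_record_header(reply)


if __name__ == "__main__":
    import sys  # usage: probe.py <host> <port> <server-name>
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A "plaintext-http" result with too_long set means the login URL is pointing HTTPS at a port that is not serving TLS; a "handshake" or "alert" result means TLS is at least being spoken there and any remaining failure is a certificate or cipher issue.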
On 28 Sep 2010, at 12:40, Tim Long wrote:
> Hi Adam,
>
> Are you sure that those certificate settings in the defaults file
> are making it into the configuration?
>
> We're using an older version of openwrt, but we had to add
>
> [ -n "$HS_SSLKEYFILE" -a -n "$HS_SSLCERTFILE" ] && {
> addconfig2 "sslkeyfile $HS_SSLKEYFILE"
> addconfig2 "sslcertfile $HS_SSLCERTFILE"
> }
>
> to the /etc/chilli/functions file, so that the init.d script would
> take the values from the defaults file and add it to main.conf.
>
>
>
> On Fri, Sep 24, 2010 at 5:22 PM, Adam Hammond <adam at freerunr.com>
> wrote:
> Hello everyone,
>
> I'm trying to develop an openwrt image using openwrt backfire 10.0.3
> rc3 with coova-chilli-1.2.4, compiled with ssl support, for use with
> (amongst other smartclients) iPass. I am developing this image for
> the TP-Link WR741ND Access Point. The critical thing I'm trying to
> get working is support in chilli for clients to post login events to
> the chilli controller using SSL.
>
> I have been using this mailing list post as a general how-to for my
> setup: http://lists.coova.org/pipermail/chilli/2010-May/001379.html,
> and others as guides on what to and not to do.
>
> I am writing to the mailing list as I am now a bit stuck. Suffice to
> say that I can't get it to work, and I don't know exactly why it
> isn't working either.
>
> Below is the typical output I see from chilli when an HTTPS login
> post is sent to the controller (e.g. https://ap.thewifinetwork.net:3990/logon?username=adam@freerunr.com&password=623fcbda6a6fc5b8659f26d82a0c45ed)
>
> redir.c: 3150: 0 (Debug) Receiving HTTP Request
> redir.c: 1897: 0 (Debug) HTTP request timeout!
> redir.c: 2288: 0 (Debug) -->> Setting userurl=[http:///]
> redir.c: 3202: 0 (Debug) Processing HTTP Request
> redir.c: 3434: 0 (Debug) Processing received request
> redir.c: 3648: 0 (Debug) redir_accept: Original request
> redir.c: 3678: 0 (Debug) ---->>> challenge:
> 0de41675a44417e279a0754c0b251712
> redir.c: 2933: 0 (Debug) close_exit
> chilli.c: 114: 0 (Debug) caught 18 via selfpipe
> chilli.c: 75: 0 (Debug) child 14158 terminated
>
> I have set my UAM method for smartclients to pass back a login url
> in the WISPr tags with a hardcoded value (uamaliasname.domain) that
> corresponds to the common name set in the SSL certificate I am using
> with chilli. (I have also tried this with the more generic "https://$uamip:$uamport/logon?
> .." url with exactly the same debug output from chilli). The UAM
> method works fine with http requests.
>
> The error I see in the iPass logs is:
>
> WinInet error code: 12157 Message: An error occurred in the secure
> channel support
>
> ... which according to msdn means "The application experienced an
> internal error loading the SSL libraries". Not much of a clue for me.
>
> I have tried posting to the login controller using a standard
> browser and have seen the following errors.
>
> Chrome (pretty vague):
>
> Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
>
> Firefox:
>
> SSL received a record that exceeded the maximum permissible length.
> (Error code: ssl_error_rx_record_too_long)
>
> I should mention that I am using a Thawte test certificate for
> testing. I have tried using a different (non self-signed)
> certificate, if only to provoke an error in chilli, or get it to
> provide a different error message to provide me a clue, to no avail.
>
> If I run chilli --help I notice options for 'uamaliasip' and
> 'sslcafile' but cannot find reference to them in my /etc/chilli/
> functions file. I have tried adding them to my local.conf file to no
> effect.
>
> I know a few posters to this mailing list have been working on
> similar iPass integration projects and would be eternally grateful
> if they could provide me any clues about where I might be going wrong.
>
> Many thanks in advance,
>
> Adam
>
> coova-chilli 1.2.4
> Compiled with ENABLE_BINSTATFILE ENABLE_CHILLIRADSEC
> ENABLE_CHILLIXML ENABLE_IEEE8021Q ENABLE_JSON ENABLE_LEAKYBUCKET
> ENABLE_MINIPORTAL ENABLE_PROXYVSA ENABLE_SESSGARDEN ENABLE_STATFILE
> HAVE_OPENSSL USING_POLL
>
> <snippet from /etc/chilli/defaults>
> HS_UAMUISSL=on
> HS_DNS_DOMAIN=thewifinetwork.net
> HS_UAMALIASNAME=ap
> HS_SSLKEYFILE=/etc/certs/ap.thewifinetwork.net.key
> HS_SSLCERTFILE=/etc/certs/ap.thewifinetwork.net.pem
> </snippet>
>
> <snippet from /etc/chilli/local.config>
> sslcafile=/etc/certs/thawte-intermediate-ca.pem
> uamaliasip=172.17.172.1
> </snippet>
>
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
>
>