CESNET / libnetconf

C NETCONF library

possible issue with disable TLS and SSH #149

Closed ntadas closed 8 years ago

ntadas commented 8 years ago

I've noticed a problem with libnetconf if I disable TLS and SSH (is this an issue? Should I have at least one enabled?).

If I have both disabled, the hello handshake doesn't work. To make it work I had to make a small change in the libnetconf code: https://github.com/CESNET/libnetconf/blob/master/src/transport.c line 451, because both reply and recv_hello are not OK.

michalvasko commented 8 years ago

Hi, what exactly was the problem? Can you provide the full patch if you managed to fix it? How did you test it (netopeer won't work with libnetconf compiled this way)?

Regards, Michal

ntadas commented 8 years ago

The critical code is:

NC_MSG_TYPE reply = NC_MSG_UNKNOWN;   /* starts in the "failed" state */

if (nc_session_send_rpc(session, hello) == 0) {
    return (EXIT_FAILURE);
}

#ifdef DISABLE_LIBSSH
if (side == HANDSHAKE_SIDE_CLIENT) {
    recv_hello = read_hello_openssh(session);   /* only recv_hello is set; reply is left untouched */
} else {
    reply = nc_session_recv_reply(session, hello_timeout, &recv_hello);
}
#else
reply = nc_session_recv_reply(session, hello_timeout, &recv_hello);   /* sets both */
#endif
if (reply != NC_MSG_HELLO || recv_hello == NULL) {
    if (reply == NC_MSG_WOULDBLOCK) {
        ERROR("Hello timeout expired.");
    }
    return (EXIT_FAILURE);
}

You start with reply == NC_MSG_UNKNOWN, and in the case of DISABLE_LIBSSH on the client side you only update recv_hello, so it will always fail the last if condition. The quick fix I did to work around this was to set reply to something different than NC_MSG_HELLO. Basically the problem is that both reply and recv_hello start with the fail status, but only one is updated on the client side, and both should be.
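The mismatch described above, as an added example that is not code from the issue or from libnetconf: a small C program models the two code paths with constructed stand-ins for the library's types and helpers (the enum values, the nc_msg struct, sim_read_hello_openssh() and sim_recv_reply() are assumptions made for this illustration). handshake_buggy() reproduces the guard as posted, so a valid hello on the DISABLE_LIBSSH client path is rejected; handshake_fixed() shows one way to make reply and recv_hello agree while a missing hello still fails closed. The fixed variant is an illustration, not the commit that closed the issue.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the libnetconf types involved in the hello
 * handshake. They are an assumption made for this example, not the
 * library's own definitions. */
typedef enum { NC_MSG_UNKNOWN, NC_MSG_HELLO, NC_MSG_WOULDBLOCK } NC_MSG_TYPE;
typedef enum { HANDSHAKE_SIDE_CLIENT, HANDSHAKE_SIDE_SERVER } HANDSHAKE_SIDE;
typedef struct { char *content; } nc_msg;

static nc_msg *copy_hello(const char *peer_hello) {
    if (peer_hello == NULL) return NULL;          /* nothing arrived */
    nc_msg *m = malloc(sizeof *m);
    if (m == NULL) return NULL;
    size_t n = strlen(peer_hello) + 1;
    m->content = malloc(n);
    if (m->content == NULL) { free(m); return NULL; }
    memcpy(m->content, peer_hello, n);
    return m;
}

/* Stand-in for read_hello_openssh(): the OpenSSH client path only yields the
 * message (or NULL); it never reports a message type. */
static nc_msg *sim_read_hello_openssh(const char *peer_hello) {
    return copy_hello(peer_hello);
}

/* Stand-in for nc_session_recv_reply(): the libssh/TLS path reports the type
 * in its return value and the message through the out-parameter. */
static NC_MSG_TYPE sim_recv_reply(const char *peer_hello, nc_msg **out) {
    *out = copy_hello(peer_hello);
    return *out != NULL ? NC_MSG_HELLO : NC_MSG_WOULDBLOCK;
}

void free_hello(nc_msg *m) { if (m != NULL) { free(m->content); free(m); } }

/* The guard as posted in the issue, built with DISABLE_LIBSSH: on the client
 * side only recv_hello is updated, reply stays NC_MSG_UNKNOWN, and a valid
 * hello is rejected. */
int handshake_buggy(HANDSHAKE_SIDE side, const char *peer_hello, nc_msg **recv_hello) {
    NC_MSG_TYPE reply = NC_MSG_UNKNOWN;
    *recv_hello = NULL;
    if (side == HANDSHAKE_SIDE_CLIENT) {
        *recv_hello = sim_read_hello_openssh(peer_hello);   /* reply untouched */
    } else {
        reply = sim_recv_reply(peer_hello, recv_hello);
    }
    if (reply != NC_MSG_HELLO || *recv_hello == NULL) {
        if (reply == NC_MSG_WOULDBLOCK) fputs("Hello timeout expired.\n", stderr);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}

/* One way to correct it: derive reply from what the OpenSSH path returned so
 * the two values agree, while a missing hello still fails closed. This is an
 * illustration, not the commit that closed the issue. */
int handshake_fixed(HANDSHAKE_SIDE side, const char *peer_hello, nc_msg **recv_hello) {
    NC_MSG_TYPE reply = NC_MSG_UNKNOWN;
    *recv_hello = NULL;
    if (side == HANDSHAKE_SIDE_CLIENT) {
        *recv_hello = sim_read_hello_openssh(peer_hello);
        reply = (*recv_hello != NULL) ? NC_MSG_HELLO : NC_MSG_WOULDBLOCK;
    } else {
        reply = sim_recv_reply(peer_hello, recv_hello);
    }
    if (reply != NC_MSG_HELLO || *recv_hello == NULL) {
        if (reply == NC_MSG_WOULDBLOCK) fputs("Hello timeout expired.\n", stderr);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}

int main(void) {
    /* Constructed sample hello, as a NETCONF 1.0 peer would send it. */
    const char *hello = "<hello xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\">"
                        "<capabilities><capability>urn:ietf:params:netconf:base:1.0"
                        "</capability></capabilities></hello>";
    nc_msg *h = NULL;
    printf("buggy client: %s\n",
           handshake_buggy(HANDSHAKE_SIDE_CLIENT, hello, &h) == EXIT_SUCCESS ? "ok" : "failed");
    free_hello(h);
    printf("fixed client: %s\n",
           handshake_fixed(HANDSHAKE_SIDE_CLIENT, hello, &h) == EXIT_SUCCESS ? "ok" : "failed");
    free_hello(h);
    printf("fixed client, no hello: %s\n",
           handshake_fixed(HANDSHAKE_SIDE_CLIENT, NULL, &h) == EXIT_SUCCESS ? "ok" : "failed");
    return 0;
}
```

The point worth keeping from the fix is that the guard still rejects a session when no hello arrives; a workaround that simply forces reply to NC_MSG_HELLO regardless of what was read would turn a timeout into a half-initialised session.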

ntadas commented 8 years ago

I'm not using netopeer, I'm using libnetconf to have my own server. libnetconf compiles fine; it simply doesn't work if we have both SSH and TLS disabled (see why above). Is this expected? Do we have to choose at least one?

michalvasko commented 8 years ago

Hi, hopefully I fixed it and it will work for you now. libnetconf does indeed allow disabling libssh, and then it uses the OpenSSH client application for SSH communication. However, libnetconf2 does not have this option and you should avoid it.

Regards, Michal

ntadas commented 8 years ago

Hi thanks

Why did you decide not to use OpenSSH in libnetconf2? Did you see an issue with it?

Regards Nuno

michalvasko commented 8 years ago

Hi Nuno, sorry, what I wrote is not entirely correct. libnetconf2 does not support OpenSSH software directly (like the old libnetconf), but enables session creation (both server and client-side) that uses standard file descriptors. This way you can use any external applications for establishing secure transport connection and then pass it to libnetconf2 if you do not want to use libssh and/or libssl libraries.

Regards, Michal
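The arrangement Michal describes, as an added example that is not code from the thread or from libnetconf2: an external program establishes the secure transport, and the NETCONF layer is handed plain file descriptors. The C program below shows where those descriptors come from (a child process with pipes on its stdin and stdout) and what the first exchange over them looks like, a NETCONF 1.0 hello with the ]]>]]> end-of-message framing. It does not call libnetconf2's fd-based session functions; spawn_transport(), send_framed(), recv_framed() and hello_over_program() are this example's own helpers. With a real transport argv would name something like ssh with its netconf subsystem; here cat is used as a constructed stand-in that echoes the hello back, so the program runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* NETCONF 1.0 end-of-message marker, the framing used by the base:1.0 hello. */
#define NC_EOM "]]>]]>"

/* Start an external transport program with pipes on its stdin/stdout and hand
 * back the two descriptors. With a real transport argv would be something like
 * {"ssh", "-s", "user@host", "netconf", NULL}; the program is a parameter so
 * the example runs offline with a stand-in. */
pid_t spawn_transport(char *const argv[], int *to_child, int *from_child) {
    int in[2], out[2];
    if (pipe(in) < 0) return -1;
    if (pipe(out) < 0) { close(in[0]); close(in[1]); return -1; }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: become the transport */
        dup2(in[0], STDIN_FILENO);
        dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(in[0]); close(out[1]);          /* parent keeps the other ends */
    *to_child = in[1];
    *from_child = out[0];
    return pid;
}

/* Write a whole message plus the EOM marker, coping with short writes. */
int send_framed(int fd, const char *msg) {
    const char *parts[2] = { msg, NC_EOM };
    for (int i = 0; i < 2; i++) {
        const char *p = parts[i];
        size_t left = strlen(p);
        while (left > 0) {
            ssize_t n = write(fd, p, left);
            if (n < 0) return -1;
            p += n; left -= (size_t)n;
        }
    }
    return 0;
}

/* Read until the EOM marker; returns the message length (marker stripped),
 * or -1 on EOF, error, or a message that does not fit in buf. */
ssize_t recv_framed(int fd, char *buf, size_t cap) {
    size_t len = 0;
    while (len < cap - 1) {
        ssize_t n = read(fd, buf + len, cap - 1 - len);
        if (n <= 0) return -1;
        len += (size_t)n;
        buf[len] = '\0';
        char *eom = strstr(buf, NC_EOM);
        if (eom != NULL) { *eom = '\0'; return eom - buf; }
    }
    return -1;                            /* no marker within cap bytes */
}

/* Client side of the hello exchange over whatever program argv names: send
 * our hello, then read the peer's into peer_hello. Returns 0 on success. */
int hello_over_program(char *const argv[], char *peer_hello, size_t cap) {
    static const char our_hello[] =       /* constructed client hello */
        "<hello xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\">"
        "<capabilities><capability>urn:ietf:params:netconf:base:1.0"
        "</capability></capabilities></hello>";
    int w, r;
    pid_t pid = spawn_transport(argv, &w, &r);
    if (pid < 0) return -1;
    int rc = 0;
    if (send_framed(w, our_hello) < 0 || recv_framed(r, peer_hello, cap) < 0) rc = -1;
    close(w); close(r);
    waitpid(pid, NULL, 0);
    return rc;
}

int main(void) {
    /* Constructed stand-in transport: cat simply echoes our hello back. */
    char *argv[] = { "cat", NULL };
    char buf[4096];
    if (hello_over_program(argv, buf, sizeof buf) == 0)
        printf("peer hello: %s\n", buf);
    return 0;
}
```

One consequence of this design is worth stating plainly: nothing at the NETCONF layer verifies who is on the other end of the descriptors. Host-key checking for SSH, or certificate validation for TLS, happens entirely inside the external program, so its configuration (for ssh, the known_hosts file and StrictHostKeyChecking) is what decides whether the session is authenticated at all.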

ntadas commented 8 years ago

Hi Michal,

Thanks, this is exactly what I need. One last question about libnetconf2: do you have any estimate of when it will be "ready"? When can/should we switch from libnetconf to libnetconf2?

Regards Nuno

michalvasko commented 8 years ago

Hi Nuno, libnetconf2 will be fully implemented quite soon, but that is not the problem. We decided that datastores will not be a part of the library and without them you cannot do any configuration. So, datastore (actually something much more complex than libnetconf datastore) implementation is being worked on, but it's hard to guess when it will be ready, several months at the very earliest. Until then there is little choice, you must use libnetconf. Theoretically, it should be possible to use libnetconf datastore with libnetconf2, but I cannot recommend it as it entails manual detachment of it from libnetconf code, which is not simple without deep insight into it. We are not currently planning to do this.

Regards, Michal

rkrejci commented 8 years ago

Hi Nuno, I believe that working Netopeer server based on libnetconf2 will be available in the middle of 2016. As a datastore we plan to use sysrepo.

ntadas commented 8 years ago

thanks