JuliaLang / MbedTLS.jl

Wrapper around mbedtls

Mutual authentication SSL server stuck in infinite loop #155

Closed GearsAD closed 6 years ago

GearsAD commented 6 years ago

I'm trying to set up a web server that uses mutual authentication, however the server seems to get stuck in an infinite loop whenever a request is made. Is this an issue in HTTP.jl, MbedTLS, or could it be in the MbedTLS configuration?

This is a copy of the issue filed under HTTP.jl - #274

```julia
# Simple HTTPS Server
using MbedTLS, HTTP

# Rolling my own SSL config
cert = MbedTLS.crt_parse_file("server_cert.pem")
key = MbedTLS.parse_keyfile("server_key.pem")
sslConfig = MbedTLS.SSLConfig(true)
entropy = MbedTLS.Entropy()
rng = MbedTLS.CtrDrbg()
MbedTLS.config_defaults!(sslConfig, endpoint=MbedTLS.MBEDTLS_SSL_IS_SERVER)
# Asking for mutual authentication: the handshake must fail unless the client
# presents a certificate that verifies against the configured CA chain
MbedTLS.authmode!(sslConfig, MbedTLS.MBEDTLS_SSL_VERIFY_REQUIRED)
MbedTLS.seed!(rng, entropy)
MbedTLS.rng!(sslConfig, rng)
MbedTLS.own_cert!(sslConfig, cert, key)
MbedTLS.dbg!(sslConfig, (level, filename, number, msg)->begin
    warn("MbedTLS emitted debug info: $msg in $filename:$number")
end)
# Verbose debugging
MbedTLS.set_dbg_level(MbedTLS.DebugThreshold(4))
# No chain argument is passed, so the CA set MbedTLS.jl installs by default
# is the trust root used to verify client certificates
MbedTLS.ca_chain!(sslConfig)

# New HTTP.jl code

HTTP.listen(ssl=true, sslconfig = sslConfig, verbose=true) do request::HTTP.Request
    # If we get here, it's working
    try
        return HTTP.Response("Hello")
    catch e
        return HTTP.Response(404, "Error: $e")
    end
end
```

The server gets caught in MbedTLS:

```
WARNING: MbedTLS emitted debug info: <= handshake
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:6669
WARNING: MbedTLS emitted debug info: => handshake
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:6659
WARNING: MbedTLS emitted debug info: server state: 7
 in /workspace/srcdir/mbedtls/library/ssl_srv.c:3976
WARNING: MbedTLS emitted debug info: => flush output
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:2454
WARNING: MbedTLS emitted debug info: <= flush output
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:2466
WARNING: MbedTLS emitted debug info: => parse certificate
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:4374
WARNING: MbedTLS emitted debug info: => read record
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:3775
WARNING: MbedTLS emitted debug info: => fetch input
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:2246
WARNING: MbedTLS emitted debug info: in_left: 0, nb_want: 5
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:2404
WARNING: MbedTLS emitted debug info: in_left: 0, nb_want: 5
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:2428
WARNING: MbedTLS emitted debug info: <= handshake
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:6669
WARNING: MbedTLS emitted debug info: => handshake
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:6659
```

I tried to do it using HttpServer.jl, and it has a similar issue:

```julia
# Generate a certificate and key if they do not exist

# Simple HTTPS Server
using MbedTLS, HttpServer

http = HttpHandler() do req, res
    @show req
    Response("Hello Secure World!")
end

# Rolling my own SSL config
cert = MbedTLS.crt_parse_file("server_cert.pem")
key = MbedTLS.parse_keyfile("server_key.pem")

sslConfig = MbedTLS.SSLConfig(true)
entropy = MbedTLS.Entropy()
rng = MbedTLS.CtrDrbg()
MbedTLS.config_defaults!(sslConfig, endpoint=MbedTLS.MBEDTLS_SSL_IS_SERVER)
# MbedTLS.authmode!(sslConfig, MbedTLS.MBEDTLS_SSL_VERIFY_REQUIRED)
MbedTLS.seed!(rng, entropy)
MbedTLS.rng!(sslConfig, rng)
MbedTLS.own_cert!(sslConfig, cert, key)
MbedTLS.dbg!(sslConfig, (level, filename, number, msg)->begin
    warn("MbedTLS emitted debug info: $msg in $filename:$number")
end)
# Verbose debugging
MbedTLS.set_dbg_level(MbedTLS.DebugThreshold(4))
# MbedTLS.authmode!(sslConfig, MbedTLS.MBEDTLS_SSL_VERIFY_NONE)
# No chain argument is passed, so the CA set MbedTLS.jl installs by default
# is the trust root used to verify client certificates
MbedTLS.ca_chain!(sslConfig)

server = Server(http)
run(server, port=8002, ssl=sslConfig)
```

I'm not sure if it's in the way I am configuring MbedTLS, or whether it is a bug. It seems to happen whether or not a client certificate is provided (I'm using Chrome with a self-signed certificate to test).

FYI, this is the example I am trying to reproduce in Julia - Authentication using https client certificates

Versions: Julia 0.6.2, HTTP.jl 0.6.9, MbedTLS.jl 0.5.8
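As an added example (not code from MbedTLS.jl, HTTP.jl or the issue author), the Python script below parses the two-line `warn()` output quoted in the report and flags the pattern it shows: `mbedtls_ssl_handshake` re-entered again and again in the same server state while `fetch input` finds no bytes (`in_left: 0, nb_want: 5`, the 5 being the TLS record header the next read needs). The state table is the mbedtls 2.x `mbedtls_ssl_states` enum, in which state 7 is `CLIENT_CERTIFICATE`: the server has sent its `CertificateRequest` and is waiting for the client's `Certificate` message. The sample trace is one handshake cycle copied from the report (unrelated lines dropped) and repeated four times, and the "healthy" trace is constructed; reading the loop as `WANT_READ` being retried without waiting for the socket is this example's interpretation, not a statement made in the thread.

```python
import re

PREFIX = "WARNING: MbedTLS emitted debug info:"
# Handshake states of mbedtls 2.x (enum mbedtls_ssl_states in include/mbedtls/ssl.h).
SSL_STATES = dict(enumerate(
    "HELLO_REQUEST CLIENT_HELLO SERVER_HELLO SERVER_CERTIFICATE SERVER_KEY_EXCHANGE "
    "CERTIFICATE_REQUEST SERVER_HELLO_DONE CLIENT_CERTIFICATE CLIENT_KEY_EXCHANGE "
    "CERTIFICATE_VERIFY CLIENT_CHANGE_CIPHER_SPEC CLIENT_FINISHED "
    "SERVER_CHANGE_CIPHER_SPEC SERVER_FINISHED FLUSH_BUFFERS HANDSHAKE_WRAPUP "
    "HANDSHAKE_OVER".split()))
STATE_RE = re.compile(r"^(?:server|client) state: (\d+)$")
FETCH_RE = re.compile(r"^in_left: (\d+), nb_want: (\d+)$")

# One handshake() call taken from the trace in the issue (unrelated lines
# dropped); repeating it is the constructed stand-in for a longer capture.
PAGE_CYCLE = """\
WARNING: MbedTLS emitted debug info: => handshake
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:6659
WARNING: MbedTLS emitted debug info: server state: 7
 in /workspace/srcdir/mbedtls/library/ssl_srv.c:3976
WARNING: MbedTLS emitted debug info: => fetch input
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:2246
WARNING: MbedTLS emitted debug info: in_left: 0, nb_want: 5
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:2404
WARNING: MbedTLS emitted debug info: in_left: 0, nb_want: 5
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:2428
WARNING: MbedTLS emitted debug info: <= handshake
 in /workspace/srcdir/mbedtls/library/ssl_tls.c:6669
"""
SAMPLE_TRACE = PAGE_CYCLE * 4

# Constructed trace of a handshake that makes progress: the record header
# arrives (in_left reaches nb_want) and the state advances. No location lines.
HEALTHY_TRACE = "".join(
    f"{PREFIX} => handshake\n{PREFIX} server state: {s}\n{PREFIX} => fetch input\n"
    f"{PREFIX} in_left: 0, nb_want: 5\n{PREFIX} in_left: 5, nb_want: 5\n"
    f"{PREFIX} <= handshake\n" for s in (7, 8, 9))


def parse_events(trace):
    """(message, location) pairs. The mbedtls message ends in a newline, so warn()
    prints it on one line and ' in <file>:<line>' on the next (optional here)."""
    lines = trace.splitlines()
    events, i = [], 0
    while i < len(lines):
        text = lines[i].strip()
        if text.startswith(PREFIX):
            msg, loc = text[len(PREFIX):].strip(), ""
            if i + 1 < len(lines) and lines[i + 1].strip().startswith("in "):
                loc = lines[i + 1].strip()[3:]
                i += 1
            events.append((msg, loc))
        i += 1
    return events


def handshake_attempts(events):
    """One record per '=> handshake' ... '<= handshake' span: the state it ran in
    and whether its last fetch was still short of bytes (in_left < nb_want)."""
    attempts, cur = [], None
    for msg, _loc in events:
        if msg == "=> handshake":
            cur = {"state": None, "in_left": None, "nb_want": None}
        elif cur is None:
            continue  # capture began mid-call; skip the partial span
        elif STATE_RE.match(msg):
            cur["state"] = int(STATE_RE.match(msg).group(1))
        elif FETCH_RE.match(msg):
            cur["in_left"], cur["nb_want"] = map(int, FETCH_RE.match(msg).groups())
        elif msg == "<= handshake":
            cur["starved"] = cur["in_left"] is not None and cur["in_left"] < cur["nb_want"]
            attempts.append(cur)
            cur = None
    return attempts


def find_handshake_spin(trace, min_repeats=3):
    """Longest run of consecutive handshake() calls stuck in one state with no
    input, or None. Such a run is handshake() returning WANT_READ while the
    caller retries at once instead of waiting for the socket to be readable."""
    best, run_state, run_len = None, None, 0
    for a in handshake_attempts(parse_events(trace)):
        if not a["starved"] or a["state"] is None:
            run_state, run_len = None, 0
        elif a["state"] == run_state:
            run_len += 1
        else:
            run_state, run_len = a["state"], 1
        if run_len >= min_repeats and (best is None or run_len > best["spins"]):
            name = SSL_STATES.get(run_state, f"UNKNOWN({run_state})")
            best = {"state": run_state, "state_name": name, "spins": run_len,
                    "diagnosis": f"handshake() re-entered {run_len}x in {name} with "
                                 "no bytes buffered: WANT_READ busy loop"}
    return best


if __name__ == "__main__":
    print(find_handshake_spin(SAMPLE_TRACE), find_handshake_spin(HEALTHY_TRACE))
```

Run against the repeated page cycle it reports four spins in `CLIENT_CERTIFICATE`; against the constructed progressing trace it returns `None`. The same detector works on a client-side trace (`client state: N`), and the `min_repeats` threshold is there because a single `WANT_READ` return is normal on a non-blocking socket; it is the unbroken repetition in one state that marks a caller that never yields to the event loop.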

quinnj commented 6 years ago

This should be fixed by #166

GearsAD commented 6 years ago

Thanks, I'll try it tonight