tulipanaccio closed this issue 3 years ago
Yes, that's exactly what we have to do in our corporate environment, including defining http(s)_proxy. You've improperly defined your URI prefix, see in the logs:
Url: https://demo.acvts.nist.gov:**443acvp**/v1/login
Please try with the missing '/':
ACV_URI_PREFIX: /acvp/v1/
Thanks for the response. I've fixed the script but the no response error still remains:
Using the following parameters:
ACV_SERVER: demo.acvts.nist.gov
ACV_PORT: 443
ACV_URI_PREFIX: /acvp/v1/
ACV_CA_FILE: certs/acvp.nist.gov.crt
ACV_CERT_FILE: xxxxxxxxxxx
ACV_KEY_FILE: xxxxxxxxxxx
***ACVP [STATUS][acvp_login:2539]--> Logging in...
***ACVP [INFO][acvp_http_user_agent_handler:484]--> HTTP User-Agent: libacvp/1.0;Linux;4.4.0-17763-Microsoft;x86_64;Intel(R) Core(TM) i5-4300U CPU @ 1.90GHz;GCC/9.3.0
***ACVP [INFO][log_network_status:1478]--> POST Login...
Status: 0
Url: https://demo.acvts.nist.gov:443/acvp/v1/login
Resp: Recieved
***ACVP [ERR][log_network_status:1504]--> Received no response from server.
***ACVP [STATUS][acvp_login:2551]--> Login Send Failed
***ACVP [ERR][acvp_run:3234]--> Failed to login with ACVP server
One more piece of information about my environment: our corporate proxy has its own root CA certificate. Do I need to append it to the ACV_CA_FILE?
Thanks again for the support!
You're past the url issue now and the CA information doesn't come into play until you receive a response from the ACV server. I just checked and the NIST server is up, so it looks as if you're not able to reach the server through your proxy. You may get a little more information and possibly help in your debug by using curl command line in verbose mode, such as this:
curl -i -v -X POST "https://acvts.nist.gov/acvp/validation/acvp/register" --cacert
The -d option can be omitted unless you have a copy of your registration json.
Here's the output I have. I hope I used the curl command properly.
$ curl -i -v -X POST "https://acvts.nist.gov/acvp/validation/acvp/register" --cacert $ACV_CA_FILE -H "Content-Type: application/json" -d @ --cert $ACV_CERT_FILE --key $ACV_KEY_FILE
Warning: Couldn't read data from file "", this makes an empty POST.
Note: Unnecessary use of -X or --request, POST is already inferred.
* Uses proxy env variable https_proxy == 'http://<username>:<password>@<proxy_ip>:<proxy_port>'
* Trying <proxy_ip>:<proxy_port>...
* TCP_NODELAY set
* Connected to <proxy_ip> (<proxy_ip>) port <proxy_port> (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to acvts.nist.gov:443
* Proxy auth using Basic with user '<username>'
> CONNECT acvts.nist.gov:443 HTTP/1.1
> Host: acvts.nist.gov:443
> Proxy-Authorization: Basic <redacted>
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection Established
HTTP/1.1 200 Connection Established
< Proxy-Agent: Zscaler/6.0
Proxy-Agent: Zscaler/6.0
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: certs/acvp.nist.gov.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=Maryland; L=Gaithersburg; O=National Institute of Standards and Technology; OU=STVM ACVP; CN=acvts.nist.gov
* start date: Nov 28 17:06:17 2020 GMT
* expire date: Dec 12 17:06:17 2020 GMT
* subjectAltName: host "acvts.nist.gov" matched cert's "acvts.nist.gov"
* issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscaler.net) (t)
* SSL certificate verify ok.
> POST /acvp/validation/acvp/register HTTP/1.1
> Host: acvts.nist.gov
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 0
>
* Connection #0 to host <proxy_ip> left intact
Warning: Couldn't read data from file "", this makes an empty POST. Note: Unnecessary use of -X or --request, POST is already inferred.
That means you don't have the http_proxy/https_proxy set properly, it should look something like this:
Warning: Couldn't read data from file "./new-small-reg.txt", this makes an Warning: empty POST. Note: Unnecessary use of -X or --request, POST is already inferred.
Hello,
Ah ok. One other thing that looks a little off is this:
CAfile: certs/acvp.nist.gov.crt
CApath: /etc/ssl/certs
Your CAfile is using a relative path and the CApath is pointing to the standard location in your distro. Did you actually move the CAfile there?
My output has this because I use a local relative path:
CAfile: certs/acvp.nist.gov.crt
CApath: none
Nothing else comes to mind, we haven't hit anything like this in our environment. You may search the issues on the NIST server GitHub or post there for help. I know they have worked through many connection problems there.
Ok thanks for the support. I'll close the issue and try to raise the issue to NIST server.
Hello, Is it possible to use the acvp_app in order to communicate with ACVP demo server from a corporate proxy?
I'm able to run the application without problems if I'm in a network without a proxy. Running from the corporate network, the following message appears:
I'm using WSL with Ubuntu 20.04 and I've already set up http_proxy and https_proxy environment variables.
Best regards
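
The curl trace posted in this thread reports the server certificate's issuer as the proxy's CA, so the TLS session (and any client certificate sent on it) ends at the proxy. The following check is an added example, not part of the thread or of libacvp: it reads a saved `curl -v` trace and compares the issuer against the one you expect. The function names and the "Example Public CA" issuer string are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: check a saved `curl -v` trace for a re-signed server certificate.

# Print the first "* <field>: value" entry of curl's certificate summary.
curl_field() {  # usage: curl_field <field> < trace
    sed -n "s/^\*[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Exit status: 0 issuer matches, 1 issued by another CA, 2 no certificate seen.
check_issuer() {  # usage: check_issuer <expected-issuer-substring> < trace
    ci_expected="$1"
    ci_trace="$(tr -d '\r')"
    ci_issuer="$(printf '%s\n' "$ci_trace" | curl_field issuer)"
    ci_agent="$(printf '%s\n' "$ci_trace" |
        sed -n 's/^< Proxy-Agent:[[:space:]]*//p' | head -n 1)"
    if [ -z "$ci_issuer" ]; then
        echo "no server certificate in trace: TLS handshake did not complete"
        return 2
    fi
    case "$ci_issuer" in
        *"$ci_expected"*) echo "issuer as expected: $ci_issuer"; return 0 ;;
    esac
    echo "server certificate was not issued by '$ci_expected'"
    echo "  issuer: $ci_issuer"
    if [ -n "$ci_agent" ]; then echo "  proxy:  $ci_agent"; fi
    return 1
}

sample_via_proxy() {  # lines copied from the trace posted in this thread
cat <<'EOF'
< HTTP/1.1 200 Connection Established
< Proxy-Agent: Zscaler/6.0
* Server certificate:
* subject: C=US; ST=Maryland; L=Gaithersburg; O=National Institute of Standards and Technology; OU=STVM ACVP; CN=acvts.nist.gov
* issuer: C=US; ST=California; O=Zscaler Inc.; OU=Zscaler Inc.; CN=Zscaler Intermediate Root CA (zscaler.net) (t)
EOF
}

sample_direct() {  # constructed trace; the issuer name is a placeholder
cat <<'EOF'
* Server certificate:
* subject: CN=acvts.nist.gov
* issuer: C=US; O=Example Public CA; CN=Example Issuing CA
EOF
}

# "Example Public CA" stands in for the issuer you expect to see (assumption).
sample_via_proxy | check_issuer "Example Public CA" || true
sample_direct    | check_issuer "Example Public CA" || true
```

curl writes its verbose trace to stderr, so capture a real one with `2> trace.txt` and feed that file to `check_issuer` on stdin.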