crossbario / crossbar-examples

Crossbar.io Examples
Apache License 2.0
168 stars 152 forks

TLS client certs with containers example is broken #94

Closed oberstet closed 7 years ago

oberstet commented 7 years ago

https://github.com/crossbario/crossbar-examples/tree/master/encryption/tls

It correctly loads both the server and client certs:

2017-04-17T15:44:40+0200 [Container   12143 crossbar.worker._appsession_loader] Starting class 'backend.BackendSession'
2017-04-17T15:44:40+0200 [Container   12143 crossbar.worker.worker.NativeWorkerSession] TLS client using explicit trust (2 certificates)
2017-04-17T15:44:40+0200 [Container   12143 crossbar.worker.worker.NativeWorkerSession] TLS client trust root CA certificate loaded from '/home/oberstet/scm/crossbario/crossbar-examples/encryption/tls/.crossbar/ca.cert.pem'
2017-04-17T15:44:40+0200 [Container   12143 crossbar.worker.worker.NativeWorkerSession] TLS client trust root CA certificate loaded from '/home/oberstet/scm/crossbario/crossbar-examples/encryption/tls/.crossbar/intermediate.cert.pem'
2017-04-17T15:44:40+0200 [Container   12143 crossbar.worker.worker.NativeWorkerSession] Loaded client TLS key from '/home/oberstet/scm/crossbario/crossbar-examples/encryption/tls/.crossbar/client.key'
2017-04-17T15:44:40+0200 [Container   12143 crossbar.worker.worker.NativeWorkerSession] Loaded client TLS certificate from '/home/oberstet/scm/crossbario/crossbar-examples/encryption/tls/.crossbar/client.crt' (cn='b'client_0'', sha256=b'7E:66:9A:C1:'..)

However, then it blows up (this only shows up at --loglevel=debug, which is also a (user experience) problem):

2017-04-17T15:44:40+0200 [Container   12143 autobahn.twisted.websocket.WebSocketClientProtocol] connection to tcp4:127.0.0.1:8083 established
2017-04-17T15:44:40+0200 [Container   12143 autobahn.twisted.websocket.WebSocketClientProtocol] GET /ws HTTP/1.1
User-Agent: AutobahnPython/0.18.2
Host: localhost:8083
Upgrade: WebSocket
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Sec-WebSocket-Key: JjsCCJLnEbk+qU4tp9AHug==
Sec-WebSocket-Protocol: wamp.2.cbor.batched,wamp.2.cbor,wamp.2.msgpack.batched,wamp.2.msgpack,wamp.2.ubjson.batched,wamp.2.ubjson,wamp.2.json.batched,wamp.2.json
Sec-WebSocket-Version: 13

2017-04-17T15:44:40+0200 [Container   12143 autobahn.twisted.websocket.WebSocketClientProtocol] Connection made to tcp4:127.0.0.1:8083
2017-04-17T15:44:40+0200 [Controller  12134 crossbar.router.router.Router] Validate 'call_result' for 'crossbar.worker.worker-002.start_component'
2017-04-17T15:44:40+0200 [Controller  12134 crossbar.controller.node.Node] Container 'worker-002': component 'component-001' started
2017-04-17T15:44:40+0200 [Controller  12134 crossbar.controller.node.Node] Local node configuration applied successfully!
2017-04-17T15:44:40+0200 [Container   12143 autobahn.twisted.websocket.WebSocketClientProtocol] Connection to/from tcp4:127.0.0.1:8083 lost (<class 'OpenSSL.SSL.Error'>): [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])
2017-04-17T15:44:40+0200 [Container   12143 autobahn.twisted.websocket.WebSocketClientProtocol] _connectionLost: [Failure instance: Traceback: <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]
/home/oberstet/cpy361_1/lib/python3.6/site-packages/twisted/internet/posixbase.py:597:_doReadOrWrite
/home/oberstet/cpy361_1/lib/python3.6/site-packages/twisted/internet/tcp.py:208:doRead
/home/oberstet/cpy361_1/lib/python3.6/site-packages/twisted/internet/tcp.py:214:_dataReceived
/home/oberstet/cpy361_1/lib/python3.6/site-packages/twisted/protocols/tls.py:315:dataReceived
--- <exception caught here> ---
/home/oberstet/cpy361_1/lib/python3.6/site-packages/twisted/protocols/tls.py:235:_checkHandshakeStatus
/home/oberstet/cpy361_1/lib/python3.6/site-packages/OpenSSL/SSL.py:1426:do_handshake
/home/oberstet/cpy361_1/lib/python3.6/site-packages/OpenSSL/SSL.py:1174:_raise_ssl_error
/home/oberstet/cpy361_1/lib/python3.6/site-packages/OpenSSL/_util.py:48:exception_from_error_queue
]
2017-04-17T15:44:40+0200 [Container   12143 crossbar.worker.worker.NativeWorkerSession] Lost connection to component 'component-001' with code '1006'.
2017-04-17T15:44:40+0200 [Container   12143 crossbar.worker.worker.NativeWorkerSession] connection was closed uncleanly (peer dropped the TCP connection without previous WebSocket closing handshake)

oberstet commented 7 years ago

Ah, never mind .. the fix was easy: the demo certs were expired;) I regenerated them .. works https://github.com/crossbario/crossbar-examples/tree/master/encryption/tls#how-to-test
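The failure above ('certificate verify failed' raised in ssl3_get_server_certificate) is the client rejecting the server's certificate, and the root cause turned out to be an expired demo certificate. A check that would have caught this before starting the node is to read the Validity window of every PEM file the config references (CA, intermediate, server and client certs) and compare it with the current time. The script below is an added example, not code from this issue or from the crossbar-examples repository; it uses only the Python standard library and walks just enough DER to reach the Validity field, so it reports the window without verifying signatures or building the chain (for that, `openssl verify -CAfile ca.cert.pem -untrusted intermediate.cert.pem <server cert>` remains the right tool). `make_test_certificate` is a constructed, unsigned certificate shell used only so the checker can be exercised offline; it is not a usable certificate.

```python
"""Report the validity window of X.509 certificates using only the standard library.

Parses enough DER to reach tbsCertificate.validity; no signature or chain checks.
"""
import base64
import re
from datetime import datetime, timezone

UTC = timezone.utc


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length: low 7 bits = byte count
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode an RFC 5280 Time: UTCTime (0x17, 2-digit year) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = ("19" if yy >= 50 else "20") + text   # RFC 5280 4.1.2.5.1 century pivot
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def certificate_validity(der):
    """Return (notBefore, notAfter) as aware UTC datetimes from a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                       # [0] EXPLICIT version is optional
        pos = nxt
    for _ in range(3):                    # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)  # Validity ::= SEQUENCE { notBefore, notAfter }
    tag_nb, nb, pos = _read_tlv(validity, 0)
    tag_na, na, _ = _read_tlv(validity, pos)
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)


def _as_utc(value):
    """Accept None (now), an ISO 8601 string, or a datetime; return an aware UTC datetime."""
    if value is None:
        return datetime.now(UTC)
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=UTC)


def check_validity(der, now=None):
    """Classify a certificate as 'valid', 'expired' or 'not yet valid' at `now`."""
    not_before, not_after = certificate_validity(der)
    now = _as_utc(now)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- constructed test input: an unsigned shell, NOT a real or usable certificate ---

def _tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _time(dt):
    if dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())   # UTCTime
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())       # GeneralizedTime


def make_test_certificate(not_before, not_after):
    """Build a certificate shell with empty names/keys but the real Validity layout."""
    nb, na = _as_utc(not_before), _as_utc(not_after)
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))          # [0] version = v3
    serial = _tlv(0x02, b"\x01")
    empty = _tlv(0x30, b"")                             # stands in for AlgorithmIdentifier / Name / SPKI
    validity = _tlv(0x30, _time(nb) + _time(na))
    tbs = _tlv(0x30, version + serial + empty + empty + validity + empty + empty)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))   # + signatureAlgorithm, signatureValue


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                           # e.g. .crossbar/*.pem .crossbar/*.crt
        with open(path) as f:
            der = pem_to_der(f.read())
        nb, na = certificate_validity(der)
        print(f"{path}: {check_validity(der)} (notBefore={nb:%Y-%m-%d}, notAfter={na:%Y-%m-%d})")
```

Run it over every certificate file the node config points at before starting crossbar; any file reported as 'expired' or 'not yet valid' will produce exactly the handshake failure shown in the log, and only at debug log level, so catching it here is cheaper than reading Twisted tracebacks.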