Connection Reset By Peer

[srtimsina]

Hi All, I was trying to execute the taxii-discovery schema after installing the OpenTAXII, Gunicorn and Cabby. The taxii-discovery command worked well when the authentication was basic authentication. But I need to setup client key based authentication and I followed the steps here to setup https certs based auth with Gunicorn. I started the OpenTAXII with the following schema.

gunicorn opentaxii.http:app --bind localhost:9000 --config python:opentaxii.http --keyfile server.key --certfile server.crt --ca-certs ca-crt.pem --cert-reqs 2

It looks working fine.

(venv) ubuntu@ubuntu:~$ gunicorn opentaxii.http:app --bind localhost:9000 --config python:opentaxii.http --keyfile server.key --certfile server.crt --ca-certs ca-crt.pem --cert-reqs 2

{"api": "opentaxii.persistence.sqldb.SQLDatabaseAPI", "level": "info", "event": "api.initialized", "timestamp": "2019-09-15T14:45:21.339138Z", "logger": "opentaxii.utils"}
{"api": "opentaxii.auth.sqldb.SQLDatabaseAPI", "level": "info", "event": "api.initialized", "timestamp": "2019-09-15T14:45:21.378607Z", "logger": "opentaxii.utils"}
{"level": "info", "event": "opentaxii.server_configured", "timestamp": "2019-09-15T14:45:21.379221Z", "logger": "opentaxii.server"}
{"level": "info", "logger": "gunicorn.error", "timestamp": "2019-09-15T14:45:21.406857Z", "event": "Starting gunicorn 19.9.0"}
{"level": "info", "logger": "gunicorn.error", "timestamp": "2019-09-15T14:45:21.408663Z", "event": "Listening at: https://127.0.0.1:9000 (5464)"}
{"level": "info", "logger": "gunicorn.error", "timestamp": "2019-09-15T14:45:21.408987Z", "event": "Using worker: sync"}
{"level": "info", "logger": "gunicorn.error", "timestamp": "2019-09-15T14:45:21.414845Z", "event": "Booting worker with pid: 5468"}

But when i run the discovery schema, it get's into an error.

(venv) ubuntu@ubuntu:~$ taxii-discovery --path http://localhost:9000/services/discovery-a --cert client.crt --key client.key
2019-09-15 20:14:35,725 INFO: Sending Discovery_Request to http://localhost:9000/services/discovery-a
2019-09-15 20:14:35,732 ERROR: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

Any help and suggestions would be appreciated.

[srtimsina]

@traut there are some progress, we are able to setup Nginx and installed server side ssl. We are able to run the discovery schema, it's giving the expected output. But, when trying to run the discovery schema with a client key, cert, it's giving the error. taxii-discovery --path https://suryaraj.com:443/services/discovery-a --cert certificate.crt --key private.key 2019-09-23 20:17:33,253 INFO: Sending Discovery_Request to https://suryaraj.com/services/discovery-a 2019-09-23 20:17:33,276 ERROR: HTTP Error: status code 400

The Nginx config portion should be ok, as it is working fine when we run a test application and try to curl with the client key, cert files.

[arcsector]

@srtimsina can you try using libtaxii to discover with the cert/key combo? I have found that it works much better with cert auth.

[arcsector]

In addition, that link is for flask bindings with certificate auth; in other words you would use the certificate to CURL to get the JWT, and then use the taxii-discovery method, like so:

$ curl --insecure \
>      --cacert ca-crt.pem \
>      --key client.key \
>      --cert client.crt \
>      -d 'username=test&password=test' \
>      http://localhost:9000/management/auth
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY2NvdW50X2lkIjoxLCJleHAiOjE0Mjc2MzgyMjN9.oKd43j4KR1Ovu8zOtwFdeaKILys_kpl3fAiECclP7_4"
}

$ taxii-discovery --path http://localhost:9000/services/discovery-a \
>                 --header Authorization:'Bearer eyJleHAiOjE0MjY3OTMwOTYsImFsZyI6IkhTMjU2IiwiaWF0IjoxNDI2Nzg1ODk2fQ.eyJ1c2VyX2lkIjoxfQ.YsZIdbrU92dL8j5G8ydVAsdWHXtx371vC0POmXrS3W8'

This is shows to be the case here

[srtimsina]

@arcsector , In addition to my 1st comment, following is the error message I can see in the log message of Nginx, I think the below message is because OpenTAXII could not verify the CA's root cert.

Can you please help me with the following information?

From where does the OpenTAXII read the CA's root certificate? In our mutual authentication setup with Nginx, I am able to authenticate after importing the client certificate along with CA's root certificate but in the case of Cabby, taxii-discovery does not work even though we pass the ca_cert parameter in the schema.

It is giving the following error message

client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers, client: 192.168.4.203, server: srtimsina.com, request: "POST /services/discovery-a HTTP/1.1", host: "srtimsina.com"

[arcsector]

@srtimsina the issue is that OpenTAXII doesnt validate certs like HTTP does. I'm not even sure how to specify a cert in opentaxii for auth. You would have to do it at the application level if you wanted to use cabby, because thats how cabby exchanges certfiles. Your current integration supports only cert auth at the wsgi level (gunicorn/flask).

Does that make sense? I'll try and explain it this way:

You have 3 layers here:

• OpenTAXII: this is where you should be inputting certs for auth
• Gunicorn: WSGI orchestration tool
• Nginx: Web proxy

Nginx and Gunicorn broker the transaction with OpenTAXII. When you use cabby to send certs, they're not making it past Nginx/Gunicorn because they're designed to take certs at the HTTP level.

I could be wrong about this. Regardless: where are you specifying OpenTAXII to accept cert for auth? Please post your data-configuration yaml file or wherever you're specifying OpenTAXII to accept certfiles as auth.

[srtimsina]

@arcsector finally done with the setup of SSL/TLS also. It looks like there was some issue with the client cert/ keys previously generated. We generated self signed client certs/keys and got working.

Another problem while creating the poll. I am not sure discovery request is working properly but in the case of poll request, the request is going to localhost:9000 instead of srtimsina.com. Any suggestions?

(venv) ubuntu@ubuntu:/tmp$taxii-poll --host srtimsina.com --https --collection /services/collection_a --discovery /services/discovery-a --cert client.crt --key client.key

2019-09-27 08:10:28,118 INFO: Polling using data binding: ALL
2019-09-27 08:10:28,121 INFO: Sending Discovery_Request to https://srtimsina.com/services/discovery-a
2019-09-27 08:10:28,154 INFO: 5 services discovered
2019-09-27 08:10:28,156 INFO: **Sending Poll_Request to https://localhost:9000/services/poll-a**
2019-09-27 08:10:28,160 ERROR: HTTPSConnectionPool(host='localhost', port=9000): Max retries exceeded with url: /services/poll-a (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f31995a17b8>: Failed to establish a new connection: [Errno 111] Connection refused',))

[traut]

@srtimsina glad to hear you figured out SSL/TLS issue!

as about discovery response: the domain used in the response is the one defined in your yaml settings file

[srtimsina]

@traut, got it. Thank you both! @arcsector :)