michael-lazar / gemini-diagnostics

A torture test for gemini servers
MIT License
25 stars 5 forks

TLSV1_ALERT_ACCESS_DENIED #2

Closed tinywombat765 closed 3 years ago

tinywombat765 commented 3 years ago

So I'm writing a gemini server and someone on the mailing list recommended I use this tool for testing it. When running the tests I get the error TLSV1_ALERT_ACCESS_DENIED on a bunch of the tests. It's quite possible that this is an issue with my server but the error message is bewildering so maybe you could give some insight.

My server code, for reference: https://sr.ht/~zethra/stargazer/

```
Running server diagnostics check against localhost:1965
...

[IPv4Address] Establish a connection over an IPv4 address
Looking up IPv4 address for 'localhost'
  ✓ '127.0.0.1'
Attempting to connect to 127.0.0.1:1965
  ✓ Successfully established connection

ERROR - Error accepting tls connection: tls handshake eof
[IPv6Address] Establish a connection over an IPv6 address
Looking up IPv6 address for 'localhost'
  ✓ '::1'
Attempting to connect to [::1]:1965
  x [Errno 111] Connection refused

[TLSVersion] Server must negotiate at least TLS v1.2, ideally TLS v1.3
Checking client library
  'OpenSSL 1.1.1h  22 Sep 2020'
Determining highest supported TLS version
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved

[TLSClaims] Certificate claims must be valid
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
[TLSVerified] Certificate should be self-signed or have a trusted issuer
Connecting over verified SSL socket
  ✓ Self-signed TLS certificate detected
ERROR - Error accepting tls connection: cannot decrypt peer's message

[TLSRequired] Non-TLS requests should be refused
Sending non-TLS request
  ✓ Connection closed by server

ERROR - Error accepting tls connection: received corrupt message
[ConcurrentConnections] Server should support concurrent connections
Attempting to establish two connections
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
[ResponseFormat] Validate the response header and body for the root URL
Request URL
  'gemini://localhost/\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved

[HomepageRedirect] A URL with no trailing slash should redirect to the canonical resource
Request URL
  'gemini://localhost\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved

[PageNotFound] Request a gemini URL that does not exist
Request URL
  'gemini://localhost/09pdsakjo73hjn12id78\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved

[RequestMissingCR] A request without a <CR> should timeout
Request URL
  'gemini://localhost/\n'
No response should be received
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
  ✓ [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

[URLIncludePort] Send the URL with the port explicitly defined
Request URL
  'gemini://localhost:1965/\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
[URLSchemeMissing] A URL without a scheme should be inferred as gemini
Request URL
  '//localhost/\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved

[URLByIPAddress] Send the URL using the IPv4 address
Request URL
  'gemini://127.0.0.1:1965/\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
[URLInvalidUTF8Byte] Send a URL containing a non-UTF8 byte sequence
Request URL
  'gemini://localhost/\udcdc\r\n'
Connection should either drop, or return 59 (BAD REQUEST)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
  ✓ Connection closed without response

[URLMaxSize] Send a 1024 byte URL, the maximum allowed size
Request URL
  'gemini://localhostr\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved

[URLAboveMaxSize] Send a 1025 byte URL, above the maximum allowed size
Request URL
  'gemini://localhostr\n'
Connection should either drop, or return 59 (BAD REQUEST)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
  ✓ Connection closed without response

[URLWrongPort] A URL with an incorrect port number should be rejected
Request URL
  'gemini://localhost:443/\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
[URLWrongHost] A URL with a foreign hostname should be rejected
Request URL
  'gemini://wikipedia.org/\r\n'
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

[URLSchemeHTTP] Send a URL with an HTTP scheme
Request URL
  'http://localhost/\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
[URLSchemeHTTPS] Send a URL with an HTTPS scheme
Request URL
  'https://localhost/\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved

[URLSchemeGopher] Send a URL with a Gopher scheme
Request URL
  'gopher://localhost/\r\n'
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

[URLEmpty] Empty URLs should not be accepted by the server
Request URL
  '\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
[URLRelative] Relative URLs should not be accepted by the server
Request URL
  '/\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved

[URLInvalid] Random text should not be accepted by the server
Request URL
  'Hello Gemini!\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
[URLDotEscape] A URL should not be able to escape the root using dot notation
Request URL
  'gemini://localhost/../../\r\n'
  x [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1124)

Done!
ERROR - Error accepting tls connection: unexpected error: no server certificate chain resolved
```
michael-lazar commented 3 years ago

Hi! I can't say that I've seen that error before but my instinct is that something is abnormal with your TLS certificate. Could you post or link to an example of a certificate/key that your server is generating?

tinywombat765 commented 3 years ago

Here are the certs I'm using

certs.zip

tslocum commented 3 years ago

When running twins with these certificates, no error is encountered.

tinywombat765 commented 3 years ago

It may have something to do with me using rustls instead of openssl. No other client has had issues that I know of though.

tinywombat765 commented 3 years ago

When I run it against my public site benaaron.dev that's running my server I get this error instead: `[Errno -2] Name or service not known`. That seems to be the case with any public gemini server.

michael-lazar commented 3 years ago

Ahh, it looks like it's caused by the client not sending SNI information. This testing utility was written before SNI was changed to be mandatory in the gemini spec.

```
 ~/D/certs  jetforce-client gemini://benaaron.dev                                                              408ms  Tue Nov 17 15:32:41 2020
Traceback (most recent call last):
  File "/usr/local/bin/jetforce-client", line 8, in <module>
    sys.exit(run_client())
  File "/usr/local/lib/python3.8/site-packages/jetforce_client.py", line 64, in run_client
    fetch(args.url, args.host, args.port, args.tls_enable_sni)
  File "/usr/local/lib/python3.8/site-packages/jetforce_client.py", line 26, in fetch
    with context.wrap_socket(sock, server_hostname=sni) as ssock:
  File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/local/Cellar/python@3.8/3.8.5/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_ACCESS_DENIED] tlsv1 alert access denied (_ssl.c:1123)
!  ~/D/certs  jetforce-client gemini://benaaron.dev --tls-enable-sni                                         254ms  Tue Nov 17 15:32:45 2020
20 text/gemini
\```
___
\  \     ____                  _                           ██████
 \  \   | __ )  ___ _ __      / \   __ _ _ __ ___  _ __    ██████
  \  \  |  _ \ / _ \ '_ \    / _ \ / _` | '__/ _ \| '_ \   ██████
  /  /  | |_) |  __/ | | |  / ___ \ (_| | | | (_) | | | |  ██████
 /  /   |____/ \___|_| |_| /_/   \_\__,_|_|  \___/|_| |_|  ██████
/__/                                                       ██████
\```

# Ben Aaron's Geminispace

Hello fellow spacefarers!  My name is Ben Aaron Goldberg and this is my gemini capsule.  I like FOSS, Rust, Linux, and being mad at software.

Here are things I've written:
=> https://sr.ht/~zethra/stargazer/ stargazer - A gemini server
=> https://sr.ht/~zethra/license/ license - A tool to easily add a license to your project
=> https://sr.ht/~zethra/poki-launcher/ poki-launcher - An application launcher for Linux

I plan to start a gemlog here at some point.  Let's see if I get to it 😅.

## My Links

=> https://sr.ht/~zethra/ Sourcehut: ~zethra
=> mailto:ben@benaaron.dev Email: ben@benaaron.dev
=> https://fosstodon.org/@zethra Mastondon: @zethra@fosstodon.org
=> gemini://benaaron.dev/pubkey.txt GPG Key: EF9570D2

## License

The content of this site is licensed under CC-BY-SA-4.0. The code for this site is licensed under MIT.
```
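The failure mode diagnosed above, a server that resolves its certificate by the SNI name and therefore has nothing to present to a client whose ClientHello carries no server_name, can be reproduced end to end with nothing but the Go standard library. The following is an added example, not code from gemini-diagnostics, jetforce or stargazer: it generates a throwaway self-signed certificate in-process, runs a TLS listener whose `GetCertificate` callback refuses to serve when `ClientHelloInfo.ServerName` is empty, and then connects once without SNI and once with it. The exact alert differs between stacks (rustls sent `access_denied` in the thread; Go's server reports an internal error), but the shape is the same: no certificate chain resolved, handshake aborted, and the client sees only an opaque TLS alert. Hostname `localhost`, the 5-second deadlines and the loopback address are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for host, generated
// in-process so the example runs offline (it stands in for the server's real cert/key).
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// StartSNIServer listens on loopback and hands out the certificate only when the
// ClientHello carries a server_name. A client that omits SNI gets no certificate
// chain, so the handshake is aborted with a TLS alert, the same failure shape as
// "no server certificate chain resolved" in the thread.
func StartSNIServer(host string) (addr string, stop func(), err error) {
	cert, err := selfSignedCert(host)
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == "" {
				return nil, errors.New("no SNI in ClientHello: no server certificate chain resolved")
			}
			return &cert, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				_ = c.SetDeadline(time.Now().Add(5 * time.Second))
				// tls.Listen wraps connections lazily: force the handshake now,
				// then drain whatever the client sends until it hangs up.
				if err := c.(*tls.Conn).Handshake(); err != nil {
					return
				}
				_, _ = io.Copy(io.Discard, c)
			}(c)
		}
	}()
	return ln.Addr().String(), func() { _ = ln.Close() }, nil
}

// Handshake dials addr and completes a TLS handshake. serverName is what goes into
// the SNI extension; an empty string reproduces the client bug from the thread.
func Handshake(addr, serverName string) error {
	raw, err := net.DialTimeout("tcp", addr, 3*time.Second)
	if err != nil {
		return err
	}
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	conn := tls.Client(raw, &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true, // self-signed cert; Gemini relies on TOFU, not CA trust
		MinVersion:         tls.VersionTLS12,
	})
	if err := conn.Handshake(); err != nil {
		_ = raw.Close()
		return err
	}
	_ = conn.Close() // sends close_notify; a failure here is not a handshake failure
	return nil
}

func main() {
	addr, stop, err := StartSNIServer("localhost")
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("without SNI:", Handshake(addr, ""))          // remote TLS alert
	fmt.Println("with SNI:   ", Handshake(addr, "localhost")) // <nil>
}
```

`InsecureSkipVerify` is set only because the certificate is self-signed and the example has no trust store; a real Gemini client would pin the certificate (TOFU) instead. The point to take from the run is that a server which selects certificates by SNI cannot fall back to a default unless it is configured to, so a client that omits server_name fails at the handshake before any Gemini request is sent, which is why every request-level check in the diagnostics run above reported the same TLS alert.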
tinywombat765 commented 3 years ago

Awesome! Glad you figured it out. Were both errors caused by this?

michael-lazar commented 3 years ago

I just pushed a fix up, try it again when you get a chance

tinywombat765 commented 3 years ago

That problem is fixed. I'm receiving a few errors on some of the tests even though they're passing. Like:

```
[ConcurrentConnections] Server should support concurrent connections
Attempting to establish two connections
  Opening socket 1
  Opening socket 2
  Closing socket 2
  Closing socket 1
  ✓ Concurrent connections supported

ERROR - Connection reset by peer (os error 104)
ERROR - Error closing stream: Broken pipe (os error 32)
ERROR - Broken pipe (os error 32)
ERROR - Error closing stream: Broken pipe (os error 32)
```

If you're interested.

michael-lazar commented 3 years ago

Thanks for the heads up! Interestingly I don't see those errors when I point to your server.

tinywombat765 commented 3 years ago

So those errors were actually my server running in the background. Oops