mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

CMP over HTTPS #216

Closed lfcrypto closed 3 years ago

lfcrypto commented 4 years ago

Hi, I have a problem regarding the use of openssl cmp when connected to an HTTPS server (in my case EJBCA). Could you tell me if this feature (tls_used) should be fully supported at this time?

The connection does not seem to be established (nothing in the EJBCA log), and the error message is not really helpful for getting an idea of what happened:

```
cmpopenssl>.\openssl.exe cmp -section cmptls -config cmp.conf
OPENSSL_FUNC:apps\cmp.c:2895:CMP info: using OpenSSL configuration file 'cmp.conf'
OPENSSL_FUNC:apps\cmp.c:2112:CMP info: will contact https://ejbca.test:8442/ejbca/publicweb/cmp/test
OPENSSL_FUNC:apps\cmp.c:826:CMP warning: can load only one certificate in DER format from AC1.cer
OPENSSL_FUNC:apps\cmp.c:826:CMP warning: can load only one certificate in DER format from ACR.cer
send_receive_check:crypto\cmp\cmp_client.c:172:CMP info: sending IR
OSSL_HTTP_REQ_CTX_transfer:crypto\http\http_client.c:774:CMP error: error receiving : server=ejbca.test:8442
send_receive_check:crypto\cmp\cmp_client.c:178:CMP error: transfer error : request sent: IR, expected response: IP
```

The cmp.conf file is:

```
[cmptls]
server = ejbca.test:8442
path = /ejbca/publicweb/cmp/test

ignore_keyusage = 1
unprotected_errors = 1

ref = openssl-cmp-test-tls
secret = pass:xxxxxx

cmd = ir

subject = "/C=FR/CN=openssl-cmp-test-tls"
srvcert = AC1.cer
newkey = openssl-cmp-test-tls.key
certout = openssl-cmp-test-tls.cer

tls_used = 1
tls_trusted = AC1.cer,ACR.cer
```

Notes:

Do you have any idea of what could be the issue?

Kind regards, Ludovic

primetomas commented 4 years ago

I get the same in Linux.

```
../apps/openssl cmp -cmd ir -server localhost:8442 -path ejbca/publicweb/cmp/cmpra -srvcert ManagementCA.cacert.pem -ref NewUser -secret pass:password -certout clcert1.pem -newkey key1.pem -subject "/CN=NewUser/O=My Organization/C=SE" -tls_used -tls_trusted ./ManagementCA.cacert.pem
CMP info: will contact https://localhost:8442/ejbca/publicweb/cmp/cmpra
CMP info: sending IR
CMP error: error receiving : server=localhost:8442
CMP error: transfer error : request sent: IR, expected response: IP
```

There is no connection established to the server, i.e. no IR is received, although the message on the client looks like it is. There seems to be a TLS connection error, but the details of that are not visible. Is there a debug flag?

(I use the code from https://github.com/openssl/openssl/ pulled today)

DDvO commented 4 years ago

Thanks @lfcrypto for reporting and @primetomas for confirming this issue. The HTTPS feature of CMP used to work, but it looks like when integrating its code with the core of OpenSSL some regression crept in. TLS connections can be pretty hard to debug, and unfortunately I'm not aware of a suitable debug/trace log facility.

I haven't been testing this for a while and am currently busy with other more urgent issues due to the feature freeze deadline (currently set to Sep 8) approaching soon, but I plan to analyze this in more detail - and hopefully fix it - ASAP.

lfcrypto commented 3 years ago

Hi, could you tell me if you have had the chance to take a look at this issue? Kind regards, Ludovic

DDvO commented 3 years ago

Hi Ludovic, thanks for asking patiently. Unfortunately I was still too busy with other bugs etc., but next week looks better. Kind regards, David

DDvO commented 3 years ago

Hi @lfcrypto and @primetomas,

finally, finally, I became aware of this issue again and investigated it. I think the problem is now gone. Could you please check with the latest OpenSSL master or the cmp branch of git@github.com:mpeylo/cmpossl.git? BTW, I guess the problem only occurred when using a finite timeout restriction (such as the default 120 seconds), but not with -msg_timeout 0 (no timeout), right?

Cheers, David

lfcrypto commented 3 years ago

Hi @DDvO, thanks for the reply. I will check that ASAP with the latest OpenSSL master. I haven't done tests with no timeout (I just used the default values), but I will do so before testing the new version.

lfcrypto commented 3 years ago

Hi @DDvO, I have tested the older version and indeed, with msg_timeout set to 0, it works fine. I will test the new OpenSSL master with the default value ASAP. Thanks for the help.

DDvO commented 3 years ago

Hi @lfcrypto and @primetomas, I've meanwhile further improved the underlying HTTP client: https://github.com/openssl/openssl/pull/15053. Please confirm that the problems you had are fixed, or let me know if you still experience issues.

lfcrypto commented 3 years ago

Hi @DDvO, unfortunately I have recently changed my position and am now working for another customer, so I will not be able to test the change you made. I will keep in mind to check it if I have the opportunity. Thanks for the help.

primetomas commented 3 years ago

Thanks. I successfully tested with https, using a command like:

```
apps/openssl cmp -cmd ir -server localhost:8442 -path ejbca/publicweb/cmp/cmpra -srvcert ManagementCA.cacert.pem -ref NewUser -secret pass:password -certout clcert1.pem -newkey key1.pem -subject "/CN=NewUser/O=My Organization/C=SE" -tls_used
```

DDvO commented 3 years ago

Thanks Tomas for trying this out and reporting! So we can close this for good.