pragatir / shellinabox

Automatically exported from code.google.com/p/shellinabox
Other
0 stars 0 forks source link

Can't get SSL/TLS sessions working #22

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Install Debian package on an Etch system: dpkg -i 
shellinabox_2.9-1_i386.deb
2. Run SIAB daemon (as root) : shellinaboxd --cert=/tmp/certificates -g 
shellinabox
3. Point a browser to https://localhost:4200

What is the expected output? What do you see instead?

I'd expect a self-signed certificate to be created under /tmp/certificates 
and an encrypted browser session. Instead of that, when I go to the https 
URL, I get an error message (varies depending upong the browser) saying 
that a connection cannot be established. If I go to http://localhost:4200 
then I get the login prompt, but the connection is never promoted to SSL/
TLS. I've tried Opera, Firefox, Konqueror and IE6 (by using Wine). 

It's quite likely that I'm missing something pretty obvious here, but I 
cannot find what is it.

What version of the product are you using? On what operating system?

I'm running version 2.9 (r139), installed from the Debian package that is 
available for download. The operating system is Debian Etch running a 
vserver-k7 kernel:

Linux version 2.6.18-6-vserver-k7 (Debian 2.6.18.dfsg.1-18etch1) 
(waldi@debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 
4.1.1-21)) #1 SMP Sun Feb 10 22:35:25 UTC 2008

Please provide any additional information below.

When trying to access SIAB through https://... with Firefox, I got an 
error message that I had never seen before: "localhost has sent an 
incorrect or unexpected message. Error code: -12263". 

Original issue reported on code.google.com by alejandr...@gmail.com on 12 Jul 2009 at 6:36

GoogleCodeExporter commented 9 years ago
The directory /tmp/certificates exists and it has write permission for the 
shellinabox group.

Original comment by alejandr...@gmail.com on 12 Jul 2009 at 6:39

GoogleCodeExporter commented 9 years ago
The Debian package already starts the daemon for you and if it can find the 
"openssl"
binary, it stores self-signed certificates in "/var/lib/shellinabox".

If you don't want the daemon to be started automatically, you will need to 
disable it
in "/etc/default/shellinabox". But then you need to figure out how to correctly 
set
it up yourselves, so I don't recommend that approach for most users.

If you then decide to start it manually, you have to make sure that the 
certificate
directory has the right permissions. By default, shellinabox will drop 
privileges to
become "nobody". So, if the directory isn't accessible by "nobody", shellinabox 
won't
be able to serve encrypted connections. And that's most likely the problem you 
are
seeing.

Of course, changing the directory to be owned by "nobody" would be a bad idea.
Anybody who can become "nobody", would then be able to read your private keys.

Instead, you should create a dedicated user for the shellinabox daemon. And 
that's
what the Debian package does for you. You will notice that after installing the
package you have a "shellinabox" user. And that "/var/lib/shellinabox" is owned 
by
"shellinabox".

You then also need to make sure you that you pass the right command line flags 
to
switch to this user.

In other words, if you use the default settings that the package configures 
after a
"dpkg -i", and if "openssl" is available in "/usr/bin", things should work out 
of the
box. Just point your browser to "http://localhost:4200/".

If that doesn't work, that would be a bug. But I'd need to know more details to
figure out how your system is different from other Debian machines.

Original comment by zod...@gmail.com on 12 Jul 2009 at 6:49

GoogleCodeExporter commented 9 years ago
I've also tried running SIAB with the same command line arguments mentioned on 
the 
man page:

" shellinaboxd -c certificates -g shellinaboxd

  If  the  certificates  directory  exists and is writable by the shellinaboxd 
group, self-signed SSL certificates will be generated in this directory. 
Running 
this command as root allows  any  user on the system to log in at http://
localhost:4200/.  Sessions will automatically be promoted to SSL/TLS."

The shellinaboxd group doesn't exist (I don't know if that's a typo in the man 
page, 
or a problem with the Debian package). So I used -g shellinabox (that's the 
group 
name created by the installer). 

Then if I point the browser to http://localhost:4200/ I can login wihtout any 
problems. However, the session is never promoted to SSL/TLS (or at least the 
browser 
doesn't show any visual cues about that, like the URL changing to https or a 
warning 
about a self-signed certificate). 

Original comment by alejandr...@gmail.com on 12 Jul 2009 at 7:03

GoogleCodeExporter commented 9 years ago
Just to discard permission related problems, I've run chmod 777 
/tmp/certificates, 
but I still get the same behaviour (i.e., http access works OK, but session 
doesn't 
get promoted to SSL).

Also, openssl is installed: 

ii  openssl                                                       0.9.8c-4etch5

and the openssl command is available under /usr/bin

I'd be happy to provide any additional information required in order to 
diagnose 
this problem.

Original comment by alejandr...@gmail.com on 12 Jul 2009 at 7:10

GoogleCodeExporter commented 9 years ago
Thank you for pointing out the misleading example in the manual page. I'll 
update that.

In the meantime, do you have Google Talk enabled? If so, that might be the 
easiest
way to debug this issue, if you have a few minutes time.

Original comment by zod...@gmail.com on 12 Jul 2009 at 7:20

GoogleCodeExporter commented 9 years ago
Installing SIAB on a virtual machine running Lenny seems to work. I say "seems" 
because I get a certificate.pem file under /tmp/certificates as soon as I run 
shellinaboxd -c /tmp/certificates -g shellinabox (on the Etch box, that file 
isn't 
created when issuing the same command).

Howevever, when I access http://lennyhost:4200, then connection gets redirected 
to 
https, and then Firefox gives this message: "Firefox can't connect securely to 
lennyhost because the site uses a security protocol which isn't enabled" (I'm 
not 
quite soure about what that really means).

The certificate.pem file has a 0 byte length, so I guess that something must be 
wrong:

-r-------- 1 nobody shellinabox 0 2009-07-12 16:23 certificate.pem

Original comment by alejandr...@gmail.com on 12 Jul 2009 at 7:29

GoogleCodeExporter commented 9 years ago
If i create the certificate manually under /var/lib/shellinabox by running 
openssl 
req -x509 -nodes -days 7300 -newkey rsa:1024 -out certificate.pem  -subj '/
CN=localhost/', and then run SIAB using the same command that is used by the 
script 
on init.d (/usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c 
/var/
lib/shellinabox -p 4200 -u shellinabox -g shellinabox --no-beep), the behavior 
is 
still the same (http works fine, https doesn't).

ls /var/lib/shellinabox -l 

-rwxrwxrwx 1 shellinabox shellinabox 790 2009-07-12 17:25 certificate.pem
-rwxrwxrwx 1 shellinabox shellinabox 887 2009-07-12 17:25 privkey.pem

I'll try to run SIAB on an official Debian Lenny LiveCD and see what happens.

Original comment by alejandr...@gmail.com on 12 Jul 2009 at 8:37