usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.

403 - Access is denied. #329

Closed adrianogaibotti closed 5 months ago

adrianogaibotti commented 5 months ago

I just received the signed certificate and TOTP for accessing the demo server. After compiling libacvp and setting up the needed environment variables, I tried to launch a request, but the server refused my access request. I'm providing the command I gave and the resulting output:

./app/acvp_app --aes --vector_req example.json --disable_fips --verbose

***********************************************************************************
* WARNING: You have chosen to not fetch the FIPS provider for this run. Any tests *
* created or performed during this run MUST NOT have any validation requested     *
* on it unless the FIPS provider is exclusively loaded or enabled by default in   *
* your configuration. Proceed at your own risk. Continuing in 5 seconds...        *
***********************************************************************************

Using the following parameters:

    ACV_SERVER:     demo.acvts.nist.gov
    ACV_PORT:       443
    ACV_URI_PREFIX: /acvp/v1/
    ACV_CA_FILE:    certs/acvp.nist.gov.crt
    ACV_CERT_FILE:  certs/xxx_Demo.cer
    ACV_KEY_FILE:   certs/xxx_private.key

[ACVP]: HTTP User-Agent: libacvp/2.1.0;Linux;6.5.0-26-generic;x86_64;Intel(R) Xeon(R) w5-3425;GCC/11.4.0

[ACVP]: Logging in...
[ACVP]: POST Login...
        Status: 403
        Url: https://demo.acvts.nist.gov:443/acvp/v1/login
        Resp: Recieved

[ACVP][ERROR]: 403 error received from server. Message:
[ACVP][ERROR]: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
  <h2>403 - Forbidden: Access is denied.</h2>
  <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>

[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

Best regards

jarnold01 commented 5 months ago

Hi @adrianogaibotti - First, I suggest you use the mozzila_trust_anchors.pem certificate bundle to connect to the Demo environment (ACV_CA_FILE env var)

Next, ensure your ACV_TOTP_SEED environment variable is set and contains the TOTP seed string value (not the reference/pointer to the totp file).

Finally, see if you can first use libacvp to connect to this endpoint to test connectivity and authentication. This will list out all of the algorithms supported by the environment if it is successful:

acvp_app --get /acvp/v1/algorithms

adrianogaibotti commented 5 months ago

Thanks @jarnold01 for the prompt feedback. Unfortunately, changing the trust anchor doesn't solve the issue. The ACV_TOTP_SEED variable contains the seed string value (I tried with and without double quotes wrapping, but the result is always the same).

./app/acvp_app --get /acvp/v1/algorithms --disable_fips

***********************************************************************************
* WARNING: You have chosen to not fetch the FIPS provider for this run. Any tests *
* created or performed during this run MUST NOT have any validation requested     *
* on it unless the FIPS provider is exclusively loaded or enabled by default in   *
* your configuration. Proceed at your own risk. Continuing in 5 seconds...        *
***********************************************************************************

Using the following parameters:

    ACV_SERVER:     demo.acvts.nist.gov
    ACV_PORT:       443
    ACV_URI_PREFIX: /acvp/v1/
    ACV_CA_FILE:    certs/mozzila_trust_anchors.pem
    ACV_CERT_FILE:  certs/xxx_Demo.cer
    ACV_KEY_FILE:   certs/xxx_private.key

[ACVP]: Logging in...
[ACVP][ERROR]: 403 error received from server. Message:
[ACVP][ERROR]: [same "403 - Forbidden: Access is denied." HTML page as in the first comment]

[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

Best regards, Adriano

abkarcher commented 5 months ago

Hi Adriano, some more things to try:

Usually, TOTP issues would present a different error, so I wouldn't worry too much about that for this specific error.

Thanks, Andrew

jarnold01 commented 5 months ago

Thanks for chiming in @abkarcher ; much appreciated.

@adrianogaibotti Please give it another try. I noticed a small issue with your user account entry that I fixed, and that may well have been the issue impacting your ability to authenticate. Thanks.

adrianogaibotti commented 5 months ago

Hi @jarnold01, I tried again but I still continue to have the same error. Please let me know if I need to generate a new certificate request.

BR, Adriano

jarnold01 commented 5 months ago

Hmm okay @adrianogaibotti - please try accessing the demo server again, and reply back with the date/time stamp of your attempt so that I can check the server logs and see if I can determine what is happening. Something like:

date; ./app/acvp_app --verbose --get /acvp/v1/algorithms

adrianogaibotti commented 5 months ago

Thanks again for the support :). Below is the output of the command (P.S. I'm disabling the FIPS check just as a first test, but I don't think the issue depends on that. Or at least I hope :))

date; ./app/acvp_app --verbose --get /acvp/v1/algorithms --disable_fips
Mon Apr 22 02:03:01 PM CEST 2024

***********************************************************************************
* WARNING: You have chosen to not fetch the FIPS provider for this run. Any tests *
* created or performed during this run MUST NOT have any validation requested     *
* on it unless the FIPS provider is exclusively loaded or enabled by default in   *
* your configuration. Proceed at your own risk. Continuing in 5 seconds...        *
***********************************************************************************

Using the following parameters:

    ACV_SERVER:     demo.acvts.nist.gov
    ACV_PORT:       443
    ACV_URI_PREFIX: /acvp/v1/
    ACV_CA_FILE:    /local/home/gaibotta/acvp/libacvp/certs/mozzila_trust_anchors.pem
    ACV_CERT_FILE:  /local/home/gaibotta/acvp/libacvp/certs/ST_Adriano_Gaibotti_Demo.cer
    ACV_KEY_FILE:   /local/home/gaibotta/acvp/libacvp/certs/ST_Adriano_Gaibotti_private.key

[ACVP]: HTTP User-Agent: libacvp/2.1.0;Linux;6.5.0-26-generic;x86_64;Intel(R) Xeon(R) w5-3425;GCC/11.4.0

[ACVP]: Logging in...
[ACVP]: POST Login...
        Status: 403
        Url: https://demo.acvts.nist.gov:443/acvp/v1/login
        Resp: Recieved

[ACVP][ERROR]: 403 error received from server. Message:
[ACVP][ERROR]: [same "403 - Forbidden: Access is denied." HTML page as in the first comment]

[ACVP][ERROR]: Login Send Failed
[ACVP][ERROR]: Failed to login with ACVP server

jarnold01 commented 5 months ago

I'm seeing the HTTP error 403.7 in the server logs. Usually when I see this error, it is because of an outbound enterprise proxy that is disassembling the outbound TLS traffic, inspecting it, and then reassembling it using the proxy's own TLS certificate, which is the certificate that gets presented to the server. The server would, of course, reject this certificate since we have no knowledge of it.

Assuming this is the case, I would ask that, if you are operating from within a corporate network environment, you confirm with your network IT group that such an outbound proxy is in place and, if so, request that your test platform's IP address be excepted from the outbound proxy so that the traffic may pass through untouched.
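
As an added example that is not part of this thread and not code from libacvp or ACVP-Server, the script below runs, entirely offline, the checks the two replies above suggest: jarnold01's preflight advice (ACV_TOTP_SEED must hold the seed string rather than the name of the seed file, and libacvp must be able to reach the endpoint with your client certificate) and the proxy diagnosis (the chain presented for demo.acvts.nist.gov chains to a private CA instead of the anchors in ACV_CA_FILE, so the proxy, not you, is the TLS client the server sees). The cert/key pairing check is my addition as a general sanity check; the thread does not ask for it. Every CA, host name, seed value and file the script creates is constructed for the demonstration; none of it is NIST's real PKI.

```shell
#!/bin/sh
# Added example for this thread; not code from libacvp or ACVP-Server.
# Offline demonstration of three client-side checks before blaming the server:
#   1. ACV_TOTP_SEED holds the seed string, not a path to the seed file
#   2. ACV_CERT_FILE and ACV_KEY_FILE are a matching pair (added here as a
#      general sanity check; the thread itself does not ask for it)
#   3. the server certificate presented on the connection verifies against the
#      bundle in ACV_CA_FILE; a chain ending in a private CA means a
#      TLS-intercepting proxy sits in the path and the server never sees your
#      client certificate
# Every CA, host name, seed and file below is constructed here; none is NIST's.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed test PKI helpers -------------------------------------------
make_ca() {      # make_ca NAME -> self-signed CA at $WORK/NAME.{key,crt}
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
issue_leaf() {   # issue_leaf CA SUBJECT NAME -> $WORK/NAME.{key,crt} signed by CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$3.crt" >/dev/null 2>&1
}

# --- check 1: the seed variable must be the value itself ---------------------
totp_seed_is_value() {   # totp_seed_is_value "$ACV_TOTP_SEED" -> 0 if a value, 1 if empty or a path
    [ -n "$1" ] && [ ! -e "$1" ]
}

# --- check 2: client certificate and private key belong together -------------
cert_matches_key() {     # cert_matches_key CERT KEY -> 0 if the public keys agree (RSA or EC)
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# --- check 3: does the presented server chain verify against our bundle? ----
# Against the live endpoint you would capture the leaf first (not run here):
#   openssl s_client -connect demo.acvts.nist.gov:443 \
#       -servername demo.acvts.nist.gov -showcerts </dev/null 2>/dev/null
server_chain_status() {  # server_chain_status BUNDLE LEAF -> prints direct|intercepted
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo direct
    else
        echo intercepted
    fi
}
issuer_cn() {            # issuer_cn CERT -> CN of the issuer, i.e. the CA that re-signed
    openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# --- constructed scenario -----------------------------------------------------
make_ca public-root                                   # stands in for mozzila_trust_anchors.pem
make_ca corp-proxy-ca                                 # what an intercepting proxy re-signs with
issue_leaf public-root   demo.acvts.nist.gov direct   # chain as seen without a proxy
issue_leaf corp-proxy-ca demo.acvts.nist.gov intercepted
issue_leaf public-root   acvp-client client           # our ACV_CERT_FILE / ACV_KEY_FILE
openssl genpkey -algorithm RSA -out "$WORK/other.key" >/dev/null 2>&1   # an unrelated key
BUNDLE="$WORK/public-root.crt"
SEED_VALUE='QUJDREVGR0hJSktMTU5PUA=='                  # constructed, not a real seed

report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; fi; }
report totp_seed_is_value "$SEED_VALUE"
report totp_seed_is_value "$WORK/client.key"                    # a path: FAIL, as intended
report cert_matches_key "$WORK/client.crt" "$WORK/client.key"
report cert_matches_key "$WORK/client.crt" "$WORK/other.key"    # wrong key: FAIL, as intended
echo "direct chain:      $(server_chain_status "$BUNDLE" "$WORK/direct.crt")"
echo "intercepted chain: $(server_chain_status "$BUNDLE" "$WORK/intercepted.crt") (issuer: $(issuer_cn "$WORK/intercepted.crt"))"
```

Against the real endpoint, feed the leaf from the `openssl s_client -showcerts` capture to `server_chain_status` with the same file you set in ACV_CA_FILE. If it reports `intercepted` and `issuer_cn` names your corporate CA, the TLS session you see terminates at the proxy, the proxy opens its own session to NIST without your client certificate, and the server-side 403.7 jarnold01 found in the logs is what you would expect; the fix is the proxy exception he describes, not a new certificate request.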

adrianogaibotti commented 5 months ago

Thank you @jarnold01 for the immediate feedback. Indeed, we are inside a corporate network with a corporate certificate. I'm contacting our IT department to understand how to get the exception.

jarnold01 commented 5 months ago

You're welcome @adrianogaibotti . I'm going to close this issue, but feel free to re-open it (or just email me directly) if you continue having access issues once the corporate proxy situation has been resolved.

locksmithone commented 5 months ago

May I suggest putting this information/troubleshooting regarding outbound proxies in the README page in github. It may be tortuous to find out without prior experience. :)

On Tue, Apr 23, 2024 at 10:29 AM Jason Arnold wrote:

> You're welcome @adrianogaibotti. I'm going to close this issue, but feel free to re-open it (or just email me directly) if you continue having access issues once the corporate proxy situation has been resolved.