0.11.2 does not appear to be handling the tls certificate bundle properly


Greg Keys

Jan 19, 2016, 12:43:41 AM
to Crossbar
After an excruciating amount of testing, I'm fairly confident that Crossbar 0.11.2 and/or Autobahn 0.11.0 is not properly handling the TLS certificate CA bundle.

"tls": {
    "key": "/certs/server.key",
    "certificate": "/certs/server.crt",
    "dhparam": "/certs/dhparam.pem",
    "ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
}

I can get an SSL connection, but there are CA bundle errors,

whereas I don't get the errors on our old 0.11.1.

I'm leaning towards this actually being an Autobahn error, as the Autobahn version seems to be the main change which affects this.


This is our current working build:
Running on Linux and optimal reactor (epoll) was installed.
     __  __  __  __  __  __      __     __
    /  `|__)/  \/__`/__`|__) /\ |__)  |/  \
    \__,|  \\__/.__/.__/|__)/~~\|  \. |\__/

 Crossbar.io        : 0.11.1
   Autobahn         : 0.10.9
     UTF8 Validator : wsaccel-0.6.2
     XOR Masker     : wsaccel-0.6.2
     JSON Codec     : ujson-1.33
     MsgPack Codec  : msgpack-python-0.4.6
   Twisted          : 15.4.0-EPollReactor
   Python           : 2.7.10/CPython
 OS                 : Linux-3.14.38-x86_64-with-debian-8.2
 Machine            : x86_64



This does not work:
     __  __  __  __  __  __      __     __
    /  `|__)/  \/__`/__`|__) /\ |__)  |/  \
    \__,|  \\__/.__/.__/|__)/~~\|  \. |\__/
                                        
 Crossbar.io        : 0.11.2
   Autobahn         : 0.11.0
     UTF8 Validator : wsaccel-0.6.2
     XOR Masker     : wsaccel-0.6.2
     JSON Codec     : ujson-1.34
     MsgPack Codec  : msgpack-python-0.4.6
   Twisted          : 15.5.0-EPollReactor
   Python           : 2.7.11/CPython
 OS                 : Linux-4.1.13-18.26.amzn1.x86_64-x86_64-with-debian-8.2
 Machine            : x86_64
Am I missing something that I need to do with 0.11.2 for the CA bundle?

Tobias Oberstein

Jan 19, 2016, 2:02:15 AM
to cross...@googlegroups.com
Hi Greg,

> I can get an ssl connection but there are ca bundle errors

What errors exactly? Can you attach an openssl handshake log?

Compare: https://gist.github.com/oberstet/24d33ae7eb5fca2790bd

FWIW, we are running trunk on our own demo instance fine. Check out
https://demo.crossbar.io/ws

or

https://cbdemo-eu-central-1.crossbar.io/ws
https://cbdemo-us-west-1.crossbar.io/ws

(the demo instance actually is 2 instances with DNS georouting)

You can look at SSL Labs rating here

https://www.ssllabs.com/ssltest/analyze.html?d=demo.crossbar.io&latest

(that will connect to the US instance)

This is using Let's Encrypt certificates and this config


{
    "type": "web",
    "endpoint": {
        "type": "tcp",
        "port": 443,
        "tls": {
            "key": "privkey.pem",
            "certificate": "cert.pem",
            "chain_certificates": ["chain.pem"],
            "dhparam": "dhparam.pem",
            "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA"
        }
    },
    "options": {
        "access_log": false,
        "display_tracebacks": false,
        "hsts": true,
        "hsts_max_age": 31536000
    }
}


Please note that the code on trunk disables anything but TLS v2. This is
different from 0.11.2 release (which still allowed older versions).
Trunk also disables TLS session resumption and (non-secure) renegotiation.

Cheers,
/Tobias

Sergio Santoro

Jan 19, 2016, 2:54:05 AM
to cross...@googlegroups.com

AFAIK Crossbar v0.11.2 does not send clients the certificate with the full CA chain.
This may cause problems with outdated user agents.
The master branch is not affected, since a new TLS option has been added to solve this issue.


Tobias Oberstein

Jan 22, 2016, 2:25:49 AM
to Crossbar
Some things have changed in both Twisted and Crossbar.io. In the past, the certificates had to be concatenated and provided to CB as one file. With CB master, there now is a server cert and a list of server chain certs to be provided.

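The migration the two replies above describe (Sergio's note that 0.11.2 does not send the intermediates, and Tobias's point that master wants a separate server cert plus a list of chain certs instead of one concatenated file) is mechanical, so here is an added example that does it: split a concatenated PEM bundle into leaf and chain files and emit the matching "tls" stanza with "chain_certificates". This is example code written for this page, not Crossbar's or Autobahn's own code. It assumes the conventional bundle order (leaf first, then each intermediate, root omitted) and does not parse X.509, so a mis-ordered bundle is not detected; SAMPLE_BUNDLE, the file names cert.pem/chain.pem and the /certs directory are constructed placeholders.

```python
"""Migrate a concatenated PEM bundle (leaf certificate followed by its
intermediates in one file) to the split "certificate" / "chain_certificates"
layout and build the corresponding Crossbar "tls" stanza.

Added example for this thread, not Crossbar's or Autobahn's code. Assumes the
conventional bundle order (leaf first, then intermediates); does not parse
X.509. SAMPLE_BUNDLE is a constructed placeholder, not real certificates.
"""
import json
import re
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed placeholder bundle: three opaque blocks standing in for
# leaf + two intermediates. The base64 payloads are NOT real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
TEFFRkNFUlQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFMQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFMg==
-----END CERTIFICATE-----
"""


def split_bundle(pem_text):
    """Return (leaf, [intermediate, ...]) from a concatenated PEM string."""
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(pem_text)]
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return blocks[0], blocks[1:]


def chain_complete(pem_text):
    """False when the bundle carries only the leaf: a server configured with
    just that file sends no intermediates, which is the chain error seen by
    clients that do not already hold the issuing CA."""
    _, chain = split_bundle(pem_text)
    return len(chain) > 0


def crossbar_tls_stanza(pem_text, cert_dir, key, dhparam, ciphers=None):
    """Build the split-layout file contents and the "tls" stanza naming them.

    Returns (stanza, files); files maps a relative filename to PEM text so the
    caller decides where (and whether) to write it.
    """
    leaf, chain = split_bundle(pem_text)
    files = {"cert.pem": leaf + "\n"}
    stanza = {
        "key": key,
        "certificate": (Path(cert_dir) / "cert.pem").as_posix(),
        "chain_certificates": [],
        "dhparam": dhparam,
    }
    if chain:  # only emit chain.pem when there is something to put in it
        files["chain.pem"] = "\n".join(chain) + "\n"
        stanza["chain_certificates"].append((Path(cert_dir) / "chain.pem").as_posix())
    if ciphers:
        stanza["ciphers"] = ciphers
    return stanza, files


def write_files(files, cert_dir):
    """Write the PEM files produced by crossbar_tls_stanza() under cert_dir."""
    out = Path(cert_dir)
    out.mkdir(parents=True, exist_ok=True)
    for name, text in files.items():
        (out / name).write_text(text)


if __name__ == "__main__":
    # Usage: python split_bundle.py /certs/server.crt /certs
    import sys
    bundle_path, cert_dir = sys.argv[1], sys.argv[2]
    text = Path(bundle_path).read_text()
    if not chain_complete(text):
        print("warning: bundle holds a single certificate; no intermediates will be sent")
    stanza, files = crossbar_tls_stanza(
        text, cert_dir,
        key=(Path(cert_dir) / "server.key").as_posix(),
        dhparam=(Path(cert_dir) / "dhparam.pem").as_posix(),
    )
    write_files(files, cert_dir)
    print(json.dumps({"tls": stanza}, indent=4))
```

After deploying the split files, confirm what the server actually sends with `openssl s_client -connect host:443 -servername host -showcerts`: the number of "BEGIN CERTIFICATE" blocks in the output should equal one plus the number of entries in chain.pem, and a "Verify return code" other than 0 on a client that lacks the intermediate is the symptom reported at the top of this thread.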

Greg Keys

Jan 27, 2016, 4:24:48 PM
to Crossbar
Ah yes, I forgot about that, thanks.