non-hosted asyncio TLS client certificate auth config?


pe...@koodaamo.fi

Nov 29, 2016, 6:13:28 AM11/29/16
to Crossbar
I've struggled for a while with that now. I've created my own CA and then a client key & certificate using that. The crossbar router is using a certificate from LetsEncrypt.

The server certificate config works ok, but for some reason, I am stuck with the asyncio WAMP client certificate auth. Trying to authenticate, I get the error:

wamp.error.no_auth_method: cannot authenticate using any of the offered authmethods ['anonymous']

So it's as if the client needs to specifically request some auth method? How?

The docs & examples I've found for TLS client certificate auth seem to always use a WAMP component hosted by crossbar. But that's not my use case - the WAMP components connect remotely (what's the point of using TLS for a hosted local component, anyway?)

For what it's worth, here's what I've already followed to the best of my ability:


And checked various examples:


I also found this, with some nuggets:



pe...@koodaamo.fi

Nov 29, 2016, 6:21:42 AM11/29/16
to Crossbar
To clarify, what I am trying to do is static TLS Client Certificate authentication. Here's the crossbar transport config:

(with obfuscated file names, changed SHA etc.)

transports:
  - type: websocket
    auth:
      tls:
        type: static
        principals:
          tms_29344008:
            certificate-sha1: "5C:CE:3E:90:00:0F:5D:9F:93:45:3E:94:CE:13:FD:00:8B:AA:DB:83"
            role: tms
    endpoint:
      type: tcp
      port: 443
      tls:
        key: /etc/letsencrypt/live/xxx.com/privkey.pem
        certificate: /etc/letsencrypt/live/xxx.com/cert.pem
        chain_certificates: ["/etc/letsencrypt/live/xxx.com/chain.pem"]
        ca_certificates: ["xxx-integrations.cert.pem"]


And here's the ssl context passed as 'ssl' to ApplicationRunner:

    import ssl

    # TLS context handed to the asyncio ApplicationRunner as ssl=...
    ssl_c = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # client certificate and key issued by the private CA
    ssl_c.load_cert_chain(certfile='client.crt', keyfile='client.key')
    # trust anchor used to verify the router's certificate
    ssl_c.load_verify_locations(cafile='xxx.com.cert')

So... I wonder what am I missing?

Thanks!

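As an added example (not code from this thread or from the Crossbar/Autobahn projects), here is an asyncio client that announces the "tls" authmethod and an authid when joining, builds a client-side SSL context that verifies the router and presents the client certificate, and prints the client certificate's SHA-1 fingerprint to compare against the router's certificate-sha1 entry. Assumptions: the URL, realm, file names and authid are placeholders, and the certificate-sha1 value is taken to be the SHA-1 of the DER-encoded certificate (the form `openssl x509 -fingerprint -sha1` prints).

```python
import hashlib
import ssl

try:
    from autobahn.asyncio.wamp import ApplicationSession, ApplicationRunner
except ImportError:          # autobahn absent: the pure-stdlib helpers still run
    ApplicationSession, ApplicationRunner = object, None


def make_client_ssl_context(certfile=None, keyfile=None, cafile=None):
    """Client-side context: verify the router (SERVER_AUTH turns hostname
    checking on) and present our own certificate so the router can
    authenticate us. cafile is only needed for a non-public router CA."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def sha1_fingerprint(der_bytes):
    """Colon-separated uppercase SHA-1 of a DER certificate, the form used
    in the router's certificate-sha1 principal key (assumption)."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def join_arguments(extra):
    """What the session must announce in HELLO: without authmethods the
    router only sees 'anonymous' and rejects the join."""
    extra = extra or {}
    return {"authmethods": ["tls"], "authid": extra.get("authid")}


class TLSClientSession(ApplicationSession):
    def onConnect(self):
        self.join(self.config.realm, **join_arguments(self.config.extra))

    async def onJoin(self, details):
        print("joined as", details.authid, "with role", details.authrole)


if __name__ == "__main__":
    # Hypothetical paths, URL, realm and authid: substitute the real ones.
    ctx = make_client_ssl_context("client.crt", "client.key")
    with open("client.crt") as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    print("certificate-sha1 for the router config:", sha1_fingerprint(der))
    ApplicationRunner("wss://xxx.com:443/ws", "realm1",
                      extra={"authid": "tms_29344008"}, ssl=ctx).run(TLSClientSession)
```
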
pe...@koodaamo.fi

Nov 29, 2016, 7:06:38 AM11/29/16
to Crossbar
I also noticed my client was missing the "authid" passed to ApplicationRunner as part of the "extra" parameter. But seems that does not make any difference.

Here's also the pertinent entry of the crossbar debug log:

crossbar.router.session.RouterSession] client requested valid, but unconfigured authentication method anonymous

Tobias Oberstein

Nov 29, 2016, 7:40:34 AM11/29/16
to cross...@googlegroups.com
Hi,

here is a complete example (Twisted though) of client cert based
authentication:

https://github.com/crossbario/crossbarexamples/tree/master/authentication/tls/static

Maybe this helps,
/Tobias

PS: This example runs the component embedded in the router to simplify
starting the whole example.

Petri Savolainen

Nov 29, 2016, 8:12:14 AM11/29/16
to cross...@googlegroups.com
Thanks Tobias, that I had already checked. Does not help unfortunately, as you said, it's Twisted and runs in the router, whereas I have a standalone asyncio app...


Tobias Oberstein

Nov 29, 2016, 8:42:11 AM11/29/16
to cross...@googlegroups.com, Autobahn
On 29.11.2016 at 14:12, Petri Savolainen wrote:
> Thanks Tobias, that I had already checked. Does not help unfortunately, as you said, it's Twisted and runs in the router, whereas I have a standalone asyncio app...

So this is actually an AutobahnPython/asyncio question .. forwarding ..
to the Autobahn list ..

>
>> Tobias Oberstein <tobias.o...@gmail.com> wrote on 29.11.2016 at 14.40:
>>
>> Hi,
>>
>> here is a complete example (Twisted though) of client cert based authentication:
>>
>> https://github.com/crossbario/crossbarexamples/tree/master/authentication/tls/static
>>
>> Maybe this helps,
>> /Tobias
>>
>> PS: This example runs the component embedded in the router to simplify starting the whole example.
