Yubico Forum

Re: ykclient fails talking HTTP/1.1 to tomcat

2009-04-30T20:07:08+01:00

guymatz wrote:

And it looks like you've found a resolution to the issue! Thanks so much, Mr. Sushkin! It's a pleasure to be a part of the Yubico community with such helpful people such as yourself! If only there was a "pat on the back" emoticon . . . I would give you *two* of them!

Thanks again,
Guy Matz

No problem at all, Mr. Matz
"buy a beer" emoticons?

Statistics: Posted by NicholasSushkin — Thu Apr 30, 2009 8:07 pm

Re: ykclient fails talking HTTP/1.1 to tomcat

2009-04-30T17:45:33+01:00

Statistics: Posted by guymatz — Thu Apr 30, 2009 5:45 pm

Re: ykclient fails talking HTTP/1.1 to tomcat

2009-04-30T17:02:44+01:00

Running into a known issue
http://code.google.com/p/yubico-c-clien ... etail?id=2

Statistics: Posted by NicholasSushkin — Thu Apr 30, 2009 5:02 pm

Re: ykclient fails talking HTTP/1.1 to tomcat

2009-04-30T16:26:35+01:00

I rerun Guy's test with ykclient SVN revision 59 (latest as of today). It looks like there is some problem parsing out lines of response.
Here's the output of ykclient run with debug enabled. Notice how the status variable has length of 51 and contains both status=... and h=... lines.

./ykclient 2 tgueneblcteluhgudfnbbiffevgddlifgnngiekvuiuu
Input:
client id: 2
token: tgueneblcteluhgudfnbbiffevgddlifgnngiekvuiuu
debug: ykclient.c:399 (ykclient_request): server response (83): t=2009-04-30T10:16:03Z0613
status=REPLAYED_OTP
h=BWwOiYTKijmo3SJCmUT1XyMLGPY=

debug: ykclient.c:412 (ykclient_request): parsed status (51): status=REPLAYED_OTP
h=BWwOiYTKijmo3SJCmUT1XyMLGPY=
Verification output (101): Could not parse server response

Statistics: Posted by NicholasSushkin — Thu Apr 30, 2009 4:26 pm

ykclient fails talking HTTP/1.1 to tomcat

2009-04-29T21:58:31+01:00

ykclient fails, but it shouldn't!
i get the following when trying to authenticate to a local authentication server:
[gmatz@bunnybear ykclient-2.2]$ ./ykclient 1 frrdebhfhebhtdvevvthgktfutbigvkufb
Input:
client id: 1
token: frrdebhfhebhtdvevvthgktfutbigvkufb
Verification output (101): Could not parse server response

however my webserver log says:

2009-04-29 15:45:01,863 [http-8080-1] DEBUG com.yubico.wsapi.Database - com.mysql.jdbc.ServerPreparedStatement[1] - select * from clients where id = '1'
2009-04-29 15:45:01,866 [http-8080-1] DEBUG com.yubico.wsapi.Database - com.mysql.jdbc.ServerPreparedStatement[2] - select * from perms where id = '1'
2009-04-29 15:45:01,868 [http-8080-1] INFO com.yubico.wsapi.Perms - Checking [VerificationRequest [Request [Message map={id=1, otp=frhikfucfnvevtunnfrrdirlcdliihivdutlbjllhdcu}]]] against [Perms verify otp=true, add clients=true, delete clients=true, add keys=true, delete keys=true]
2009-04-29 15:45:01,895 [http-8080-1] INFO com.yubico.wsapi.Database - com.mysql.jdbc.ServerPreparedStatement[1] - select * from yubikeys where tokenId = 'TGeU4Evz'
2009-04-29 15:45:01,897 [http-8080-1] DEBUG com.yubico.wsapi.Database - com.mysql.jdbc.ServerPreparedStatement[1] - select * from yubikeys where tokenId = 'TGeU4Evz'
2009-04-29 15:45:01,899 [http-8080-1] DEBUG com.yubico.wsapi.KeySubsystem - secret=[Secret key=X3YvTwzsvfDC6CZoo3NJ6g==]
2009-04-29 15:45:01,899 [http-8080-1] DEBUG com.yubico.wsapi.KeySubsystem - otp=vtunnfrrdirlcdliihivdutlbjllhdcu
2009-04-29 15:45:01,919 [http-8080-1] DEBUG com.yubico.wsapi.Database - com.mysql.jdbc.ServerPreparedStatement[1] - update yubikeys set accessed='2009-04-29 15:45:01', counter=64, high=101, low=48332, sessionUse=0 where tokenId='TGeU4Evz'
2009-04-29 15:45:01,987 [http-8080-1] DEBUG com.yubico.wsapi.VerificationResponse - client signer=[Client created=Wed Apr 15 00:00:00 GMT-05:00 2009, email=fooo@bar.com, secret=[Secret key=Mysecret], perms=[Perms verify otp=true, add clients=true, delete clients=true, add keys=true, delete keys=true]]
2009-04-29 15:45:01,987 [http-8080-1] DEBUG com.yubico.wsapi.Message - message.sign, map={t=2009-04-29T15:45:01Z0987, status=OK}
2009-04-29 15:45:01,987 [http-8080-1] DEBUG com.yubico.wsapi.Crypto - about to sign {t=2009-04-29T15:45:01Z0987, status=OK}
2009-04-29 15:45:01,988 [http-8080-1] DEBUG com.yubico.wsapi.Crypto - signing status=OK&t=2009-04-29T15:45:01Z0987 with [Secret key=MySecret] into hpiahOFNvJ6DA3rUxnUnqIe1k/g=

strace says that ykclient (libcurl) is initiating a HTTP/1.1 call (its default), so i tried a few HTTP/1.0 GETs by hand and it looks like it fails in HTTP/1.1 GETs and only works with HTTP/1.0 GETs

[gmatz@bunnybear ykclient-2.2]$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /wsapi/verify?id=1&otp=frhikfucfnvecjgvhkbigeknvglrdlbclhbbnlkhnujk HTTP/1.0

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/plain
Content-Length: 73
Date: Wed, 29 Apr 2009 20:50:03 GMT
Connection: close

t=2009-04-29T15:50:03Z0415
status=OK
h=qrEMiTi7i4tcOR2NKJem1VDoYZk=

Connection closed by foreign host.
[gmatz@bunnybear ykclient-2.2]$ telnet localhost 8080
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /wsapi/verify?id=1&otp=frhikfucfnvelvgjgdujjvvhulvrjtjdnuffnnegflbh HTTP/1.1

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Wed, 29 Apr 2009 20:50:27 GMT
Connection: close

0

Connection closed by foreign host.

I added a line to ykclient.c to force a 1.0 connection:
curl_easy_setopt (ykc->curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);

but I still get a 1.1 response from my tomcat 6 server.

BTW, does anyone know why the server is hard-coded in ykclient? why it doesn't take command line params?

any help here would be much appreciated.

Regards,
Guy

Statistics: Posted by guymatz — Wed Apr 29, 2009 9:58 pm