Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:50 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 1 post ] 
Author Message
PostPosted: Tue Jun 27, 2017 9:32 pm 
Offline

Joined: Tue Jun 27, 2017 9:20 pm
Posts: 1
I been trying to setup ssl syncing between validation servers and so far have had no luck.



I've created certificates for both servers using openssl.
I then added the certificate to the /etc/ssl/certs/ca-certificates.crt for both servers. This fixed the issue of me calling curl and getting a cert error. I thought everything would be working now, since I could manually call a sync and get a good status, but logged onto the mysql dabase and saw my queue was full. I then checked /var/log/syslog and saw the following error:
Jun 27 15:22:38 testval1 ykval[3982]: LOG_DEBUG:ykval-queue:synclib:handle indicated to be for https://testval2/wsapi/2.0/sync.
Jun 27 15:22:38 testval2 ykval[3982]: LOG_NOTICE:ykval-queue:synclib:Timeout. Stopping queue resync for server https://testval2/wsapi/2.0/sync

If i call curl directly using:
curl 'https://testval2/wsapi/2.0/sync?otp=<otpval>&modified=<mod_val>&yk_publicname=<public_id>yk_counter=5&yk_use=5&yk_high=229&yk_low=52183&nonce=<nonce>,local_counter=5&local_use=4'

The status comes back as OK.

Any help would be appreciated.


Update:
My current work around until I can get a better fix is to set verifypeer to false in the curl options:
Code:
$baseParams['__YKVAL_SYNC_CURL_OPTS__'] = array(
        CURLOPT_SSL_VERIFYPEER => false
);



What I found was it appears I'm getting a CURLE_SSL_CACERT error from ykval-queue. I created a simple test.php to debug this with the following:
Code:
<?php

$urls = array(
   "https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr&timestamp=1",
   "http://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzd&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr&timestamp=1"
);

$mh = curl_multi_init();

var_dump('start');
foreach ($urls as $i => $url) {
    $conn[$i] = curl_init($url);
    curl_setopt($conn[$i], CURLOPT_RETURNTRANSFER, 1);
//    curl_setopt($conn[$i], CURLOPT_CAPATH, "/etc/ssl/certs/");
//    curl_setopt($conn[$i], CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt");
    curl_setopt($conn[$i], CURLOPT_CAINFO, "/test/blah.pem");
//    curl_setopt($conn[$i], CURLOPT_SSL_VERIFYPEER, 0);
    curl_multi_add_handle($mh, $conn[$i]);
}

var_dump('doloop');
do {
    $status = curl_multi_exec($mh, $active);
    $info = curl_multi_info_read($mh);
    if (false !== $info) {
        var_dump($info);
    }
} while ($status === CURLM_CALL_MULTI_PERFORM || $active);

var_dump('another loop');
foreach ($urls as $i => $url) {
    $res[$i] = curl_multi_getcontent($conn[$i]);
    curl_close($conn[$i]);
}

var_dump('enddump');
var_dump(curl_multi_info_read($mh));

?>



Which gives me the following:
Code:
string(5) "start"
string(6) "doloop"
array(3) {
  ["msg"]=>
  int(1)
  ["result"]=>
  int(60) <--- HERE IS THE CURLE_SSL_CACERT ERROR
  ["handle"]=>
  resource(5) of type (curl)
}
array(3) {
  ["msg"]=>
  int(1)
  ["result"]=>
  int(0)
  ["handle"]=>
  resource(6) of type (curl)
}
string(12) "another loop"
string(7) "enddump"
bool(false)


So my manual example is as follows, i moved my certificate out of the /etc/ssl/certs/ca-certificates.crt file to just a /test/blah.pem file, and get the following:
Code:
curl 'https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr&timestamp=1'
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


And pointing to the cert:
Code:
 curl --cacert blah.pem 'https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr&timestamp=1'
h=RoeWTtwokPc0wbIQ17rOqHrGux8=
t=2017-06-29T15:15:08Z0971
otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr
nonce=sopxxrlklguqquyvbkwwqthyvofukjzc
status=REPLAYED_OTP


For some reason calling curl from command line with the certificate in /etc/ssl/certs/ca-certificates.crt file has no issue. It will automatically pickup the cert, but the ykval-queue and test.php for some reason is having issues with the cert. I tried setting some curl_opts to specify the cert, but had no luck with those.

Again any help would be appreciated, as I don't think setting the verifypeer option to false is a great work around.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group