Opened 10 years ago

Closed 9 years ago

#83 closed defect (fixed)

cmdctl and missing key/certificate

Reported by: jreed
Owned by: UnAssigned
Priority: medium
Milestone: 06. 4th Incremental Release
Component: ~bind-ctl (obsolete)
Version:
Keywords:
Cc:
CVSS Scoring:
Parent Tickets:
Sensitive: no
Defect Severity:
Sub-Project: Feature
Depending on Ticket:
Estimated Difficulty: 0.0
Add Hours to Ticket:
Total Hours:
Internal?: no

Description

b10-cmdctl still runs when the certificate and/or key is missing.

For example, later on when a HTTPS connection is attempted, it prints:

cmdctl: deny client's invalid connection [Errno 336265218] _ssl.c:338: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib

What can it do without it?

Opening this ticket to make sure it gets documented, logged or whatever needs to be done.

Change History (11)

comment:1 Changed 10 years ago by zhanglikun

  • Owner set to zhanglikun
  • Status changed from new to assigned

comment:2 Changed 9 years ago by shane

  • Component changed from Unclassified to bind-ctl
  • Milestone set to feature backlog item

comment:3 Changed 9 years ago by shane

  • Milestone changed from feature backlog item to 05. 3rd Incremental Release
  • Owner changed from zhanglikun to shentingting

comment:4 follow-up: Changed 9 years ago by zhanglikun

  • Owner changed from shentingting to jreed
  • Status changed from assigned to reviewing

cmdctl still runs when the key/cert file is missing (there is one error message provided to the user), but no user can log in to cmdctl; cmdctl will deny any connection from clients, but it doesn't have any impact on the service provided by the Auth server.

I don't want to let cmdctl exit, since it will make the boss start cmdctl again.

There is one open question: how to check the content of the key or certificate file? I haven't found a better way to check the key/certificate content. Now the checking relies on ssl.wrap_socket(), but I don't think it's the best choice.
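One way to answer the open question above (checking the key/certificate content at startup instead of discovering the problem only when ssl.wrap_socket() fails on the first client connection) is shown below. This is an added example, not BIND 10 or cmdctl code: it relies on ssl.SSLContext.load_cert_chain(), which parses both PEM files and rejects a private key that doesn't match the certificate, and it also flags a private key that other users can read. The file names follow the ticket's cmdctl-certfile.pem / cmdctl-keyfile.pem; the demo's valid case assumes the openssl command-line tool is installed.

```python
"""Fail-fast check of cmdctl's TLS key and certificate (added example, not BIND 10 code)."""
import os
import shutil
import ssl
import stat
import subprocess
import tempfile


def check_tls_material(certfile, keyfile):
    """Return a list of problems with the cert/key pair; an empty list means it is usable.

    Checked in order:
      1. both files exist (messages mirror the ones cmdctl logs per connection),
      2. the private key is not accessible by group or others,
      3. OpenSSL can parse both files and the key matches the certificate.
    """
    problems = []
    for label, path in (("certificate", certfile), ("key", keyfile)):
        if not os.path.isfile(path):
            problems.append("%s file '%s' doesn't exist" % (label, path))
    if problems:
        return problems          # the remaining checks need both files

    mode = stat.S_IMODE(os.stat(keyfile).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("key file '%s' is accessible by group or others (mode %o)"
                        % (keyfile, mode))

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # raises ssl.SSLError on corrupt PEM data or on a key/certificate mismatch
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as exc:
        problems.append("certificate/key pair is not usable: %s" % exc)
    return problems


def make_self_signed(dirpath):
    """Generate a throwaway self-signed pair with the openssl CLI (assumed installed); demo only."""
    cert = os.path.join(dirpath, "cmdctl-certfile.pem")
    key = os.path.join(dirpath, "cmdctl-keyfile.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=cmdctl-test"],
                   check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    os.chmod(key, 0o600)
    return cert, key


def demo():
    """Run the check over constructed inputs in a temp dir; returns the problem lists per case."""
    results = {}
    workdir = tempfile.mkdtemp(prefix="cmdctl-check-")
    try:
        cert = os.path.join(workdir, "cmdctl-certfile.pem")
        key = os.path.join(workdir, "cmdctl-keyfile.pem")
        results["missing"] = check_tls_material(cert, key)

        for path in (cert, key):            # constructed corrupt content
            with open(path, "w") as fh:
                fh.write("this is not PEM data\n")
        os.chmod(key, 0o600)
        results["corrupt"] = check_tls_material(cert, key)

        os.chmod(key, 0o644)                # key readable by everyone on the host
        results["exposed_key"] = check_tls_material(cert, key)

        if shutil.which("openssl"):
            cert, key = make_self_signed(workdir)
            results["valid"] = check_tls_material(cert, key)
    finally:
        shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "ok")
```

Running the check once at startup and logging each problem keeps the behaviour zhanglikun wants (cmdctl stays up and denies clients rather than exiting and being restarted by the boss), but the administrator sees the reason in the log immediately instead of only after the first failed bindctl login.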

comment:5 in reply to: ↑ 4 ; follow-up: Changed 9 years ago by jreed

  • Owner changed from jreed to UnAssigned

Replying to zhanglikun:

cmdctl still runs when the key/cert file is missing (there is one error message provided to the user), but no user can log in to cmdctl; cmdctl will deny any connection from clients, but it doesn't have any impact on the service provided by the Auth server.

I don't see the error message for the admin running bind10 / cmdctl. What is the svn revision number for this "error message"? Or please copy and paste the error message or point me to the code.

comment:6 in reply to: ↑ 5 Changed 9 years ago by zhanglikun

Replying to jreed:

Replying to zhanglikun:

cmdctl still runs when the key/cert file is missing (there is one error message provided to the user), but no user can log in to cmdctl; cmdctl will deny any connection from clients, but it doesn't have any impact on the service provided by the Auth server.

I don't see the error message for the admin running bind10 / cmdctl. What is the svn revision number for this "error message"? Or please copy and paste the error message or point me to the code.

Hi Jeremy, you can only get the error message when you try to connect with cmdctl (should I give the error when cmdctl is starting?).

Steps:

  1. Remove "/usr/local/etc/bind10-devel/cmdctl-keyfile.pem".
  2. Start Bind10 with the '-v' option.
  3. Start bindctl; the error message will be printed on the screen.

like:
"[b10-cmdctl] Fail to get user information, will deny any user"
""

"[b10-cmdctl] Deny client's connection because key file '/usr/local/etc/bind10-devel/cmdctl-keyfile.pem' doesn't exist"

"[b10-cmdctl] Deny client's connection because certificate file '/usr/local/etc/bind10-devel/cmdctl-certfile.pem' doesn't exist"

comment:7 Changed 9 years ago by shane

  • Milestone changed from 05. 3rd Incremental Release: Serious Secondary to 06. 4th Incremental Release

comment:8 Changed 9 years ago by jreed

  • billable set to 0
  • Estimated Difficulty set to 0.0
  • Internal? unset

The cmdctl has okay output:

[b10-cmdctl] Deny client's connection because key file '/home/reed/opt/bind10/etc/bind10-devel/cmdctl-keyfile.pem' doesn't exist

But bindctl is too noisy:

$ /home/reed/opt/bind10/bin/bindctl
Traceback (most recent call last):
  File "/home/reed/opt/bind10/lib/python3.1/site-packages/bindctl/bindcmd.py", line 184, in login_to_cmdctl
    response = self.send_POST('/login', param)
  File "/home/reed/opt/bind10/lib/python3.1/site-packages/bindctl/bindcmd.py", line 247, in send_POST
    self.conn.request('POST', url, param, headers)
  File "/usr/pkg/lib/python3.1/http/client.py", line 918, in request
    self._send_request(method, url, body, headers)
  File "/usr/pkg/lib/python3.1/http/client.py", line 956, in _send_request
    self.endheaders(body)
  File "/usr/pkg/lib/python3.1/http/client.py", line 914, in endheaders
    self._send_output(message_body)
  File "/usr/pkg/lib/python3.1/http/client.py", line 768, in _send_output
    self.send(msg)
  File "/usr/pkg/lib/python3.1/http/client.py", line 716, in send
    self.connect()
  File "/home/reed/opt/bind10/lib/python3.1/site-packages/bindctl/bindcmd.py", line 88, in connect
    ca_certs=self.ca_certs)
  File "/usr/pkg/lib/python3.1/ssl.py", line 381, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/pkg/lib/python3.1/ssl.py", line 135, in __init__
    raise x
  File "/usr/pkg/lib/python3.1/ssl.py", line 131, in __init__
    self.do_handshake()
  File "/usr/pkg/lib/python3.1/ssl.py", line 327, in do_handshake
    self._sslobj.do_handshake()
socket.error: [Errno 54] Connection reset by peer
Fail to login to cmdctl
Fail to connect with b10-cmdctl module, is it running?
Traceback (most recent call last):
  File "/home/reed/opt/bind10/lib/python3.1/site-packages/bindctl/bindcmd.py", line 184, in login_to_cmdctl
    response = self.send_POST('/login', param)
  File "/home/reed/opt/bind10/lib/python3.1/site-packages/bindctl/bindcmd.py", line 247, in send_POST
    self.conn.request('POST', url, param, headers)
  File "/usr/pkg/lib/python3.1/http/client.py", line 918, in request
    self._send_request(method, url, body, headers)
  File "/usr/pkg/lib/python3.1/http/client.py", line 956, in _send_request
    self.endheaders(body)
  File "/usr/pkg/lib/python3.1/http/client.py", line 914, in endheaders
    self._send_output(message_body)
  File "/usr/pkg/lib/python3.1/http/client.py", line 768, in _send_output
    self.send(msg)
  File "/usr/pkg/lib/python3.1/http/client.py", line 716, in send
    self.connect()
  File "/home/reed/opt/bind10/lib/python3.1/site-packages/bindctl/bindcmd.py", line 88, in connect
    ca_certs=self.ca_certs)
  File "/usr/pkg/lib/python3.1/ssl.py", line 381, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/pkg/lib/python3.1/ssl.py", line 135, in __init__
    raise x
  File "/usr/pkg/lib/python3.1/ssl.py", line 131, in __init__
    self.do_handshake()
  File "/usr/pkg/lib/python3.1/ssl.py", line 327, in do_handshake
    self._sslobj.do_handshake()
socket.error: [Errno 54] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/reed/opt/bind10/lib/python3.1/site-packages/bindctl/bindcmd.py", line 119, in run
    if not self.login_to_cmdctl():
  File "/home/reed/opt/bind10/lib/python3.1/site-packages/bindctl/bindcmd.py", line 188, in login_to_cmdctl
    raise FailToLogin()
bindctl.exception.FailToLogin: Fail to login to cmdctl
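The noise in the output above has two sources: the socket error is printed in full, and FailToLogin is then raised inside the except block, so Python chains the original exception onto the new one and prints both. The following is an added example, not bindctl's own code, of the client-side handling that collapses a transport or handshake failure (refused, reset by peer, timeout, bad certificate) into one actionable line while keeping certificate verification on. The host and port are parameters here; the example does not assume cmdctl's real port, and the demo reserves a free localhost port that nothing listens on.

```python
"""One-line error reporting for a failed cmdctl connection (added example, not BIND 10 code)."""
import socket
import ssl


class FailToLogin(Exception):
    """Raised when the control channel cannot be reached; str(exc) is the one line to print."""


def connect_to_cmdctl(host, port, ca_certs=None, timeout=2.0):
    """Open a TLS connection to cmdctl, turning transport/handshake errors into FailToLogin."""
    # verification stays on; a self-signed cmdctl certificate is trusted by passing it as ca_certs
    ctx = ssl.create_default_context(cafile=ca_certs)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        return ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError as exc:          # subclass of OSError, so it must be caught first
        raise FailToLogin("TLS handshake with b10-cmdctl at %s:%d failed: %s"
                          % (host, port, exc.reason or exc)) from None
    except OSError as exc:               # refused, reset by peer, timeout, ...
        # 'from None' suppresses the "During handling of the above exception" chain
        raise FailToLogin("Fail to connect with b10-cmdctl at %s:%d (%s), is it running?"
                          % (host, port, exc.strerror or exc)) from None


def login_message(host, port, ca_certs=None):
    """Return the single line bindctl should print on failure, or None when the connection works."""
    try:
        conn = connect_to_cmdctl(host, port, ca_certs)
    except FailToLogin as exc:
        return str(exc)
    conn.close()
    return None


def free_port():
    """Constructed test input: a localhost port that was free a moment ago, so connecting is refused."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    print(login_message("127.0.0.1", free_port()))
```

The message keeps the fact the administrator needs (which endpoint failed and why, in the OS's own words) and drops the stack of http.client and ssl frames, which is what ticket 260 set out to fix.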

comment:9 Changed 9 years ago by jreed

Similar problem if cmdctl-certfile.pem is missing.

comment:10 Changed 9 years ago by zhanglikun

Ticket 260 is fixing the noisy problem.

comment:11 Changed 9 years ago by jreed

  • Resolution set to fixed
  • Status changed from reviewing to closed

Looks like this can be closed, as the other problem was fixed in #260.
