0.11.2 does not appear to be handling the tls certificate bundle properly

#1

After an excruciating amount of testing I'm fairly confident that crossbar 0.11.2 and/or autobahn 0.11.0 is not properly handling the TLS certificate CA bundle.

    "tls": {
        "key": "/certs/server.key",
        "certificate": "/certs/server.crt",
        "dhparam": "/certs/dhparam.pem",
        "ciphers": "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS"
    }

I can get an SSL connection, but there are CA bundle errors,

whereas I don't get the errors on our old 0.11.1.

I'm leaning towards this actually being an autobahn error, as the autobahn version seems to be the main change which affects this.

This is our current working build:

    Running on Linux and optimal reactor (epoll) was installed.
     Crossbar.io    : 0.11.1
     Autobahn       : 0.10.9
     UTF8 Validator : wsaccel-0.6.2
     XOR Masker     : wsaccel-0.6.2
     JSON Codec     : ujson-1.33
     MsgPack Codec  : msgpack-python-0.4.6
     Twisted        : 15.4.0-EPollReactor
     Python         : 2.7.10 CPython
     OS             : Linux-3.14.38-x86_64-with-debian-8.2
     Machine        : x86_64

This does not work:

         __ __ __ __ __ __ __ __
        / `|__)/ \/__`/__`|__) /\ |__) |/ \
        \__,| \\__/.__/.__/|__)/~~\| \. |\__/

     Crossbar.io    : 0.11.2
     Autobahn       : 0.11.0
     UTF8 Validator : wsaccel-0.6.2
     XOR Masker     : wsaccel-0.6.2
     JSON Codec     : ujson-1.34
     MsgPack Codec  : msgpack-python-0.4.6
     Twisted        : 15.5.0-EPollReactor
     Python         : 2.7.11/CPython
     OS             : Linux-4.1.13-18.26.amzn1.x86_64-x86_64-with-debian-8.2
     Machine        : x86_64

Am I missing something that I need to do with 0.11.2 for the CA bundle?

0 Likes

#2

Hi Greg,

> I can get an ssl connection but there are ca bundle errors

What errors exactly? Can you attach an openssl handshake log?

Compare: https://gist.github.com/oberstet/24d33ae7eb5fca2790bd

FWIW, we are running trunk on our own demo instance fine. Check out https://demo.crossbar.io/ws

or

https://cbdemo-eu-central-1.crossbar.io/ws
https://cbdemo-us-west-1.crossbar.io/ws

(the demo instance actually is 2 instances with DNS georouting)

You can look at SSL Labs rating here

https://www.ssllabs.com/ssltest/analyze.html?d=demo.crossbar.io&latest

(that will connect to the US instance)

This is using Let's Encrypt certificates and this config

             {
                "type": "web",
                "endpoint": {
                   "type": "tcp",
                   "port": 443,
                   "tls": {
                      "key": "privkey.pem",
                      "certificate": "cert.pem",
                      "chain_certificates": ["chain.pem"],
                      "dhparam": "dhparam.pem",
                      "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA"
                   }
                },
                "options": {
                   "access_log": false,
                   "display_tracebacks": false,
                   "hsts": true,
                   "hsts_max_age": 31536000
                },

Please note that the code on trunk disables anything but TLS v2. This is different from 0.11.2 release (which still allowed older versions). Trunk also disables TLS session resumption and (non-secure) renegotiation.

Cheers,
/Tobias


On 19.01.2016 at 06:43, Greg Keys wrote:

--
You received this message because you are subscribed to the Google Groups "Crossbar" group.
To unsubscribe from this group and stop receiving emails from it, send an email to crossbario+...@googlegroups.com.
To post to this group, send email to cross...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/crossbario/761abdca-ff32-4212-b623-a7bca77a7095%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

0 Likes

#3

AFAIK Crossbar v0.11.2 does not send clients the certificate with the full CA chain.

This may cause problems with outdated user agents.

The master branch is not affected since a new tls option has been added to solve this issue.


On Jan 19, 2016 8:02 AM, "Tobias Oberstein" tobias.o...@gmail.com wrote:


0 Likes

#4

Some things have changed in both Twisted and Crossbar.io. In the past, the certificates had to be concatenated and provided to CB as one file. With CB master, there now is a server cert and a list of server chain certs to be provided.


On Tuesday, 19 January 2016 at 08:54:05 UTC+1, Sergio Santoro wrote:


0 Likes
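The migration described in the replies above (one concatenated certificate file in the old setup versus a leaf "certificate" plus a list of "chain_certificates" in master) is mechanical, but it is easy to get wrong by hand: a truncated block or a stray marker in the bundle only shows up later as a handshake that older clients reject. The script below is an added example written for this thread, not Crossbar.io project code. It splits an old-style bundle into the two files the newer config takes, using only the standard library (ssl.PEM_cert_to_DER_cert does the per-block syntax check). It assumes the conventional bundle order (leaf first, then intermediates towards the root); the file names cert.pem and chain.pem are this example's choice, and the PEM bodies in the sample bundle are constructed placeholders, not real certificates.

```python
"""
Added example (not Crossbar.io project code): split an old-style
concatenated PEM bundle into the separate "certificate" and
"chain_certificates" files that the newer Crossbar.io transport "tls"
config takes.  Standard library only.
"""
import base64
import re
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# One PEM certificate block; the body spans lines, hence DOTALL and a
# non-greedy match up to the first END marker.
_PEM_BLOCK = re.compile(
    re.escape(PEM_HEADER) + r".*?" + re.escape(PEM_FOOTER), re.DOTALL
)


def split_pem_bundle(bundle_text):
    """Return every CERTIFICATE block in bundle_text, in file order.

    Text between blocks (the 'subject=' / 'issuer=' lines some tools
    prepend, blank lines, comments) is skipped.  A block that lacks its
    END marker would swallow the next block, so that is rejected, and each
    block is decoded with ssl.PEM_cert_to_DER_cert so a truncated or
    corrupted base64 body raises ValueError here instead of surfacing as a
    handshake failure later.
    """
    blocks = [m.group(0) for m in _PEM_BLOCK.finditer(bundle_text)]
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    for index, block in enumerate(blocks):
        if PEM_HEADER in block[len(PEM_HEADER):]:
            raise ValueError("certificate block %d is missing its END marker" % index)
        try:
            ssl.PEM_cert_to_DER_cert(block)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("certificate block %d is not valid PEM: %s" % (index, exc))
    return blocks


def plan_split(bundle_text, out_dir):
    """Decide which files to write and what the Crossbar "tls" keys become.

    Assumes the conventional bundle order: leaf certificate first, then the
    intermediates from the leaf towards the root.  A bundle with a single
    block has no chain, so "chain_certificates" is an empty list.  Returns
    {'files': {path: content}, 'tls': {...config fragment...}}.  The names
    cert.pem / chain.pem are this example's choice, not a Crossbar rule.
    """
    blocks = split_pem_bundle(bundle_text)
    base = out_dir.rstrip("/")
    leaf_path = base + "/cert.pem"
    files = {leaf_path: blocks[0] + "\n"}
    chain_paths = []
    if len(blocks) > 1:
        chain_path = base + "/chain.pem"
        files[chain_path] = "\n".join(blocks[1:]) + "\n"
        chain_paths.append(chain_path)
    return {
        "files": files,
        "tls": {"certificate": leaf_path, "chain_certificates": chain_paths},
    }


def write_plan(plan):
    """Write the planned files to disk (kept apart so plan_split stays pure)."""
    for path, content in plan["files"].items():
        with open(path, "w") as fh:
            fh.write(content)


def _pem(placeholder_bytes):
    """Wrap constructed placeholder bytes as a PEM block (NOT a real cert)."""
    return PEM_HEADER + "\n" + base64.encodebytes(placeholder_bytes).decode("ascii") + PEM_FOOTER


# Constructed sample bundle with the kind of subject/issuer lines that
# openssl tooling writes between certificates.  Bodies are placeholders.
SAMPLE_BUNDLE = "\n".join([
    "subject=CN=example.invalid", "issuer=CN=Placeholder Intermediate",
    _pem(b"placeholder leaf"),
    "subject=CN=Placeholder Intermediate", "issuer=CN=Placeholder Root",
    _pem(b"placeholder intermediate"),
])

# Constructed bundle whose second block has a corrupted body (5 base64 chars).
BROKEN_BUNDLE = _pem(b"placeholder leaf") + "\n" + PEM_HEADER + "\nQUJDR\n" + PEM_FOOTER

if __name__ == "__main__":
    plan = plan_split(SAMPLE_BUNDLE, "/tmp/crossbar-certs")
    print(plan["tls"])  # the two keys to paste into the transport "tls" block
```

After writing the files and pointing the transport config at them, check what the server actually presents with `openssl s_client -connect host:443 -showcerts`; that output is the handshake log Tobias asks for above, and the number of certificates it lists is the quickest way to confirm the intermediates are now being sent.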

#5

Ah yes, I forgot about that, thanks.

0 Likes