non-hosted asyncio TLS client certificate auth config?

#1

I’ve struggled for a while with that now. I’ve created my own CA and then a client key & certificate using that. The crossbar router is using a certificate from Let's Encrypt.

The server certificate config works ok, but for some reason, I am stuck with the asyncio WAMP client certificate auth. Trying to authenticate, I get the error:

wamp.error.no_auth_method: cannot authenticate using any of the offered authmethods ['anonymous']

So it’s as if the client needs to specifically request some auth method? How?

The docs & examples I’ve found for TLS client certificate auth seem to always use a WAMP component hosted by crossbar. But that’s not my use case - the WAMP components connect remotely (what’s the point of using TLS for a hosted local component, anyway?)

For what it’s worth, here’s what I’ve already followed to the best of my ability:

http://crossbar.io/docs/Secure-WebSocket-and-HTTPS/

http://crossbar.io/docs/TLS-Certificates/

http://crossbar.io/docs/TLS-Client-Certificate-Authentication/

And checked various examples:

https://github.com/crossbario/autobahn-python/blob/master/examples/asyncio/wamp/pubsub/tls/backend_selfsigned.py

https://github.com/crossbario/crossbarexamples/tree/master/authentication/tls/static

I also found this, with some nuggets:

https://github.com/crossbario/crossbar/pull/537

0 Likes

#2

To clarify, what I am trying to do is static TLS Client Certificate authentication. Here’s the crossbar transport config:

(with obfuscated file names, changed SHA etc.)

```yaml
transports:
  - type: websocket
    auth:
      tls:
        type: static
        principals:
          tms_29344008:
            certificate-sha1: "5C:CE:3E:90:00:0F:5D:9F:93:45:3E:94:CE:13:FD:00:8B:AA:DB:83"
            role: tms
    endpoint:
      type: tcp
      port: 443
      tls:
        key: /etc/letsencrypt/live/xxx.com/privkey.pem
        certificate: /etc/letsencrypt/live/xxx.com/cert.pem
        chain_certificates: ["/etc/letsencrypt/live/xxx.com/chain.pem"]
        ca_certificates: ["xxx-integrations.cert.pem"]
```

And here’s the ssl context passed as ‘ssl’ to ApplicationRunner:

```python
import ssl

# Client-side context: SERVER_AUTH verifies the router's certificate.
# CLIENT_AUTH would build a server-side context that does not verify the peer.
ssl_c = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
ssl_c.load_cert_chain(certfile='client.crt', keyfile='client.key')  # our client cert + key
ssl_c.load_verify_locations(cafile='xxx.com.cert')                  # trust anchor for the router
```

So… I wonder what am I missing?

Thanks!

On Tuesday, 29 November 2016 at 13.13.28 UTC+2, pe...@koodaamo.fi wrote:

···


0 Likes

#3

I also noticed my client was missing the “authid” passed to ApplicationRunner as part of the “extra” parameter. But seems that does not make any difference.

Here’s also the pertinent entry of the crossbar debug log:

```
crossbar.router.session.RouterSession] client requested valid, but unconfigured authentication method anonymous
```

On Tuesday, 29 November 2016 at 13.21.42 UTC+2, pe...@koodaamo.fi wrote:

···


0 Likes
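The router log above shows the client's HELLO offering only `anonymous`, so crossbar never tried the `tls` method: with autobahn's asyncio `ApplicationSession` the client has to request it itself in `onConnect` via `self.join(..., authmethods=['tls'])`. The block below is an added example, not code from this thread or from the autobahn project; the file paths, URL, realm and authid are placeholders, and the fingerprint helper produces the value a `certificate-sha1` principal entry expects.

```python
import hashlib
import ssl

try:
    from autobahn.asyncio.wamp import ApplicationRunner, ApplicationSession
except ImportError:  # autobahn absent: the TLS helpers below still work on their own
    ApplicationRunner, ApplicationSession = None, object


def certificate_sha1_fingerprint(der: bytes) -> str:
    """SHA-1 of a DER certificate in the colon-separated form used by certificate-sha1."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_sha1_fingerprint_pem(pem: str) -> str:
    """Same fingerprint starting from PEM text, e.g. the contents of client.crt."""
    return certificate_sha1_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def build_client_ssl_context(certfile, keyfile, cafile=None) -> ssl.SSLContext:
    """Client-side context: verify the router's certificate and present our own.

    Purpose.SERVER_AUTH is the client role; Purpose.CLIENT_AUTH would build a
    server-side context with verify_mode CERT_NONE, so the router's Let's Encrypt
    certificate would never be checked. cafile=None keeps the system trust store,
    which already covers Let's Encrypt.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)  # sent when the router asks
    return ctx


class TlsClientSession(ApplicationSession):
    """Requests the 'tls' authmethod; without it HELLO falls back to anonymous."""

    def onConnect(self):
        extra = self.config.extra or {}
        self.join(self.config.realm, authmethods=["tls"], authid=extra.get("authid"))

    def onJoin(self, details):
        print("joined as", details.authid, "with role", details.authrole)


if __name__ == "__main__":
    if ApplicationRunner is None:
        raise SystemExit("autobahn is required for the WAMP client part")
    # Hypothetical paths, URL, realm and authid (placeholders, not from the thread).
    ctx = build_client_ssl_context("client.crt", "client.key")
    runner = ApplicationRunner("wss://xxx.com:443/ws", "realm1",
                               extra={"authid": "tms_29344008"}, ssl=ctx)
    runner.run(TlsClientSession)
```

The fingerprint printed by `certificate_sha1_fingerprint_pem(open("client.crt").read())` is what belongs under the principal's `certificate-sha1` key in the router config.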

#4

Hi,

here is a complete example (Twisted though) of client cert based authentication:

https://github.com/crossbario/crossbarexamples/tree/master/authentication/tls/static

Maybe this helps,
/Tobias

PS: This example runs the component embedded in the router to simplify starting the whole example.

···

On 29.11.2016 at 13:06, pe...@koodaamo.fi wrote:


0 Likes

#5

Thanks Tobias, that I had already checked. Does not help unfortunately, as you said, it’s Twisted and runs in the router, whereas I have a standalone asyncio app…

···

Tobias Oberstein tobias.o...@gmail.com wrote on 29.11.2016 at 14.40:


0 Likes

#6

So this is actually an AutobahnPython/asyncio question .. forwarding .. to the Autobahn list ..

···

On 29.11.2016 at 14:12, Petri Savolainen wrote:


0 Likes