libmicrohttpd
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [libmicrohttpd] Problems with SSL/TLS


From: Jesse Anderton
Subject: Re: [libmicrohttpd] Problems with SSL/TLS
Date: Thu, 18 Feb 2010 13:27:34 -0500

Now for the https test results:

curl version: libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
SHA/TLS tests:
curl_easy_perform failed: `Couldn't use specified SSL cipher'
SHA/SSL3 tests:
curl_easy_perform failed: `Couldn't use specified SSL cipher'
Error: Handshake has failed (-12)
curl_easy_perform failed: `SSL connect error'
FAIL: tls_daemon_options_test
curl version: libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
PASS: mhds_multi_daemon_test
curl version: libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
PASS: mhds_get_test
curl version: libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
PASS: mhds_session_info_test
curl version: libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
PASS: tls_thread_mode_test
curl version: libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
PASS: tls_multi_thread_mode_test
PASS: tls_session_time_out_test
PASS: tls_cipher_change_test
PASS: tls_alert_test
Error: Handshake has failed (-21)
curl_easy_perform failed: `SSL connect error'
Error: Handshake has failed (-21)
curl_easy_perform failed: `SSL connect error'
Error: Handshake has failed (-21)
curl_easy_perform failed: `SSL connect error'
Error: Handshake has failed (-21)
curl_easy_perform failed: `SSL connect error'
FAIL: tls_extension_test
curl version: libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3
PASS: tls_authentication_test
======================================
2 of 11 tests failed
Please report to address@hidden
======================================

I'm working to identify the cause of these issues, but wanted to mention them in case someone knows of easy fixes.  Note that when I link to MHD and run a simple HTTPS service I get a similar "Handshake has failed" error.

Also: these tests didn't compile "out of the box" because they were missing a compiler flag: -I../../../src/daemon/https/minitasn1.  Just to get the tests rolling, I compiled these tests manually with the additional flag in place instead of using make.

Regards,

Jesse

On Thu, Feb 18, 2010 at 12:38 PM, Jesse Anderton <address@hidden> wrote:
Christian,

Got it working.  The problem was that the linker couldn't find libcurl's dependencies, since they were also in a non-standard directory.  The following command worked fine:

./configure --prefix /home/jesse/tmp/libLinux --enable-messages --with-libgcrypt-prefix=/home/jesse/tmp/libLinux --with-libcurl=/home/jesse/tmp/libLinux --enable-curl=yes LDFLAGS=-L/home/jesse/tmp/libLinux/lib 'LIBS=-lcurl -lssl -lcrypto' CPPFLAGS=-I/home/jesse/tmp/libLinux/include LD_LIBRARY_PATH=/home/jesse/tmp/libLinux/lib:$LD_LIBRARY_PATH

It still thought that curl-config was invalid, but it linked to libcurl and decided that was good enough.

Thanks,

Jesse

On Thu, Feb 18, 2010 at 6:37 AM, Christian Grothoff <address@hidden> wrote:
Jesse,

My best guess is that the reason for your trouble is that the configure script
does not support

 "--with-libcurl=/home/jesse/tmp/libLinux"

Try stuff like

export CFLAGS=-I/home/jesse/tmp/libLinux/include
export LDFLAGS=-L/home/jesse/tmp/libLinux/lib

to help the compiler find libcurl.  In any case, you should be able to find
the cause by inspecting "config.log" (grep for 'curl' and see what it tries to
do and why it fails).

Best,

Christian

On Thursday 18 February 2010 12:53:19 am Jesse Anderton wrote:
> Christian,
>
> I've finally found time to get back to TLS support in my web server.  I'm
> having trouble getting it working either in Linux on an x86 or in Solaris
>  on a SPARC.  I decided to start tackling the problem by making sure the
>  curl TLS tests all pass, so I downloaded and installed openssl and
>  libcurl. However, I seem to have done something wrong: MHD's configure
>  can't find libcurl.
>
> I'm working in Linux, and have built all these libraries with --prefix
> /home/jesse/tmp/libLinux.  If I run:
>
> $ ./configure --prefix /home/jesse/tmp/libLinux --enable-messages
> --enable-curl --with-libgcrypt-prefix=/home/jesse/tmp/libLinux
> --with-libcurl=/home/jesse/tmp/libLinux
>
>
> I get:
>
> ...
> checking for /home/jesse/tmp/libLinux/bin/curl-config... no
> checking whether libcurl is usable... no
> ...
> configure: Configuration Summary:
>   Operating System:  linux-gnu
>   Target directory:  /home/jesse/tmp/libLinux
>   Messages:          yes
>   libgcrypt:         yes
>   libcurl (testing): no, many unit tests will not run
>   HTTPS support:     yes
>
> configure: HTTPS subsystem configuration:
>   Client code dep.:  disabled. running some test cases won't be possible
>   License         :  LGPL only
>
>
> Curl is installed, however:
>
> $ /home/jesse/tmp/libLinux/bin/curl-config --version
> libcurl 7.19.7
>
>
> $ /home/jesse/tmp/libLinux/bin/curl-config --feature
> SSL
> IPv6
> libz
> NTLM
>
>
> Any idea what I should check to make configure see the library?  For
> reference, I am using libmicrohttpd-0.4.5.
>
> Thanks,
>
> Jesse
>
> On Tue, Jan 5, 2010 at 2:46 PM, Jesse Anderton <address@hidden> wrote:
> > Christian,
> >
> > Thanks a lot for checking this out for me!  I'm not sure what I'm doing
> > differently, but now I know that the code should work.  I was a little
> > concerned since the documentation for MHD_USE_SSL at
> > http://www.gnu.org/software/libmicrohttpd/microhttpd.html#SEC2 indicates
> > that SSL is not yet supported.  Most likely that comment just needs to be
> > updated.
> >
> > Here's what happens when I attempt to duplicate your test:
> >
> > 1. I copied the server.* files you sent along with the latest
> > tlsauthentication.c from svn HEAD into a folder.  I added MHD_USE_DEBUG
> > in order to get the output below (it fails either way).
> >
> > 2. I compiled the program like so (using g++ 3.3.3):
> >
> > gcc -o fs tlsauthentication.c -Iinclude -lmicrohttpd -lgcrypt -lgpg-error
> >
> >> -lsocket -lpthread -L~/dev/ext/lib/solaris_gcc3/static
> >
> > Note that I am linking statically, so I had to add a couple more
> > libraries. I am also not using make install (because of company policies)
> > so I have to provide an explicit path to these libraries.
> >
> > 3. I start the program and browse to
> > https://testhost:8888/something.html. The browser appears to wait
> > indefinitely to complete the SSL handshake.
> >
> > 4. I press Enter on the terminal running fs to stop it.  The browser
> > immediately gives up.  fs outputs the following:
> >
> > Error: Handshake has failed (-28)
> >
> >
> > I tried this with MHD_USE_THREAD_PER_CONNECTION and with
> > MHD_USE_SELECT_INTERNALLY and got the same results in both modes.
> >
> > Perhaps I'm missing a library?  I ran ldd on fs so you could compare it
> > to yours and got:
> >
> > $ldd fs
> >
> >         libsocket.so.1 =>        /usr/lib/libsocket.so.1
> >
> >         libpthread.so.1 =>       /usr/lib/libpthread.so.1
> >
> >         libc.so.1 =>     /usr/lib/libc.so.1
> >
> >         libnsl.so.1 =>   /usr/lib/libnsl.so.1
> >
> >         libdl.so.1 =>    /usr/lib/libdl.so.1
> >
> >         libmp.so.2 =>    /usr/lib/libmp.so.2
> >
> >         libthread.so.1 =>        /usr/lib/libthread.so.1
> >
> >         /usr/platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
> >
> >
> > In case it's relevant, I'm compiling with g++ 3.3.3.
> >
> > Kind regards,
> >
> > Jesse
> >
> > On Tue, Jan 5, 2010 at 10:37 AM, Christian Grothoff <
> >
> > address@hidden> wrote:
> >> Dear Jesse,
> >>
> >> I've just tried this myself, and it worked as expected.  I first used
> >> openssl
> >> to generate the KEY, PEM and CERT files:
> >>
> >> $ cd svn/libmicrohttpd/doc/examples/
> >> $ openssl genrsa 1024 > server.key
> >> $ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key >
> >> server.cert
> >> $ cat server.cert server.key > server.pem
> >>
> >> Then I compiled the example
> >>
> >> $ gcc -o fs tlsauthentication.c -I ~/include/ -I ../../src/include/ -I
> >> ../.. -
> >> I ../daemon/https/ -lmicrohttpd
> >>
> >> Started fs
> >>
> >> $ ./fs
> >>
> >> and then accessed https://localhost:8888/ using firefox (3.5.6).  It
> >> "warned"
> >> me about the self-signed cert (also attached for your reference), I
> >> confirmed
> >> that I knew what I was doing, then was prompted for username & password
> >> (entered those from the source code) and then got the "secret" page.
> >>
> >> So I cannot confirm your problem.  This was on Ubuntu GNU/linux (karmic)
> >> using
> >> the example as given in SVN HEAD.
> >>
> >> I hope this helps...
> >>
> >> Best,
> >>
> >> Christian
>



reply via email to

[Prev in Thread] Current Thread [Next in Thread]