Re: [libmicrohttpd] digest auth TLS and POST
From: Christian Grothoff
Subject: Re: [libmicrohttpd] digest auth TLS and POST
Date: Sat, 04 Jan 2014 01:07:28 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10

On 01/04/2014 12:48 AM, A. Mark wrote:
> Hello,
>
> I'm using digest auth and TLS currently and I run into the issue with POST
> requests. This is how my access_handler works currently:
>
> access_handler(...){
>
>   check_initial_call...{
>     setup POST processor
>     setup other request specific structs}
>
>   successive_calls{
>     check digest auth and fail if necessary...
>     handle requests POST,GET,DELETE etc...
>     return html/xml pages}
> }
>
>
> I'm getting these:
>
> "Failed to receive data: A TLS fatal alert has been received."
>
> once in a while on GET requests.

You might want to give details on what TLS implementation you're using for
the client --- and talk to the GnuTLS developers, as MHD really just leaves
the handshake to GnuTLS.

> I'm also getting:
>
> MHD_INVALID_NONCE from MHD_digest_auth_check once in a while, not sure that
> this is normal for every other request. Seems like the client is not
> generating cnonce properly?

Maybe, I don't know anything about your client. Note that nonces also
expire (eventually).

> POSTs always fail with:
>
> "Internal application error, closing connection."
>
> due to MHD_NO returned by MHD_queue_auth_fail_response.

Well, it's a bit hard for me to analyze based on this --- you should
probably first look at MHD_queue_auth_fail_response to figure out
why/where you get the error code from...

> I'm able to run everything if I run the access handler this way:
>
> access_handler(...){
>
>   check_initial_call...{
>     setup POST processor
>     setup other request specific structs...
>     check digest auth and fail if necessary{}
>   }
>
>   successive_calls{
>     handle requests POST,GET,DELETE etc...}
> }
>
> however obviously each request is handled by a new connection, not ideal...

I'm not sure I understand, but note that the "MHD_Connection" is actually
mostly inaptly named --- "MHD_Connection" should really be called
"MHD_Request", as the same TCP connection may persist over multiple
"MHD_Connections". As an application, you can currently not even really
always tell if a second request is using a fresh TCP/SSL connection, or
using pipelining.

> The way it should work is that each request is authenticated once on the
> same connection context. Any suggestions are appreciated.

I'm not sure I understand what you mean by "connection context".

Finally, you might want to clue us into which version of MHD you're using,
and you might want to clarify if the issue disappears if you disable the
use of TLS. Naturally, providing a test case would also help me understand
your issue better.

Happy hacking!
Christian
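
An added example, not code from this thread or from libmicrohttpd: a self-contained C model of the callback sequence for one request, comparing the two access handler layouts quoted above. It assumes the library accepts a queued response only on the initial call or once the upload body is fully consumed; every name in it is hypothetical and the body size is constructed.

```c
#include <stdio.h>
#include <stddef.h>
/* Hypothetical model of the callback sequence; not the libmicrohttpd API. */
enum { NO = 0, YES = 1 };
enum phase { FIRST_CALL, BODY_PENDING, BODY_DONE };
/* queued: status code queued so far (0 = none); ctx: NULL on first call */
struct request { enum phase phase; int authenticated, queued; void *ctx; };
typedef int (*handler_fn)(struct request *, size_t *);
/* Assumed rule: a response is accepted on the initial call or after the
   body is consumed, never while upload data is still pending. */
static int queue_response(struct request *r, int status) {
    if (r->queued || r->phase == BODY_PENDING) return NO;
    r->queued = status;
    return YES;
}
/* First layout in the question: auth is checked on successive calls. */
static int handler_late_auth(struct request *r, size_t *upload_size) {
    if (r->ctx == NULL) { r->ctx = r; return YES; }  /* set up state only */
    if (!r->authenticated) return queue_response(r, 401);
    if (*upload_size) { *upload_size = 0; return YES; } /* consume chunk */
    return queue_response(r, 200);
}
/* Second layout: auth is checked on the initial call, before any body. */
static int handler_early_auth(struct request *r, size_t *upload_size) {
    if (r->ctx == NULL) {
        if (!r->authenticated) return queue_response(r, 401);
        r->ctx = r;
        return YES;
    }
    if (*upload_size) { *upload_size = 0; return YES; }
    return queue_response(r, 200);
}
/* Run one request; returns the status sent, or -1 if the handler returned
   NO, which the library treats as an internal application error. */
static int drive(handler_fn h, int authenticated, int has_body) {
    struct request r = { FIRST_CALL, authenticated, 0, NULL };
    for (int p = FIRST_CALL; p <= BODY_DONE && !r.queued; p++) {
        if (p == BODY_PENDING && !has_body) continue;
        size_t n = (p == BODY_PENDING) ? 16 : 0; /* constructed body size */
        r.phase = (enum phase)p;
        if (h(&r, &n) == NO) return -1;
    }
    return r.queued;
}
int main(void) {
    printf("POST without credentials: late=%d early=%d\n",
           drive(handler_late_auth, 0, 1), drive(handler_early_auth, 0, 1));
    return 0;
}
```

In this model the late check can still answer a body-less request with 401, while a request carrying a body is rejected only by the layout that checks credentials on the initial call.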