Sam 4951 Tuesday, 4 August 2020, 04:54 PM
HAWK authentication
Hello,

I would like to use the IHTTPClient in combination with HAWK authentication.

Postman works and suggests the following wget request:

wget --no-check-certificate --quiet --method GET --timeout=0
--header 'Authorization: Hawk id="87644ab98ba1f2dee1b92bf", ts="1596541461", nonce="RieT_w", mac="DkPwis9BoQu6tnHtMw3wNZ7u+9HhqZk="'
'https://website.com/api/v1/example-request/'

Please note the --no-check-certificate option!

In my inno App I tried with:

httpClient->SetCustomHeaderField("Authorization", authHeader.c_str());
httpClient->Connect("https://website.com", nullptr, nullptr, HTTP_AUTH_NONE);

The http client connects, but after SetRequestType + Send, the following error occurs:

OpenSSLInstance::HandleSSLCallResult OpenSSL error 0 1 336151576:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

Is it possible to use HAWK authentication with innovaphone's http client?
How?

Thank you,
Best regards,
Sam

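For readers who want to see what the Authorization header in the wget command above actually contains, here is an added example (not code from the thread or from innovaphone's SDK) that builds a Hawk header and validates it on the server side in Python. The id and key are constructed sample credentials; the ts and nonce reuse the values from the wget command; the MAC is HMAC-SHA256 over the Hawk "hawk.1.header" normalized string. The server side checks clock skew and rejects a replayed nonce, which is what makes a captured header useless to anyone who intercepts it.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlsplit

# Constructed sample credentials (not from the thread). In practice the key is
# a shared secret provisioned out of band between client and server.
SAMPLE_CREDENTIALS = {"id": "dh37fgj492je", "key": b"constructed-shared-secret-key"}

_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def normalized_string(ts, nonce, method, url, payload_hash="", ext=""):
    """Hawk 'hawk.1.header' normalized string that the MAC is computed over."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    resource = parts.path or "/"
    if parts.query:
        resource += "?" + parts.query
    return (
        "hawk.1.header\n"
        f"{ts}\n{nonce}\n{method.upper()}\n{resource}\n{host}\n{port}\n"
        f"{payload_hash}\n{ext}\n"
    )


def compute_mac(key, ts, nonce, method, url):
    """Base64 HMAC-SHA256 of the normalized string (no payload hash, no ext)."""
    msg = normalized_string(ts, nonce, method, url).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def build_authorization_header(creds, method, url, ts=None, nonce=None):
    """Client side: the value to put into the Authorization request header."""
    ts = int(time.time()) if ts is None else int(ts)
    nonce = secrets.token_urlsafe(6) if nonce is None else nonce
    mac = compute_mac(creds["key"], ts, nonce, method, url)
    return f'Hawk id="{creds["id"]}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_authorization_header(header):
    """Split 'Hawk k="v", k="v"' into a dict; None if it is not a Hawk header."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Hawk":
        return None
    return dict(_ATTR_RE.findall(rest))


def verify_authorization_header(header, method, url, creds, seen_nonces,
                                now=None, max_skew=60):
    """Server side: returns (ok, reason). seen_nonces is a set the caller keeps
    across requests so that a captured header cannot simply be replayed."""
    attrs = parse_authorization_header(header)
    if not attrs or not {"id", "ts", "nonce", "mac"}.issubset(attrs):
        return False, "malformed header"
    if attrs["id"] != creds["id"]:
        return False, "unknown id"
    if not attrs["ts"].isdigit():
        return False, "bad timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - int(attrs["ts"])) > max_skew:
        return False, "timestamp outside allowed skew"
    replay_key = (attrs["id"], attrs["ts"], attrs["nonce"])
    if replay_key in seen_nonces:
        return False, "nonce replayed"
    # Recompute the MAC from the request as the server saw it, not from the header.
    expected = compute_mac(creds["key"], attrs["ts"], attrs["nonce"], method, url)
    if not hmac.compare_digest(expected, attrs["mac"]):
        return False, "mac mismatch"
    seen_nonces.add(replay_key)
    return True, "ok"


if __name__ == "__main__":
    url = "https://website.com/api/v1/example-request/"
    hdr = build_authorization_header(SAMPLE_CREDENTIALS, "GET", url)
    print(hdr)
    print(verify_authorization_header(hdr, "GET", url, SAMPLE_CREDENTIALS, set()))
```

Because the MAC covers method, path, host and port, the header only authorizes the one request it was built for; a server that skips the nonce set or the skew check loses the replay protection that the ts and nonce fields exist for.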
Daniel Deterding (innovaphone) Tuesday, 4 August 2020, 05:24 PM
Re: HAWK authentication
Hi Sam,

I don't think the SSL error is related to your HAWK authentication.

Your webserver doesn't like the client certificate which is sent within the HTTP client request. The sent certificate is the installed default certificate of the AP and this is just a self signed certificate which doesn't match the host etc.

The integrated HTTP client doesn't support the use of any additional authentication (just digest, basic and ntlm).
It also doesn't support sending specific client certificates.

Greetings,
Daniel


Sam 4951 Wednesday, 5 August 2020, 07:38 AM
Re: HAWK authentication
Hey Daniel,

Thanks for your reply.

Indeed, the SSL error also occurs without the HAWK authentication.

Would it be possible to use libcurl as a solution?
Or is it not possible/allowed to bypass the socket provider?

Regards,
Sam
Daniel Deterding (innovaphone) Wednesday, 5 August 2020, 07:50 AM
Re: HAWK authentication
Hi Sam,

libcurl is not installed on the AP, so you'd need to ship it yourself with your app (which would then require you to build libcurl for armv7 or x86_64 yourself).

Technically it is possible to bypass the socket provider but then you're outside of the asynchronous iomux handling.
If you then do a synchronous HTTP request within the main thread, you'd block the whole app until the request is finished.
So either you need to perform these requests within a thread and you sync this thread with iomux (which is possible, as iomux supports SetExecLocked calls from other threads) or you can use libcurl async from the start (no idea, never took a look at this lib).

Greetings,
Daniel
Daniel Deterding (innovaphone) Wednesday, 5 August 2020, 07:57 AM in response to Sam 4951
Re: HAWK authentication
Another thought: I talked to a colleague yesterday and within 13r2 it seems it will be possible to implement another authentication on top of the existing HTTPClient yourself.
But there is no release date for 13r2 yet ...

Greetings,
Daniel
Sam 4951 Wednesday, 5 August 2020, 09:08 AM
Re: HAWK authentication
Hey Daniel,

Thanks for your support.

The web-server certificate is issued by Amazon.
How can the app verify that this is a valid certificate?
Do I have to add it to the PBX Certificates Trust List?
Will it suffice to add only the root CA certificate?

Do you have some sample code/doc available about how to use https in an App?

Many thanks,
Sam
Sam 4951 Wednesday, 5 August 2020, 09:24 AM
Re: HAWK authentication
Hello Daniel,

Is it possible/allowed to set a custom Authorization header with the SetCustomHeaderField method?

Regards,
Sam
Marc Schodermayr (innovaphone) Wednesday, 5 August 2020, 09:36 AM
Re: HAWK authentication
Yes, it is. The problem is that for now the HTTPClient won't pass the unauthorized (401) HTTP response to the app. However, in a further update that function will be available, so you can develop whatever HTTP authentication you want.
Sam 4951 Wednesday, 5 August 2020, 04:01 PM
Re: HAWK authentication
Hi Marc,

If I can attach the correct Authorization header, then the server will reply immediately with a 200 OK. It's not a two-step process with a 401 in between.

The problem is that the method SetCustomHeaderField doesn't work.

I tested with following code:

httpClient->Connect("http://10.0.0.108:8080");

And in the HTTPClientConnectComplete override:

httpClient->SetCustomHeaderField("Authorization", authHeader.c_str());
httpClient->SetCustomHeaderField("Hello", "World");
httpClient->SetRequestType(HTTP_GET, "/api/v1/");
httpClient->Send();

Attached is the resulting capture, w/o custom headers.

Best regards,
Sam

PS: The reason I'm using my laptop as a webserver is that I didn't find a way to trace the HTTP messages sent by the App. I tried with PBX > Maintenance > Tracing w/o success. I also tried several Diagnose trace flags in the App Manager.
NoCustomHeaders.pcapng
Marc Schodermayr (innovaphone) Thursday, 6 August 2020, 11:07 AM
Re: HAWK authentication
SetRequestType() prepares for a new request. Thus all other stuff will be reset, which means that the custom header fields will be deleted. You first need to call SetRequestType() and then SetCustomHeaderField().

I've looked at the documentation and saw that this fact hasn't been documented. Sorry for the inconvenience here. But if you change the order, the header fields you set will be sent.
Sam 4951 Friday, 7 August 2020, 08:17 AM
Re: HAWK authentication
Hey Marc,

Thanks for your help, this is working now!

Best regards,
Sam
Daniel Deterding (innovaphone) Wednesday, 5 August 2020, 09:47 AM in response to Sam 4951
Re: HAWK authentication
Hi Sam,

the issue is not the webserver certificate. Our HTTP client accepts the webserver certificate automatically.

The issue is that the webserver you are making the HTTP client request to doesn't accept our client certificate! Our HTTP client doesn't support mutual TLS.

Of course, you could create your own TLS socket and talk HTTP yourself.

class ISocketProvider * tlsSocketProvider; // this is already generated within your app-main.cpp!

class ISocketContext * socketContext = tlsSocketProvider->CreateSocketContext(log);
socketContext->SetClientCertificate(certBuffer, certBufferLen); // client certificate in PEM format
class ISocket * socket = tlsSocketProvider->CreateSocket(iomux, socketUser, log, false, socketContext);

It all depends on the certificate which you want to use as client certificate.
We could quite easily make the HTTP client capable of being handed a specific ISocketContext which you can create yourself.
You could test it first with a simple socket connect (see code above to create such a socket with a specific client certificate) and if you're fine with this, we could enhance the http client.

Greetings,
Daniel
Sam 4951 Wednesday, 5 August 2020, 10:02 AM
Re: HAWK authentication
Hey Daniel,

But I don't want to send a client certificate.
How to skip this?

Mutual TLS is not required.
It's sufficient to accept the webserver certificate.

Best regards,
Sam
Daniel Deterding (innovaphone) Wednesday, 5 August 2020, 10:16 AM
Re: HAWK authentication
Hi Sam,

maybe I didn't make it clear enough ;)
You are receiving this SSL error because:
  • you are connecting to a remote webserver (not a webserver of innovaphone, no idea which webserver you are connecting to)
  • our HTTP client uses a self signed certificate
  • your webserver doesn't accept this self signed certificate
You have two options:
  • you reconfigure your webserver to accept self signed client certificates
  • you hand a valid client certificate to the HTTP client ...
To make sure that I'm not on the wrong track, you can enable Remote PCAP inside your AP Manager (open the AP Manager, click on the AP Manager on the left side, click on Diagnostics and enable RPCAP).
Use wireshark to remote capture on the IP address of your AP.
You should see, that your webserver cancels the TLS connection, not our TLS implementation.

Greetings,
Daniel
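To make the "look at who sends the alert" check concrete, here is an added example (not code from the thread or from innovaphone's SDK) in Python that decodes a TLS alert record of the kind an RPCAP capture would show, maps OpenSSL's "tlsv1 alert unknown ca" reason text to the alert code it reports, and names the side that aborted the handshake. The IP addresses and the two records in SAMPLE_CAPTURE are constructed; the alert code table is taken from RFC 5246 and RFC 8446.

```python
import struct

CONTENT_TYPE_ALERT = 21
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 5246 (TLS 1.2) and RFC 8446 (TLS 1.3).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    112: "unrecognized_name", 116: "certificate_required",
}

# Constructed capture: (src_ip, dst_ip, raw TLS record). The first record is a
# truncated stand-in for the client's handshake record; the second is a fatal
# unknown_ca alert sent by the server.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "203.0.113.10", b"\x16\x03\x01\x00\x05hello"),
    ("203.0.113.10", "10.0.0.5", b"\x15\x03\x03\x00\x02\x02\x30"),
]


def parse_tls_record(data):
    """Parse one TLS record: 1 byte type, 2 bytes version, 2 bytes length, body."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        return None  # truncated record
    return ctype, (major, minor), body


def parse_alert(data):
    """Return the decoded alert if this record is an alert, else None."""
    rec = parse_tls_record(data)
    if rec is None or rec[0] != CONTENT_TYPE_ALERT or len(rec[2]) != 2:
        return None
    level, desc = rec[2]
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
        "code": desc,
    }


def who_aborted(records, client_ip):
    """Name the side ('client' or 'server') that sent the first fatal alert."""
    for src, _dst, raw in records:
        alert = parse_alert(raw)
        if alert and alert["level"] == "fatal":
            return ("client" if src == client_ip else "server", alert)
    return None


def openssl_reason_to_alert(reason):
    """Map an OpenSSL reason such as 'tlsv1 alert unknown ca' to the alert code
    the peer sent (OpenSSL reports received alerts in this form)."""
    marker = " alert "
    if marker not in reason:
        return None
    name = reason.split(marker, 1)[1].strip().replace(" ", "_")
    for code, desc in ALERT_DESCRIPTIONS.items():
        if desc == name:
            return code
    return None


if __name__ == "__main__":
    print(who_aborted(SAMPLE_CAPTURE, "10.0.0.5"))
    print(openssl_reason_to_alert("tlsv1 alert unknown ca"))
```

An "ssl3_read_bytes: ... alert unknown ca" line in the client's log therefore means the client read a fatal alert 48 from the peer, which matches the capture showing the alert travelling from the server to the AP; a rejection by the client's own trust store would surface as a different error on the client side.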
Sam 4951 Wednesday, 5 August 2020, 01:43 PM
Re: HAWK authentication
Hey Daniel, Marc,

The following code succeeds:

httpClient->Connect("https://www.google.com");
httpClient->SetRequestType(HTTP_GET, "/");
httpClient->Send();

SetRequestType & Send are called from within the HTTPClientConnectComplete override.

But this code fails with the "unknown ca" TLS error:

httpClient->Connect("https://secure-provisioning.snomlab.com");
httpClient->SetRequestType(HTTP_GET, "/api/v1/");
httpClient->Send();

But this second test does succeed with wget, see attached log (one http GET, immediately followed by a 200 OK).

Is it possible that the "Let's Encrypt Authority X3" certificate from the snomlab server is rejected?

Best regards,
Sam

PS there is no requirement to send a client certificate, only accept the certificate from the server.
snom_wget_200.txt
Daniel Deterding (innovaphone) Wednesday, 5 August 2020, 03:28 PM
Re: HAWK authentication
Hi Sam,

we can now verify the issue on our side with this server. We do not know yet why it fails and, due to the summer holidays, you may need to wait until we are able to resolve the issue.

Greetings,
Daniel
Daniel Deterding (innovaphone) Friday, 7 August 2020, 08:40 AM in response to Sam 4951
Re: HAWK authentication
Hi Sam,

as far as I can judge by now, it's not a fault in our SDK.

You can also reproduce this with wget if you tell wget to use the same client certificate for the request which we are using by default:

wget --no-check-certificate --certificate=/home/root/ssl_cert/server.pem --private-key=/home/root/ssl_cert/server.key https://secure-provisioning.snomlab.com/api/v1/

In this case, wget doesn't get any data from the server and the server closes the connection (see the wireshark trace).
I also tried to use a "real" signed certificate, but this changes nothing: the server rejects the TLS request if the client sends any certificate, no matter which one.

It's the same with our firmware, where we have a totally different TLS implementation. The only difference there is that the server issues a real TLS alert itself.

Do you happen to have any connections to the server hoster to ask if they know anything about this?

Greetings,
Daniel

snom_wget_fail.pcapng
Sam 4951 Friday, 7 August 2020, 08:55 AM
Re: HAWK authentication
Hey Daniel,

In my opinion mutual authentication (= sending a client certificate to the server) is not a good default setting. Most HTTP clients (browsers, Postman, ...) don't do this by default.

Is there a way to disable the use of a client certificate?

Best regards,
Sam


Daniel Deterding (innovaphone) Friday, 7 August 2020, 10:52 AM
Re: HAWK authentication
Hi Sam,

yes, maybe you're right.
We're introducing a workaround for this in SR17, which will be released in September.

Until then, you can download the following zip file:
http://build-dfs.innovaphone.com/13r1/apps/sdk/132498/sdk.zip

The zip file contains an sdk folder. Please replace the sdk folder inside your app project folder with this one.

Change your code of the HTTPClient creation a bit (of course you must use your own variables):

class ISocketContext * socketContext = aTlsSocketProvider->CreateSocketContext(log);
socketContext->DisableClientCertificate();
// create the httpClient instance
this->httpClient = IHTTPClient::Create(iomux, aTcpSocketProvider, aTlsSocketProvider, this, log, nullptr, socketContext);

Greetings,
Daniel
Sam 4951 Tuesday, 11 August 2020, 04:40 PM
Re: HAWK authentication
Thanks Daniel, it's working now with this special sdk-build.

Best regards,
Sam