Webui on OpenVMS V9.2, issues configuring https with CACERT ssl certificate

Post by connersegh » Mon Oct 03, 2022 2:09 pm

This is a continuation of "Webui on OpenVMS V9.1-A (X86) No data displayed." I'm now working with the V9.2 OS release and the current civetweb, lua, and webui kits.

I'm using an ssl certificate from cacert.org.

Webui seems fine when listening to http. But configured for https it is mostly broken. Every now and then I can browse using https after a restart of WEBUI, but usually it just hangs.

Http only config.

Code:

$sea /mat=nor civetweb.conf #
listening_ports 80
document_root /civetweb$root/htdocs
url_rewrite_patterns /api/**=/civetweb$root/htdocs/api/api.lua
error_log_file /civetweb$root/logs/civetweb_errors.log
access_log_file /civetweb$root/logs/access.log

It will run for days, no problems.

But when configured for https, I have problems.
As long as I do not browse to https (stay on http), WEBUI performs fine.

My civetweb.conf with https:

Code:

$sea /mat=nor civetweb.conf;-1 #
listening_ports 80,443s
ssl_ca_path /civetweb$root/resources/ca/
ssl_certificate /civetweb$root/resources/cert/server.pem
document_root /civetweb$root/htdocs
url_rewrite_patterns /api/**=/civetweb$root/htdocs/api/api.lua
error_log_file /civetweb$root/logs/civetweb_errors.log
access_log_file /civetweb$root/logs/access.log
ssl_protocol_version 2

Try to negotiate https, and things break.

Code:

logs/pthread_dump.log                                                                                                  1977/2705               73%
%DECthreads bugcheck (version V3.23-001), terminating execution.

%Reason:  lckMcsLock: deadlock detected, cell = 0x261b280

%Running on OpenVMS V9.2 on Red Hat KVM, 7660Mb; 4 CPUs

% The bugcheck occurred at 03-OCT-2022 11:47:23.07, running image
%  EAGLE$DKA100:[SYS0.SYSCOMMON.civetweb.][bin]civetweb.exe;1 in process
%  421 (named "CIVETWEB"), under username "SYSTEM". AST delivery is enabled for
%  all modes; ASTs are active in user. Upcalls are disabled. Multiple kernel
%  threads are disabled.
% The current thread sequence number is 3, at 0x261b280
% Current thread traceback:

Code:

logs/CIVETWEB_EAGLE.LOG                                                                                                1279/135K                0%
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Loading config file /civetweb$root/conf/civetweb.conf
Reading service details from /civetweb$root/conf/services.conf
Reading thread details from /civetweb$root/conf/threads.conf
 3-OCT-2022 11:47:22.34: SL_CLI-I-ALRTINIT, Alert images loading:
        SQL: opcom ok, intru ok, device ok, purge ok, term ok, init ok
%DECthreads bugcheck (version V3.23-001), terminating execution.

% Reason:  lckMcsLock: deadlock detected, cell = 0x261b280

% Running on OpenVMS V9.2() on Red Hat KVM, 7660Mb; 4 CPUs, pid 1057

% The bugcheck occurred at 03-OCT-2022 11:47:23.07, running image

%  EAGLE$DKA100:[SYS0.SYSCOMMON.civetweb.][bin]civetweb.exe;1 in process

%  421 (named "CIVETWEB"), under username "SYSTEM". AST delivery is enabled for

%  all modes; ASTs are active in user. Upcalls are disabled. Multiple kernel

%  threads are disabled.

% The current thread sequence number is 3, at 0x261b280

% Current thread traceback:

Scanning for ssl-enum-ciphers will also cause WEBUI / civet to break.
Below - the first nmap kills civet, the 2nd nmap shows https being broken. (I did these commands in close succession.)

Code:

[david@fauci ~]$ nmap --script ssl-enum-ciphers -p 443 eagle
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-03 13:17 EDT
Nmap scan report for eagle (192.168.1.69)
Host is up (0.00035s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|     compressors: 
| 
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 28.52 seconds
[david@fauci ~]$ nmap --script ssl-enum-ciphers -p 443 eagle
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-03 13:18 EDT
Nmap scan report for eagle (192.168.1.69)
Host is up (0.00050s latency).

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 30.78 seconds
[david@fauci ~]$ 

The errors resulting from the scan.

Code:

$ ty [-.logs]civetweb_errors.log
[1664817414] [error] [client 192.168.1.34] sslize error: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
[1664817414] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
[1664817415] [error] [client 192.168.1.34] sslize error: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
[1664817415] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
[1664817416] [error] [client 192.168.1.34] sslize error: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
[1664817416] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817416] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817416] [error] [client 192.168.1.34] SSL syscall error 0

These are the error logs related to "did not start" or browsing to https broke WEBUI (pretty much the same as above?).

Code:

CIVETWEB_EAGLE.LOG                                                                                                
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Loading config file /civetweb$root/conf/civetweb.conf
Reading service details from /civetweb$root/conf/services.conf
Reading thread details from /civetweb$root/conf/threads.conf
 3-OCT-2022 11:47:22.34: SL_CLI-I-ALRTINIT, Alert images loading:
        SQL: opcom ok, intru ok, device ok, purge ok, term ok, init ok
%DECthreads bugcheck (version V3.23-001), terminating execution.

% Reason:  lckMcsLock: deadlock detected, cell = 0x261b280

% Running on OpenVMS V9.2() on Red Hat KVM, 7660Mb; 4 CPUs, pid 1057

% The bugcheck occurred at 03-OCT-2022 11:47:23.07, running image

%  EAGLE$DKA100:[SYS0.SYSCOMMON.civetweb.][bin]civetweb.exe;1 in process

%  421 (named "CIVETWEB"), under username "SYSTEM". AST delivery is enabled for

%  all modes; ASTs are active in user. Upcalls are disabled. Multiple kernel

%  threads are disabled.

% The current thread sequence number is 3, at 0x261b280

% Current thread traceback:

%     0:  PC 0x7a785b6, SP 0x2617510, ICTX        0x2617510

Code:

pthread_dump.log                                                                                                  1977/2705               73%
%DECthreads bugcheck (version V3.23-001), terminating execution.

%Reason:  lckMcsLock: deadlock detected, cell = 0x261b280

%Running on OpenVMS V9.2 on Red Hat KVM, 7660Mb; 4 CPUs

% The bugcheck occurred at 03-OCT-2022 11:47:23.07, running image
%  EAGLE$DKA100:[SYS0.SYSCOMMON.civetweb.][bin]civetweb.exe;1 in process
%  421 (named "CIVETWEB"), under username "SYSTEM". AST delivery is enabled for
%  all modes; ASTs are active in user. Upcalls are disabled. Multiple kernel
%  threads are disabled.
% The current thread sequence number is 3, at 0x261b280
% Current thread traceback:
%     0:  PC 0x7a785b6, SP 0x2617510, ICTX        0x2617510


$sh sys
OpenVMS V9.2  on node EAGLE    3-OCT-2022 13:56:36.97   Uptime  0 02:09:28

$product show product
------------------------------------ ----------- ---------
PRODUCT                              KIT TYPE    STATE
------------------------------------ ----------- ---------
VMSPORTS X86VMS PERL534 T5.34-0      Full LP     Installed
VSI X86VMS AVAIL_MAN_BASE V9.2       Full LP     Installed
VSI X86VMS CIVETWEB V1.14-0D         Full LP     Installed
VSI X86VMS DECNET_PLUS V9.2-B        Full LP     Installed
VSI X86VMS DWMOTIF V1.8              Full LP     Installed
VSI X86VMS DWMOTIF_SUPPORT V9.2      Full LP     Installed
VSI X86VMS KERBEROS V3.3-2           Full LP     Installed
VSI X86VMS LUA V5.3-5D               Full LP     Installed
VSI X86VMS OPENSSH V8.9-1B           Full LP     Installed
VSI X86VMS OPENVMS V9.2              Platform    Installed
VSI X86VMS SSL111 V1.1-1N            Full LP     Installed
VSI X86VMS TCPIP X6.0-16             Full LP     Installed
VSI X86VMS VMS V9.2                  Oper System Installed
VSI X86VMS WEBUI V4.1-1              Full LP     Installed
------------------------------------ ----------- ---------
14 items found
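
An added example, not part of the original post: a Python triage script for `civetweb_errors.log` lines in the format shown above. It groups handshake failures by client and flags a client that produces several distinct protocol/cipher rejection reasons within a few seconds, the pattern the ssl-enum-ciphers scan left in the log. The 5-second window, the three-reason threshold and the 192.168.1.50 sample line are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Lines in the civetweb_errors.log format shown in the post; the final
# 192.168.1.50 entry is constructed for this example.
SAMPLE_LOG = """\
[1664817414] [error] [client 192.168.1.34] sslize error: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
[1664817414] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
[1664817416] [error] [client 192.168.1.34] SSL syscall error 0
[1664820000] [error] [client 192.168.1.50] sslize error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
"""

LINE_RE = re.compile(r"^\[(\d+)\] \[error\] \[client ([^\]]+)\] (.*)$")
SSL_RE = re.compile(r"sslize error: error:([0-9A-Fa-f]+):SSL routines:([^:]+):(.+)$")
# Handshake rejections that a protocol/cipher enumeration typically triggers.
PROBE_REASONS = {"version too low", "unsupported protocol", "no shared cipher"}

def parse(text):
    """Yield (epoch, client, reason) for each recognised error-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an error-log line in the expected format
        ts, client, msg = int(m.group(1)), m.group(2), m.group(3)
        ssl = SSL_RE.match(msg)
        # Use the OpenSSL reason string when present, else the raw message.
        yield ts, client, (ssl.group(3) if ssl else msg)

def summarize(text, window=5, min_distinct=3):
    """Per client: reason counts, time span, and an enumeration-like flag."""
    events = defaultdict(list)
    for ts, client, reason in parse(text):
        events[client].append((ts, reason))
    report = {}
    for client, evs in events.items():
        evs.sort()
        burst = False
        for i, (start, _) in enumerate(evs):
            # Distinct probe-type reasons within `window` seconds of this event.
            seen = {r for t, r in evs[i:] if t - start <= window and r in PROBE_REASONS}
            if len(seen) >= min_distinct:
                burst = True
                break
        report[client] = {"reasons": Counter(r for _, r in evs),
                          "first": evs[0][0], "last": evs[-1][0],
                          "enumeration_like": burst}
    return report

if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info["enumeration_like"], dict(info["reasons"]))
```

A client flagged here whose last entry is immediately followed by the DECthreads bugcheck timestamp in CIVETWEB_EAGLE.LOG is a candidate trigger for the crash.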
