Webui on OpenVMS V9.2, issues configuring https with CACERT ssl certificate
Posted: Mon Oct 03, 2022 2:09 pm
This is a continuation of "Webui on OpenVMS V9.1-A (X86) No data displayed." I'm now working with the V9.2 OS release and the current civetweb, lua, and webui kits.
I'm using an ssl certificate from cacert.org.
Webui seems fine when listening to http. But configured for https it is mostly broken. Every now and then I can browse using https after a restart of WEBUI, but usually it just hangs.
Http only config.
Code:
$sea /mat=nor civetweb.conf #
listening_ports 80
document_root /civetweb$root/htdocs
url_rewrite_patterns /api/**=/civetweb$root/htdocs/api/api.lua
error_log_file /civetweb$root/logs/civetweb_errors.log
access_log_file /civetweb$root/logs/access.log
It will run for days, no problems.
But when configured for https, I have problems.
As long as I do not browse to https (stay on http), WEBUI performs fine.
My civetweb.conf with https:
Code:
$sea /mat=nor civetweb.conf;-1 #
listening_ports 80,443s
ssl_ca_path /civetweb$root/resources/ca/
ssl_certificate /civetweb$root/resources/cert/server.pem
document_root /civetweb$root/htdocs
url_rewrite_patterns /api/**=/civetweb$root/htdocs/api/api.lua
error_log_file /civetweb$root/logs/civetweb_errors.log
access_log_file /civetweb$root/logs/access.log
ssl_protocol_version 2
Try to negotiate https, and things break.
Scanning for ssl-enum-ciphers will also cause WEBUI / civet to break.
Code:
logs/pthread_dump.log 1977/2705 73%
%DECthreads bugcheck (version V3.23-001), terminating execution.
%Reason: lckMcsLock: deadlock detected, cell = 0x261b280
%Running on OpenVMS V9.2 on Red Hat KVM, 7660Mb; 4 CPUs
% The bugcheck occurred at 03-OCT-2022 11:47:23.07, running image
% EAGLE$DKA100:[SYS0.SYSCOMMON.civetweb.][bin]civetweb.exe;1 in process
% 421 (named "CIVETWEB"), under username "SYSTEM". AST delivery is enabled for
% all modes; ASTs are active in user. Upcalls are disabled. Multiple kernel
% threads are disabled.
% The current thread sequence number is 3, at 0x261b280
% Current thread traceback:
Code:
logs/CIVETWEB_EAGLE.LOG 1279/135K 0%
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Loading config file /civetweb$root/conf/civetweb.conf
Reading service details from /civetweb$root/conf/services.conf
Reading thread details from /civetweb$root/conf/threads.conf
3-OCT-2022 11:47:22.34: SL_CLI-I-ALRTINIT, Alert images loading:
SQL: opcom ok, intru ok, device ok, purge ok, term ok, init ok
%DECthreads bugcheck (version V3.23-001), terminating execution.
% Reason: lckMcsLock: deadlock detected, cell = 0x261b280
% Running on OpenVMS V9.2() on Red Hat KVM, 7660Mb; 4 CPUs, pid 1057
% The bugcheck occurred at 03-OCT-2022 11:47:23.07, running image
% EAGLE$DKA100:[SYS0.SYSCOMMON.civetweb.][bin]civetweb.exe;1 in process
% 421 (named "CIVETWEB"), under username "SYSTEM". AST delivery is enabled for
% all modes; ASTs are active in user. Upcalls are disabled. Multiple kernel
% threads are disabled.
% The current thread sequence number is 3, at 0x261b280
% Current thread traceback:
Below - the first nmap kills civet, the 2nd nmap shows https being broken. (I did these commands in close succession)
Code:
[david@fauci ~]$ nmap --script ssl-enum-ciphers -p 443 eagle
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-03 13:17 EDT
Nmap scan report for eagle (192.168.1.69)
Host is up (0.00035s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| compressors:
|
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 28.52 seconds
[david@fauci ~]$ nmap --script ssl-enum-ciphers -p 443 eagle
Starting Nmap 7.70 ( https://nmap.org ) at 2022-10-03 13:18 EDT
Nmap scan report for eagle (192.168.1.69)
Host is up (0.00050s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 30.78 seconds
[david@fauci ~]$
The errors resulting from the scan.
$ ty [-.logs]civetweb_errors.log
Code:
[1664817414] [error] [client 192.168.1.34] sslize error: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
[1664817414] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
[1664817415] [error] [client 192.168.1.34] sslize error: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
[1664817415] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
[1664817416] [error] [client 192.168.1.34] sslize error: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
[1664817416] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817416] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817416] [error] [client 192.168.1.34] SSL syscall error 0
These are the error logs related to "did not start" or browsing to https broke WEBUI. (pretty much the same as above?)
Code:
CIVETWEB_EAGLE.LOG
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
Loading config file /civetweb$root/conf/civetweb.conf
Reading service details from /civetweb$root/conf/services.conf
Reading thread details from /civetweb$root/conf/threads.conf
3-OCT-2022 11:47:22.34: SL_CLI-I-ALRTINIT, Alert images loading:
SQL: opcom ok, intru ok, device ok, purge ok, term ok, init ok
%DECthreads bugcheck (version V3.23-001), terminating execution.
% Reason: lckMcsLock: deadlock detected, cell = 0x261b280
% Running on OpenVMS V9.2() on Red Hat KVM, 7660Mb; 4 CPUs, pid 1057
% The bugcheck occurred at 03-OCT-2022 11:47:23.07, running image
% EAGLE$DKA100:[SYS0.SYSCOMMON.civetweb.][bin]civetweb.exe;1 in process
% 421 (named "CIVETWEB"), under username "SYSTEM". AST delivery is enabled for
% all modes; ASTs are active in user. Upcalls are disabled. Multiple kernel
% threads are disabled.
% The current thread sequence number is 3, at 0x261b280
% Current thread traceback:
% 0: PC 0x7a785b6, SP 0x2617510, ICTX 0x2617510
Code:
pthread_dump.log 1977/2705 73%
%DECthreads bugcheck (version V3.23-001), terminating execution.
%Reason: lckMcsLock: deadlock detected, cell = 0x261b280
%Running on OpenVMS V9.2 on Red Hat KVM, 7660Mb; 4 CPUs
% The bugcheck occurred at 03-OCT-2022 11:47:23.07, running image
% EAGLE$DKA100:[SYS0.SYSCOMMON.civetweb.][bin]civetweb.exe;1 in process
% 421 (named "CIVETWEB"), under username "SYSTEM". AST delivery is enabled for
% all modes; ASTs are active in user. Upcalls are disabled. Multiple kernel
% threads are disabled.
% The current thread sequence number is 3, at 0x261b280
% Current thread traceback:
% 0: PC 0x7a785b6, SP 0x2617510, ICTX 0x2617510
$sh sys
OpenVMS V9.2 on node EAGLE 3-OCT-2022 13:56:36.97 Uptime 0 02:09:28
$product show product
------------------------------------ ----------- ---------
PRODUCT KIT TYPE STATE
------------------------------------ ----------- ---------
VMSPORTS X86VMS PERL534 T5.34-0 Full LP Installed
VSI X86VMS AVAIL_MAN_BASE V9.2 Full LP Installed
VSI X86VMS CIVETWEB V1.14-0D Full LP Installed
VSI X86VMS DECNET_PLUS V9.2-B Full LP Installed
VSI X86VMS DWMOTIF V1.8 Full LP Installed
VSI X86VMS DWMOTIF_SUPPORT V9.2 Full LP Installed
VSI X86VMS KERBEROS V3.3-2 Full LP Installed
VSI X86VMS LUA V5.3-5D Full LP Installed
VSI X86VMS OPENSSH V8.9-1B Full LP Installed
VSI X86VMS OPENVMS V9.2 Platform Installed
VSI X86VMS SSL111 V1.1-1N Full LP Installed
VSI X86VMS TCPIP X6.0-16 Full LP Installed
VSI X86VMS VMS V9.2 Oper System Installed
VSI X86VMS WEBUI V4.1-1 Full LP Installed
------------------------------------ ----------- ---------
14 items found
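Added example for the https civetweb.conf shown in the post. This is not the poster's file and not civetweb project code: it parses a civetweb.conf in the one-option-per-line form used above, reports the TLS settings a reviewer would flag, and emits a hardened copy. The option names (listening_ports with the 's'/'r' suffixes, ssl_protocol_version, ssl_cipher_list, ssl_certificate_chain, ssl_verify_peer) and the ssl_protocol_version table (2 = TLS 1.0 and up, 4 = TLS 1.2 and up) come from civetweb's UserManual; the severity policy, the pinned cipher list and the chain.pem path are this example's own assumptions.

```python
# Added example: civetweb.conf TLS audit. Not from the post or from civetweb.
import sys

# Minimum protocol each ssl_protocol_version value admits (civetweb UserManual).
PROTOCOL_FLOOR = {0: "SSL2", 1: "SSL3", 2: "TLS1.0", 3: "TLS1.1", 4: "TLS1.2", 5: "TLS1.3"}

# Assumption: pin forward-secret AEAD suites only; SSL111 on the system is
# OpenSSL 1.1.1, which knows these OpenSSL suite names.
CIPHER_LIST = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
               "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")

# Constructed copy of the https configuration quoted in the post.
SAMPLE_CONF = """\
listening_ports 80,443s
ssl_ca_path /civetweb$root/resources/ca/
ssl_certificate /civetweb$root/resources/cert/server.pem
document_root /civetweb$root/htdocs
url_rewrite_patterns /api/**=/civetweb$root/htdocs/api/api.lua
error_log_file /civetweb$root/logs/civetweb_errors.log
access_log_file /civetweb$root/logs/access.log
ssl_protocol_version 2
"""

def parse_conf(text):
    """civetweb.conf is 'option value' per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf

def _ports(conf):
    return [p.strip() for p in conf.get("listening_ports", "").split(",") if p.strip()]

def audit(conf):
    """Return (severity, message) findings; harden() resolves the 'weak' ones."""
    findings = []
    if not any(p.endswith("s") for p in _ports(conf)):
        return findings                      # no 's' port: nothing terminates TLS
    plain = [p for p in _ports(conf) if not p.endswith(("s", "r"))]
    if plain:
        findings.append(("weak", f"plain-HTTP port(s) {plain} served beside TLS; "
                                 "add the 'r' suffix so they redirect to the TLS port"))
    ver = conf.get("ssl_protocol_version")
    if ver is None:
        findings.append(("weak", "ssl_protocol_version not set; the default depends on the "
                                 "civetweb build, set 4 (TLS 1.2 minimum) explicitly"))
    elif int(ver) < 4:
        findings.append(("weak", f"ssl_protocol_version {ver} accepts {PROTOCOL_FLOOR[int(ver)]} "
                                 "and up; set 4 (TLS 1.2 minimum)"))
    if "ssl_cipher_list" not in conf:
        findings.append(("weak", "ssl_cipher_list not set; OpenSSL's default suite list "
                                 "applies, pin forward-secret AEAD suites"))
    if "ssl_certificate" not in conf:
        findings.append(("error", "ssl_certificate missing; required for an 's' port, the "
                                  "PEM must hold both the private key and the certificate"))
    if "ssl_certificate_chain" not in conf:
        findings.append(("info", "ssl_certificate_chain not set; if the server cert was "
                                 "issued by an intermediate CA, clients cannot build the chain"))
    if "ssl_ca_path" in conf and conf.get("ssl_verify_peer", "no") != "yes":
        findings.append(("info", "ssl_ca_path is only consulted when ssl_verify_peer is yes "
                                 "(client certificates); it does not affect server trust"))
    return findings

def harden(conf, chain_file="/civetweb$root/resources/cert/chain.pem"):
    """Copy of conf with the 'weak' findings resolved (chain_file path is assumed)."""
    new = dict(conf)
    if any(p.endswith("s") for p in _ports(conf)):
        new["listening_ports"] = ",".join(
            p if p.endswith(("s", "r")) else p + "r" for p in _ports(conf))
        new["ssl_protocol_version"] = "4"
        new.setdefault("ssl_cipher_list", CIPHER_LIST)
        new.setdefault("ssl_certificate_chain", chain_file)
    return new

def render(conf):
    return "".join(f"{k} {v}\n" for k, v in conf.items())

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    conf = parse_conf(text)
    for severity, message in audit(conf):
        print(f"[{severity}] {message}")
    print("--- hardened ---")
    print(render(harden(conf)), end="")
```

Run it with the path to a civetweb.conf, or with no argument to audit the constructed copy of the post's configuration; the hardened output keeps every non-TLS option untouched.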
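Added example for the two nmap runs in the post. It is not part of the post and not nmap or civetweb code: it repeats what ssl-enum-ciphers does against eagle:443, one handshake per TLS version, but with an explicit timeout, so a server that has stopped answering (the second nmap run lists the port as open but shows no ciphers at all) is reported as a timeout rather than as an empty cipher list. The host name and port are taken from the post; the connect hook, the verdict strings and the wedged() rule are this example's own.

```python
# Added example: per-version TLS probe with hang detection. Not from the post.
import socket
import ssl

VERSIONS = [
    ("TLS1.0", ssl.TLSVersion.TLSv1),
    ("TLS1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS1.3", ssl.TLSVersion.TLSv1_3),
]

def open_tls(host, port, version, timeout):
    """Handshake with exactly one protocol version; return (version, cipher name)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # we probe the handshake, not trust
    ctx.verify_mode = ssl.CERT_NONE   # (a CAcert-issued cert is untrusted by default anyway)
    ctx.minimum_version = version
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

def probe(host, port=443, timeout=5.0, connect=open_tls):
    """Map version name -> 'accepted (...)', 'rejected: ...', 'timeout: ...',
    'refused: ...' or 'unsupported locally: ...'. `connect` is injectable so
    the classification can be exercised without a network."""
    results = {}
    for name, version in VERSIONS:
        try:
            negotiated, cipher = connect(host, port, version, timeout)
            results[name] = f"accepted ({negotiated}, {cipher})"
        except (socket.timeout, TimeoutError):
            # TCP connected but no ServerHello or alert came back: the server
            # is wedged, not merely refusing this version.
            results[name] = "timeout: no handshake response"
        except ssl.SSLError as exc:
            # The server answered with an alert (what the posted error log
            # records as 'version too low' / 'no shared cipher' on its side).
            results[name] = f"rejected: {getattr(exc, 'reason', None) or exc}"
        except OSError as exc:
            results[name] = f"refused: {exc}"
        except ValueError as exc:
            results[name] = f"unsupported locally: {exc}"   # local OpenSSL lacks this version
    return results

def wedged(results):
    """True when no version was accepted and at least one simply timed out."""
    verdicts = list(results.values())
    return (not any(v.startswith("accepted") for v in verdicts)
            and any(v.startswith("timeout") for v in verdicts))

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "eagle"
    report = probe(host)
    for name, verdict in report.items():
        print(f"{name:7s} {verdict}")
    print("server wedged" if wedged(report) else "server answering")
```

Run it once before and once after a browser attempt or a scan: a healthy server with ssl_protocol_version 2 answers 'rejected' for nothing below TLS 1.0 and 'accepted' for the rest, whereas a server in the state the second nmap run shows times out on every version.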
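Added example for the civetweb_errors.log lines in the post. It is not part of the post and not civetweb code: it parses lines of that format, splits the OpenSSL 1.1.x packed error code into its library, function and reason fields (8, 12 and 12 bits), and groups failures per client, so that a burst of 'version too low' / 'unsupported protocol' / 'no shared cipher' from one address, which is what a cipher scanner provokes on purpose, is reported separately from a lone client that cannot negotiate at all. The sample log is constructed from the posted lines plus one extra client; the burst window, the threshold and the set of probe-type reasons are this example's own.

```python
# Added example: triage of civetweb 'sslize error' log lines. Not from the post.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"(?:sslize error: error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>.+)|(?P<other>.+))$"
)

# Handshake-parameter mismatches that a scanner triggers deliberately (assumption).
PROBE_REASONS = {"version too low", "unsupported protocol", "no shared cipher"}

# Constructed sample: lines modelled on the posted log, plus one lone client.
SAMPLE_LOG = """\
[1664817414] [error] [client 192.168.1.34] sslize error: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low
[1664817414] [error] [client 192.168.1.34] sslize error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[1664817415] [error] [client 192.168.1.34] sslize error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
[1664817416] [error] [client 192.168.1.34] SSL syscall error 0
[1664817500] [error] [client 192.168.1.50] sslize error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
"""

def decode_openssl_error(code):
    """'1420918C' -> {'lib': 20, 'func': 521, 'reason': 396} (OpenSSL 1.1.x ERR_PACK layout)."""
    value = int(code, 16)
    return {"lib": value >> 24, "func": (value >> 12) & 0xFFF, "reason": value & 0xFFF}

def parse_line(line):
    """One log line -> dict, or None when the line is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": int(m["ts"]), "ip": m["ip"]}
    if m["code"]:
        rec.update(decode_openssl_error(m["code"]))
        rec["func_name"] = m["func"]
        rec["reason_text"] = m["reason"].strip()
    else:
        rec["reason_text"] = m["other"].strip()      # e.g. 'SSL syscall error 0'
    return rec

def triage(log_text, window=5, burst=3):
    """Per-client verdict: 'scanner' when at least `burst` probe-type failures
    fall inside any `window` seconds, otherwise 'handshake-failure'."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec["ip"]].append(rec)
    report = {}
    for ip, recs in per_client.items():
        probes = sorted(r["ts"] for r in recs if r["reason_text"] in PROBE_REASONS)
        is_burst = any(
            sum(1 for t in probes if start <= t <= start + window) >= burst
            for start in probes)
        report[ip] = {
            "verdict": "scanner" if is_burst else "handshake-failure",
            "probe_failures": len(probes),
            "other": [r["reason_text"] for r in recs if r["reason_text"] not in PROBE_REASONS],
            "reasons": sorted({r["reason_text"] for r in recs}),
        }
    return report

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in triage(text).items():
        print(f"{ip:16s} {info['verdict']:18s} probes={info['probe_failures']} "
              f"other={info['other']} reasons={info['reasons']}")
```

Point it at civetweb_errors.log. The decoded reason numbers only repeat what the text after the last colon already says; the value of the split is that the function field tells you which handshake stage failed even when the log line is truncated, and the per-client grouping separates scan noise from the single client whose 'SSL syscall error' is worth chasing.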