[zeromq-dev] stonehouse and ironhouse examples - crypto being ignored in examples?

Pieter Hintjens ph at imatix.com
Fri Mar 7 18:52:10 CET 2014


When I change the whitelist in ironhouse2 it fails as expected:

ZAUTH I: DENIED (not in whitelist) address=127.0.0.1
CURVE I: ZAP handler rejected client authentication

Otherwise it works as expected.

That's using github master of libzmq and czmq.

On Fri, Mar 7, 2014 at 6:49 PM, Pieter Hintjens <ph at imatix.com> wrote:
> You are testing this with CZMQ git master?
>
> On Fri, Mar 7, 2014 at 6:43 PM, Turkey Breast <turkeybreast at yahoo.com> wrote:
>> There's still a problem with ironhouse2 (the other examples work).
>>
>> genjix@debian7:~/czmq/examples/security$ ./ironhouse
>> I: PASSED (whitelist) address=127.0.0.1
>> I: ALLOWED (CURVE) client_key=wfvY}{1?v*S#DP7+n2}L:?!rWfY@L*GprRr>?Ig7
>> Ironhouse test OK
>> genjix@debian7:~/czmq/examples/security$ ./ironhouse2
>> Ironhouse test OK
>>
>> ironhouse2 is ignoring the auth settings still.
>>
>> On , Turkey Breast <turkeybreast at yahoo.com> wrote:
>> OK, I'll test the new release once it's ready.
>>
>> On Friday, March 7, 2014 6:20 PM, Pieter Hintjens <ph at imatix.com> wrote:
>> OK... that took a little longer than I expected to hunt down.
>>
>> There is a not small error in the current CZMQ stable release. zauth.c
>> and zsockopt.c do not include platform.h, yet test HAVE_LIBSODIUM for
>> CURVE conditional code. As a result, no encryption is enabled in that
>> stable release, period.
>>
>> Easy to patch: add
>>
>> #include "platform.h"
>>
>> to zsockopt.c and zauth.c
>>
>> Better, take GitHub master. I'll make a new stable release for CZMQ asap.
>>
>> Thanks for pointing me to this error.
>>
>> -Pieter
>>
>>
>> On Fri, Mar 7, 2014 at 5:43 PM, Turkey Breast <turkeybreast at yahoo.com> wrote:
>>> Relevant output using czmq git (but ZMQ 4.0.3 and libsodium 0.4.5):
>>>
>>> $ ./ironhouse
>>> I: DENIED (not in whitelist) address=127.0.0.1
>>> I: DENIED (not in whitelist) address=127.0.0.1
>>>
>>> And:
>>>
>>> $ ./ironhouse
>>> I: PASSED (whitelist) address=127.0.0.1
>>> I: DENIED (CURVE) client_key=4tFk&Q=V]MN4]b$IY]>*L/wc-@XetsEc:)O76PQP
>>> I: PASSED (whitelist) address=127.0.0.1
>>> I: DENIED (CURVE) client_key=4tFk&Q=V]MN4]b$IY]>*L/wc-@XetsEc:)O76PQP
>>>
>>> (as expected)
>>>
>>> On , Turkey Breast <turkeybreast at yahoo.com> wrote:
>>> Yes it works with czmq master.
>>>
>>> I noticed before that the zap handler (inproc://zeromq.zap.01) wasn't being called in the poller but it was working with plain. I thought maybe it was a ZMQ problem, but since it works with git seems to indicate a czmq problem.
>>>
>>> Also the HAVE_LIBSODIUM macro wasn't exposed in zsockopt.c so I added #include "platform.h" to get that working, but it still didn't help.
>>>
>>> Thanks.
>>>
>>> On Friday, March 7, 2014 5:26 PM, Pieter Hintjens <ph at imatix.com> wrote:
>>> I'm using the latest git master.
>>>
>>> Changing the zauth_allow() call as you suggest gives me this response:
>>>
>>> I: DENIED (not in whitelist) address=127.0.0.1
>>> CURVE I: ZAP handler rejected client authentication
>>> I: DENIED (not in whitelist) address=127.0.0.1
>>> CURVE I: ZAP handler rejected client authentication
>>> I: DENIED (not in whitelist) address=127.0.0.1
>>> ...
>>>
>>> (with "I: DENIED" trace output from libzmq, and CURVE I: output from CZMQ)
>>>
>>> I might prefix the libzmq output to make it clearer.
>>>
>>> Next step, I'll try the older packages.
>>>
>>> -Pieter
>>>
>>>
>>> On Fri, Mar 7, 2014 at 3:06 PM, Turkey Breast <turkeybreast at yahoo.com> wrote:
>>>> I've installed a brand new Debian wheezy, and installed these packages:
>>>>
>>>> czmq-2.0.3.tar.gz
>>>> libsodium-0.4.5.tar.gz
>>>> zeromq-4.0.3.tar.gz
>>>>
>>>> If I change the zauth_allow() call to a random IP address then the example still passes. Normally I expect it to refuse the connection from localhost since it isn't part of the whitelist:
>>>>
>>>>   zauth_allow (auth, "8.5.3.6");
>>>>
>>>> And in ironhouse2.c if I comment out the line where it saves the client's public key (which is loaded by the server_task), the server still accepts the client connection despite not having the public key!
>>>>
>>>> This is a standard Debian wheezy install from scratch (nothing configured) using all the latest stable packages.
>>>> _______________________________________________
>>>> zeromq-dev mailing list
>>>> zeromq-dev at lists.zeromq.org
>>>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>
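
The failure mode described in the quoted 6:20 PM message (a source file testing HAVE_LIBSODIUM without including the header that defines it), shown as an added example that is not code from CZMQ or from this thread. `demo_sock_t` and the `set_curve_*` functions are hypothetical stand-ins, and the `#define` stands in for what `platform.h` would provide.

```c
#include <stdio.h>

/* Hypothetical stand-in for a socket: records whether CURVE was switched on. */
typedef struct { int curve_server; } demo_sock_t;

/* Part 1: no config header included yet, so HAVE_LIBSODIUM is undefined here. */
static int set_curve_failopen (demo_sock_t *s, int on)
{
    (void) s; (void) on;
#if defined (HAVE_LIBSODIUM)
    s->curve_server = on;
#endif
    return 0;   /* reports success although the body was compiled out */
}

/* Hardened variant: a build that cannot see the macro fails loudly. */
static int set_curve_failclosed (demo_sock_t *s, int on)
{
#if defined (HAVE_LIBSODIUM)
    s->curve_server = on;
    return 0;
#else
    (void) s; (void) on;
    return -1;  /* caller must treat this as "do not start" */
#endif
}

/* Part 2: constructed stand-in for what #include "platform.h" provides. */
#define HAVE_LIBSODIUM 1

static int set_curve_with_header (demo_sock_t *s, int on)
{
#if defined (HAVE_LIBSODIUM)
    s->curve_server = on;
#endif
    return 0;
}

int main (void)
{
    demo_sock_t a = { 0 }, b = { 0 }, c = { 0 };
    int ra = set_curve_failopen (&a, 1);
    int rb = set_curve_with_header (&b, 1);
    int rc = set_curve_failclosed (&c, 1);
    printf ("no header, fail-open:   rc=%d curve=%d\n", ra, a.curve_server);
    printf ("header included:        rc=%d curve=%d\n", rb, b.curve_server);
    printf ("no header, fail-closed: rc=%d curve=%d\n", rc, c.curve_server);
    return 0;
}
```

The compiler's `-Wundef` warning does not catch this pattern: it fires on `#if NAME`, not on `#if defined (NAME)`.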
