
Check bind port before assign service HTTPS API and openconnect
In progress, Requires assessment | Public | BUG

Description

Check the listen port before committing service https api and vpn openconnect.

Configure API:

set service https api gql
set service https api keys id KID key 'foo'
set service https api socket

Check ports:

[email protected]# sudo netstat -tulpn | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      15283/nginx: master 
tcp6       0      0 :::443                  :::*                    LISTEN      15283/nginx: master 
[edit]
[email protected]#

Configure openconnect:

set vpn openconnect authentication local-users username foo password 'bar'
set vpn openconnect authentication mode local 'password'
set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
set vpn openconnect ssl ca-certificate 'ca-ocserv'
set vpn openconnect ssl certificate 'srv-ocserv'
commit

Check ports and status:

[email protected]# sudo netstat -tulpn | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      15283/nginx: master 
tcp6       0      0 :::443                  :::*                    LISTEN      15283/nginx: master 
[edit]
[email protected]# sudo systemctl status ocserv.service
● ocserv.service - OpenConnect SSL VPN server
     Loaded: loaded (/lib/systemd/system/ocserv.service; disabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/ocserv.service.d
             └─override.conf
     Active: failed (Result: exit-code) since Fri 2022-08-05 14:36:51 EEST; 9s ago
       Docs: man:ocserv(8)
    Process: 15405 ExecStart=/usr/sbin/ocserv --foreground --pid-file /run/ocserv/ocserv.pid --config /run/ocserv/ocserv.conf (code=exited, status=1/FAILURE)
   Main PID: 15405 (code=exited, status=1/FAILURE)
        CPU: 6ms

Aug 05 14:36:51 r14 ocserv[15405]: main: CN=vyos.io,O=VyOS,L=Dnipro,ST=Denwer,C=US certificate key usage prevents key encipherment; unable to support the RSA ciphersuites; if that is not intentiona>
Aug 05 14:36:51 r14 ocserv[15405]: error connecting to sec-mod socket '/run/ocserv/ocserv.socket.e4a4a64e': No such file or directory
Aug 05 14:36:51 r14 ocserv[15405]: note: setting 'file' as supplemental config option
Aug 05 14:36:51 r14 ocserv[15405]: listening (TCP) on 0.0.0.0:443...
Aug 05 14:36:51 r14 ocserv[15405]: bind() failed: Address already in use
Aug 05 14:36:51 r14 ocserv[15405]: listening (TCP) on [::]:443...
Aug 05 14:36:51 r14 ocserv[15405]: bind() failed: Address already in use
Aug 05 14:36:51 r14 ocserv[15405]: Could not listen to any TCP or UNIX ports
Aug 05 14:36:51 r14 systemd[1]: ocserv.service: Main process exited, code=exited, status=1/FAILURE
Aug 05 14:36:51 r14 systemd[1]: ocserv.service: Failed with result 'exit-code'.

Requires this check https://github.com/vyos/vyos-1x/blob/2a10ffa4b5074be27458159fa94d6227d0e5c7f7/python/vyos/util.py#L939
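As an added example (not VyOS code, and not the vyos.util function linked above), the shape such a pre-commit check can take: parse the `netstat -tulpn` listing from the report to find which program already holds TCP 443, refuse the commit in a verify()-style function when another service owns it, and a live bind() probe for the same purpose. `ConfigError`, the helper names and the sample listing are assumptions.

```python
# Added example, not VyOS code; ConfigError and the helper names are assumptions.
import errno
import re
import socket

class ConfigError(Exception):
    """Aborts the commit (stands in for vyos.ConfigError)."""

# Constructed sample: the two 'netstat -tulpn | grep 443' rows from the report.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      15283/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      15283/nginx: master
"""
# columns: proto recv-q send-q local(addr:port) foreign state pid/program
_LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\d+)/([^\s:/]+)")

def listening_tcp_ports(netstat_output: str) -> dict[int, str]:
    """Map every TCP port in LISTEN state to the program name holding it."""
    owners: dict[int, str] = {}
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:  # UDP rows and non-LISTEN rows are skipped
            owners[int(m.group(1))] = m.group(3)  # v4/v6 rows collapse to one
    return owners

def verify_port_free(port: int, service: str, owners: dict[int, str]) -> None:
    """verify()-style check: refuse the commit if another program owns the port."""
    owner = owners.get(port)
    if owner is not None and owner != service:
        raise ConfigError(f'TCP port {port} is already bound by "{owner}"; '
                          f'"{service}" cannot listen on it')

def tcp_port_free(port: int, address: str = "0.0.0.0") -> bool:
    """Live probe: a plain bind() fails with EADDRINUSE when a listener exists."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((address, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return False
            raise  # EACCES etc.: the probe cannot tell, so surface it
    return True

def live_probe_demo() -> tuple[bool, bool]:
    """Hold an ephemeral loopback port, probe it, release it, probe again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_held = tcp_port_free(port, "127.0.0.1")
    return while_held, tcp_port_free(port, "127.0.0.1")  # (False, True)
```

Run against the report's listing, `verify_port_free(443, "ocserv", ...)` raises while `verify_port_free(443, "nginx", ...)` passes, which is the decision the commit stage needs before ocserv is started on the same port.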

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202208020217
Why did the issue appear?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)