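Foreword: Walking through the authentication process between a CPE and an ACS gives a first look at some of the rules of TR069. This article is only a record of what I learned while experimenting; it does not explain the protocol in depth, and some of the points may contain mistakes. It is intended only for people who are new to TR069.
Environment
System: Ubuntu 14.04 LTS
CPE: easyCWMP
ACS: GenieACS
*Other open-source ACSs:
openACS: maintenance stopped long ago and the author has deleted the source code. There is currently an official openACS website, but that openACS is not this openACS, so be careful.
freeACS: very easy to install, with a one-step install script; see the official website.
GenieACS: the newest open-source ACS I know of, and it is still maintained. Its documentation is comprehensive; I recommend it for setting up a test server.*
easyCWMP installation
The official documentation is quite detailed, and 95% of the steps work as written. Here I only mention the few places where following the official documentation may go wrong:
When running make for libubox, the following errors appear: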
blobmsg_json.c:78:2 error: implicit declaration of function 'is_error'
jshn.c:162:2: error: implicit declaration of function 'is_error'
Fix: add the following code to the affected files:
#define is_error(ptr) (ptr == NULL)
In total 2-3 files have this problem; add the line above to each of them.
Running easycwmp fails with:
error while loading shared libraries: libjson-c.so.3: cannot open shared object file: No such file or directory
Fix: run the following command
ln -sf /usr/local/lib/libjson-c.so.3.0.0 /usr/lib/libjson-c.so.3
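GenieACS installation
The GenieACS documentation is very detailed, so I will not repeat the installation steps here; see the official documentation. Pay attention to the versions given in the documentation to avoid version incompatibilities.
Authentication flow
TR069 has several authentication schemes; this article describes only the Digest authentication process. Digest authentication can be initiated either from the CPE side or from the ACS side. We discuss the two separately below, but some steps are common to both, so we cover those here first.
By default, communication between GenieACS and the CPE runs over an unencrypted connection; in real use we certainly need to do something about that. Because TR069 sits on top of HTTP, HTTPS is the obvious choice, and that requires a certificate. Since this article is experimental, we make a certificate ourselves by running the following commands (make sure openssl is installed):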
openssl genrsa 1024 > key.pem
openssl req -new -x509 -key key.pem > cert.pem
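These are the simplest possible steps; the certificate is valid for 30 days.
This section is based on the GenieACS documentation.
Note: for the Common Name, enter the IP of the PC that GenieACS runs on.
ACS-initiated Digest authentication
The authentication flow is as follows:
CPE                                                   ACS
1.<------------------http (no auth header)-------------
2.------------------ 401 Unauthorized---------------->
3.<------------------http get (with auth header)-----------
4.------------------200 OK--------------------------->
5.<-----------------100 continue----------------------
6.------------------6 connect request---------------->
7.<------------------200 OK---------------------------
Link to the GenieACS documentation
Testing ACS-initiated Digest authentication with GenieACS is fairly simple. In the config folder under the GenieACS installation root there is an auth-sample.js file: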
+++ RECEIVED HTTP REQUEST +++
http_digest_auth_fail_response(336):: http_digest_auth_fail_response: header: Digest realm="realm@easycwmp",qop="auth",nonce="1057d42b5253defd585d849e59e803f70001b083",opaque="328458fab28345ae87ab3210a8513b14eff452a2"
--- RECEIVED HTTP REQUEST ---
+++ HTTP SERVER CONNECTION FAILED +++
+++ RECEIVED HTTP REQUEST +++
http_digest_auth_check(379):: http_digest_auth_check: header: username="easycwmp",realm="realm@easycwmp",nonce="1057d42b5253defd585d849e59e803f70001b083",uri="/",qop=auth,nc=00000001,cnonce="0a4f113b",response="4055d3c9d9284a0ec0e1340065414342",opaque="328458fab28345ae87ab3210a8513b14eff452a2"
--- RECEIVED HTTP REQUEST ---
+++ HTTP SERVER CONNECTION SUCCESS +++
2018-05-03 15:37:04 [easycwmp] NOTICE - acs initiated connection
2018-05-03 15:37:04 [easycwmp] NOTICE - add event '6 CONNECTION REQUEST'
2018-05-03 15:37:04 [easycwmp] NOTICE - start session
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(51):: url: https://10.10.2.226:7547
http_client_init(53):: ssl_cert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
http_client_init(55):: ssl_cacert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
--- HTTP CLIENT CONFIGURATION ---
2018-05-03 15:37:04 [easycwmp] NOTICE - configured acs url https://10.10.2.226:7547
2018-05-03 15:37:04 [easycwmp] NOTICE - external script init
2018-05-03 15:37:04 [easycwmp] NOTICE - external: execute inform parameter
2018-05-03 15:37:04 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
<soap_env:Header>
<cwmp:ID soap_env:mustUnderstand="1">13</cwmp:ID>
</soap_env:Header>
<soap_env:Body>
<cwmp:Inform>
<DeviceId>
<Manufacturer>easycwmp</Manufacturer>
<OUI>FFFFFF</OUI>
<ProductClass>easycwmp</ProductClass>
<SerialNumber>number1</SerialNumber>
</DeviceId>
<Event soap_enc:arrayType="cwmp:EventStruct[1]">
<EventStruct>
<EventCode>6 CONNECTION REQUEST</EventCode>
<CommandKey />
</EventStruct>
</Event>
<MaxEnvelopes>1</MaxEnvelopes>
<CurrentTime>2018-05-03T15:37:04+08:00</CurrentTime>
<RetryCount>0</RetryCount>
<ParameterList soap_enc:arrayType="cwmp:ParameterValueStruct[10]">
<ParameterValueStruct>
<Name>Device.DeviceInfo.SpecVersion</Name>
<Value xsi:type="xsd:string">1.0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.ProvisioningCode</Name>
<Value xsi:type="xsd:string"></Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.Manufacturer</Name>
<Value xsi:type="xsd:string">easycwmp</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.ManufacturerOUI</Name>
<Value xsi:type="xsd:string">FFFFFF</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.ProductClass</Name>
<Value xsi:type="xsd:string">easycwmp</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.SerialNumber</Name>
<Value xsi:type="xsd:string">number1</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.HardwareVersion</Name>
<Value xsi:type="xsd:string">example_hw_version</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.SoftwareVersion</Name>
<Value xsi:type="xsd:string">example_sw_version</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.ManagementServer.ConnectionRequestURL</Name>
<Value xsi:type="xsd:string">http://10.10.2.226:7548/</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.ManagementServer.ParameterKey</Name>
<Value xsi:type="xsd:string">unsetCommandKey</Value>
</ParameterValueStruct>
</ParameterList>
</cwmp:Inform>
</soap_env:Body>
</soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://10.10.2.226:7547/
* Hostname was NOT found in DNS cache
* Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#24)
* successfully set certificate verify locations:
* CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
* start date: 2018-05-03 01:58:02 GMT
* expire date: 2018-06-02 01:58:02 GMT
* issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
* SSL certificate verify ok.
> POST / HTTP/1.1
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2742
Expect: 100-continue
< HTTP/1.1 401 Unauthorized
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Type: text/html
< Content-Length: 203
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted"
<
* Excess found in a non pipelined read: excess = 203 url = / (zero-length body)
* Closing connection 24
* Issue another request to this URL: 'https://10.10.2.226:7547/'
* Hostname was found in DNS cache
* Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#25)
* successfully set certificate verify locations:
* CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
* start date: 2018-05-03 01:58:02 GMT
* expire date: 2018-06-02 01:58:02 GMT
* issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
* SSL certificate verify ok.
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2742
Expect: 100-continue
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Type: text/xml; charset="utf-8"
< Content-Length: 523
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
* Added cookie session="ed1d383f6e52e056" for domain 10.10.2.226, path /, expire 0
< Set-Cookie: session=ed1d383f6e52e056
<
* Connection #25 to host 10.10.2.226 left intact
+++ RECEIVED HTTP RESPONSE +++
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><soap-env:Header><cwmp:ID soap-env:mustUnderstand="1">13</cwmp:ID></soap-env:Header><soap-env:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soap-env:Body></soap-env:Envelope>
--- RECEIVED HTTP RESPONSE ---
2018-05-03 15:37:04 [easycwmp] NOTICE - receive InformResponse from the ACS
2018-05-03 15:37:04 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host 10.10.2.226: 0x6f90d0
* Re-using existing connection! (#25) with host 10.10.2.226
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#25)
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
Cookie: session=ed1d383f6e52e056
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0
< HTTP/1.1 204 No Content
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Length: 0
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
<
* Connection #25 to host 10.10.2.226 left intact
+++ RECEIVED EMPTY HTTP RESPONSE +++
2018-05-03 15:37:04 [easycwmp] NOTICE - receive empty message from the ACS
2018-05-03 15:37:04 [easycwmp] NOTICE - external: execute apply service
2018-05-03 15:37:04 [easycwmp] NOTICE - external script exit
2018-05-03 15:37:04 [easycwmp] NOTICE - end session success
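The log above is long; the important part is in the first few dozen lines, which strictly follow the ACS-initiated Digest authentication flow shown above.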
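The check behind steps 2-4 of the flow above, as an added example (not code from the original article, easyCWMP or GenieACS): it parses an Authorization header in the form easycwmp logs it, recomputes the RFC 2617 response, and rejects foreign nonces and replayed nonce counts. The function names are hypothetical, and because the article does not show the password GenieACS used, the expected value is checked against the published RFC 2617 test vector rather than the logged response.

```python
import hashlib
import hmac
import re

# Header value exactly as easycwmp logged it in http_digest_auth_check above.
PAGE_HEADER = ('username="easycwmp",realm="realm@easycwmp",'
               'nonce="1057d42b5253defd585d849e59e803f70001b083",uri="/",qop=auth,'
               'nc=00000001,cnonce="0a4f113b",'
               'response="4055d3c9d9284a0ec0e1340065414342",'
               'opaque="328458fab28345ae87ab3210a8513b14eff452a2"')

# Test vector from RFC 2617 section 3.5 (password "Circle Of Life", method GET).
RFC_HEADER = ('username="Mufasa", realm="testrealm@host.com", '
              'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
              'qop=auth, nc=00000001, cnonce="0a4f113b", '
              'response="6629fae49393a05397450978507c4ef1", '
              'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header):
    """Split key="value" / key=value pairs into a dict (quotes removed)."""
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(header)}


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def expected_response(p, password, method):
    """RFC 2617 request-digest for algorithm MD5, with or without qop=auth."""
    ha1 = md5_hex(f'{p["username"]}:{p["realm"]}:{password}')
    ha2 = md5_hex(f'{method}:{p["uri"]}')
    if p.get("qop") == "auth":
        return md5_hex(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
    return md5_hex(f'{ha1}:{p["nonce"]}:{ha2}')


def verify(header, password, method, issued_nonce, seen_nc):
    """Return (accepted, reason). seen_nc maps nonce -> highest nc accepted so far."""
    p = parse_digest_params(header)
    needed = ["username", "realm", "nonce", "uri", "response"]
    if "qop" in p:
        if p["qop"] != "auth":
            return False, "unsupported qop"
        needed += ["nc", "cnonce"]
    if any(name not in p for name in needed):
        return False, "missing field"
    if p["nonce"] != issued_nonce:
        return False, "nonce not issued by this server"
    nc = 0
    if "qop" in p:
        try:
            nc = int(p["nc"], 16)  # nc is an 8-digit hex counter
        except ValueError:
            return False, "malformed nc"
        if nc <= seen_nc.get(p["nonce"], 0):
            return False, "nonce-count replay"
    want = expected_response(p, password, method).encode()
    # Constant-time comparison of the recomputed and the received response.
    if not hmac.compare_digest(want, p["response"].lower().encode()):
        return False, "bad response"
    seen_nc[p["nonce"]] = nc
    return True, "ok"


if __name__ == "__main__":
    state = {}
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    print(verify(RFC_HEADER, "Circle Of Life", "GET", nonce, state))  # first use
    print(verify(RFC_HEADER, "Circle Of Life", "GET", nonce, state))  # same nc again
    print(parse_digest_params(PAGE_HEADER))
```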
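CPE-initiated Digest authentication
The authentication flow is as follows:
CPE                                                   ACS
1.------------------inform (http without auth header)----------->
2.<------------------401 (http without auth header)--------------
3.------------------inform (http with auth header)------------->
4.<------------------200 OK---------------------------
5.------------------ Content-Length: 0--------------->
This flow turns out to be even simpler than the ACS-initiated authentication, but because GenieACS does not yet support CPE-to-ACS authentication, it can only be implemented through an nginx proxy, which makes it a little more troublesome.
Link to the official documentation
Here is a brief summary of the documentation; be sure to read the official documentation itself. It consists mainly of the following steps:
Edit the GenieACS configuration file genieacs/config/config.json and set every IP to the internal address 127.0.0.1: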
{
  "MONGODB_CONNECTION_URL" : "mongodb://127.0.0.1/genieacs",
  "REDIS_PORT" : "6379",
  "REDIS_HOST" : "127.0.0.1",
  "CWMP_INTERFACE" : "127.0.0.1",
  "CWMP_PORT" : 7547,
  "NBI_INTERFACE" : "127.0.0.1",
  "NBI_PORT" : 7557,
  "FS_INTERFACE" : "127.0.0.1",
  "FS_PORT" : 7567,
  "FS_HOSTNAME" : "tr069.tdt.de",
  "FS_SSL" : true,
  "LOG_INFORMS" : true,
  "DEBUG" : false
}
Install nginx:
sudo apt-get install nginx    # install nginx
touch /etc/nginx/sites-available/tr069.tdt.de    # add new nginx config
ln -s /etc/nginx/sites-available/tr069.tdt.de /etc/nginx/sites-enabled/tr069.tdt.de    # enable config
Edit the nginx configuration file /etc/nginx/nginx.conf to redirect the URIs being accessed:
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    server {
        listen 10.10.2.226:7557;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;
        access_log /var/log/nginx/example.de.nbi.log combined;
        error_log /var/log/nginx/example.de.nbi.log;
        location / {
            proxy_pass http://127.0.0.1:7557;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }
    server {
        listen 10.10.2.226:7547;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;
        access_log /var/log/nginx/example.de.cwmp.log combined;
        error_log /var/log/nginx/example.de.cwmp.log;
        location / {
            proxy_pass http://127.0.0.1:7547;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }
    server {
        listen 10.10.2.226:7567;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;
        access_log /var/log/nginx/example.de.fs.log combined;
        error_log /var/log/nginx/example.de.fs.log;
        location / {
            proxy_pass https://127.0.0.1:7567;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }
}
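In short, all access to 10.10.2.226 is redirected to 127.0.0.1; earlier we changed the GenieACS configuration so that all of the ACS IPs are 127.0.0.1.
So if you are testing on a single computer, the ACS can also be reached through 127.0.0.1, but that bypasses nginx and no authentication takes place. We therefore also need to edit the easyCWMP configuration file /etc/config/easycwmp and change the IP in the acs section to 10.10.2.226, as follows: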
config local
    option interface 'eth0'
    option port '7548'
    option ubus_socket '/var/run/ubus.sock'
    option date_format '%FT%T%z'
    option username 'easycwmp'
    option password 'easycwmp'
    option logging_level '3'
config acs
    option url 'https://10.10.2.226:7547'
    option ssl_verify 'enabled'
    option ssl_cert '/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem'
    option ssl_cacert '/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem'
    option username 'zzj'
    option password '123456'
    option periodic_enable '1'
    option periodic_time '0001-01-01T00:00:00Z'
    option parameter_key 'unsetCommandKey'
    option periodic_interval '1800'
config device
    option manufacturer 'easycwmp'
    option oui 'FFFFFF'
    option product_class 'easycwmp'
    option serial_number 'number1'
    option hardware_version 'example_hw_version'
    option software_version 'example_sw_version'
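The nginx configuration edited above has a parameter auth_basic_user_file; this is a file that stores the username and password, so we need to create an ms-htpasswd file. The official site gives a link explaining how to create this file; if you do not fully understand it, you can refer to this article.
Finally, we need to make a small change to the easyCWMP source: in the http_client_init function of http.c, add a setting for the certificate key:
if (config->acs->ssl_cert) {
    curl_easy_setopt(curl, CURLOPT_SSLCERT, config->acs->ssl_cert);
    /* private key that belongs to ssl_cert; the path is hard-coded here */
    curl_easy_setopt(curl, CURLOPT_SSLKEY, "/home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem");
}
I also cannot figure out why the acs struct has no definition for the key. Perhaps it is because my certificate was generated from a key, so the key is required for verification?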
Verification
Starting GenieACS is a bit of a hassle, so here is the list of commands to run:
Start mongodb: /usr/bin/mongod
Start redis-server: /usr/bin/redis-server
Start acs: ./genieacs/bin/genieacs-cwmp
Start nbi: ./genieacs/bin/genieacs-nbi
Start acs-gui: run rails s in the genieacs-gui directory
Start easyCWMP:
sudo /usr/sbin/easycwmpd -f
View the easyCWMP log:
zzj@sed:/opt/dev/easycwmp$ sudo /usr/sbin/easycwmpd -f
2018-05-03 16:54:43 [easycwmp] NOTICE - add event '1 BOOT'
2018-05-03 16:54:43 [easycwmp] NOTICE - external script init
config_init_local(58):: easycwmp.@local[0].interface=eth0
config_init_local(68):: easycwmp.@local[0].port=7548
config_init_local(86):: easycwmp.@local[0].ubus_socket=/var/run/ubus.sock
config_init_local(74):: easycwmp.@local[0].username=easycwmp
config_init_local(80):: easycwmp.@local[0].password=easycwmp
config_init_local(97):: easycwmp.@local[0].logging_level=3
config_init_acs(162):: easycwmp.@acs[0].url=https://10.10.2.226:7547
config_init_acs(220):: easycwmp.@acs[0].ssl_verify=1
config_init_acs(205):: easycwmp.@acs[0].ssl_cert=/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
config_init_acs(210):: easycwmp.@acs[0].ssl_cacert=/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
config_init_acs(168):: easycwmp.@acs[0].username=zzj
config_init_acs(174):: easycwmp.@acs[0].password=123456
config_init_acs(180):: easycwmp.@acs[0].periodic_enable=1
config_init_acs(193):: easycwmp.@acs[0].periodic_time=0001-01-01T00:00:00Z
config_init_acs(186):: easycwmp.@acs[0].periodic_interval=1800
2018-05-03 16:54:43 [easycwmp] NOTICE - init periodic inform: reference time = -62135625943, interval = 1800
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute update_value_change
2018-05-03 16:54:43 [easycwmp] NOTICE - daemon started
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute inform device_id
2018-05-03 16:54:43 [easycwmp] NOTICE - external script exit
2018-05-03 16:54:43 [easycwmp] NOTICE - interface eth0 has ip 10.10.2.226
main(329): ubus initialization failed
+++ HTTP SERVER CONFIGURATION +++
ip: '10.10.2.226'
port: '7548'
--- HTTP SERVER CONFIGURATION ---
2018-05-03 16:54:43 [easycwmp] NOTICE - http server initialized
2018-05-03 16:54:43 [easycwmp] NOTICE - entering main loop
2018-05-03 16:54:43 [easycwmp] NOTICE - start session
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(51):: url: https://10.10.2.226:7547
http_client_init(53):: ssl_cert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
http_client_init(55):: ssl_cacert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
--- HTTP CLIENT CONFIGURATION ---
2018-05-03 16:54:43 [easycwmp] NOTICE - configured acs url https://10.10.2.226:7547
2018-05-03 16:54:43 [easycwmp] NOTICE - external script init
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute inform parameter
2018-05-03 16:54:43 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
<soap_env:Header>
<cwmp:ID soap_env:mustUnderstand="1">1</cwmp:ID>
</soap_env:Header>
<soap_env:Body>
<cwmp:Inform>
<DeviceId>
<Manufacturer>easycwmp</Manufacturer>
<OUI>FFFFFF</OUI>
<ProductClass>easycwmp</ProductClass>
<SerialNumber>number1</SerialNumber>
</DeviceId>
<Event soap_enc:arrayType="cwmp:EventStruct[1]">
<EventStruct>
<EventCode>1 BOOT</EventCode>
<CommandKey />
</EventStruct>
</Event>
<MaxEnvelopes>1</MaxEnvelopes>
<CurrentTime>2018-05-03T16:54:43+08:00</CurrentTime>
<RetryCount>0</RetryCount>
<ParameterList soap_enc:arrayType="cwmp:ParameterValueStruct[10]">
<ParameterValueStruct>
<Name>Device.DeviceInfo.SpecVersion</Name>
<Value xsi:type="xsd:string">1.0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.ProvisioningCode</Name>
<Value xsi:type="xsd:string"></Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.Manufacturer</Name>
<Value xsi:type="xsd:string">easycwmp</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.ManufacturerOUI</Name>
<Value xsi:type="xsd:string">FFFFFF</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.ProductClass</Name>
<Value xsi:type="xsd:string">easycwmp</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.SerialNumber</Name>
<Value xsi:type="xsd:string">number1</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.HardwareVersion</Name>
<Value xsi:type="xsd:string">example_hw_version</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.DeviceInfo.SoftwareVersion</Name>
<Value xsi:type="xsd:string">example_sw_version</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.ManagementServer.ConnectionRequestURL</Name>
<Value xsi:type="xsd:string">http://10.10.2.226:7548/</Value>
</ParameterValueStruct>
<ParameterValueStruct>
<Name>Device.ManagementServer.ParameterKey</Name>
<Value xsi:type="xsd:string">unsetCommandKey</Value>
</ParameterValueStruct>
</ParameterList>
</cwmp:Inform>
</soap_env:Body>
</soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://10.10.2.226:7547/
* Hostname was NOT found in DNS cache
* Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#0)
* successfully set certificate verify locations:
* CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
* start date: 2018-05-03 01:58:02 GMT
* expire date: 2018-06-02 01:58:02 GMT
* common name: 10.10.2.226 (matched)
* issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
* SSL certificate verify ok.
> POST / HTTP/1.1
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2727
Expect: 100-continue
< HTTP/1.1 401 Unauthorized
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Type: text/html
< Content-Length: 203
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted"
<
* Excess found in a non pipelined read: excess = 203 url = / (zero-length body)
* Closing connection 0
* Issue another request to this URL: 'https://10.10.2.226:7547/'
* Hostname was found in DNS cache
* Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#1)
* successfully set certificate verify locations:
* CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
* start date: 2018-05-03 01:58:02 GMT
* expire date: 2018-06-02 01:58:02 GMT
* common name: 10.10.2.226 (matched)
* issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
* SSL certificate verify ok.
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2727
Expect: 100-continue
< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Type: text/xml; charset="utf-8"
< Content-Length: 522
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
* Added cookie session="e5fd17b60f6b9a3c" for domain 10.10.2.226, path /, expire 0
< Set-Cookie: session=e5fd17b60f6b9a3c
<
* Connection #1 to host 10.10.2.226 left intact
+++ RECEIVED HTTP RESPONSE +++
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><soap-env:Header><cwmp:ID soap-env:mustUnderstand="1">1</cwmp:ID></soap-env:Header><soap-env:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soap-env:Body></soap-env:Envelope>
--- RECEIVED HTTP RESPONSE ---
2018-05-03 16:54:43 [easycwmp] NOTICE - receive InformResponse from the ACS
2018-05-03 16:54:43 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host 10.10.2.226: 0x156e970
* Re-using existing connection! (#1) with host 10.10.2.226
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#1)
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
Cookie: session=e5fd17b60f6b9a3c
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0
< HTTP/1.1 204 No Content
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Length: 0
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
<
* Connection #1 to host 10.10.2.226 left intact
+++ RECEIVED EMPTY HTTP RESPONSE +++
2018-05-03 16:54:43 [easycwmp] NOTICE - receive empty message from the ACS
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute apply service
2018-05-03 16:54:43 [easycwmp] NOTICE - external script exit
2018-05-03 16:54:43 [easycwmp] NOTICE - end session success
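From the log we can see that authentication "seems" to have taken place, but it differs slightly from the flow described above, because the CPE-to-ACS authentication here is not Digest authentication but Basic authentication? The official documentation says: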
For this workaround it is only possible to make a auth with username/password the deviceid will not be checked!
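An added example (not from the original article or from either project) that audits a session log like the one above: it reports the transport, the scheme the server offered and the scheme the CPE sent, and it redacts credentials before the log is shared. The function names are hypothetical; the lines in SAMPLE_LOG are copied from the log on this page.

```python
import base64
import binascii
import re

# Lines copied from the easycwmp/curl log shown on this page.
SAMPLE_LOG = """\
config_init_acs(174):: easycwmp.@acs[0].password=123456
http_client_init(51):: url: https://10.10.2.226:7547
> POST / HTTP/1.1
Host: 10.10.2.226:7547
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Restricted"
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
< HTTP/1.1 200 OK
"""

_URL = re.compile(r"\burl: (https?)://", re.I)
_CHALLENGE = re.compile(r"^< WWW-Authenticate:\s*(\w+)", re.I)
_AUTHZ = re.compile(r"^((?:> )?Authorization:\s*(\w+)\s+)(.*)$", re.I)
_CFG_PW = re.compile(r"(\.password=)\S+")


def audit_session(log_text):
    """Report the transport, the schemes offered and sent, and what that exposes."""
    rep = {"transport": None, "offered": set(), "sent": set(),
           "basic_user": None, "basic_pw_len": 0, "findings": []}
    for line in map(str.strip, log_text.splitlines()):
        if rep["transport"] is None and (m := _URL.search(line)):
            rep["transport"] = m.group(1).lower()
        if m := _CHALLENGE.match(line):
            rep["offered"].add(m.group(1).capitalize())
        if m := _AUTHZ.match(line):
            scheme = m.group(2).capitalize()
            rep["sent"].add(scheme)
            if scheme == "Basic":
                try:
                    decoded = base64.b64decode(m.group(3).strip(), validate=True)
                    user, _, pw = decoded.decode("utf-8").partition(":")
                except (binascii.Error, UnicodeDecodeError):
                    continue  # not a well-formed Basic credential
                rep["basic_user"], rep["basic_pw_len"] = user, len(pw)
    if "Basic" in rep["sent"]:
        rep["findings"].append("Basic sent: the password can be decoded from this log")
        if rep["transport"] != "https":
            rep["findings"].append("Basic without TLS: the password is readable on the wire")
    if rep["offered"] and "Digest" not in rep["offered"]:
        rep["findings"].append("server offered no Digest challenge")
    return rep


def redact(log_text):
    """Blank out Authorization values and UCI password options before sharing a log."""
    out = []
    for line in log_text.splitlines():
        line = _AUTHZ.sub(lambda m: m.group(1) + "<redacted>", line.rstrip())
        out.append(_CFG_PW.sub(r"\1<redacted>", line))
    return "\n".join(out)


if __name__ == "__main__":
    report = audit_session(SAMPLE_LOG)
    print(report["transport"], report["offered"], report["sent"], report["basic_user"])
    for finding in report["findings"]:
        print("-", finding)
    print(redact(SAMPLE_LOG))
```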
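Conclusion
That is roughly all; it is not written in great detail. If you find mistakes or have questions, leave a comment and we can discuss.
*References: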
http://www.cnblogs.com/myblesh/p/6225665.html
https://www.cnblogs.com/AloneSword/p/5086918.html
https://github.com/genieacs/genieacs/wiki/GenieACS-SSL*