TR069: Digest authentication between CPE and ACS

Foreword: by understanding the authentication process between a CPE and an ACS, you get a first look at some of the rules of TR069. This article is only a record of experience gained in experiments; it does not explain the protocol in depth, and some points may contain errors. It is intended only for people who are new to TR069.

Environment

System: Ubuntu 14.04 LTS
CPE: easyCWMP
ACS: GenieACS

*Other open-source ACSs:
openACS: long unmaintained, and the author has deleted the source as well. There is currently an openACS website, but that openACS is not this one, so take care.
freeACS: easy to install with a one-click script; see its website.
GenieACS: the newest open-source ACS I know of, still maintained, with comprehensive documentation. Recommended for setting up a test server.*

easyCWMP installation

The official documentation is fairly detailed and 95% of the steps work as written. Here I only mention the places where following the official docs may fail:
libubox fails during make with

blobmsg_json.c:78:2 error: implicit declaration of function 'is_error'
jshn.c:162:2: error: implicit declaration of function 'is_error'

Fix: add the following line to each affected file:

#define is_error(ptr) (ptr == NULL)

2-3 files have this problem; add the line to each of them.

Running easycwmp fails with

error while loading shared libraries: libjson-c.so.3: cannot open shared object file: No such file or directory

Fix: run the following command

ln -sf /usr/local/lib/libjson-c.so.3.0.0 /usr/lib/libjson-c.so.3

GenieACS installation

GenieACS's documentation is very detailed, so I won't repeat the installation process here; see the official docs. Pay attention to the versions given in the docs to avoid version incompatibilities.

Authentication flow

TR069 supports several authentication schemes; this article only describes Digest authentication. Digest authentication can be initiated either from the CPE side or from the ACS side. We discuss the two cases separately below, but there are some common steps, which we cover first.
By default GenieACS communicates with the CPE over an unencrypted connection; in real use you will certainly want some protection. Since TR069 runs over HTTP, HTTPS is the obvious choice, and that requires a certificate. This article is experimental, so we make our own certificate; run the following commands (make sure openssl is installed):

openssl genrsa 1024 > key.pem
openssl req -new -x509 -key key.pem > cert.pem

These are the simplest possible steps; the certificate is valid for 30 days. Note that a 1024-bit RSA key is below what current clients and CAs accept, so outside a lab use at least 2048 bits.
This section follows the GenieACS documentation.
Note: for Common Name, enter the IP of the PC running GenieACS.

ACS-initiated Digest authentication

The authentication flow is as follows:

CPE                                              ACS

1.<------------------HTTP (no auth header)------------

2.------------------ 401 Unauthorized---------------->

3.<------------------HTTP GET (with auth header)------

4.------------------200 OK--------------------------->

5.<-----------------100 Continue----------------------

6.------------------Inform (6 CONNECTION REQUEST)---->

7.<------------------200 OK---------------------------

GenieACS documentation (link)
Testing ACS-initiated Digest authentication with GenieACS is fairly simple. In the config folder under the GenieACS install root there is an auth-sample.js file:

+++ RECEIVED HTTP REQUEST +++
http_digest_auth_fail_response(336):: http_digest_auth_fail_response: header: Digest realm="realm@easycwmp",qop="auth",nonce="1057d42b5253defd585d849e59e803f70001b083",opaque="328458fab28345ae87ab3210a8513b14eff452a2"--- RECEIVED HTTP REQUEST ---
+++ HTTP SERVER CONNECTION FAILED +++
+++ RECEIVED HTTP REQUEST +++
http_digest_auth_check(379):: http_digest_auth_check: header: username="easycwmp",realm="realm@easycwmp",nonce="1057d42b5253defd585d849e59e803f70001b083",uri="/",qop=auth,nc=00000001,cnonce="0a4f113b",response="4055d3c9d9284a0ec0e1340065414342",opaque="328458fab28345ae87ab3210a8513b14eff452a2"
--- RECEIVED HTTP REQUEST ---
+++ HTTP SERVER CONNECTION SUCCESS +++
2018-05-03 15:37:04 [easycwmp] NOTICE - acs initiated connection
2018-05-03 15:37:04 [easycwmp] NOTICE - add event '6 CONNECTION REQUEST'
2018-05-03 15:37:04 [easycwmp] NOTICE - start session
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(51):: url: https://10.10.2.226:7547
http_client_init(53):: ssl_cert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
http_client_init(55):: ssl_cacert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
--- HTTP CLIENT CONFIGURATION ---
2018-05-03 15:37:04 [easycwmp] NOTICE - configured acs url https://10.10.2.226:7547
2018-05-03 15:37:04 [easycwmp] NOTICE - external script init
2018-05-03 15:37:04 [easycwmp] NOTICE - external: execute inform parameter 
2018-05-03 15:37:04 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">13</cwmp:ID>
  </soap_env:Header>
  <soap_env:Body>
   <cwmp:Inform>
    <DeviceId>
     <Manufacturer>easycwmp</Manufacturer>
     <OUI>FFFFFF</OUI>
     <ProductClass>easycwmp</ProductClass>
     <SerialNumber>number1</SerialNumber>
    </DeviceId>
    <Event soap_enc:arrayType="cwmp:EventStruct[1]">
     <EventStruct>
      <EventCode>6 CONNECTION REQUEST</EventCode>
      <CommandKey />
     </EventStruct>
    </Event>
    <MaxEnvelopes>1</MaxEnvelopes>
    <CurrentTime>2018-05-03T15:37:04+08:00</CurrentTime>
    <RetryCount>0</RetryCount>
    <ParameterList soap_enc:arrayType="cwmp:ParameterValueStruct[10]">
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SpecVersion</Name>
      <Value xsi:type="xsd:string">1.0</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProvisioningCode</Name>
      <Value xsi:type="xsd:string"></Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.Manufacturer</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ManufacturerOUI</Name>
      <Value xsi:type="xsd:string">FFFFFF</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProductClass</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SerialNumber</Name>
      <Value xsi:type="xsd:string">number1</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.HardwareVersion</Name>
      <Value xsi:type="xsd:string">example_hw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SoftwareVersion</Name>
      <Value xsi:type="xsd:string">example_sw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ConnectionRequestURL</Name>
      <Value xsi:type="xsd:string">http://10.10.2.226:7548/</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ParameterKey</Name>
      <Value xsi:type="xsd:string">unsetCommandKey</Value>
     </ParameterValueStruct>
    </ParameterList>
   </cwmp:Inform>
  </soap_env:Body>
 </soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://10.10.2.226:7547/
* Hostname was NOT found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#24)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
*    SSL certificate verify ok.
> POST / HTTP/1.1
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2742
Expect: 100-continue

< HTTP/1.1 401 Unauthorized
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Type: text/html
< Content-Length: 203
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted"
< 
* Excess found in a non pipelined read: excess = 203 url = / (zero-length body)
* Closing connection 24
* Issue another request to this URL: 'https://10.10.2.226:7547/'
* Hostname was found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#25)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
*    SSL certificate verify ok.
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2742
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Type: text/xml; charset="utf-8"
< Content-Length: 523
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
* Added cookie session="ed1d383f6e52e056" for domain 10.10.2.226, path /, expire 0
< Set-Cookie: session=ed1d383f6e52e056
< 
* Connection #25 to host 10.10.2.226 left intact
+++ RECEIVED HTTP RESPONSE +++
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><soap-env:Header><cwmp:ID soap-env:mustUnderstand="1">13</cwmp:ID></soap-env:Header><soap-env:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soap-env:Body></soap-env:Envelope>
--- RECEIVED HTTP RESPONSE ---
2018-05-03 15:37:04 [easycwmp] NOTICE - receive InformResponse from the ACS
2018-05-03 15:37:04 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host 10.10.2.226: 0x6f90d0
* Re-using existing connection! (#25) with host 10.10.2.226
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#25)
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
Cookie: session=ed1d383f6e52e056
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0

< HTTP/1.1 204 No Content
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Length: 0
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
< 
* Connection #25 to host 10.10.2.226 left intact
+++ RECEIVED EMPTY HTTP RESPONSE +++
2018-05-03 15:37:04 [easycwmp] NOTICE - receive empty message from the ACS
2018-05-03 15:37:04 [easycwmp] NOTICE - external: execute apply service 
2018-05-03 15:37:04 [easycwmp] NOTICE - external script exit
2018-05-03 15:37:04 [easycwmp] NOTICE - end session success

The log above is long; the important part is in the first few dozen lines, and it follows the ACS-initiated Digest authentication flow shown above exactly.
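As an added example (not code from the page, easyCWMP or GenieACS), the Digest computation behind the http_digest_auth_fail_response / http_digest_auth_check lines in the log above: the CPE's 401 challenge, the ACS's Authorization reply, and the CPE-side check. The realm, nonce, opaque and cnonce values are reused from the log as constructed input, and the credentials are the CPE ones from the page's /etc/config/easycwmp (username and password 'easycwmp'); the password itself never crosses the wire, which is the difference from the Basic exchange later in the same log.

```python
import hashlib
import secrets

# CPE-side credentials from the page's /etc/config/easycwmp (config local),
# and realm/nonce/opaque/cnonce values reused from the easycwmp log as
# constructed input. A real CPE generates a fresh nonce per challenge.
REALM = "realm@easycwmp"
NONCE = "1057d42b5253defd585d849e59e803f70001b083"
OPAQUE = "328458fab28345ae87ab3210a8513b14eff452a2"
CNONCE = "0a4f113b"
USERS = {"easycwmp": "easycwmp"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest_header(value: str) -> dict:
    """Split a Digest header into a dict; values may be quoted or bare.
    Simplified: assumes no commas inside quoted values, as in the page's log."""
    if value.lower().startswith("digest "):
        value = value[len("digest "):]
    fields = {}
    for part in value.split(","):
        key, _, raw = part.strip().partition("=")
        fields[key.strip()] = raw.strip().strip('"')
    return fields


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2),
    with HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def challenge_header() -> str:
    """Step 2 of the flow: the WWW-Authenticate value the CPE sends with its 401."""
    return f'Digest realm="{REALM}",qop="auth",nonce="{NONCE}",opaque="{OPAQUE}"'


def authorization_header(username, password, method, uri, nc="00000001", cnonce=CNONCE) -> str:
    """Step 3 of the flow: the Authorization value the ACS sends on its retry."""
    resp = digest_response(username, password, method, uri, NONCE, nc, cnonce)
    return (f'Digest username="{username}",realm="{REALM}",nonce="{NONCE}",uri="{uri}",'
            f'qop=auth,nc={nc},cnonce="{cnonce}",response="{resp}",opaque="{OPAQUE}"')


def check_digest(header: str, method: str, request_uri: str, seen_nc: set) -> bool:
    """CPE-side check (the role of http_digest_auth_check in the log): the
    challenge values must be ours, the uri must be the one actually requested,
    the nonce count must be new (replay protection) and the response must match
    one recomputed from the stored password, compared in constant time."""
    f = parse_digest_header(header)
    try:
        if f["realm"] != REALM or f["nonce"] != NONCE or f["opaque"] != OPAQUE:
            return False
        if f.get("qop") != "auth" or f["uri"] != request_uri or f["nc"] in seen_nc:
            return False
        expected = digest_response(f["username"], USERS[f["username"]], method,
                                   f["uri"], f["nonce"], f["nc"], f["cnonce"])
        if not secrets.compare_digest(expected, f["response"]):
            return False
    except KeyError:            # missing field or unknown user
        return False
    seen_nc.add(f["nc"])
    return True
```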

CPE-initiated Digest authentication

The authentication flow is as follows:

CPE                                                ACS

1.------------------Inform (HTTP, no auth header)---->

2.<------------------401 (no auth header)-------------

3.------------------Inform (HTTP, with auth header)-->

4.<------------------200 OK---------------------------

5.------------------ Content-Length: 0--------------->

This flow is even simpler than the ACS-initiated one, but because GenieACS does not yet support CPE-to-ACS authentication it can only be done through an nginx proxy, which is a bit more work.
Official documentation (link)
Here is a brief summary of the documentation; be sure to read the official docs. The main steps are:
Modify GenieACS's configuration file genieacs/config/config.json, setting every interface to the loopback address 127.0.0.1:

{
  "MONGODB_CONNECTION_URL" : "mongodb://127.0.0.1/genieacs",
  "REDIS_PORT" : "6379",
  "REDIS_HOST" : "127.0.0.1",
  "CWMP_INTERFACE" : "127.0.0.1",
  "CWMP_PORT" : 7547,
  "NBI_INTERFACE" : "127.0.0.1",
  "NBI_PORT" : 7557,
  "FS_INTERFACE" : "127.0.0.1",
  "FS_PORT" : 7567,
  "FS_HOSTNAME" : "tr069.tdt.de",
  "FS_SSL" : true,
  "LOG_INFORMS" : true,
  "DEBUG" : false
}

Install nginx:

sudo apt-get install nginx <- install nginx
touch /etc/nginx/sites-available/tr069.tdt.de <- add new nginx config
ln -s /etc/nginx/sites-available/tr069.tdt.de /etc/nginx/sites-enabled/tr069.tdt.de <- enable config

Modify the nginx configuration file /etc/nginx/nginx.conf to proxy the public listeners to the loopback ports:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    server {
        listen 10.10.2.226:7557;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;

        access_log /var/log/nginx/example.de.nbi.log combined;
        error_log /var/log/nginx/example.de.nbi.log;

        location / {
            proxy_pass http://127.0.0.1:7557;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }

    server {
        listen 10.10.2.226:7547;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;

        access_log /var/log/nginx/example.de.cwmp.log combined;
        error_log /var/log/nginx/example.de.cwmp.log;

        location / {
            proxy_pass http://127.0.0.1:7547;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }

    server {
        listen 10.10.2.226:7567;
        server_name example.de;
        ssl on;
        ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
        ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;

        access_log /var/log/nginx/example.de.fs.log combined;
        error_log /var/log/nginx/example.de.fs.log;

        location / {
            proxy_pass https://127.0.0.1:7567;
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            #proxy_set_header Host $host;
            #proxy_cache_bypass $http_upgrade;
            proxy_set_header Authorization "";
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/ms-htpasswd;
        }
    }
}

In short, all access to 10.10.2.226 is proxied to 127.0.0.1, where the GenieACS services listen after the config change above. The only thing keeping the unauthenticated GenieACS listeners off the network is that they are bound to 127.0.0.1; if CWMP_INTERFACE were left on a public address, the nginx authentication could be skipped by connecting to the backend port directly.
So if you test on a single machine, the ACS can also be reached via 127.0.0.1, but that bypasses nginx and no authentication takes place. Therefore we also need to modify easyCWMP's configuration file /etc/config/easycwmp and set the IP in the acs section to 10.10.2.226, as follows:

config local
    option interface 'eth0'
    option port '7548'
    option ubus_socket '/var/run/ubus.sock'
    option date_format '%FT%T%z'
    option username 'easycwmp'
    option password 'easycwmp'
    option logging_level '3'

config acs
    option url 'https://10.10.2.226:7547'
    option ssl_verify 'enabled'
    option ssl_cert '/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem'
    option ssl_cacert '/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem'
    option username 'zzj'
    option password '123456'
    option periodic_enable '1'
    option periodic_time '0001-01-01T00:00:00Z'
    option parameter_key 'unsetCommandKey'
    option periodic_interval '1800'

config device
    option manufacturer 'easycwmp'
    option oui 'FFFFFF'
    option product_class 'easycwmp'
    option serial_number 'number1'
    option hardware_version 'example_hw_version'
    option software_version 'example_sw_version'

The nginx configuration above has a parameter auth_basic_user_file, which names a file holding username/password entries, so we need to create the ms-htpasswd file. The official site links to an explanation of how to create this file; if that is not clear, see this article.
Finally we also need a small change to the easyCWMP source: in the http_client_init function of http.c, add the setting of the certificate key:

    /* in http_client_init: client certificate from the acs config section */
    if (config->acs->ssl_cert) {
        curl_easy_setopt(curl, CURLOPT_SSLCERT, config->acs->ssl_cert);
        /* added: the private key belonging to cert.pem (path from this setup) */
        curl_easy_setopt(curl, CURLOPT_SSLKEY, "/home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem");
    }

I am not sure why the acs struct has no field for the key. Perhaps because my certificate was generated from the key, so the key is required for verification?

Verification

Starting GenieACS is a little involved, so here are the commands to start each part:
start mongodb: /usr/bin/mongod
start redis-server: /usr/bin/redis-server
start the acs: ./genieacs/bin/genieacs-cwmp
start the nbi: ./genieacs/bin/genieacs-nbi
start acs-gui: run rails s in the genieacs-gui directory

Start easyCWMP:

sudo /usr/sbin/easycwmpd -f

Look at easyCWMP's log:

zzj@sed:/opt/dev/easycwmp$ sudo /usr/sbin/easycwmpd -f
2018-05-03 16:54:43 [easycwmp] NOTICE - add event '1 BOOT'
2018-05-03 16:54:43 [easycwmp] NOTICE - external script init
config_init_local(58):: easycwmp.@local[0].interface=eth0
config_init_local(68):: easycwmp.@local[0].port=7548
config_init_local(86):: easycwmp.@local[0].ubus_socket=/var/run/ubus.sock
config_init_local(74):: easycwmp.@local[0].username=easycwmp
config_init_local(80):: easycwmp.@local[0].password=easycwmp
config_init_local(97):: easycwmp.@local[0].logging_level=3
config_init_acs(162):: easycwmp.@acs[0].url=https://10.10.2.226:7547
config_init_acs(220):: easycwmp.@acs[0].ssl_verify=1
config_init_acs(205):: easycwmp.@acs[0].ssl_cert=/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
config_init_acs(210):: easycwmp.@acs[0].ssl_cacert=/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
config_init_acs(168):: easycwmp.@acs[0].username=zzj
config_init_acs(174):: easycwmp.@acs[0].password=123456
config_init_acs(180):: easycwmp.@acs[0].periodic_enable=1
config_init_acs(193):: easycwmp.@acs[0].periodic_time=0001-01-01T00:00:00Z
config_init_acs(186):: easycwmp.@acs[0].periodic_interval=1800
2018-05-03 16:54:43 [easycwmp] NOTICE - init periodic inform: reference time = -62135625943, interval = 1800
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute update_value_change  
2018-05-03 16:54:43 [easycwmp] NOTICE - daemon started
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute inform device_id 
2018-05-03 16:54:43 [easycwmp] NOTICE - external script exit
2018-05-03 16:54:43 [easycwmp] NOTICE - interface eth0 has ip 10.10.2.226
main(329): ubus initialization failed
+++ HTTP SERVER CONFIGURATION +++
ip: '10.10.2.226'
port: '7548'
--- HTTP SERVER CONFIGURATION ---
2018-05-03 16:54:43 [easycwmp] NOTICE - http server initialized
2018-05-03 16:54:43 [easycwmp] NOTICE - entering main loop
2018-05-03 16:54:43 [easycwmp] NOTICE - start session
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(51):: url: https://10.10.2.226:7547
http_client_init(53):: ssl_cert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
http_client_init(55):: ssl_cacert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
--- HTTP CLIENT CONFIGURATION ---
2018-05-03 16:54:43 [easycwmp] NOTICE - configured acs url https://10.10.2.226:7547
2018-05-03 16:54:43 [easycwmp] NOTICE - external script init
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute inform parameter 
2018-05-03 16:54:43 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">1</cwmp:ID>
  </soap_env:Header>
  <soap_env:Body>
   <cwmp:Inform>
    <DeviceId>
     <Manufacturer>easycwmp</Manufacturer>
     <OUI>FFFFFF</OUI>
     <ProductClass>easycwmp</ProductClass>
     <SerialNumber>number1</SerialNumber>
    </DeviceId>
    <Event soap_enc:arrayType="cwmp:EventStruct[1]">
     <EventStruct>
      <EventCode>1 BOOT</EventCode>
      <CommandKey />
     </EventStruct>
    </Event>
    <MaxEnvelopes>1</MaxEnvelopes>
    <CurrentTime>2018-05-03T16:54:43+08:00</CurrentTime>
    <RetryCount>0</RetryCount>
    <ParameterList soap_enc:arrayType="cwmp:ParameterValueStruct[10]">
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SpecVersion</Name>
      <Value xsi:type="xsd:string">1.0</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProvisioningCode</Name>
      <Value xsi:type="xsd:string"></Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.Manufacturer</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ManufacturerOUI</Name>
      <Value xsi:type="xsd:string">FFFFFF</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProductClass</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SerialNumber</Name>
      <Value xsi:type="xsd:string">number1</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.HardwareVersion</Name>
      <Value xsi:type="xsd:string">example_hw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SoftwareVersion</Name>
      <Value xsi:type="xsd:string">example_sw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ConnectionRequestURL</Name>
      <Value xsi:type="xsd:string">http://10.10.2.226:7548/</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ParameterKey</Name>
      <Value xsi:type="xsd:string">unsetCommandKey</Value>
     </ParameterValueStruct>
    </ParameterList>
   </cwmp:Inform>
  </soap_env:Body>
 </soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://10.10.2.226:7547/
* Hostname was NOT found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#0)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    common name: 10.10.2.226 (matched)
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; [email protected]
*    SSL certificate verify ok.
> POST / HTTP/1.1
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2727
Expect: 100-continue

< HTTP/1.1 401 Unauthorized
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Type: text/html
< Content-Length: 203
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted"
< 
* Excess found in a non pipelined read: excess = 203 url = / (zero-length body)
* Closing connection 0
* Issue another request to this URL: 'https://10.10.2.226:7547/'
* Hostname was found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#1)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    common name: 10.10.2.226 (matched)
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=[email protected]
*    SSL certificate verify ok.
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2727
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Type: text/xml; charset="utf-8"
< Content-Length: 522
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
* Added cookie session="e5fd17b60f6b9a3c" for domain 10.10.2.226, path /, expire 0
< Set-Cookie: session=e5fd17b60f6b9a3c
< 
* Connection #1 to host 10.10.2.226 left intact
+++ RECEIVED HTTP RESPONSE +++
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><soap-env:Header><cwmp:ID soap-env:mustUnderstand="1">1</cwmp:ID></soap-env:Header><soap-env:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soap-env:Body></soap-env:Envelope>
--- RECEIVED HTTP RESPONSE ---
2018-05-03 16:54:43 [easycwmp] NOTICE - receive InformResponse from the ACS
2018-05-03 16:54:43 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host 10.10.2.226: 0x156e970
* Re-using existing connection! (#1) with host 10.10.2.226
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#1)
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
Cookie: session=e5fd17b60f6b9a3c
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0

< HTTP/1.1 204 No Content
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Length: 0
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
< 
* Connection #1 to host 10.10.2.226 left intact
+++ RECEIVED EMPTY HTTP RESPONSE +++
2018-05-03 16:54:43 [easycwmp] NOTICE - receive empty message from the ACS
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute apply service 
2018-05-03 16:54:43 [easycwmp] NOTICE - external script exit
2018-05-03 16:54:43 [easycwmp] NOTICE - end session success

From the log we can see that authentication "seems" to take place, but it differs slightly from the flow described above, because this CPE-to-ACS authentication is not Digest but Basic? The official docs say:

For this workaround it is only possible to make an auth with username/password the deviceid will not be checked!
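As an added example (not code from the page, easyCWMP, GenieACS or nginx), a check of what the session log above actually negotiated: it picks the scheme out of the WWW-Authenticate and Authorization lines (a constructed excerpt of the log on the page), decodes the Basic credential, and reproduces what nginx's auth_basic_user_file does with it using the {SHA} entry format nginx accepts. The credentials zzj/123456 come from the easycwmp acs config on the page; the htpasswd line is built here rather than with htpasswd(1) so the block runs offline.

```python
import base64
import hashlib
import hmac

# Constructed excerpt of the curl/easycwmp session log on the page (not the
# full log): the lines that decide which HTTP auth scheme was actually used.
SESSION_LOG = """\
> POST / HTTP/1.1
Host: 10.10.2.226:7547
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="Restricted"
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
< HTTP/1.1 200 OK
"""


def auth_schemes(log: str) -> dict:
    """Return the scheme the server offered and the scheme the client then used.
    A Digest session would show 'Digest' on both lines; the page's log shows Basic."""
    offered, used = None, None
    for line in log.splitlines():
        name, _, value = line.lstrip("<> ").partition(":")
        if name.strip().lower() == "www-authenticate":
            offered = value.strip().split(" ", 1)[0]
        elif name.strip().lower() == "authorization":
            used = value.strip().split(" ", 1)[0]
    return {"offered": offered, "used": used}


def decode_basic(header_value: str) -> tuple:
    """Basic is only base64, not a hash: anyone who sees the header has the
    password, so the TLS layer in front of nginx is the only thing protecting it."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def htpasswd_sha_line(user: str, password: str) -> str:
    """One auth_basic_user_file line in the {SHA} form nginx accepts (base64 of
    the raw SHA-1 digest). It is unsalted; outside a lab generate the entry
    with htpasswd(1) instead."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def check_htpasswd(htpasswd: str, user: str, password: str) -> bool:
    """What nginx effectively does with the decoded Basic credentials: find the
    user, recompute the hash, compare. Nothing about the CPE (DeviceId, OUI,
    serial number) takes part, which is the caveat quoted from the GenieACS docs."""
    for line in htpasswd.splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            expected = htpasswd_sha_line(user, password).partition(":")[2]
            return hmac.compare_digest(stored, expected)
    return False


def session_summary(log: str, htpasswd: str) -> dict:
    """Tie the three steps together for the page's log."""
    schemes = auth_schemes(log)
    auth_line = next(l for l in log.splitlines() if l.startswith("Authorization:"))
    user, password = decode_basic(auth_line.partition(":")[2])
    return {**schemes, "user": user, "valid": check_htpasswd(htpasswd, user, password)}
```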

Wrap-up

That is about all; it is not written in great detail. If you find errors or have questions, leave a comment and we can discuss them.



*References:
http://www.cnblogs.com/myblesh/p/6225665.html
https://www.cnblogs.com/AloneSword/p/5086918.html
https://github.com/genieacs/genieacs/wiki/GenieACS-SSL*
