当前位置: 首页 > 工具软件 > tr069-lib > 使用案例 >

TR069之CPE与ACS的Digest验证

苏硕
2023-12-01

前言:通过了解CPE与ACS的验证过程,可以初步认识TR069的一些规则。本文只是在实验中的一点经验记录,并未对协议有深入讲解,某些观点可能存在纰漏。仅适用于刚接触TR069的筒子。

环境

系统:Ubuntu14.04LTS
CPE:easyCWMP
ACS:GenieACS

*其他开源ACS:
openACS:早已停止维护,源码也被作者删除了。目前有一个openACS的官网,此openACS非彼openACS,大家注意了.
freeACS:安装很方便,脚本一键安装,可自行浏览官网。
GenieACS:我知道最新的开源ACS,目前仍在维护。文档全面,推荐用这个来搭建测试服务器。*

easyCWMP安装

官方文档写的算是很详细了,95%的步骤没问题。这里只提一下按照官方文档可能会出错的几个地方:
libubox在make时,报错

blobmsg_json.c:78:2 error: implicit declaration of function 'is_error'
jshn.c:162:2: error: implicit declaration of function 'is_error'

解决办法:在对应的文件加入以下代码:

#define is_error(ptr) (ptr == NULL)

一共有2-3个文件有这个问题,都按上面添加。

运行easycwmp时报错

error while loading shared libraries: libjson-c.so.3: cannot open shared object file: No such file or directory

解决办法:执行如下命令

ln -sf /usr/local/lib/libjson-c.so.3.0.0 /usr/lib/libjson-c.so.3

GenieACS安装

GenieACS的文档很是详细,这里不赘述安装过程了,参见官网文档吧,注意文档中的版本,避免各种版本不兼容的问题。

认证流程

TR069的认证规则有多种,本文只描述了Digest认证过程。Digest认证既可以从CPE端发起,也可以从ACS端发起,下面我们会分开讨论,但有一些公用的步骤,我们先在这里说明。
GenieACS与CPE的通信默认是建立在非加密的连接上的,在实际使用时,我们肯定是要用一些手段的。因为TR069上层使用http协议的,我们很容易想到要使用https,这就需要证书了。本文是实验性质,肯定是要自己动手制作一个证书的,执行如下命令即可(确保已安装openssl)

openssl genrsa 1024 > key.pem
openssl req -new -x509 -key key.pem > cert.pem

最简单的步骤了,证书有效期30天。
此段内容参考GenieACS文档
注意:Component Name 填写GenieACS所在PC的IP吧。

ACS端发起的Digest认证

认证流程如下:

CPE                                              ACS

1.<------------------http(不带auth头信息)-------------

2.------------------ 401 Unauthorized---------------->

3.<------------------http get(带auth头信息)-----------

4.------------------200 OK--------------------------->

5.<-----------------100 continue----------------------

6.------------------6 connect request---------------->

7.<------------------200 OK---------------------------

GenieACS文档传送门
用GenieACS来测试ACS发起的Digest认证比较简单。在GenieACS安装根目录的config文件夹下,有一个auth-sample.js文件:

+++ RECEIVED HTTP REQUEST +++
http_digest_auth_fail_response(336):: http_digest_auth_fail_response: header: Digest realm="realm@easycwmp",qop="auth",nonce="1057d42b5253defd585d849e59e803f70001b083",opaque="328458fab28345ae87ab3210a8513b14eff452a2"--- RECEIVED HTTP REQUEST ---
+++ HTTP SERVER CONNECTION FAILED +++
+++ RECEIVED HTTP REQUEST +++
http_digest_auth_check(379):: http_digest_auth_check: header: username="easycwmp",realm="realm@easycwmp",nonce="1057d42b5253defd585d849e59e803f70001b083",uri="/",qop=auth,nc=00000001,cnonce="0a4f113b",response="4055d3c9d9284a0ec0e1340065414342",opaque="328458fab28345ae87ab3210a8513b14eff452a2"
--- RECEIVED HTTP REQUEST ---
+++ HTTP SERVER CONNECTION SUCCESS +++
2018-05-03 15:37:04 [easycwmp] NOTICE - acs initiated connection
2018-05-03 15:37:04 [easycwmp] NOTICE - add event '6 CONNECTION REQUEST'
2018-05-03 15:37:04 [easycwmp] NOTICE - start session
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(51):: url: https://10.10.2.226:7547
http_client_init(53):: ssl_cert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
http_client_init(55):: ssl_cacert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
--- HTTP CLIENT CONFIGURATION ---
2018-05-03 15:37:04 [easycwmp] NOTICE - configured acs url https://10.10.2.226:7547
2018-05-03 15:37:04 [easycwmp] NOTICE - external script init
2018-05-03 15:37:04 [easycwmp] NOTICE - external: execute inform parameter 
2018-05-03 15:37:04 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">13</cwmp:ID>
  </soap_env:Header>
  <soap_env:Body>
   <cwmp:Inform>
    <DeviceId>
     <Manufacturer>easycwmp</Manufacturer>
     <OUI>FFFFFF</OUI>
     <ProductClass>easycwmp</ProductClass>
     <SerialNumber>number1</SerialNumber>
    </DeviceId>
    <Event soap_enc:arrayType="cwmp:EventStruct[1]">
     <EventStruct>
      <EventCode>6 CONNECTION REQUEST</EventCode>
      <CommandKey />
     </EventStruct>
    </Event>
    <MaxEnvelopes>1</MaxEnvelopes>
    <CurrentTime>2018-05-03T15:37:04+08:00</CurrentTime>
    <RetryCount>0</RetryCount>
    <ParameterList soap_enc:arrayType="cwmp:ParameterValueStruct[10]">
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SpecVersion</Name>
      <Value xsi:type="xsd:string">1.0</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProvisioningCode</Name>
      <Value xsi:type="xsd:string"></Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.Manufacturer</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ManufacturerOUI</Name>
      <Value xsi:type="xsd:string">FFFFFF</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProductClass</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SerialNumber</Name>
      <Value xsi:type="xsd:string">number1</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.HardwareVersion</Name>
      <Value xsi:type="xsd:string">example_hw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SoftwareVersion</Name>
      <Value xsi:type="xsd:string">example_sw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ConnectionRequestURL</Name>
      <Value xsi:type="xsd:string">http://10.10.2.226:7548/</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ParameterKey</Name>
      <Value xsi:type="xsd:string">unsetCommandKey</Value>
     </ParameterValueStruct>
    </ParameterList>
   </cwmp:Inform>
  </soap_env:Body>
 </soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://10.10.2.226:7547/
* Hostname was NOT found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#24)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=123@qq.com
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=123@qq.com
*    SSL certificate verify ok.
> POST / HTTP/1.1
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2742
Expect: 100-continue

< HTTP/1.1 401 Unauthorized
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Type: text/html
< Content-Length: 203
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted"
< 
* Excess found in a non pipelined read: excess = 203 url = / (zero-length body)
* Closing connection 24
* Issue another request to this URL: 'https://10.10.2.226:7547/'
* Hostname was found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#25)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=123@qq.com
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=123@qq.com
*    SSL certificate verify ok.
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2742
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Type: text/xml; charset="utf-8"
< Content-Length: 523
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
* Added cookie session="ed1d383f6e52e056" for domain 10.10.2.226, path /, expire 0
< Set-Cookie: session=ed1d383f6e52e056
< 
* Connection #25 to host 10.10.2.226 left intact
+++ RECEIVED HTTP RESPONSE +++
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><soap-env:Header><cwmp:ID soap-env:mustUnderstand="1">13</cwmp:ID></soap-env:Header><soap-env:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soap-env:Body></soap-env:Envelope>
--- RECEIVED HTTP RESPONSE ---
2018-05-03 15:37:04 [easycwmp] NOTICE - receive InformResponse from the ACS
2018-05-03 15:37:04 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host 10.10.2.226: 0x6f90d0
* Re-using existing connection! (#25) with host 10.10.2.226
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#25)
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
Cookie: session=ed1d383f6e52e056
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0

< HTTP/1.1 204 No Content
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 07:37:04 GMT
< Content-Length: 0
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
< 
* Connection #25 to host 10.10.2.226 left intact
+++ RECEIVED EMPTY HTTP RESPONSE +++
2018-05-03 15:37:04 [easycwmp] NOTICE - receive empty message from the ACS
2018-05-03 15:37:04 [easycwmp] NOTICE - external: execute apply service 
2018-05-03 15:37:04 [easycwmp] NOTICE - external script exit
2018-05-03 15:37:04 [easycwmp] NOTICE - end session success

以上日志较长,主要内容在前几十行,严格的遵循的上面的ACS发起的Digest认证流程。

CPE端发起的Digest认证

认证流程如下:

CPE                                                ACS

1.------------------inform(http不带auth头)----------->

2.<------------------401(http不带auth头)--------------

3.------------------inform(http带auth头)------------->

4.<------------------200 OK---------------------------

5.------------------ Content-Length: 0--------------->

我们发现这个流程甚至比ACS发起的认证还要简单,但是因为GenieACS目前还不支持CPE到ACS的认证,只能通过nginx代理来实现,因此要麻烦一点。
官方文档传送门
这里简介一下文档内容,请务必要读官网文档。主要包含如下几个步骤:
修改GenieACS的配置文件genieacs/config/config.json,将各IP都配为内网IP,127.0.0.1:

{
  "MONGODB_CONNECTION_URL" : "mongodb://127.0.0.1/genieacs",
  "REDIS_PORT" : "6379",
  "REDIS_HOST" : "127.0.0.1",
  "CWMP_INTERFACE" : "127.0.0.1",
  "CWMP_PORT" : 7547,
  "NBI_INTERFACE" : "127.0.0.1",
  "NBI_PORT" : 7557,
  "FS_INTERFACE" : "127.0.0.1",
  "FS_PORT" : 7567,
  "FS_HOSTNAME" : "tr069.tdt.de",
  "FS_SSL" : true,
  "LOG_INFORMS" : true,
  "DEBUG" : false
}

安装nginx:

sudo apt-get install nginx <- install nginx
touch /etc/nginx/sites-available/tr069.tdt.de <- add new nginx config
ln -s /etc/nginx/sites-available/tr069.tdt.de /etc/nginx/sites-enabled/tr069.tdt.de <- enable config

修改nginx配置文件/etc/nginx/nginx.conf,重定向访问uri:

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    server {
    listen 10.10.2.226:7557;
    server_name example.de;
    ssl on;
    ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
    ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;

    access_log /var/log/nginx/example.de.nbi.log combined;
    error_log /var/log/nginx/example.de.nbi.log;

    location / {
        proxy_pass http://127.0.0.1:7557;
        #proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection 'upgrade';
        #proxy_set_header Host $host;
        #proxy_cache_bypass $http_upgrade;
        proxy_set_header Authorization "";
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/ms-htpasswd;
    }
     }

     server {
    listen 10.10.2.226:7547;
    server_name example.de;
    ssl on;
    ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
    ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;
    access_log /var/log/nginx/example.de.cwmp.log combined;
    error_log /var/log/nginx/example.de.cwmp.log;

        location / {
        proxy_pass http://127.0.0.1:7547;
        #proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection 'upgrade';
        #proxy_set_header Host $host;
        #proxy_cache_bypass $http_upgrade;
        proxy_set_header Authorization "";
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/ms-htpasswd;
        }

     }

     server {
    listen 10.10.2.226:7567;
    server_name example.de;
    ssl on;
    ssl_certificate_key /home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem;
    ssl_certificate /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem;

    access_log /var/log/nginx/example.de.fs.log combined;
    error_log /var/log/nginx/example.de.fs.log;

    location / {
        proxy_pass https://127.0.0.1:7567;
        #proxy_http_version 1.1;
        #proxy_set_header Upgrade $http_upgrade;
        #proxy_set_header Connection 'upgrade';
        #proxy_set_header Host $host;
        #proxy_cache_bypass $http_upgrade;
        proxy_set_header Authorization "";
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/ms-htpasswd;
    }
     }
}

简短解释一下就是把对10.10.2.26的访问都重定向到127.0.0.1了,之前我们修改GenieACS的配置,把ACS的IP都设为了127.0.0.1。
所以如果你在一台电脑上测试,通过127.0.0.1也是可以访问ACS的,但是就绕过了nginx,是无法认证的。因此我们还要修改easyCWMP的配置文件/etc/config/easycwmp,将acs部分的IP修改为10.10.2.226,如下:

config local
    option interface 'eth0'
    option port '7548'
    option ubus_socket '/var/run/ubus.sock'
    option date_format '%FT%T%z'
    option username 'easycwmp'
    option password 'easycwmp'
    option logging_level '3'

config acs
    option url 'https://10.10.2.226:7547'
    option ssl_verify 'enabled'
    option ssl_cert '/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem'
    option ssl_cacert '/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem'
    option username 'zzj'
    option password '123456'
    option periodic_enable '1'
    option periodic_time '0001-01-01T00:00:00Z'
    option parameter_key 'unsetCommandKey'
    option periodic_interval '1800'

config device
    option manufacturer 'easycwmp'
    option oui 'FFFFFF'
    option product_class 'easycwmp'
    option serial_number 'number1'
    option hardware_version 'example_hw_version'
    option software_version 'example_sw_version'

在上面修改nginx配置是,有一个参数为auth_basic_user_file,这是一个存放username,password的文件,因此我们要创建一个ms-htpasswd文件。官网是有给一个链接来讲解如何制作这个文件,如果你看的不是很懂,可以参考这篇文章
最后我们还需要对easyCWMP的源码做一点点修改,http.c的http_client_init函数中加入对证书key的设置:

if (config->acs->ssl_cert) {
        curl_easy_setopt(curl, CURLOPT_SSLCERT, config->acs->ssl_cert);
        curl_easy_setopt(curl, CURLOPT_SSLKEY, "/home/zzj/OpenWRT/genicacs/genieacs-gui/config/key.pem");
    }

我也搞不清楚为啥acs结构体中没有对key的定义。也许是因为我的证书是用key生成的,所以必须要有key才能验证?

验证

GenieACS的开启是有一点麻烦,这里我把要开启的命令列出来:
开启mongodb: /usr/bin/mongod
开启redis-server: /usr/bin/redis-server
开启acs: ./genieacs/bin/genieacs-cwmp
开启nbi: ./genieacs/bin/genieacs-nbi
开启acs-gui: 在genieacs-gui目录执行rails s

启动easyCWMP:

sudo /usr/sbin/easycwmpd -f

查看easyCWMP的日志:

zzj@sed:/opt/dev/easycwmp$ sudo /usr/sbin/easycwmpd -f
2018-05-03 16:54:43 [easycwmp] NOTICE - add event '1 BOOT'
2018-05-03 16:54:43 [easycwmp] NOTICE - external script init
config_init_local(58):: easycwmp.@local[0].interface=eth0
config_init_local(68):: easycwmp.@local[0].port=7548
config_init_local(86):: easycwmp.@local[0].ubus_socket=/var/run/ubus.sock
config_init_local(74):: easycwmp.@local[0].username=easycwmp
config_init_local(80):: easycwmp.@local[0].password=easycwmp
config_init_local(97):: easycwmp.@local[0].logging_level=3
config_init_acs(162):: easycwmp.@acs[0].url=https://10.10.2.226:7547
config_init_acs(220):: easycwmp.@acs[0].ssl_verify=1
config_init_acs(205):: easycwmp.@acs[0].ssl_cert=/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
config_init_acs(210):: easycwmp.@acs[0].ssl_cacert=/home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
config_init_acs(168):: easycwmp.@acs[0].username=zzj
config_init_acs(174):: easycwmp.@acs[0].password=123456
config_init_acs(180):: easycwmp.@acs[0].periodic_enable=1
config_init_acs(193):: easycwmp.@acs[0].periodic_time=0001-01-01T00:00:00Z
config_init_acs(186):: easycwmp.@acs[0].periodic_interval=1800
2018-05-03 16:54:43 [easycwmp] NOTICE - init periodic inform: reference time = -62135625943, interval = 1800
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute update_value_change  
2018-05-03 16:54:43 [easycwmp] NOTICE - daemon started
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute inform device_id 
2018-05-03 16:54:43 [easycwmp] NOTICE - external script exit
2018-05-03 16:54:43 [easycwmp] NOTICE - interface eth0 has ip 10.10.2.226
main(329): ubus initialization failed
+++ HTTP SERVER CONFIGURATION +++
ip: '10.10.2.226'
port: '7548'
--- HTTP SERVER CONFIGURATION ---
2018-05-03 16:54:43 [easycwmp] NOTICE - http server initialized
2018-05-03 16:54:43 [easycwmp] NOTICE - entering main loop
2018-05-03 16:54:43 [easycwmp] NOTICE - start session
+++ HTTP CLIENT CONFIGURATION +++
http_client_init(51):: url: https://10.10.2.226:7547
http_client_init(53):: ssl_cert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
http_client_init(55):: ssl_cacert: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
--- HTTP CLIENT CONFIGURATION ---
2018-05-03 16:54:43 [easycwmp] NOTICE - configured acs url https://10.10.2.226:7547
2018-05-03 16:54:43 [easycwmp] NOTICE - external script init
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute inform parameter 
2018-05-03 16:54:43 [easycwmp] NOTICE - send Inform
+++ SEND HTTP REQUEST +++
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <soap_env:Envelope
xmlns:soap_env="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soap_enc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:cwmp="urn:dslforum-org:cwmp-1-2">
  <soap_env:Header>
   <cwmp:ID soap_env:mustUnderstand="1">1</cwmp:ID>
  </soap_env:Header>
  <soap_env:Body>
   <cwmp:Inform>
    <DeviceId>
     <Manufacturer>easycwmp</Manufacturer>
     <OUI>FFFFFF</OUI>
     <ProductClass>easycwmp</ProductClass>
     <SerialNumber>number1</SerialNumber>
    </DeviceId>
    <Event soap_enc:arrayType="cwmp:EventStruct[1]">
     <EventStruct>
      <EventCode>1 BOOT</EventCode>
      <CommandKey />
     </EventStruct>
    </Event>
    <MaxEnvelopes>1</MaxEnvelopes>
    <CurrentTime>2018-05-03T16:54:43+08:00</CurrentTime>
    <RetryCount>0</RetryCount>
    <ParameterList soap_enc:arrayType="cwmp:ParameterValueStruct[10]">
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SpecVersion</Name>
      <Value xsi:type="xsd:string">1.0</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProvisioningCode</Name>
      <Value xsi:type="xsd:string"></Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.Manufacturer</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ManufacturerOUI</Name>
      <Value xsi:type="xsd:string">FFFFFF</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.ProductClass</Name>
      <Value xsi:type="xsd:string">easycwmp</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SerialNumber</Name>
      <Value xsi:type="xsd:string">number1</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.HardwareVersion</Name>
      <Value xsi:type="xsd:string">example_hw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.DeviceInfo.SoftwareVersion</Name>
      <Value xsi:type="xsd:string">example_sw_version</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ConnectionRequestURL</Name>
      <Value xsi:type="xsd:string">http://10.10.2.226:7548/</Value>
     </ParameterValueStruct>
     <ParameterValueStruct>
      <Name>Device.ManagementServer.ParameterKey</Name>
      <Value xsi:type="xsd:string">unsetCommandKey</Value>
     </ParameterValueStruct>
    </ParameterList>
   </cwmp:Inform>
  </soap_env:Body>
 </soap_env:Envelope>
--- SEND HTTP REQUEST ---
* Rebuilt URL to: https://10.10.2.226:7547/
* Hostname was NOT found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#0)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=123@qq.com
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    common name: 10.10.2.226 (matched)
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=123@qq.com
*    SSL certificate verify ok.
> POST / HTTP/1.1
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
SOAPAction:
Content-Length: 2727
Expect: 100-continue

< HTTP/1.1 401 Unauthorized
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Type: text/html
< Content-Length: 203
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Restricted"
< 
* Excess found in a non pipelined read: excess = 203 url = / (zero-length body)
* Closing connection 0
* Issue another request to this URL: 'https://10.10.2.226:7547/'
* Hostname was found in DNS cache
*   Trying 10.10.2.226...
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#1)
* successfully set certificate verify locations:
*   CAfile: /home/zzj/OpenWRT/genicacs/genieacs-gui/config/cert.pem
  CApath: /etc/ssl/certs
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=123@qq.com
*    start date: 2018-05-03 01:58:02 GMT
*    expire date: 2018-06-02 01:58:02 GMT
*    common name: 10.10.2.226 (matched)
*    issuer: C=AU; ST=SZ; L=shenzhen; O=sedwt; CN=10.10.2.226; emailAddress=123@qq.com
*    SSL certificate verify ok.
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 2727
Expect: 100-continue

< HTTP/1.1 100 Continue
< HTTP/1.1 200 OK
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Type: text/xml; charset="utf-8"
< Content-Length: 522
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
* Added cookie session="e5fd17b60f6b9a3c" for domain 10.10.2.226, path /, expire 0
< Set-Cookie: session=e5fd17b60f6b9a3c
< 
* Connection #1 to host 10.10.2.226 left intact
+++ RECEIVED HTTP RESPONSE +++
<?xml version="1.0" encoding="UTF-8"?>
<soap-env:Envelope xmlns:soap-enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cwmp="urn:dslforum-org:cwmp-1-2"><soap-env:Header><cwmp:ID soap-env:mustUnderstand="1">1</cwmp:ID></soap-env:Header><soap-env:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></soap-env:Body></soap-env:Envelope>
--- RECEIVED HTTP RESPONSE ---
2018-05-03 16:54:43 [easycwmp] NOTICE - receive InformResponse from the ACS
2018-05-03 16:54:43 [easycwmp] NOTICE - send empty message to the ACS
+++ SEND EMPTY HTTP REQUEST +++
* Found bundle for host 10.10.2.226: 0x156e970
* Re-using existing connection! (#1) with host 10.10.2.226
* Connected to 10.10.2.226 (10.10.2.226) port 7547 (#1)
* Server auth using Basic with user 'zzj'
> POST / HTTP/1.1
Authorization: Basic enpqOjEyMzQ1Ng==
Host: 10.10.2.226:7547
Cookie: session=e5fd17b60f6b9a3c
User-Agent: easycwmp
Content-Type: text/xml; charset="utf-8"
Content-Length: 0

< HTTP/1.1 204 No Content
* Server nginx/1.4.6 (Ubuntu) is not blacklisted
< Server: nginx/1.4.6 (Ubuntu)
< Date: Thu, 03 May 2018 08:54:43 GMT
< Content-Length: 0
< Connection: keep-alive
< SOAPServer: GenieACS/1.1.2
< 
* Connection #1 to host 10.10.2.226 left intact
+++ RECEIVED EMPTY HTTP RESPONSE +++
2018-05-03 16:54:43 [easycwmp] NOTICE - receive empty message from the ACS
2018-05-03 16:54:43 [easycwmp] NOTICE - external: execute apply service 
2018-05-03 16:54:43 [easycwmp] NOTICE - external script exit
2018-05-03 16:54:43 [easycwmp] NOTICE - end session success

从日志中我们可以看到“好像”是做了认证,但是和上面介绍的流程又稍有不同,因为这里的CPE到ACS的认证并不是Digest认证,而是Basic认证?官网原文如下:

For this workaround it is only possible to make a auth with username/password the deviceid will not be checked!

结束

大致就这么些内容了,写的也不算特别详细。有错误或者问题的话,可以留言一起讨论。



*参考文章:
http://www.cnblogs.com/myblesh/p/6225665.html
https://www.cnblogs.com/AloneSword/p/5086918.html
https://github.com/genieacs/genieacs/wiki/GenieACS-SSL*

 类似资料: