ConnectionRequest Digest ACS - curl not the same

Hello,

I try to make a connection request from the GenieACS but I always get the “Incorrect connection request credentials” message.

I read the other thread about this problem but my problem is not the same.

If I made a call with curl from the same machine, it triggers the connection request :
curl -i -u USERNAME:PASSWORD http://MY_CPE_IP:7547/cpe --digest

Answer :
HTTP/1.1 401 Unauthorized
Server: YAPS
WWW-Authenticate: Digest realm="YapsieWorld", qop="auth", nonce="3d8ceffbe336ca61b1f983ae8325f8fc", opaque="e7c334cb94a7595234eaf7995785f445"
Content-Length: 0
Connection: close

HTTP/1.1 200 OK
Server: YAPS
Content-Length: 0
Connection: close

And I can see in the genieacs-cwmp that the connection request has been triggered immediately.

I used Wireshark to capture the difference between the curl query and the GenieACS one, the only difference I see is the cnonce with curl is much bigger :

GenieACS :
Digest username="USERNAME",realm="YapsieWorld",nonce="32857f8d6076974084b2c9bb23c0655f",uri="/cpe",qop=auth,nc=00000001,cnonce="690cb04b5a5de2e7",response="cd5988750e35ab5f6031b5b0b833f633",opaque="1d83896d386c34d863a8d888cbdb9338"

Curl :
Digest username="USERNAME",realm="YapsieWorld",nonce="0384f9417161ce3c5c826b1c15d0a751",uri="/cpe",qop=auth,nc=00000001,cnonce="MGM1N2VjMjE3M2ZhM2FiN2FlZTE4NmY2ZjE1NzNjYmE=",response="4e0293b12cd04a63501d728ede5beefa",opaque="d428476e9c92879e4cccc04e096b96ea"

Is there a config to set to solve this issue in GenieACS ?

Thank you and have a nice day !

There’s no config option for the length of the cnonce value. But you can change it in the code in auth.ts line 146.

Thanks for your reply.

The only problem is that I installed GenieACS not from source, but from npm install (as described in the documentation), so I don’t really know where the files are stored. I tried to find them in the /usr/local/lib/node_modules/genieacs/ folder without success.

Can you tell me if it is possible to modify the code with a npm install or it’s only from source ?

Thank you and have a nice day !

Hello,

I found the problem : the issue comes from the encoding of cnonce in the auth.ts file.

I changed this line :

 const cnonce = randomBytes(8).toString("hex");

By this one :

 const cnonce = randomBytes(8).toString("base64");

And now it works.

I found in the RFC 2069 that it is recommended to encode the nonce in base64. I think that the CPE I’m using is using the base64 encoding :

 nonce
 A server-specified data string which may be uniquely generated each
 time a 401 response is made.  It is recommended that this string be
 base64 or hexadecimal data.  Specifically, since the string is
 passed in the header lines as a quoted string, the double-quote
 character is not allowed.

I don’t know if there is a way to fix this issue in a future release of GenieACS !

Thank you for your help !

The cnonce value is just a string that’s opaque to the server so I don’t see it’s attempting to parse and read it. This is definitely an issue that should be raised to the device manufacturer.

I have the same problem. With GenieACS 1.2.2 I receive “Incorrect connection request credentials”, and with the same credentials with curl ( curl -i -u username:password http://1x.x.x.x:7547/cpe --digest ) works…
I also installed genieacs via npm, how can I recompile it by putting the change in auth.ts file?