Newest Development Version Logging in Problems

bb2013 wrote on Friday, May 31, 2013:

Can somebody shed insight on why, when I try to go into the latest dev version, it doesn’t let me log in? I installed from XAMPP successfully. I put in admin, pass as the default login credentials. It seems as though it is trying to log in but then kicks me out.

Thanks for any help on this.

yehster wrote on Friday, May 31, 2013:

It’s most likely a bug somewhere with the recent code changes for security.

Any detail you can provide about your XAMPP package version or error_log entries would be helpful in trying to figure this out.

yehster wrote on Friday, May 31, 2013:

Brady,
The development demo at http://demo.open-emr.org:2089/ is showing similar behavior, and I get something similar when using the automated install with the development appliance.

However, if I re-run setup on the development appliance, all is well. My suspicion is that the mechanism the dev demo and the appliance use to create the initial user wasn’t updated for the new schema.

There’s a bug in the authentication code, though, in that a non-existent user behaves differently than a valid user with an incorrect password. A non-existent user seems to log in but then is kicked out, vs. an incorrect password going directly to the login screen with an error message. Should be an easy fix.
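
The same-behaviour requirement from the post above, as an added example (not OpenEMR’s code): a login check in which an unknown username and a wrong password do the same amount of work and produce the same generic response, with the specific reason going only to the server log. The user table is constructed inline; the example assumes PHP 5.5 or later for password_hash()/password_verify(), which produce bcrypt hashes in the same family as the ones discussed later in this thread.

```php
<?php
// Added example, not OpenEMR code: make "no such user" and "wrong password"
// indistinguishable from the outside. Both paths do one password verification,
// both return the same generic result, and the specific reason is written to the
// server error log only. Assumes PHP >= 5.5 for password_hash()/password_verify().

// Constructed sample user table, hashed at startup so no database is needed.
function sample_users() {
    static $users = null;
    if ($users === null) {
        $users = array(
            'admin' => password_hash('pass', PASSWORD_BCRYPT),
            'nurse' => password_hash('correct horse battery', PASSWORD_BCRYPT),
        );
    }
    return $users;
}

// A genuine hash for a user who does not exist, so the unknown-user path pays the
// same bcrypt cost and response time does not reveal which usernames are valid.
function dummy_hash() {
    static $h = null;
    if ($h === null) {
        $h = password_hash('not-a-real-password', PASSWORD_BCRYPT);
    }
    return $h;
}

// True only for a known user with the right password. Unknown user and wrong
// password both return false from the same point, with the same work done.
function authenticate($username, $password) {
    $users  = sample_users();
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : dummy_hash();
    $matches = password_verify($password, $stored);   // constant-time compare inside
    $ok = $known && $matches;
    if (!$ok) {
        // Detail stays on the server; the client never learns which half failed.
        error_log(sprintf('login failed for "%s": %s', $username,
                          $known ? 'bad password' : 'unknown user'));
    }
    return $ok;
}

// What the login page shows: one message for every kind of failure.
function login_message($username, $password) {
    return authenticate($username, $password) ? 'OK' : 'Invalid username or password';
}

// Constructed calls covering the three cases: good login, wrong password, unknown user.
echo login_message('admin', 'pass'), "\n";
echo login_message('admin', 'wrong'), "\n";
echo login_message('nobody', 'pass'), "\n";
```

The point is the shape of authenticate(): the lookup result is folded into a single boolean after the verification has run, so neither the response text nor the code path taken depends on whether the username exists.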

yehster wrote on Friday, May 31, 2013:

Here’s the fix. It’s embarrassing to have a bug like this, but the good news is that it confirms that the other layers of security are working.

yehster wrote on Friday, May 31, 2013:

The fix has been pushed to the official repository BTW.

sunsetsystems wrote on Friday, May 31, 2013:

Kevin, one more thing to fix that I just ran into while doing a bleeding-edge install for a client’s testing. Please remove the trailing white space from library/authentication/common_operations.php; it causes logout to crash when it attempts to write a HTTP header. Thanks!

Rod
http://www.sunsetsystems.com/
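
A check for the problem Rod describes, as an added example (not OpenEMR’s code): any bytes outside the PHP tags in a library file are sent as output, and once output has started, header() fails. token_get_all() reports such bytes as T_INLINE_HTML, so a scan over the source finds them without executing anything. The sample sources are constructed, and scan_for_stray_output() is this example’s own directory walker.

```php
<?php
// Added example, not OpenEMR code: find bytes outside the <?php ... ?> tags in
// library files. Anything there is emitted as output, after which header() fails
// with "headers already sent"; that is the logout crash described above.

// Returns one entry per run of stray output: the line it starts on and the bytes.
// token_get_all() reports such bytes as T_INLINE_HTML. The single newline that may
// directly follow "?>" belongs to the T_CLOSE_TAG token and is swallowed by PHP,
// so it is correctly not reported.
function find_stray_output($source) {
    $stray = array();
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && $tok[0] === T_INLINE_HTML) {
            $stray[] = array('line' => $tok[2], 'bytes' => $tok[1]);
        }
    }
    return $stray;
}

// Scan every *.php under $dir; returns path => findings for files that have any.
function scan_for_stray_output($dir) {
    $bad = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $found = find_stray_output(file_get_contents($file->getPathname()));
            if ($found) {
                $bad[$file->getPathname()] = $found;
            }
        }
    }
    return $bad;
}

// Constructed samples (not taken from the repository). The second one has a
// space and a newline after the close tag, the kind of trailing whitespace
// described for common_operations.php. The third omits the close tag entirely,
// which is the simplest way to make this class of bug impossible.
$samples = array(
    'clean'        => "<?php\nfunction logout() { header('Location: login.php'); }\n?>\n",
    'trailing-ws'  => "<?php\nfunction logout() { header('Location: login.php'); }\n?>\n \n",
    'no-close-tag' => "<?php\nfunction logout() { header('Location: login.php'); }\n",
);
foreach ($samples as $name => $src) {
    echo $name, ': ', json_encode(find_stray_output($src)), "\n";
}
```

For the trailing-whitespace sample the scanner reports the space-and-newline starting on line 4; the other two report nothing. Pointing scan_for_stray_output() at a checkout’s library directory gives the same check across the whole tree.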

yehster wrote on Friday, May 31, 2013:

Rod, done…

yehster wrote on Saturday, June 01, 2013:

OK. I figured out how the auto installer works.


It needs to include the password hashing PHP file here to create the initial user. I will plan to make the update later when I am on a real machine instead of my tablet.

yehster wrote on Saturday, June 01, 2013:

I’ve made the corrections and pushed to sourceforge. I have successfully tested the auto installer script locally. I’ll double check the development demo after it updates tomorrow.

yehster wrote on Saturday, June 01, 2013:

It also looks like XAMPP is not typically configured with OpenSSL by default.


This is needed for the RSA encryption/decryption algorithms.

bradymiller wrote on Monday, June 03, 2013:

Hi,

Here’s some testing info on the issue to help out (using XAMPP 1.8.0, which is the version included with the OpenEMR-4.1.1-xampp package):

When I try to log in, nothing happens, and I get the following error in the PHP error log:
PHP Fatal error: Call to undefined function openssl_pkey_new() in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 47

Then if I enable openssl in XAMPP’s PHP per the following instructions (I just added these instructions):
http://www.open-emr.org/wiki/index.php/OpenEMR_4.1.1_XAMPP_Package_Installation#Enable_openssl

Then when I try to log in, I get “Invalid username or password” and the following errors in the error log:
[03-Jun-2013 05:54:44 UTC] PHP Warning: openssl_pkey_get_details() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 48
[03-Jun-2013 05:54:44 UTC] PHP Warning: openssl_pkey_export(): cannot get key from parameter 1 in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 50
[03-Jun-2013 05:54:45 UTC] PHP Warning: openssl_private_decrypt(): key parameter is not a valid private key in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 87
[03-Jun-2013 05:54:54 UTC] PHP Warning: openssl_pkey_get_details() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 48
[03-Jun-2013 05:54:54 UTC] PHP Warning: openssl_pkey_export(): cannot get key from parameter 1 in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 50
[03-Jun-2013 05:54:54 UTC] PHP Warning: openssl_private_decrypt(): key parameter is not a valid private key in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 87
[03-Jun-2013 05:54:59 UTC] PHP Warning: openssl_pkey_get_details() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 48
[03-Jun-2013 05:54:59 UTC] PHP Warning: openssl_pkey_export(): cannot get key from parameter 1 in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 50
[03-Jun-2013 05:55:00 UTC] PHP Warning: openssl_private_decrypt(): key parameter is not a valid private key in C:\xampp\htdocs\openemr\library\authentication\rsa.php on line 87

The database elements look OK. Was gonna try to manually place a salt/hash for ‘pass’ and see if that would work, but forgot where you placed it in the GitHub comments. Was hoping to get it from you again to try it out.

-brady
OpenEMR

bradymiller wrote on Monday, June 03, 2013:

Hi,

I also manually re-updated the development demo (it got hung up today on the early a.m. auto refresh when it couldn’t grab the translations from GitHub; this happens when GitHub goes down), and I am not able to log in via the generic credentials; guessing there is a minor bug somewhere. Regarding the above bug, we should consider what to do when the openssl module is not installed (and, if installed, test whether it is working correctly); if not, then we need to at least state that OpenEMR will not work until the module is installed (and not even allow login attempts), with consideration of a workaround (not sure what it would be, but something that requires minimal work and also issues a huge WARNING statement that it would be best to install openssl).

-brady
OpenEMR

bradymiller wrote on Monday, June 03, 2013:

Regarding the XAMPP bug, guessing that the openssl_pkey_new() call is returning false rather than a key pair.

bradymiller wrote on Monday, June 03, 2013:

I seriously hope this is not the issue:
http://www.apachefriends.org/f/viewtopic.php?p=198305&sid=ad4411d744c9d4f4248024ee36c67017

bradymiller wrote on Monday, June 03, 2013:

Hi,

I think the following will be very helpful here now that we are including a module that may cause issues (I do think keeping the openssl password use is worth the work, though):

  1. Create a login_diagnostics.php script.
  2. On the login screen, call the login_diagnostics.php script via an ajax call (place a progress spinner in place of the login elements with a message like ‘Please Wait…’ until it is done).
  3. For now have login_diagnostics.php do the following: a) create a key pair; b) encrypt ‘dummy’ and ensure the encrypted value is a string and is not ‘dummy’ (i.e. ensure an encryption is actually done); c) decrypt the value and ensure it is ‘dummy’. If any of these error out, then return a test fail (as a JSON object with test:result pairs, which will allow easy addition of further tests in the future).
  4. For the fails in the above script, which just return a simple fail, the login screen could then show something like “OpenEMR is not configured correctly. Unable to login. Contact your administrator.” rather than offering a login, and place the real error messages in the PHP error log. For example, if openssl_pkey_new() fails, then place the string from openssl_error_string() in the error log, etc.
  5. Make this ajax call controlled by a global (on by default, but allowing it to be turned off if people/vendors don’t want to be bothered by it after they have successfully installed/configured OpenEMR).
  6. In library/authentication/rsa.php, place an error check at the openssl_pkey_get_details() call, along with considering an encryption check (like above, using ‘dummy’) and a way to error out (could just be silent with a message written to the error_log, since it just means the user gets stuck at the login screen).

-brady
OpenEMR
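
Brady’s steps 3, 4 and 6 as one added example (not OpenEMR’s code): a diagnostics endpoint that generates a key pair, encrypts ‘dummy’, decrypts it back, and returns the results as JSON, draining OpenSSL’s own error queue into the PHP error log when a step fails. The function names and the optional $openssl_cnf parameter are this example’s own; the openssl.cnf path in the comment is an assumption about Windows/XAMPP layouts, not something the thread states.

```php
<?php
// Added example, not OpenEMR code: a login self-test along the lines of the
// login_diagnostics.php proposed above. It returns {test: result} pairs as JSON
// so the login page can refuse to show the form when any test fails, while the
// real reasons (including OpenSSL's own error strings) go to the error log only.

// Drain OpenSSL's error queue into the error log, prefixed with the failing call.
function log_openssl_errors($where) {
    while (($msg = openssl_error_string()) !== false) {
        error_log("login_diagnostics: $where: $msg");
    }
}

// Adds the single boolean the login page needs; further tests can be added later.
function with_summary(array $r) {
    $r['all_pass'] = !in_array(false, $r, true);
    return $r;
}

// $openssl_cnf is an assumption for Windows builds, where openssl_pkey_new() often
// needs an explicit openssl.cnf path (for XAMPP typically under php\extras\openssl);
// on Linux the default configuration is normally found without it.
function run_login_diagnostics($openssl_cnf = null) {
    $r = array();

    $r['openssl_loaded'] = function_exists('openssl_pkey_new');
    if (!$r['openssl_loaded']) {
        error_log('login_diagnostics: the openssl PHP extension is not loaded');
        return with_summary($r);
    }

    // Step 3a: create a key pair, and check the return value instead of assuming it.
    $opts = array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA);
    if ($openssl_cnf !== null) {
        $opts['config'] = $openssl_cnf;
    }
    $key = openssl_pkey_new($opts);
    $r['keypair'] = ($key !== false);
    if (!$r['keypair']) {
        log_openssl_errors('openssl_pkey_new');
        return with_summary($r);
    }

    // Step 6: check openssl_pkey_get_details() rather than indexing into a boolean.
    $details = openssl_pkey_get_details($key);
    $r['public_key'] = is_array($details) && isset($details['key']);
    if (!$r['public_key']) {
        log_openssl_errors('openssl_pkey_get_details');
        return with_summary($r);
    }

    // Step 3b: encrypt 'dummy' and make sure an encryption actually happened.
    $plain  = 'dummy';
    $cipher = null;
    $ok = openssl_public_encrypt($plain, $cipher, $details['key']);
    $r['encrypt'] = $ok && is_string($cipher) && $cipher !== $plain;
    if (!$r['encrypt']) {
        log_openssl_errors('openssl_public_encrypt');
        return with_summary($r);
    }

    // Step 3c: decrypt with the private key and require the exact plaintext back.
    $decrypted = null;
    $ok = openssl_private_decrypt($cipher, $decrypted, $key);
    $r['decrypt'] = $ok && $decrypted === $plain;
    if (!$r['decrypt']) {
        log_openssl_errors('openssl_private_decrypt');
    }
    return with_summary($r);
}

// Ajax endpoint (step 4): the login page shows only the generic "OpenEMR is not
// configured correctly. Unable to login. Contact your administrator." message
// when all_pass is false; the detail is already in the error log.
header('Content-Type: application/json');
echo json_encode(run_login_diagnostics());
```

Each step stops at the first failure, so a JSON result such as openssl_loaded true, keypair false tells the administrator exactly which layer to look at, and the matching openssl_error_string() output is in the log next to it. The same sequence of checks, minus the JSON wrapper, is what step 6 asks for inside rsa.php.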

sunsetsystems wrote on Monday, June 03, 2013:

Brady, here’s what Kevin posted on github at https://github.com/yehster/openemr/commit/0b093d863a3ea8970c639b21718c9b74e4b7c425#commitcomment-3241093 :

$2a$05$dVOzFEH3Pi4llgdwJQaEB.qZ3VlunBh77ZXSJr9pFBmF48URl4DUi for password and
$2a$05$dVOzFEH3Pi4llgdwJQaEB$ for salt
matches ‘pass’ :slight_smile:

Rod
http://www.sunsetsystems.com/

yehster wrote on Monday, June 03, 2013:

One part of what is going on with the setup in the dev appliance is that the AutoInstaller uses the Suhosin patch, which does have CRYPT_BLOWFISH, but then Suhosin is disabled, which removes it. So the autoinstaller creates the initial users with blowfish-based passwords, but then OpenEMR is unable to understand them.

The autoinstaller needs to disable the Suhosin patch/extension before running the OpenEMR installer.

yehster wrote on Monday, June 03, 2013:

Restated… The sequence of events/system states in the dev appliance (and presumably the dev demo server) is as follows.

  1. After all the utilities/setup, the Suhosin security patch for PHP is installed and enabled.
  2. The initial user is created using blowfish hashing (Suhosin is enabled).
  3. Scripts disable Suhosin and restart apache/php.
  4. When users try to log in, OpenEMR doesn’t understand the password hash stored in the DB for the initial user. (CRYPT_BLOWFISH===0)

At this point if you:
Re-enable Suhosin patch by editing /etc/php.d/Z98_suhosin.ini, login with the initial user is possible.
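
A guard for the sequence Kevin describes, as an added example (not OpenEMR’s installer or authentication code): check CRYPT_BLOWFISH before creating the initial user, prove the hash verifies before storing it, and at login time distinguish a wrong password from a stored hash the running PHP cannot compute. Function names are this example’s own; it assumes PHP 5.6 or later for hash_equals() and uses crypt() directly because that is where CRYPT_BLOWFISH matters.

```php
<?php
// Added example, not OpenEMR code: refuse to create the initial user unless the
// PHP that is running can both produce and verify a bcrypt ($2a$) hash, and tell
// "wrong password" apart from "this PHP cannot verify this hash" at login time.
// In the sequence above the stored hash was fine; CRYPT_BLOWFISH was 0 at step 4.
// Assumes PHP >= 5.6 for hash_equals().

function bcrypt_available() {
    // 1 when blowfish crypt is compiled in (PHP >= 5.3 ships its own; before that
    // it came from the system libc or the Suhosin patch).
    return defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH === 1;
}

// A usable bcrypt string: prefix, two-digit cost, then 22 salt + 31 digest chars.
function looks_like_bcrypt($hash) {
    return is_string($hash)
        && preg_match('#^\$2[axy]\$\d\d\$[./A-Za-z0-9]{53}$#', $hash) === 1;
}

// 22 characters from the bcrypt salt alphabet ./A-Za-z0-9, cost 05 as in the thread.
function bcrypt_salt($cost = 5) {
    $raw = base64_encode(openssl_random_pseudo_bytes(16));   // 24 chars, last 2 padding
    return sprintf('$2a$%02d$%s', $cost, substr(strtr($raw, '+', '.'), 0, 22));
}

// Login time: returns 'ok', 'bad_password' or 'cannot_verify'. The last means the
// stored value is well-formed but this PHP build cannot compute it; that is a
// configuration error to log, not a "bad password" to show the user.
function verify_password($password, $stored) {
    if (!looks_like_bcrypt($stored) || !bcrypt_available()) {
        return 'cannot_verify';
    }
    $computed = crypt($password, $stored);
    // crypt() signals an unusable salt with a short string such as "*0".
    if (!looks_like_bcrypt($computed)) {
        return 'cannot_verify';
    }
    return hash_equals($stored, $computed) ? 'ok' : 'bad_password';
}

// Install time: hash, then immediately prove the round trip before storing anything.
function hash_initial_password($password) {
    if (!bcrypt_available()) {
        throw new RuntimeException(
            'CRYPT_BLOWFISH is not available in this PHP; refusing to create the initial user');
    }
    $hash = crypt($password, bcrypt_salt());
    if (!looks_like_bcrypt($hash) || verify_password($password, $hash) !== 'ok') {
        throw new RuntimeException('bcrypt round trip failed; refusing to store the hash');
    }
    return $hash;
}

// Constructed run: create the initial user's hash, then try the three outcomes.
$stored = hash_initial_password('pass');
echo verify_password('pass', $stored), "\n";
echo verify_password('wrong', $stored), "\n";
echo verify_password('pass', '*0'), "\n";    // a value crypt() returns when the salt is unusable
```

Had the autoinstaller run hash_initial_password() after Suhosin was disabled, it would have stopped with the CRYPT_BLOWFISH exception instead of writing hashes that OpenEMR later could not read; and had the login path used verify_password(), the log would have said cannot_verify rather than leaving the user to guess at a bad password.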

sunsetsystems wrote on Monday, June 03, 2013:

So to get blowfish you need either Suhosin or PHP 5.3? Do I have that right?

Rod
http://www.sunsetsystems.com/

yehster wrote on Monday, June 03, 2013:

Yes, except the developer appliance which comes pre-loaded with Suhosin, explicitly disables it at install with a warning
“Disabling suhosin patch which is not compatible with OpenEMR”
I do not know the details of why that is the case.