As development team we try to upgrade the openssl libraries in our product. Unfortunately we are stuck with a problem when linking agains openssl 1.1.1. The error we phase is
verify_callback: [-10] Could not complete SSL handshake: Certificate error: General verification, self signed certificate [18]
As if we cannot use the self signed certificates anymore. In our code we access the google mail server using a TLS connection. This was working fine with the older version of openssl.
My question:
Is there a way to get around this error? Are there build options to get a library which is compatible with older Openssl libs?
Help is very much appreciated
Jasper de Keijzer
After studying the new API of OpenSSL I found out that you can define the maximum protocol to be used. In case of self-signed certificates I use now
SSL_set_max_proto_version(ssl, TLS1_2_VERSION);
This solves the handshake error which I got when using the default TLS setting. This happens to be TLS1.3.
Related
I try to do ssl connection for my server in c.
i have take this code : https://wiki.openssl.org/index.php/Simple_TLS_Server and I have generated certificate with certbot:
sudo certbot certonly --standalone
I have copy cert.pem and privkey.pem present in /etc/letsencrypt/live/MY_DOMAIN/ on my program directory.
but when I try to connect with curl, I get this error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
and my server print :
1996193792:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1407:SSL alert number 48
thank you for your help !
That oversimple server does not handle a chain cert (or certs), also called intermediate, which every real CA this century requires, including LE. It is suitable only for test certs you generate yourself, or some limited environments like the intranet of a company that runs its own private CA.
Replace SSL_CTX_use_certificate_file on the cert.pem file with SSL_CTX_use_certificate_chain_file on the fullchain.pem file.
Also, SSLv23* methods have (finally!) been replaced by TLS* methods as of 1.1.0 in 2016, although the obsolete names remain as synonyms for now.
I am currently trying to make an imap client with libcurl on a windows application.
I am using a prebuilt version of libCurl built with NSS support but no OpenSSL support ( that was decided by an higher up), and when I try to connect to my server with the URL imaps://serveraddress/inbox, with CURLOPT_USE_SSL set to CURLUSESSL_ALL, and CURLOPT_CAINFO to my certificate nickname in cert8.db I get
* Trying servAdress...
* TCP_NODELAY set
Connected to servAdress (servAdress) port portn(#0)
WARNING: failed to load NSS PEM library libnsspem.so. Using OpenSSL PEM certificates will not work.
CAfile: certname
CApath: none
*Closing connection 0
curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
I tried setting CURLOPT_SSLCERT to my certName instead I get the same error except that line is added :
* Initializing NSS with certpath: sql:C:\Users\mlegros\SSL_DB\
my question is is there a way to use NSS db Certificate with imap in libcurl?
also is it normal that a windows dll try to load a .so file (it is a linux format if I am not mistaken)?
ps: here are my version info
curl version 7.58.0
NSS 3.34.1
compilator: MSVC 14.12.25827
Hope you can help me.
So the problem was within libcurl
the libraries name are hard-coded with the linux name and if libnssckbi is not loaded we cannot load another certificate the second part as been modified according to this https://github.com/curl/curl/pull/3016.
a quickfix if you don't want to recompile libcurl is to rename nssckbi.dll to libnssckbi.so
I am trying to create a service account app so that I can access Google Analytics api using Python.
Two things are confusing me. First, when I use the following code:
`from oauth2client.client import SignedJwtAssertionCredentials
client_email = "#####client_email#######.gserviceaccount.com"
with open("XXXXXX.p12") as f:
private_key = f.read()
credentials = SignedJwtAssertionCredentials(client_email, private_key,'https://www.googleapis.com/auth/sqlservice.admin')`
I get the following error:
`oauth2client.client.CryptoUnavailableError: No crypto library available`
After doing a little research I found that this might have to do with granting the app domain-wide authority to the service account. However, when I log on to the Google Developers Console I cannot locate the security icon or the more-options button. Any help much appreciated thank you.
This did the trick for me (without converting to PEM):
pip install PyOpenSSL
pip freeze says I have version 0.15.1
That error probably means you need the python-openssl package.
apt-get install python-openssl
Even if you are installed pycrypto & python-ssl libraries in your development environment, You need to add this pycrypto library in your application's app.yaml file.
libraries:
- name: pycrypto
version: "latest"
I just recently set this up but opted to go with PyCrypto 2.6.1, but you can also use python-openssl as mentioned in the previous answer.
The only problem I had and I can't pinpoint this down, but the P12 key generated by the Google Developer Console wasn't working with my Service Account API call (to the Content API for Shopping), and I had to switch the key to the PEM format to get things going.
My setup: (Win7, python 2.7.x, PyCrypto 2.6.1)
The error I got when trying to use the P12 key, but later resolved when converting it to PEM:
Error 3: PKCS12 format is not supported by the PyCrypto library.
NotImplementedError: PKCS12 format is not supported by the PyCrypto library. Try converting to a “PEM” (openssl pkcs12 -in xxxxx.p12 -nodes -nocerts > privatekey.pem) or using PyOpenSSL if native code is an option.
One important thing, don't forget to go inside Google Analytics and grant the appropriate permissions for the client email address that is created during the creation of the Service Account.
OSX 10.11 El Capitan does not distribute OpenSSL anymore. I was able to install cryptography using Homebrew and static build:
env CRYPTOGRAPHY_OSX_NO_LINK_FLAGS=1 LDFLAGS="$(brew --prefix openssl)/lib/libssl.a $(brew --prefix openssl)/lib/libcrypto.a" CFLAGS="-I$(brew --prefix openssl)/include" pip install cryptography
More info
http://cryptography.readthedocs.org/en/latest/installation/
I wrote a code that worked for me great, I don't remember modifying it..
I compiled it today and tried to run it, but I got this error:
error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
I also tried to connect to the host name with the openssl client, but I've got and error says: Linked closed ping timeout..
I also tried to Install openssl again, and even install an older version but it didn't work..
Any solutions?
I also tried to connect to the host name with the openssl client, but I've got and error says: Linked closed..
It sounds like the remote host is not available. If you can't connect to the remote host using command line tools, then there's nothing you can do with your code to make it work. Verify that the remote host is responding correctly first.
When I used openssl APIs to validate server certificate (self signed), I got following error :
error 19 at 1 depth lookup:self signed certificate in certificate
chain
As per openssl documentation, this error (19) is
"X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in
certificate chain - the certificate chain could be built up using the
untrusted certificates but the root could not be found locally."
Why this error occurs ? Any problems with my server certificate ?
You have a certificate which is self-signed, so it's non-trusted by default, that's why OpenSSL complains. This warning is actually a good thing, because this scenario might also rise due to a man-in-the-middle attack.
To solve this, you'll need to install it as a trusted server. If it's signed by a non-trusted CA, you'll have to install that CA's certificate as well.
Have a look at this link about installing self-signed certificates.
Here is one-liner to verify certificate to be signed by specific CA:
openssl verify -verbose -x509_strict -CAfile ca.pem certificate.pem
This doesn't require to install CA anywhere.
See How does an SSL certificate chain bundle work? for details and correct certificate chain handling.
If you're running Charles and trying to build a docker container then you'll most likely get this error.
Make sure to disable Charles (macos) proxy under proxy -> macOS proxy
Charles is an
HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
So anything similar may cause the same issue.
The solution for the error is to add this line at the top of the code:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
if you are testing your end points using Postman, just go to settings and disable "Enable SSL certificate verification"