Connecting to tokio-native-tls echo.rs from react - reactjs

I upgraded my react front end to use https. That broke the connection to my backend tokio socket server. I tried to run a test against the tokio-native-tls echo.rs example which uses an identity.p12 file after I ran these commands:
openssl pkcs12 -in identity.p12 -nocerts -out .conf/server.key
openssl pkcs12 -in identity.p12 -clcerts -nokeys -out server.crt
openssl rsa -in server.key -out .conf/server_d.key
SSL_CRT_FILE=.cert/server.crt
SSL_KEY_FILE=.cert/server_d.key
HTTPS=true
Front end runs under nginx which I configured to use https.
thread 'main' panicked at 'accept error: Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error
{ code: 336151574, library: "SSL routines", function: "ssl3_read_bytes",
reason: "sslv3 alert certificate unknown", file: "../ssl/record/rec_layer_s3.c",
line: 1528, data: "SSL alert number 46" }]))) },
X509VerifyResult { code: 0, error: "ok" })', tokio-native-tls/examples/echo.rs:33:34
I'm having trouble configuring the react client with the server using that identity.p12 file.
Any help would be appreciated.

I was able to resolve the issue by combining the echo example from https://github.com/tokio-rs/tls and https://github.com/snapview/tokio-tungstenite.
This addressed both the HTTP and TLS requirements.

Related

configure of filebeat to elasticsearch

Can't open config/certs/http_ca.crt for reading, No such file or directory
139762353411904:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('config/certs/http_ca.crt','r')
139762353411904:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load certificate
I am getting this issue; can anybody help me figure out this problem?
I am following this documentation for connecting Filebeat to Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/8.0/configuring-stack-security.html#_connect_clients_to_elasticsearch_5
$ sudo openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
Instead of fingerprint you can also use the CA certificate (2nd option in the document) to establish SSL between Filebeat and Elasticsearch.
Try the settings below in your filebeat.yml for the ES connection. Note: in case you want to disable SSL, you can add the line "ssl.verification_mode: none".
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "elastic"
  password: "xxxxxxxxxxxxxxxxxxxxxx"
  ssl.certificate_authorities: "/etc/elasticsearch/certs/http_ca.crt"
  index: "myindex"
  pipeline: "mypipeline"

Starting a react app in HTTPS instead of HTTP

I want to know how to start a react app which was made using the create-react-app command in https instead of HTTP?
Use something like a root SSL certificate.
Generate a key:
openssl genrsa -des3 -out rootCA.key 2048
With the key you can generate a certificate which is good for 1,024 days:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Open Keychain Access on your Mac, go to the Certificates category and import the rootCA.pem generated in the last step. Double click it and under "When using this certificate" select 'Always Trust'.
Create an OpenSSL configuration file
server.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=US
ST=RandomState
L=RandomCity
O=RandomOrganization
OU=RandomOrganizationUnit
emailAddress=hello@example.com
CN = localhost
Create a v3.ext file to create a X509 v3 certificate.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
Create a certificate key for localhost using the configuration settings stored in server.csr.cnf. This key is stored in server.key.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )
A certificate signing request is issued via the root SSL certificate we created earlier to create a domain certificate for localhost. The output is a certificate file called server.crt.
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
You’re now ready to secure your localhost with HTTPS. Move the server.key and server.crt files to an accessible location on your server and include them when starting your server.
In an Express app written in Node.js, here’s how you would do it. Make sure you do this only for your local environment. Do not use this in production.
var path = require('path')
var fs = require('fs')
var express = require('express')
var https = require('https')
var certOptions = {
  key: fs.readFileSync(path.resolve('build/cert/server.key')),
  cert: fs.readFileSync(path.resolve('build/cert/server.crt'))
}
var app = express()
var server = https.createServer(certOptions, app).listen(443)
Check https://github.com/dakshshah96/local-cert-generator/ for more detailed instructions
Adding on to the solution provided by Mark, to import the certificate you must click File > Import Items. Then, search for the certificate on your hard drive. After doing so you can proceed with the remaining steps.

IdentityServer4 AddSignerCredentials RSA example

Getting ready to move our IdentityServer4 setup from dev to test and I need to get the AddSignerCredentials() piece migrated from AddDeveloperCredentials(). I can generate a private and public RSASecurityKey but I'm unclear as to what RsaSecurityKey to pass to AddSignerCredentials(). The discovery endpoint somehow knows about the public key, but we'd want to sign tokens with the private key. Neither seems to work
Is there an example of how to use this somewhere in the documentation that I missed?
Use OpenSSL to create the certificate using the following demo commands in your command prompt:
OpenSSL req -x509 -newkey rsa:4096 -sha256 -nodes -keyout IdentityServer4.key -out IdentityServer4.crt -subj "/CN=IdentityServer4.com" -days 3650
OpenSSL pkcs12 -export -out IdentityServer4.pfx -inkey IdentityServer4.key -in IdentityServer4.crt -certfile IdentityServer4.crt
Install that certificate to your current user profile.
Replace
AddDeveloperSigningCredential()
with
AddSigningCredential("ThumbprintOfCertificate", StoreLocation.CurrentUser, NameType.Thumbprint)
That's it.

rabbitmq-c SSL peer cert verification failed

I'm trying to connect using SSL. SSL is enabled on the server, but I'm not able to connect using the rabbitmq-c client.
I took the amqps_connect_timeout.c example and this is the error that I'm getting at amqp_socket_open_noblock.
SSL peer cert verification failed
When using OpenSSL the connection and verification succeed.
openssl verify -CAfile cacert.pem cert.pem
cert.pem: OK
openssl s_client -connect www.example.com:25586 -CAfile cacert.pem
Verify return code: 0 (ok)
If I disable certificate verification the connection succeeds.
amqp_ssl_socket_set_verify_peer(socket, 0);
What am I doing wrong?
I have found what was wrong, my CAfile was missing the intermediate certificate.
Probably openssl s_client is ignoring this by default.
After fixing the cacert file the connection was established from the rabbitmq-c library.
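Added example (not code from either thread): it scripts the root-CA-to-localhost procedure from the React HTTPS answer above, but with an intermediate CA in between, so the verify step also reproduces the "CAfile was missing the intermediate certificate" failure found in this thread. It assumes the openssl CLI is on PATH, uses unencrypted keys (-nodes, instead of the answer's -des3) so nothing prompts, and writes everything under a throwaway directory.

```shell
#!/usr/bin/env sh
set -eu

# Builds root CA -> intermediate CA -> localhost leaf under directory $1 (constructed test material).
make_chain() {
  d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
  cat > "$d/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
EOF
  # Root CA, self-signed (the answer's rootCA.pem)
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1024 -subj "/CN=Dev Root CA" \
    -keyout "$d/rootCA.key" -out "$d/rootCA.pem" 2>/dev/null
  # Intermediate CA: CSR signed by the root with CA:TRUE
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=Dev Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" -CAcreateserial \
    -days 1024 -sha256 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # Leaf for localhost, signed by the intermediate with the v3.ext extensions (SAN included)
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "/CN=localhost" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 500 -sha256 -extfile "$d/v3.ext" -out "$d/server.crt" 2>/dev/null
  # The trust bundle a client needs: intermediate plus root
  cat "$d/inter.pem" "$d/rootCA.pem" > "$d/ca-bundle.pem"
}

# Prints ok/fail: does certificate $2 chain to the CA file $1? (same check as openssl verify -CAfile)
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
}

# Prints yes/no: is hostname $2 present in the SAN of certificate $1? (browsers ignore the CN)
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" && echo yes || echo no
}
```

Verifying server.crt against rootCA.pem alone prints fail, exactly the rabbitmq-c symptom; against ca-bundle.pem it prints ok.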

Tomcat 6 ERR_SSL_VERSION_OR_CIPHER_MISMATCH / ssl_error_no_cypher_overlap

I'm having trouble using a browser to access my SSL/TLS enabled tomcat-6.0.36-windows-x64 server. It works fine with openssl but not with any browser.
Initializing looks fine:
16.01.2013 16:45:09 org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Also with OpenSSL:
openssl s_client -tls1 -connect localhost:8443
Result:
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDH-ECDSA-AES256-SHA
Only web-browsers don’t work:
Firefox 15.0.1 says: ssl_error_no_cypher_overlap
Chrome 24.0.1312.52 m: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
That's the Tomcat configuration:
<Connector port="8443" maxHttpHeaderSize="8192"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           scheme="https"
           secure="true"
           SSLProtocol="all"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           SSLEnabled="true"
           SSLCertificateFile="../ecc_servercert.crt"
           SSLCertificateKeyFile="../ec_serverkey.pem" />
The certificate is based on an elliptic curve algorithm:
openssl ecparam -out c:\ecc\ec_serverkey.pem -name secp256k1 -genkey
openssl req -new -x509 -nodes -days 365 -key c:\ecc\ec_serverkey.pem -out c:\ecc\ecc_servercert.crt
Hope someone has an idea? According to hours of searching, the browsers should support this configuration ...
Regards, Tobi
ashiii is incorrect, it's because the ecc curve secp256k1 is not supported in chrome or firefox.
prime256v1 and secp384r1 are good alternatives. see http://security.stackexchange.com/questions/78621/which-elliptic-curve-should-i-use
I think that there are two possibilities:
Either you use the APR connector and the Tomcat native libraries as well, so it will throw the error (more info: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File).
Or you use the same port for both HTTP and HTTPS: in your connector you use 8443, which is usually used for HTTP (have you tried to use port="443" instead of "8443"?).
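Added example (not from the thread): a small check for the cause identified above, reading the named curve out of an EC private key and flagging it against the curves the accepted answer says browsers support. It assumes the openssl CLI is on PATH and that a key with no "ASN1 OID" line (e.g. explicit parameters) counts as unsupported.

```shell
#!/usr/bin/env sh
set -eu

# Curves named in the answer as browser-compatible (secp521r1 added as an assumption)
BROWSER_CURVES="prime256v1 secp384r1 secp521r1"

# Constructed sample input: one key on the curve from the question, one on a browser-supported curve
make_sample_keys() {
  mkdir -p "$1"
  openssl ecparam -name secp256k1 -genkey -noout -out "$1/secp256k1.pem"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/prime256v1.pem"
}

# Prints the named curve of EC private key $1, e.g. "secp256k1"
key_curve() {
  openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}

# Prints supported/unsupported depending on whether the key's curve is one browsers negotiate
check_key() {
  c=$(key_curve "$1")
  for ok in $BROWSER_CURVES; do
    [ "$c" = "$ok" ] && { echo supported; return 0; }
  done
  echo unsupported
}
```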