I am trying to run my IoT client on ThreadX OS, which doesn't have a file system or certificate trust store like Linux does. When I look in Wireshark, the client closes the connection with a Fatal, Bad certificate error. I tried all the options suggested in different forums to solve this issue, but none of them solved my problem. The solution I tried is mentioned below.
Using the API below, I added only the Baltimore root certificate available in cert.c.
IoTHubDeviceClient_LL_SetOption(device_ll_handle, OPTION_TRUSTED_CERT, certificates);
It's not working for me because we don't have a trust store like Linux.
#ifdef SET_TRUSTED_CERT_IN_SAMPLES
// Setting the Trusted Certificate. This is only necessary on systems without
// built-in certificate stores.
IoTHubDeviceClient_LL_SetOption(device_ll_handle, OPTION_TRUSTED_CERT, certificates);
#endif // SET_TRUSTED_CERT_IN_SAMPLES
I need answers to two important questions.
1) Do I need to add the entire certificate string in cert.c, or only the first Baltimore root as the CA root for my client?
2) Without a trust store, how can the client tell Azure cloud that I have a trusted root?
Any help would be appreciated.
I have an OPC UA server based on open62541 that connects correctly with the UAExpert client from Unified Automation. I try to add a server certificate, but UAExpert cannot find it, even if I add it to the trust list from UAExpert > Certificate manager.
Is it loaded correctly?
UA_Server *server = UA_Server_new();
UA_ServerConfig *config = UA_Server_getConfig(server);
config->serverCertificate = loadCertificate(); // Returns UA_ByteString of the file certificate.der
if(config->serverCertificate.length > 0)
    UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_SERVER, "Certificate loaded");
UA_ServerConfig_setDefault(config);
I don't know if the method UA_ServerConfig_setDefault is enough for loading a certificate, because the examples I have seen use UA_ServerConfig_setDefaultWithSecurityPolicies for setting the server configuration. I tried to test the server_encrypted.c example, but when I compile it, it throws exceptions about library and glibc versions.
Thanks in advance.
Welcome to Stack Overflow.
I have no experience with open62541, but the client connects using an endpoint from the list of endpoints previously read from the server. The chosen endpoint should contain a certificate, and when calling CreateSession the server resends the certificate; if both certificates are not equal, the client must cancel the process, as required by the OPC UA specifications.
Maybe one of the two certificates is not being sent by the server, or they are not equal.
I think you better ask here https://groups.google.com/forum/#!forum/open62541
I have been following the steps in Adding SSL to your custom domain but I am not seeing any changes yet. My website is still running with HTTP only.
I have entered all the DNS information under Custom domains and I have a valid my-cert-1 under SSL Certificates, but my site does not load if I go to https://www.my-unsecure-website.com
What could I be missing?
I have verified that I own this domain weeks ago, so it cannot be that I just have to wait 24 hours.
The process is really simple. Verify that you own the domain, upload your SSL certificate and assign a certificate to that domain.
Generally people miss the step of assigning the certificate. Make sure to follow step 5 (documentation).
I am using libcurl for a small C application. The project uses HTTPS and requires validation of both server and client certificates. I cannot use an option to suppress the verification, since I work in an insecure environment.
I am currently trying to get the server side certificate validated. First attempts gave me an expected error:
Peer certificate cannot be authenticated with given CA certificates
As said, an expected error; I understand what the message means. I dug into the documentation of libcurl and found that it supports "certificate bundles", and that newer versions do not come with a bundle at all. All options I found (and also all explanations) refer to certificate files read at runtime and obviously suggest including the required CA certificate in the local bundle.
Instead I would prefer to include a single certificate inline in the application, i.e. compiled in. This makes sense for this special case, since the application only tries to access a single, hard-coded URL, i.e. server. I accept that I'd have to replace all deployed copies of the application if the server certificate gets changed. However, I do not find any options for that in the documentation. I would prefer this strategy, since it allows a much more compact deployment of the application: a single file instead of a structure and runtime configuration.
So my question is: does libcurl offer to include a CA certificate at compile time which can be used at runtime without having to rely on an external bundle?
In libcurl the part that verifies certificates is handled by OpenSSL. You could use SSL_CTX_use_certificate to install your certificate at runtime, or use SSL_CTX_set_verify to overwrite the SSL verification function with your own.
Check curlx.c for an example.
This may be a stupid question but I just can't find the answer.
What I would like to do:
I have a WCF service hosted by IIS. It is working perfectly: I can access the WSDL, I have a self-signed certificate for the server, etc. I would like to call this service from a WPF client.
The problem is, since I have a self-signed certificate, I get the following exception when calling the service:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'.
If I access the site (or the service) from a browser, it is no problem, because the browser warns me about the certificate, and gives me the choice of viewing the page anyway. But the WPF client just throws an exception.
I don't want to completely turn off the authentication process, I simply would like to give the users the option of ignoring this warning (as browsers do).
Can anyone provide some code for this? If you ran into a good, detailed tutorial about this, it would be awesome too. (See, my problem with the tutorials I've found is the lack of details.)
Here's the minimum amount of code you need to make WCF client accept an arbitrary certificate. This is not secure. Use for testing only. Don't blame me if this code goes berserk and eats your little kitten.
ServicePointManager.ServerCertificateValidationCallback +=
new System.Net.Security.RemoteCertificateValidationCallback(EasyCertCheck);
The callback:
bool EasyCertCheck(object sender, X509Certificate cert,
X509Chain chain, System.Net.Security.SslPolicyErrors error)
{
return true;
}
Code shamelessly lifted from the least helpful answer to Is it possible to force the WCF test client to accept a self-signed certificate?
You can register the certificate yourself. If you load the certificate in the client as well, and then register it as trusted, you shouldn't get that warning.
You need to find an X509CertificateCollection and add the certificate to that collection. I had this kind of problem with an SmtpClient running over SSL.
By hooking the System.Net.ServicePointManager.ServerCertificateValidationCallback or implementing System.Net.ICertificatePolicy and identifying my own installed certificate as valid/trusted (attached to the System.Net.ServicePointManager.CertificatePolicy).
This is not WCF stuff per se, but from what I could tell, this should translate to WCF as well. It all depends on what WCF uses under the hood.
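A hardened version of the callback from the first answer, added here as an example and not code from either answer or from the original post: it keeps the framework's verdict for every certificate, and when the only problem is a chain error (UntrustedRoot for a self-signed certificate) it accepts the service certificate only if it matches a SHA-256 fingerprint compiled into the client, or, following the second answer's idea of registering your own certificate without touching the machine store, if it chains to a root the application carries itself via X509Chain.ChainPolicy.ExtraStore. The class name PinnedServiceCertificate, the EmbeddedRoot field and how the root is loaded are assumptions, and the fingerprint is a placeholder.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Accepts the self-signed service certificate only when it is the one the
// client was built to expect; everything else keeps the normal .NET verdict.
static class PinnedServiceCertificate
{
    // Assumption: the service certificate was exported once and its SHA-256
    // fingerprint recorded at build time. PLACEHOLDER value, not a real hash.
    const string PinnedSha256Hex =
        "0000000000000000000000000000000000000000000000000000000000000000";

    // Optional alternative to the fingerprint: an issuer/root certificate shipped
    // with the application (e.g. as an embedded resource), never installed into
    // the Windows ROOT store. Assumed to be loaded by the caller; null disables it.
    public static X509Certificate2 EmbeddedRoot;

    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback += Validate;
    }

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // The OS trust store accepted the chain and the host name matched.
        if (errors == SslPolicyErrors.None)
            return true;

        // A missing certificate or a host name mismatch is never acceptable, even
        // for a certificate we know: pinning only replaces the trust-root check.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != 0)
            return false;

        // Only a chain error remains: accept this exact certificate if pinned...
        if (string.Equals(Sha256Hex(cert), PinnedSha256Hex, StringComparison.OrdinalIgnoreCase))
            return true;

        // ...or if it chains to the root the application carries with it.
        return EmbeddedRoot != null && ChainsToEmbeddedRoot(cert, EmbeddedRoot);
    }

    static string Sha256Hex(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(cert.GetRawCertData());
            return BitConverter.ToString(hash).Replace("-", "");
        }
    }

    // Builds a chain with the embedded root offered through ExtraStore instead of
    // the machine store, then requires that the chain really ends at that root and
    // that UntrustedRoot is the only status the chain engine reports.
    public static bool ChainsToEmbeddedRoot(X509Certificate cert, X509Certificate2 root)
    {
        var leaf = new X509Certificate2(cert);
        var c = new X509Chain();
        c.ChainPolicy.ExtraStore.Add(root);
        // A private root publishes no CRL/OCSP, so revocation cannot be checked.
        c.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Let Build() succeed although the OS does not know this root...
        c.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!c.Build(leaf))
            return false;

        // ...but tolerate UntrustedRoot only; expiry, wrong key usage etc. still fail.
        foreach (X509ChainStatus s in c.ChainStatus)
            if (s.Status != X509ChainStatusFlags.UntrustedRoot &&
                s.Status != X509ChainStatusFlags.NoError)
                return false;

        X509Certificate2 last = c.ChainElements[c.ChainElements.Count - 1].Certificate;
        return last.RawData.SequenceEqual(root.RawData);
    }
}
```

Call PinnedServiceCertificate.Install() once at client start-up (before the first channel is opened). Compared with the `return true` callback above, a certificate presented by anyone other than the pinned service, or a pinned certificate served under the wrong host name, is still rejected, so the client does not silently accept an interposed endpoint.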
I have a C++ application that makes a HTTPS connection to one of our servers.
In my ideal world, I would like the following to occur:
App Starts
App makes Windows trust the server's root CA (no GUI please, just system calls)
App talks to server, does its work, etc.
App makes Windows forget about the server's root CA
done
I do NOT want this root CA to necessarily be trusted by other apps. Therefore I don't want to install the cert system-wide.
I also would like it if the user did not need Admin privileges.
My initial plan was to create an in-memory (CERT_STORE_PROV_MEMORY) store, add my cert to that, then add that in-memory store to the system store using CertAddStoreToCollection.
While all the CryptoAPI function calls succeed, WinHttp does not like it.
Here is the skeleton of what I'm doing - perhaps someone knows a trick?
Or perhaps this is wrong-headed in the first place?
hMemStore = CertOpenStore(CERT_STORE_PROV_MEMORY, ...);
pCert = CertCreateCertificateContext(..., pCertBytes, ...);
CertAddCertificateContextToStore(hMemStore, pCert, ...);
hRootStore = CertOpenSystemStore(NULL, "ROOT");
CertAddStoreToCollection(hRootStore, hMemStore, ...);
// Then later on...
WinHttpSendRequest(...)
A few notes:
Everything works when I use WinHttp's SECURITY_FLAG_IGNORE_UNKNOWN_CA, so I'm fairly sure this really is the issue.
I have already seen this SO question - it is close, but does not address the issue of making the cert only temporarily trusted, while the app runs.
Thanks!
Since you don't want other applications to trust this cert, you need to do part of the certificate validation yourself. Disable the CA check with the option SECURITY_FLAG_IGNORE_UNKNOWN_CA and then get the callback for connecting to the server, WINHTTP_CALLBACK_STATUS_CONNECTING_TO_SERVER. In that callback, fetch the cert with WINHTTP_OPTION_SERVER_CERT_CONTEXT and do your validation. Cancel/close the request if it's not who you want; continue the request if it's correct.