I'm trying to connect using SSL. SSL is enabled on the server, but I'm not able to connect using the rabbitmq-c client.
I took the amqps_connect_timeout.c example, and this is the error that I'm getting at amqp_socket_open_noblock:
SSL peer cert verification failed
When using OpenSSL the connection and verification succeed.
openssl verify -CAfile cacert.pem cert.pem
cert.pem: OK
openssl s_client -connect www.example.com:25586 -CAfile cacert.pem
Verify return code: 0 (ok)
If I disable certificate verification, the connection succeeds.
amqp_ssl_socket_set_verify_peer(socket, 0);
What am I doing wrong?
I have found what was wrong, my CAfile was missing the intermediate certificate.
Probably openssl s_client is ignoring this by default.
After fixing the cacert file the connection was established from the rabbitmq-c library.
Can't open config/certs/http_ca.crt for reading, No such file or directory
139762353411904:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('config/certs/http_ca.crt','r')
139762353411904:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load certificate
I am getting this issue. Can anybody help me figure out this problem?
I am following this documentation for connecting Elasticsearch to Filebeat: https://www.elastic.co/guide/en/elasticsearch/reference/8.0/configuring-stack-security.html#_connect_clients_to_elasticsearch_5
$ sudo openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt
Instead of fingerprint you can also use the CA certificate (2nd option in the document) to establish SSL between Filebeat and Elasticsearch.
Try the settings below in your filebeat.yml for the ES connection. Note: in case you want to disable SSL, you can add the line "ssl.verification_mode: none".
output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "elastic"
  password: "xxxxxxxxxxxxxxxxxxxxxx"
  ssl.certificate_authorities: "/etc/elasticsearch/certs/http_ca.crt"
  index: "myindex"
  pipeline: "mypipeline"
I can successfully access Snowflake via snowsql, and a browser using the same credentials. However, those credentials do not work with the Driver as laid out in the odbc-mac guide. When I test according to "Step 3: Test the ODBC Driver" I get the following experience:
$ "/Library/Application Support/iODBC/bin/iodbctest"
iODBC Demonstration program
This program shows an interactive SQL processor
Driver Manager: 03.52.1521.0607
Enter ODBC connect string (? shows list): dsn=SnowflakeDSII;pwd=[pwd]
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
OOB curl_easy_perform() failed: Problem with the SSL CA cert (path? access rights?)
1: SQLDriverConnect = [Snowflake][DSI] An error occurred while attempting to retrieve the error message for key 'SFRestRequestFailed' with message parameters ['[host]:443/session/v1/login-request?requestId=[id]&request_guid=[guid]&databaseName=[db_name]&warehouse=[wh]&roleName=[role]', 'CURLerror (curl_easy_perform() failed) - code=77 msg='Problem with the SSL CA cert (path? access rights?)' osCode=2 osMsg='No (-1) SQLSTATE=HY000
1: ODBC_Connect = [Snowflake][DSI] An error occurred while attempting to retrieve the error message for key 'SFRestRequestFailed' with message parameters ['[host]:443/session/v1/login-request?requestId=[id]&request_guid=[guid]&databaseName=[db]&warehouse=[wh]&roleName=[role]', 'CURLerror (curl_easy_perform() failed) - code=77 msg='Problem with the SSL CA cert (path? access rights?)' osCode=2 osMsg='No (-1) SQLSTATE=HY000
my odbc.ini file is
[ODBC Data Sources]
SnowflakeDSII = Snowflake
[SnowflakeDSII]
Server = [host account].[aws region].snowflakecomputing.com
UID = [user]
Role = [role]
Database = [db]
Warehouse = [warehouse]
Driver = /opt/snowflake/snowflakeodbc/lib/universal/libSnowflake.dylib
Also...
I installed the driver: snowflake_odbc_mac_arm64-2.25.0.dmg
I had to manually mkdir universal and cp lib/libSnowflake.dylib lib/universal/libSnowflake.dylib
(And the error files too)
Thank you for your time!
Update
Also note the system couldn't find the following error files:
"exceptionMessage": "CURLerror (curl_easy_perform() failed) - code=77 msg='Problem with the SSL CA cert (path? access rights?)' osCode=2 osMsg='No such file or directory'",
"request": "https://[host].us-east-1.snowflakecomputing.com:443/session/v1/login-request?requestId=b5ebf406-989e-4aab-a043-6b4b656961cd&request_guid=8b68691f-db12-44c3-9a91-1fc685cd87a5&databaseName=[db]&warehouse=[wh]&roleName=[role]",
"sqlState": "HY000"
"/opt/snowflake/snowflakeodbc/lib/universal/en-US/SFMessages.xml"
"/opt/snowflake/snowflakeodbc/lib/universal/SFMessages_en-US.xml"
So I touched them, but then the error said they were 'empty'.
The issue was that many of the files that the system needs to be in /lib/universal are not there.
The solution is to either symlink them, or move them from /opt/snowflake/snowflakeodbc,
for example:
# I found
/opt/snowflake/snowflakeodbc/lib/universal/en-US/SFMessages.xml
in
/opt/snowflake/snowflakeodbc/ErrorMessages
Also
/opt/snowflake/snowflakeodbc/lib/cacert.pem
# needed to be moved to
/opt/snowflake/snowflakeodbc/lib/universal/cacert.pem
Thank you, #Sergiu for the logging guidance!
I upgraded my react front end to use https. That broke the connection to my backend tokio socket server. I tried to run a test against the tokio-native-tls echo.rs example which uses an identity.p12 file after I ran these commands:
openssl pkcs12 -in identity.p12 -nocerts -out .conf/server.key
openssl pkcs12 -in identity.p12 -clcerts -nokeys -out server.crt
openssl rsa -in server.key -out .conf/server_d.key
SSL_CRT_FILE=.cert/server.crt
SSL_KEY_FILE=.cert/server_d.key
HTTPS=true
Front end runs under nginx which I configured to use https.
thread 'main' panicked at 'accept error: Ssl(Error { code: ErrorCode(1), cause: Some(Ssl(ErrorStack([Error
{ code: 336151574, library: "SSL routines", function: "ssl3_read_bytes",
reason: "sslv3 alert certificate unknown", file: "../ssl/record/rec_layer_s3.c",
line: 1528, data: "SSL alert number 46" }]))) },
X509VerifyResult { code: 0, error: "ok" })', tokio-native-tls/examples/echo.rs:33:34
I'm having trouble configuring the react client with the server using that identity.p12 file.
Any help would be appreciated.
I was able to resolve the issue by combining the echo example from https://github.com/tokio-rs/tls and https://github.com/snapview/tokio-tungstenite.
This addressed both the http and tls requirements.
I'm trying to make a client connect to some servers via https, using openssl library.
The call stack is something like this:
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bio.h>

SSL_library_init();
SSL_load_error_strings();
SSL_CTX *ctx = SSL_CTX_new(TLSv1_method());
/* trust store used for chain building: must hold every certificate needed to reach a trusted root */
SSL_CTX_load_verify_locations(ctx, "file_with_trusted_certificates", NULL);
SSL *ssl = SSL_new(ctx);
BIO *bio = BIO_new_socket(...);   /* socket fd and close flag elided in the original post */
SSL_set_bio(ssl, bio, bio);
SSL_connect(ssl);
SSL_get_verify_result(ssl);       /* X509_V_OK, or an X509_V_ERR_* code such as 19 or 20 below */
I have 2 servers with ssl certificates, which I have extracted using openssl tool and put into "file_with_trusted_certificates" file:
openssl s_client -showcerts -connect server_url:443
The problem is the following: one server is validated (though if not using file_with_trusted_certificates it fails with error 19: self signed certificate in certificate chain), but the check of the second server always fails with error 20: unable to get local issuer certificate. When passing
"-CAfile file_with_trusted_certificates"
to openssl tool, both servers get validated.
What I am doing wrong, why doesn't the second server also get validated?
The servers have different ciphers, and the one that succeeds has secure renegotiation enabled.
EDIT:
The C client runs on an ARM device, which has libssl v0.9.8. The openssl tool run on the embedded device yields the same result as the C application: error 20 for the first server and OK for the other. Using a Linux environment, the openssl tool yields OK for both servers, but then, maybe the version of the C application would do the same.
After some trial-error, I managed to find the problem.
I needed to add the certificate of the issuer of the root certificate in the chain in "file_with_trusted_certificates" file, but I added just the root certificate in the chain:
Common name: Baltimore CyberTrust Root -> I added this
Issuer: GTE CyberTrust Global Root -> I needed to add the certificate of this
Interestingly, it was working for the other server because the root certificate in the chain was self-signed and authorized:
Common name: AddTrust External CA Root
Issuer: AddTrust External CA Root
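The missing-link situation described in the rabbitmq-c answer above (a CA file without the intermediate) and again in this answer (a trust store without the issuer of the chain's last certificate), reproduced as an added shell example that is not part of any post. It assumes only the openssl CLI and uses constructed names (Example Root CA, Example Intermediate CA, www.example.com).

```shell
# Constructed demo, not code from any post above: build a root -> intermediate
# -> leaf chain, reproduce "unable to get local issuer certificate" and show the
# two ways it is resolved. Needs the openssl CLI; works in a temporary directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

# issue NAME CN EXTFILE [ISSUER]: key and certificate for NAME, self-signed when
# no ISSUER is given, otherwise signed by ISSUER's key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -days 30 -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -days 30 -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" \
      -CAcreateserial -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}
issue root 'Example Root CA' ca.ext
issue int  'Example Intermediate CA' ca.ext root
issue leaf 'www.example.com' leaf.ext int
cat root.pem int.pem > bundle.pem

# verify_leaf CAFILE [UNTRUSTED]: prints ok or fail, the decision a client makes
# against a CAfile-style trust store. UNTRUSTED stands in for the intermediate a
# server sends in the handshake, which is why s_client can pass while a library
# holding only CAFILE fails.
verify_leaf() {
  if [ -n "$2" ]; then extra="-untrusted $2"; else extra=""; fi
  if openssl verify -CAfile "$1" $extra leaf.pem >/dev/null 2>&1; then
    echo ok; else echo fail; fi
}

# chain_gaps FILE...: issuers named in the given single-certificate PEM files that
# none of them has as subject, i.e. the link the trust store is missing (note that
# openssl x509 -in reads only the first certificate of a bundle).
chain_gaps() {
  for f in "$@"; do openssl x509 -in "$f" -noout -subject -issuer; done |
    sed 's/^[a-z]*=//' |
    awk 'NR%2{subj[$0]=1;next}; {iss[$0]=1}; END{for(i in iss)if(!(i in subj))print i}'
}
echo "root only:           $(verify_leaf root.pem)"          # fail
echo "root + intermediate: $(verify_leaf bundle.pem)"        # ok
echo "root, peer sent int: $(verify_leaf root.pem int.pem)"  # ok
echo "missing link:        $(chain_gaps leaf.pem root.pem)"  # names Example Intermediate CA
```

The third case is what openssl s_client does implicitly: the server supplies the intermediate, so only the root needs to be in the CA file; a library that builds the chain purely from its own CA file needs the intermediate there as well.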
I installed a SSL certificate for my google app engine app and Google Apps domain. HTTPS is working ok, but when I try to use openssl cli tool I get this error:
$ openssl s_client -showcerts -connect mysite.com:443
CONNECTED(00000003)
140625875744448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
Any insight on what could be the problem? From what I googled, it could be a server config problem, but being a Google App Engine server, I don't think I can do anything about it.
The main problem is that this prevents connecting securely via low level APIs like openssl, or programming languages (tried with python and it doesn't work). Strange thing is that the web can be accessed using HTTPS with no problems.
If it helps, here's the site: https://www.proofofexistence.com/
This usually happens when you have set up SNI SSL as this is not supported by default on openssl.
To make this work, just set the -servername flag to the name of the vhost you are testing.
$ openssl s_client -showcerts -servername www.proofofexistence.com -connect www.proofofexistence.com:443