I installed a SSL certificate for my google app engine app and Google Apps domain. HTTPS is working ok, but when I try to use openssl cli tool I get this error:
$ openssl s_client -showcerts -connect mysite.com:443
CONNECTED(00000003)
140625875744448:error:1409E0E5:SSL **routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:**
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
Any insight on what could be the problem? From what I google'd, it could be a server config problem, but being Google App Engine server, I don't think I can do anything about it.
The main problem is that this prevents connecting securely via low level APIs like openssl, or programming languages (tried with python and it doesn't work). Strange thing is that the web can be accessed using HTTPS with no problems.
If it helps, here's the site: https://www.proofofexistence.com/
This usually happens when you have set up SNI SSL as this is not supported by default on openssl.
To make this work, just set the -servername flag to the name of the vhost you are testing.
$ openssl s_client -showcerts -servername www.proofofexistence.com -connect www.proofofexistence.com:443
Related
I have deployed my project on a compute engine VM instance. React is running on some port and Spring Boot server is running on another port. I've downloaded certs for a subdomain on the VM. How do I apply them to the project so that it opens on HTTPS
We get PEM file from Let's Encrypt using certbot
certbot certonly -a standalone -d example.com
Create PKCS12 format using openssl
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
Add these properties to application.properties to add SSL certificate from Let's Encrypt
server.port: 443
security.require-ssl=true
server.ssl.key-store:/etc/letsencrypt/live/example.com/keystore.p12
server.ssl.key-store-password: store-password
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
You may install NGINX on your instance and use it as a reverse proxy to pass requests to each server depending on the subdomain, then you may update the configuration with SSL config.
If you plan on using certificates issued by Let's Encrypt, then you can use Certbot to amend the NGINX configuration with SSL config automatically.
I'm trying to connect using SSL, SSL is enabled on the server but I'm not able to connect using the rabbitmq-c client.
I took the amqps_connect_timeout.c example and this is the error that I'm getting at amqp_socket_open_noblock.
SSL peer cert verification failed
When using OpenSSL the connection and verification succeed.
openssl verify -CAfile cacert.pem cert.pem
cert.pem: OK
openssl s_client -connect www.example.com:25586 -CAfile cacert.pem
Verify return code: 0 (ok)
If I disable certificate verification the connection succeed.
amqp_ssl_socket_set_verify_peer(socket, 0);
What am I doing wrong?
I have found what was wrong, my CAfile was missing the intermediate certificate.
Probably openssl s_client is ignoring this by default.
After fixing the cacert file the connection was established from the rabbitmq-c library.
I'm trying to make a client connect to some servers via https, using openssl library.
The call stack is something like this:
SSL_library_init();
SSL_load_error_strings();
SSL_CTX *ctx = SSL_CTX_new(TLSv1_method());
SSL_CTX_load_verify_locations(ctx, "file_with_trusted_certificates", NULL);
SSL *ssl = SSL_new(ctx);
BIO *bio = BIO_new_socket(...);
SSL_set_bio(ssl, bio, bio);
SSL_connect(ssl);
SSL_get_verify_result(ssl);
I have 2 servers with ssl certificates, which I have extracted using openssl tool and put into "file_with_trusted_certificates" file:
openssl s_client -showcerts -connect server_url:443
The problem is the following: one server is validated (though if not using file_with_trusted_certificates it fails with error 19: self signed certificate in certificate chain), but the check of the second server always fails with error 20: unable to get local issuer certificate. When passing
"-CAfile file_with_trusted_certificates"
to openssl tool, both servers get validated.
What I am doing wrong, why doesn't the second server also get validated?
The servers have different ciphers, and the one that succeeds has secure renegotiation enabled.
EDIT:
The C client runs on a arm device, which has libssl v0.9.8. The openssl tool run on the embedded device yields the same result as the C application: error 20 for first server and OK for the other. Using a linux environment, the openssl tool yield OK for both server, but then, maybe the version of the C application would do the same.
After some trial-error, I managed to find the problem.
I needed to add the certificate of the issuer of the root certificate in the chain in "file_with_trusted_certificates" file, but I added just the root certificate in the chain:
Common name: Baltimore CyberTrust Root -> I added this
Issuer: GTE CyberTrust Global Root -> I needed to add the certificate of this
Interestingly, it was working for the other server because the root certificate in the chain was self-signed and authorized:
Common name: AddTrust External CA Root
Issuer: AddTrust External CA Root
I've trouble in connecting to a wss secured socket server via google appengine frontend with managed VM support.
buy default google exposes only port 8080 in docker image google/nodejs-runtime, Even if expose port 8443 in Dockerfile like below i can connect only to http://localhost:8080 not https://localhost:8443
FROM google/nodejs
WORKDIR /app
ADD package.json /app/
RUN npm install
ADD . /app
EXPOSE 8443
CMD []
ENTRYPOINT ["/nodejs/bin/npm", "start"]
Still i can see port 8080 include in the container
"/nodejs/bin/npm start 8443/tcp, 0.0.0.0:8080->8080/tcp
If i log in to my managed vm instance and run the container image with
docker run -d -p 8443:8443 nodejs.default.wss-check:latest
and try
$curl https://localhost:8443
I get curl: (60) SSL certificate problem: unable to get local issuer certificate, It looks like its connecting but i've to use realdomain name
I've created a issue in github aswell https://github.com/GoogleCloudPlatform/appengine-nodejs-quickstart/issues/13, but not that helpful.
Same set up works like a charm in normal compute instance. but it doesn't auto scale.
Any help on this issue will be appreciated.
The reason you can't curl to https on localhost (curl: (60) SSL certificate problem: unable to get local issuer certificate) is because "localhost" is unknown to any CA. You need to run curl -k https://localhost:8443 to get it to ignore the lack of a certificate for localhost.
Looks like currently Google Managed VM supports Websocket connection only on JAVA
Even if you try websocket connection on with nodejs on GMV it defaults to polling transport. if you wanna see this in live you can use set socket transports, deploy to live and look in to console- network and see which transport its using!
socket.set('transports', [
'websocket'
, 'flashsocket'
, 'htmlfile'
, 'xhr-polling'
, 'jsonp-polling'
]);
We have to wait untill google implements websocket support in Managed VM. If anyone get this working on GMV, Please comment here :)
I’ve trouble to use a browser for accessing my SSL/TLS enabled tomcat-6.0.36-windows-x64 server. It works fine with openssl but not with any browser.
Initializing looks fine:
16.01.2013 16:45:09 org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Also openSSL:
openssl s_client -tls1 -connect localhost:8443:
Result:
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDH-ECDSA-AES256-SHA
Only web-browsers don’t work:
Firefox 15.0.1 says: ssl_error_no_cypher_overlap
Chrome 24.0.1312.52 m: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
That’s the tomcat configuration:
Connector port="8443" maxHttpHeaderSize="8192"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxThreads="150"
scheme="https"
secure="true"
SSLProtocol="all"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
SSLEnabled="true"
SSLCertificateFile="../ecc_servercert.crt"
SSLCertificateKeyFile="../ec_serverkey.pem"
The certificate is based on a ecliptic curves algorithm:
openssl ecparam -out c:\ecc\ec_serverkey.pem -name secp256k1 -genkey
openssl req -new -x509 -nodes -days 365 -key c:\ecc\ec_serverkey.pem -out c:\ecc\ecc_servercert.crt
Hope someone has an idea? Accourding to hours of searching, the browers should support this configuariton ...
Ragards, Tobi
ashiii is incorrect, it's because the ecc curve secp256k1 is not supported in chrome or firefox.
prime256v1 and secp384r1 are good alternatives. see http://security.stackexchange.com/questions/78621/which-elliptic-curve-should-i-use
I think that there are two possibilities:
Either you use the APR connector and Tomcat native libraries as well, so it will throw the error.(more info:http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File)
Or you use the same port for both http & https: in your connector you use 8443 which is usually used for http.(have you tried o use port="443" not "8443"?)