Tomcat 6 ERR_SSL_VERSION_OR_CIPHER_MISMATCH / ssl_error_no_cypher_overlap - tomcat6

I'm having trouble using a browser to access my SSL/TLS-enabled tomcat-6.0.36-windows-x64 server. It works fine with openssl but not with any browser.
Initializing looks fine:
16.01.2013 16:45:09 org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Also openSSL:
openssl s_client -tls1 -connect localhost:8443:
Result:
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDH-ECDSA-AES256-SHA
Only web-browsers don’t work:
Firefox 15.0.1 says: ssl_error_no_cypher_overlap
Chrome 24.0.1312.52 m: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
That’s the tomcat configuration:
<Connector port="8443" maxHttpHeaderSize="8192"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150"
           scheme="https"
           secure="true"
           SSLProtocol="all"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           SSLEnabled="true"
           SSLCertificateFile="../ecc_servercert.crt"
           SSLCertificateKeyFile="../ec_serverkey.pem" />
The certificate is based on an elliptic curve algorithm:
openssl ecparam -out c:\ecc\ec_serverkey.pem -name secp256k1 -genkey
openssl req -new -x509 -nodes -days 365 -key c:\ecc\ec_serverkey.pem -out c:\ecc\ecc_servercert.crt
Hope someone has an idea? According to hours of searching, the browsers should support this configuration ...
Regards, Tobi

ashiii is incorrect, it's because the ecc curve secp256k1 is not supported in chrome or firefox.
prime256v1 and secp384r1 are good alternatives. see http://security.stackexchange.com/questions/78621/which-elliptic-curve-should-i-use
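To check which curve a key file actually uses before pointing a browser at the server, here is an added stdlib-only Python checker (not from the answer above). It reads the EC PARAMETERS block that `openssl ecparam -genkey` writes, or the named-curve OID inside a SEC1 EC PRIVATE KEY block, and flags secp256k1 as a curve Firefox/Chrome will not negotiate; the PEM samples and the all-zero "key" are constructed test data.

```python
import base64
import re
# DER OID value -> (OpenSSL curve name, negotiable by Firefox/Chrome?); other OIDs report None
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): ("prime256v1", True),   # 1.2.840.10045.3.1.7 (P-256)
    bytes.fromhex("2b81040022"):       ("secp384r1", True),    # 1.3.132.0.34 (P-384)
    bytes.fromhex("2b8104000a"):       ("secp256k1", False),   # 1.3.132.0.10 (Koblitz curve)
}

def der_oids(data):
    """Walk DER TLVs, recursing into constructed tags, and yield every OID value."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if tag == 0x06:                         # OBJECT IDENTIFIER
            yield value
        elif tag & 0x20:                        # SEQUENCE, [0], [1], ... are constructed
            yield from der_oids(value)

def pem_blocks(text):
    """Yield (label, DER bytes) for every PEM block in the text."""
    for label, body in re.findall(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", text, re.S):
        yield label, base64.b64decode("".join(body.split()))

def curve_of(pem_text):
    """Return (curve name, browser_ok) for the first known curve OID in the file, else None."""
    for _label, der_bytes in pem_blocks(pem_text):
        for oid in der_oids(der_bytes):
            if oid in CURVES:
                return CURVES[oid]
    return None

def der(tag, value): return bytes([tag, len(value)]) + value  # short-form TLV, for test data only

def fake_sec1_key(oid):
    """Constructed SEC1 ECPrivateKey PEM with an all-zero scalar: test data, not a usable key."""
    body = der(0x02, b"\x01") + der(0x04, b"\x00" * 32) + der(0xA0, der(0x06, oid))
    return "-----BEGIN EC PRIVATE KEY-----\n%s\n-----END EC PRIVATE KEY-----\n" % base64.b64encode(der(0x30, body)).decode()

# Constructed "EC PARAMETERS" blocks as `openssl ecparam -name <curve> -genkey` writes them.
SECP256K1_PARAMS = "-----BEGIN EC PARAMETERS-----\nBgUrgQQACg==\n-----END EC PARAMETERS-----\n"
PRIME256V1_PARAMS = "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n"
```

Run `curve_of(open("ec_serverkey.pem").read())` against the key from the question to see `("secp256k1", False)`, which is exactly why the browsers report no cipher overlap.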

I think that there are two possibilities:
Either you use the APR connector and the Tomcat native libraries as well, so it will throw the error (more info: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File).
Or you use the same port for both http & https: in your connector you use 8443, which is usually used for http (have you tried to use port="443" instead of "8443"?).

Related

Does create-react-app support elliptic curve certificates?

I'm setting up an https certificate for my react web page using create-react-app, and I've managed to make it work using a self-signed RSA certificate but not with a self-signed elliptic curve certificate (nor with a real EC certificate signed by a CA).
I've made .key and .crt with openssl:
rsa (works):
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out my_rsa.crt -keyout my_rsa.key
ecc (does not work):
openssl ecparam -genkey -name secp384r1 | openssl ec -out my_ecc.key && openssl req -x509 -new -key my_ecc.key -out my_ecc.crt
Also, I've made a CA-signed certificate with an elliptic curve key as explained in:
https://www.namecheap.com/support/knowledgebase/article.aspx/9446/14/generating-csr-on-apache-opensslmodsslnginx-heroku/
But it's not working either.
I'm using a .env.development file with the environment variables:
HTTPS=true
SSL_CRT_FILE=../../.ssl/my_.xxx.crt
SSL_KEY_FILE=../../.ssl/my_xxx.key
but when trying to execute npm start I get this error:
The certificate "/home/ba/.ssl/my_ecc.crt" is invalid.
error:0608B096:digital envelope routines:EVP_PKEY_encrypt_init:operation not supported for this keytype
Any help?
Thanks.

IdentityServer4 AddSignerCredentials RSA example

Getting ready to move our IdentityServer4 setup from dev to test and I need to get the AddSignerCredentials() piece migrated from AddDeveloperCredentials(). I can generate a private and public RSASecurityKey but I'm unclear as to what RsaSecurityKey to pass to AddSignerCredentials(). The discovery endpoint somehow knows about the public key, but we'd want to sign tokens with the private key. Neither seems to work.
Is there an example of how to use this somewhere in the documentation that I missed?
Use openssl to create the certificate using the following demo commands in your command prompt:
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout IdentityServer4.key -out IdentityServer4.crt -subj "/CN=IdentityServer4.com" -days 3650
openssl pkcs12 -export -out IdentityServer4.pfx -inkey IdentityServer4.key -in IdentityServer4.crt -certfile IdentityServer4.crt
Install that certificate to your current user profile.
Replace
AddDeveloperSigningCredential()
with
AddSigningCredential("ThumbprintOfCertificate", StoreLocation.CurrentUser, NameType.Thumbprint)
That's it.

My SSL always give SEC_ERROR_UNKNOWN_ISSUER

I have a VPN server running apache2 and I am trying to generate server keys that will work with SSL.
I am using these command lines:
openssl req -new -newkey rsa:2048 -nodes -keyout polszmata.pl.key -out polszmata.pl.csr
openssl x509 -req -days 365 -in polszmata.pl.csr -signkey polszmata.pl.key -out polszmata.pl.crt
I did set up a Vhost:
<VirtualHost *:443>
    DocumentRoot /var/www/polszmata
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/polszmata.pl.crt
    SSLCertificateKeyFile /etc/ssl/polszmata.pl.key
    SSLCACertificateFile /etc/ssl/intermediate.crt
</VirtualHost>
The apache2 log looks fine, no problems, but the SSL certificate is not working right. Can someone point out my mistake?
Just a quick heads-up:
Your certificate chain to some CA every browser knows and trusts is non-existent. You have to create a CA first, and trust that one in your browser, or import the public key that you created into the browser, so that trust is established.
Or you have to buy a key off a CA (or get one from https://letsencrypt.org/), and use that instead.
You can use the key you created to create a Certificate Signing Request, I'd guess that letsencrypt accepts those, signs them, and then you have to import that signature, and voila, the trust chain is there, and should work with many browsers, too (some may exclude the trust to letsencrypt, though... not an option for commercial use).

Google App Engine SSL not working with openssl command line tool

I installed an SSL certificate for my Google App Engine app and Google Apps domain. HTTPS is working ok, but when I try to use the openssl cli tool I get this error:
$ openssl s_client -showcerts -connect mysite.com:443
CONNECTED(00000003)
140625875744448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 226 bytes
---
Any insight on what could be the problem? From what I google'd, it could be a server config problem, but being Google App Engine server, I don't think I can do anything about it.
The main problem is that this prevents connecting securely via low level APIs like openssl, or programming languages (tried with python and it doesn't work). Strange thing is that the web can be accessed using HTTPS with no problems.
If it helps, here's the site: https://www.proofofexistence.com/
This usually happens when you have set up SNI SSL as this is not supported by default on openssl.
To make this work, just set the -servername flag to the name of the vhost you are testing.
$ openssl s_client -showcerts -servername www.proofofexistence.com -connect www.proofofexistence.com:443

how to set-up SSL on google app engine (custom domain name )

Google just announced SSL support for custom domain but I can't understand how it can be set-up as there is no way to generate Certificate Signing Request (CSR) on GAE ?!
http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=2644386
Am I missing something ?
To expand on the above:
The following three steps should be sufficient to generate a private key and a self-signed certificate suitable for testing SSL on GAE on a linux box:
openssl genrsa -out yourdomain.com.key 1024
openssl req -new -key yourdomain.com.key -out yourdomain.com.csr
openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt
Disclaimer: It works but I do not know what I'm doing
Various programs exist to create a Certificate Signing Request (CSR.) I used 'openssl' on a linux machine to generate the Key and CSR.
1) I generated an Unencrypted PEM encoded RSA private key as specified by Google's SSL for a Custom Domain (https://cloud.google.com/appengine/docs/ssl)
cd $HOME
openssl genrsa -out rsa_private_key.key 2048
2) Use the 'rsa_private_key.key' to generate the required Certificate Signing Request (CSR) file.
openssl req -new -key rsa_private_key.key -out request.csr
You will be asked the following questions:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: Illinois
Locality Name (eg, city) []: Chicago
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Chicago Company, Ltd.
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: checkout.customedomain.com
Email Address []:
I ignored two additional questions and everything worked fine. The 'request.csr' located on your home directory ($HOME) is the CSR file needed by the Certificate Authority provider to generate your certificate(s). Again, it doesn't have to be openssl: Many tools for various platforms are supported by providers. Just keep in mind Google's requirements.
A side note regarding Custom Domains:
Make sure your CUSTOM DOMAIN includes a subdomain or 'Fully Qualified Domain Name.' The 'www.' is considered a subdomain and it's ALWAYS required for SSL in Google App Engine (10/2014.) So in my example, if I wanted SSL at customedomain.com I would add 'www.customedomain.com'. You can redirect your naked domain to your Fully Qualified Domain Name.
Google Appengine DOES NOT provide SSL support for naked domains like: https://customedomain.com
This is reposted from my answer at:
How to get .pem file from .key and .crt files?
I was trying to go from GoDaddy to App Engine. What did the trick was using this line in the terminal (mac) to generate the key and csr:
openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
Exactly as is, but replacing name with my domain name (not that it really even mattered)
Also, what follows that is a bunch of questions and I answered all the questions pertaining to common name / organization as www.name.com , and I skipped the pass code and company name by just pressing enter
Then I opened the .csr file, copied it, pasted it in go daddy's csr form, waited for godaddy to approve it, then downloaded it, unzipped it, navigated to the unzipped folder in the terminal and entered:
cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
Then I used these instructions from the post Trouble with Google Apps Custom Domain SSL, which were:
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt
Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate",
and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key".
And that finally worked.
You need to generate a certificate with a CA and upload it. They aren't offering certificate creation as a service.
