I have a grpc endpoint hello.mydomain.io, exposed on port 80 (unencrypted) and port 443 (tls with a public trusted certificate)
Both of these are are reachable with grpcurl without difficulty:
me:~$ ./grpcurl -v hello.mydomain.io:443 list
addsvc.Add
grpc.gateway.examples.examplepb.ABitOfEverythingService
grpc.reflection.v1alpha.ServerReflection
grpcbin.GRPCBin
hello.HelloService
me:~$ ./grpcurl -v --plaintext hello.mydomain.io:80 list
addsvc.Add
grpc.gateway.examples.examplepb.ABitOfEverythingService
grpc.reflection.v1alpha.ServerReflection
grpcbin.GRPCBin
hello.HelloService
However when I try from Postman (latest v9.21.2), only port 80 works, while the secure endpoint is stuck "Invoking method..." forever. Hoping there's some easy configuration that fixes this!
Related
I use:
https://www.chilkatsoft.com/refdoc/goLang_Http_Ref.html#method14
but I get this error:
ChilkatLog:
DownloadBd:
DllDate: Jun 25 2020
ChilkatVersion: 9.5.0.83
UnlockPrefix: *********
Architecture: Little Endian; 32-bit
Language: ActiveX
VerboseLogging: 0
url: https:\\*********.exe
Component successfully unlocked using purchased unlock code.
quickRequestDb:
url: https:\\*********.exe
a_quickReq:
quickHttpRequest:
httpVerb: GET
url: https:\\*********.exe
openHttpConnection:
**SSL on port 80 is probably incorrect! Normally HTTP on port 80 is non-SSL and port 443 is for SSL.
Opening connection directly to HTTP server.**
httpHostname: https
httpPort: 80
tls: True
socket2Connect:
connect2:
connectImplicitSsl:
connectSocket:
connect_ipv6_or_ipv4:
resolveHostname6:
getAddressInfo:
Failed to get host address info. (3)
**SocketError: WSAHOST_NOT_FOUND No such host is known.**
hostOrIpAddr: https
port: 80
Versions of Windows earlier than Windows XP are limited to handling IPv4 only
On Windows Server 2003 and Windows XP, IPv6 addresses are returned only if IPv6 is installed on the local computer.
--getAddressInfo
--resolveHostname6
Domain to IP address resolution failed.
--connect_ipv6_or_ipv4
--connectSocket
--connectImplicitSsl
ConnectFailReason: DNS lookup failed
--connect2
--socket2Connect
--openHttpConnection
--quickHttpRequest
--a_quickReq
--quickRequestDb
Failed.
--DownloadBd
--ChilkatLog
My questions are:
This is kinda strange that Chilkat is trying to use connection via http with port 80, especially when the URL string contains "https://"
Why this function is trying to use port 80 ?
How to force Chilkat to use SSL on port 443 ?
Remark:
I checked the URL which I provide with Google Chrome and this browser was able to download this particular file on exactly the same computer.
Look closely at the URL within the Chilkat LastErrorText. Your application passed "https:\\*****.exe". Notice that you used backslashes instead of forward slashes after "https:". The backslashes caused the URL parsing to return garbage results..
If I make a request to my Daphne/Django server in Postman or the Android app we're developing, Daphne serves the certificate, but it's rejected. If I first make a simple get request to https://letsencrypt.org/ and then make a request to my server, the certificate is accepted.
How can I make sure a client will trust my certificate, even if it's the first time this client is seeing a certificate issued by this CA?
Everything bellow can serve as a history of how I studied the problem.
Original title: SSL Certificate works in browser but can't be verified by Postman
I have an AWS EC2 instance running Ubuntu 18.04, with python 3, Django, a bunch of project dependencies, Daphne running with ASGI, with a certificate by Let's Encrypt. Daphne is using port 8000 for HTTP and por 4430 for HTTPS, iptables is configured to redirect requests from port 80 to 8000 and from port 443 to 4430. Django is configured to enforce secure connections with SECURE_SSL_REDIRECT=True in the settings.py file.
There's a "Site in Construction" temporary page being served, and it's properly accessible from every browser and every device I tested so far. If I explicitly type http, I get redirected to https and the certificate is accepted. Every browser I tested (Firefox, Brave, Chrome, Chrome for Android) says cert is good.
Curl outputs the HTML content returned from the server. I don't know if it accepts the certificate or ignores it.
The Problem
Postman, however, says "Error: unable to verify the first certificate". Only works when I disable "SSL certificate verification", which doesn't answer my question: why Postman is unable to verify my Let's Encrypt certificate?
I'm building an API that runs on the same server, using the same domain, and it's meant to be consumed by a mobile app. Currently, the Android app is throwing a "TypeError: Network request failed", which I suspect could be caused by the same thing Postman is complaining about.
When I spin the server locally and configure 1) the app to use http://localhost:8000 and 2) the server not to enforce SSL, it works in browsers, Postman and in the Android app.
I've being looking for answers in many places for days, so any clue will be very welcome.
EDIT
Interesting clue:
If I make a request to my Daphne/Django server, it servers the certificate, which is rejected. But if I first make a request to https://letsencrypt.org/ and then make a request to my server, it works!
This pattern holds true in both Postman and our Android app.
It also happens when I first make a request to https://alloy.city (instead of letsencrypt.org), which is served by a Node.js app, and uses a certificate also issued by the Let's Encrypt CA.
So maybe the question should be: how to configure my server to politely invite clients to add the CA that issued my certificate if they hadn't done it yet?.
Apparently, that's what my Node.js server does.
Yes, in settings, tap ssl verification off
File > Settings > General > SSL Certificate Verification > off
I want to print PostScripts via CUPS/HTTPS on Cloud Foundry.
It's working when I'm using HTTP but fails for HTTPS with gorouter's log:
http: TLS handshake error from ...
My cipher_suites:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
I tried to set router.logging_level to debug (default is info) but it changes nothing...
Is there any chance to get more information?
What is the most detailed log level for gorouter?
I solved my problem.
In my case mutual TLS was enabled on gourouter:
By default, Gorouter requests but does not require client certificates in TLS handshakes.
https://docs.cloudfoundry.org/adminguide/securing-traffic.html#gorouter_mutual_auth
Checking if mTLS is enabled
1. Widows SCHANNEL event logging
Add a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
EventLogging REG_DWORD = 3
https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/schannel-event-logging/
Now you should find event logs that server asks for client certificate but it can't be found.
2. curl
Look at the bold lines:
curl -I -v -H "Connection: close" https://your-app.cloud
About to connect() to your-app.cloud port 443 (#0)
Connected to your-app.cloud port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
NSS: client certificate not found (nickname not specified)
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
3. openssl
Look at the bold lines:
openssl s_client -connect your-app.cloud:443 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
...
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
Disable Gorouter mTLS
Change Gorouter properties using CF deployment manifest:
- name: router
- name: gorouter
release: routing
properties:
router:
forwarded_client_cert: always_forward
client_cert_validation: none
Now you can check if mTLS is enabled again.
Note that these settings didn't for the routing version 0.164.0 but for 0.178.0 it works as expected.
Our integration partner was using our Web service with http: 8090 and now we are moving to https: 8443 so they tried to update the WS URL but they are getting "handshake error". They are asking whether they can still use http 8090. If we route any traffic coming from http 8090 to https 8443 in the webserver config, will they still get handshake error?
When you create a redirect, the server sends a HTTP 302 which the client is obligated to follow, which means that they should still get the error. depending on your setup, and config, they may be able to send the request anyway, but if that works, then all your traffic is potentially insecure...
I have a C++ server in linux using Mongoose listening on port 8080 for http requests. I'm using port 8080 because I have an Apache server already using port 80.
The reason I have my C++ server listening for http requests is so that I can receive the http GET sent by Facebook to get a user's Facebook info. For the Facebook server side Auth I'm redirecting to localhost:8080.
I am correctly getting the information sent from Facebook, but now Apache isn't serving up my html to the clients webpage (which works correctly if I only redirect to localhost).
Is it possible to make both of these work? Is the client still trying to get the index.html from port 80 or does it expect 8080 to now send this?
Is 80 equal 8080? Apparently no. So the both ports might be listened by different applications.
Try to inspect income requests with Wireshark (packet analyzer).