Sending this, tried public, private key, none of it works:
Have you set TLS 1.2 (you have to set TLS 1.2)?
Related
I saw that in pg_hba.conf , we have the option to set different authentication for different IPs . Like can we set password (md5) authentication for 1 IP Range and certificate authentication for another IP range.
Please help.
Please share any good links for examples of implementing
Yes possible. I tried myself and it worked.
We are writing a new server/client app and need to Verify self-signed certificates in OpenSSL 1.1.0 where CN field isn't important.
I tried to do the following but it doesn't seem to have an effect:
X509_VERIFY_PARAM *param = NULL;
param = SSL_get0_param(sslo.ssl);
X509_VERIFY_PARAM_set1_host(param, nullptr, 0);
How can I effectivly ignore all verification of this field?
Update after Shane's answer:
I tried setting verify_callback with SSL_CTX_set_verify .
In the callback I called X509_STORE_CTX_get_error_depth . The resulting error code was X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, which according to documentation means "the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates."
This error is very generic and not related specifically to CN, if I only change the CN field in the cert to appropriate value it doesn't happen.
Use the SSL_CTX_set_verify call to specify your own verification callback function where you can OK anything you wish about the certificate.
Read that page carefully and it should tell you everything you need to know, the page also includes a example you can base your handler on if you wish.
I am working on Linux embedded application which acts as client and receives data from https server using libCurl. My application's requirement is to accept expired certificate and continue to connection establishment.
I could not find any such option that can be set using curl_easy_setopt as we can ignore -
- verification of the certificate's name against host => setting CURLOPT_SSL_VERIFYHOST to 0
- verification of the authenticity of the peer's certificate => setting CURLOPT_SSL_VERIFYPEER to FALSE
Any there any other way out I can try to make it work.
You can set a callback using CURLOPT_SSL_CTX_FUNCTION (see example at https://curl.haxx.se/libcurl/c/cacertinmem.html) where you can manipulate the SSL context, clear errors, etc.
This will probably not be enough, you can experiment with setting some options of openssl itself, see https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_verify.html.
I'm not sure if it is enough to set SSL_VERIFY_NONE or if you actually have to supply a validation callback function that says yes to everything.
I haven't tested this and I'm not sure it will actually work, but you can certainly try.
I'm writing a script that loads IAM certificate to some ELB in order to check if it's valid.
When I tested it, I used an invalid private key on purpose to see if I could load it to the ELB.... and the problem - it gets loaded!
So my questions are-
How is this possible? I know for a fact that if you use AWS console you can't do something like that.
Is there a boto way to check if a cert is valid? (not using openssl, this is what I'm trying to avoid).
What exactly do you mean when you say "check if it's valid"? If you try to upload a malformed PEM file (the text of the cert isn't valid) then it will definitely throw an error since it can't decode the file. Also, if you try to upload a mismatched public & private key it will also throw an error. I just tested these sorts of cases myself and got the following error:
The private key did not match the public key provided. Please verify the key material and try again.
If you're referring to testing that a certificate is signed, authentic, and not expired, then the ELB isn't going to do any of that. According to the AWS documentation for ELBs it's perfectly fine to make use of self-signed certificates, and certs will also continue to work (whether CA signed or self-signed) even if expired. Both self-signed certs and expired certs are "valid" as far as operation of a secure SSL connection goes. Whether the cert is signed and unexpired or not is really just a means of providing authentication that it's a legitimate certificate.
If you are asking about testing if a certificate is properly signed and not expired then you would need to test for these sorts of things yourself, typically by leveraging something like openssl.
I have implemented an authentication solution using OAuth.
Everything was ok, but I added the tag cookie-secure in my weblogic.xml file. Now the cookie is not set and the session is not created.
This is the code I added and that is causing the error.
<wls:session-descriptor>
<wls:persistent-store-type>replicated_if_clustered</wls:persistent-store-type>
<wls:cookie-http-only>true</wls:cookie-http-only>
<wls:cookie-secure>true</wls:cookie-secure>
<wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
</wls:session-descriptor>
Thanks in advance.
You have mismatched tag values in your descriptor xml. The cookie-secure flag tells the Web browser to only send the cookie back over an HTTPS connection but you also set cookie-http-only to true... you need to change it to:
<wls:session-descriptor>
<wls:persistent-store-type>replicated_if_clustered</wls:persistent-store-type>
<wls:cookie-http-only>false</wls:cookie-http-only>
<wls:cookie-secure>true</wls:cookie-secure>
<wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
</wls:session-descriptor>
http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/securecookies.htm
I was able to solve the problem by enabling the ssl listen port on my server and in firewall. The cookie-secure and cookie-http-only flags are both set to true.