I am using uWebSockets in C++ to host a WebSocket server. However, I need it to be a secure wss server instead of simply a ws server.
I have tried this code:
uS::TLS::Context tls = uS::TLS::createContext ("./cert.perm", "./key.perm", "passphrase");
if (h.listen (9002, tls)) {
cout << "Game server listening on port 9002" << endl;
h.run();
}
I am using this shell command to generate the certificate and key:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 30
I then tried connecting to my remote server using wss://address instead of the usual ws://address, however, it cannot connect.
Any ideas why? Thanks
UPDATE #1
The tls variable seems to be actually NULL, so it looks like the certificate part isn't working.
UPDATE #2
I got the file extensions wrong in the code, they're meant to be pem instead of perm. However, the server will now not establish a connection on both wss and ws.
UPDATE #3
After fixing the issue mentioned above, the tls variable is now 1 instead of 0 (which I assumed was NULL).
If you are using a web browser ws-client to connect to wss://address, try checking if the browser is the problem. It happened to me that I had created my own certificates, but the browser blocks the connection as they are not certified by any CA.
Enter in your browser something like: "https://address", and add a security exception for your "address".
I know you can use uWebSockets for SSL/TLS, however... I would consider separating the TLS/SSL concern from the main application.
Separating the TLS/SSL layer from the app allows you to update the TLS/SSL without recompiling the application as well as simplifies the codebase.
I would recommend using a TLS/SSL proxy or tunnel while having the app bind locally to the loopback address or to a unix socket.
Related
I am trying to communicate via SignalR with a server which requires client authentication with a certificate. Hence, i receive the following error when trying to start the connection:
"connection could not be started due to: WinHttpSendRequest: 12044: A certificate is required to complete client authentication".
My program is in cpp, so i use the SignalR-Client-Cpp which is integrate to my project via vcpkg.
My implementation is similar to the example in readme.md, you can use it as a base for a sample code.
My client-certificate is stored in Windows certificate store. How can I establish the connection with this certificate?
I have grpc server in Java and client in C++, I want to connect grpc client to server in tls mode without using certificates on client side. I am using the default methods and trying to connect but getting grpc code as 12.
creds = grpc::SslCredentials(grpc::SslCredentialsOptions());
Note:- No issue with proto files as it works fine in insecure mode
Which cert is your server using? If it's self-signed or not signed by a standard CA (whose root cert should be present in the standard trust store) then you need to make sure you are using a custom root cert on the client
Trying to create my own simple MITM-proxy for the specific app which using TLS 1.2 protocol and connecting to several IP addresses, however got in stuck with the error in the app log "Certificate verify failed". How to solve this problem?
The app using about the following code to check the cert:
X509* cert = SSL_get_peer_certificate( ssl );
X509_STORE_CTX * xCtx = X509_STORE_CTX_new();
X509_STORE_CTX_init( xCtx, (X509_STORE*)Store, cert, NULL );
int res = X509_verify_cert( xCtx );
if( !res ) { /*Certificate verify failed*/ };
I did the following steps to achieve the result:
Created CA root key and self-signed certificate according to this manual. It is a bit outdated, so i have made some changes like md5 to sha256, also I didn't use pass phrase, used different key size and other minor changes.
Created proxy key and certificate using the above Root CA to sign it.
Both certificates have been added to the Local Computer Certificates in Personal and Trusted Root Certification Authorities (not sure if this was necessary). Btw, I'm using Windows 10.
Wrote a simple proxy server using sample code from here. Cert.pem and Key.pem took from the second step.
Changed all IP addresses in the app to 127.0.0.1:443 to see if TLS connection established successfully and we can receive first message with an Application Data.
I believe that connection established properly, because WireShark shows common sequence for establishing a TLS connection: Client/Server hello, Certificate, Client key exchange, two encrypted handshake messages. Moreover, using OpenSSL for testing connection:
openssl s_client -connect localhost:443
allow me to write some message and later successfully receive it using SSL_Read() in proxy server. However, there are some errors:
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
Using OpenSSL client to directly connect to the original IP addresses give the same errors, but application works great.
Also the output:
openssl verify -CAfile "signing-ca-1.crt" "cert.crt"
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
e:\MyProg\SSL_serv\Debug\cert.crt: OK
It seems that I missed something important. Could you please tell me how to solve this problem with cert?
One of the very purposes of having certificates, along with certificate authorities, is to prevent MITM. The app you are trying trick does the proper thing and checks the certificate. And it doesn't like your's. Its really that simple.
Is it possible to circumvent it and run MITM on an app anyway? Absolutely! Is it going to be easy? Probably not. What you need to do is to patch the app and remove this certificate check.
I'm facing an issue with the ESP8266HTTPClient and SSL.
#include <ESP8266HTTPClient.h>
const char* url= "https://someUrl.com";
const char* fingerPrint= "SO ME SH A1 FI NG ER PR IN T";
HTTPClient http;
http.begin(url, fingerPrint);
http.GET();
When doing this I receive the following in debug log:
State: sending Client Hello (1)
Alert: handshake failure
Error: SSL error 40
Alert: unexpected message
Error: SSL error 40
Alert: close notify
[HTTP-Client] failed connect to someUrl.com:443
I tried to check the fingerprint on grc and got the following response:
The SSL/TLS security certificate obtained from the remote server was invalid. The trouble was severe enough that we were unable to obtain the certificate's common name and/or fingerprint. There is a server answering on the HTTPS port 443 of the IP address associated with the domain name you supplied (shown above). But the server may be answering HTTPS as if it was HTTP and returning a web page rather than a proper SSL/TLS setup handshake. (We have encountered this behavior.)
Which makes me believe that there is something wrong with the SSL configuration on the host.
But there are no issues with the certificate when visiting the url with my browser (tried IE, Edge and FireFox).
According to this comment to an issue on github there are only two supported cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA and
TLS_RSA_WITH_AES_256_CBC_SHA
The host supports the following cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Is there any chance to perform a HTTPS request to this host on an ESP8266 anyway? Maybe another HttpClient library?
Unfortunately not with the Arduino ESP8266 as it uses axTLS regardless of what HTTP client library you use. They simply do not support it.
However, the SDK from Espressif switched to mbedTLS a little while back, and mbedTLS Supported Cipher Suites show that it includes support for those ciphers. Code made with the Arduino SDK will be largely uncompatible with the Espressif SDK, however.
According to https://github.com/esp8266/Arduino/issues/2771 the Arduino ESP8266 Library is now being switched to BearSSL which supposedly supports more ciphers. Unfortunately my knowledge is insufficient (been trying for 2 days now) to implement the fix, since I have the same problem (need to login to capture portal on SSL for wifi access), but hopefully I will soon find out.
I would like to authenticate securely from C++ client application with OpenLDAP server, for example, using SSL/TLS or SASL. I use Windows 7 64-bit operating system.
I tried this example:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366105%28v=vs.85%29.aspx
But it fails in this function call:
ULONG ldapConn = ldap_connect(pLdapConnection, NULL);
The return code from ldap_connect is 81 (dec).
I have installed OpenLDAP to my computer from here:
http://www.userbooster.de/en/download/openldap-for-windows.aspx
I use 127.0.0.1 (localhost) as the host.
OpenLDAP debug log looks like this:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Unknown error
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: activity on 1 descriptor
daemon: waked
daemon: WSselect: listen=2 active_threads=0 tvp=NULL
daemon: WSselect: listen=3 active_threads=0 tvp=NULL
According to the log it seems that this is somehow related to certificates. The OpenLDAP configuration is the about default from the installation package, for example:
TLSVerifyClient never
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile ./secure/certs/server.pem
TLSCertificateKeyFile ./secure/certs/server.pem
TLSCACertificateFile ./secure/certs/server.pem
Does someone know why ldap_connect fails?
Or does someone know a useful tutorial or C++ code example concerning this topic? It is especially unclear to me how the client certificates are linked to the client code. In other words, how it is defined in the client C++ code, where the certificates are obtained during the authentication.
BR,
Tuomo
Found this article: http://www.openldap.org/lists/openldap-technical/200903/msg00061.html. Looks like you might want to change out TLSCipherSuite HIGH:MEDIUM:-SSLv2 to TLSCipherSuite HIGH:MEDIUM:+SSLv2.