How to disable the dtls stuff in OpenSSL 1.0.2k? - build

I am trying to configure OpenSSL 1.0.2k for Windows.
According to https://wiki.openssl.org/index.php/Compilation_and_Installation, I can use
perl Configure VC-WIN32 no-asm no-dtls
But it shows me the error "unknown dtls command".
Can anyone please help me with how to disable DTLS in the OpenSSL 1.0.2 branch?

The option you want in OpenSSL 1.0.2 is no-dtls1 (OpenSSL 1.1.0 has slightly different options in this area).
There is a bug for this option, so you will still see the unknown option - no-dtls1 message appear. However this is spurious. You can safely continue to build. You can confirm that DTLS has successfully been disabled by attempting to use it in s_server. It should complain because it doesn't understand the -dtls option:
cd out32dll
openssl s_server -dtls
usage: s_server [args ...]
-accept arg - port to accept on (default is 4433)
-verify_hostname host - check peer certificate matches "host"
-verify_email email - check peer certificate matches "email"
-verify_ip ipaddr - check peer certificate matches "ipaddr"
...
EDIT:
Note that a fix for the spurious unknown option - no-dtls1 warning message has been committed to the OpenSSL git repo here:
https://github.com/openssl/openssl/commit/1c5ebcd87822c2af4b8fdc23fa8b9a7201fb7097

Related

Libcurl openSSL certificate problem (c++)

I am writing a program in C++ and now there is a need for cross-platform and dependency adjustment. While I was writing for Linux, everything was OK, but then I started to port the code to Windows. My program needs libcurl. First I compiled it through nmake and the code worked. However, I need CMake for the task. So I slightly edited CMakeLists and compiled without SSL, which was fixed by compiling OpenSSL. And then there was an error that I wasn't ready for at all:
* Trying 172.67.163.127:443...
* Connected to www.showmyip.com (172.67.163.127) port 443 (#0)
* ALPN: offers http/1.1
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
I found out from OpenSSL --version that my certificates are registered under the path Z:\extlib_openssl111__\ssl; there was no such drive, so I used a USB flash drive to create this path. Then I tried to export the certificate from the browser (pem). In the folder Z:\extlib_openssl111__\ssl I created a folder www.showmyip.com and exported the certificate there and to the root of the ssl dir; it didn't help. Then I ran the command:
openssl s_client -connect showmyip.com:443 -showcerts > stackoverflow.txt
This merged 3 certificates into one file and I really don't know what to do with it.
OpenSSL can be run with the option:
-CAfile demoCA/cacert.pem
but my case is different: I can't run openssl.exe, I'm accessing libcurl and libcrypto directly. Maybe it can somehow be written in the C++ code; if you post an example, I will be very grateful.

AWS Managed AD SSL Certificates export

I am trying to explore AD integration and was able to successfully complete the setup as described in the AWS blog post, and verified that the SSL connection is working fine from the "Management box".
Based on my understanding, ldp.exe from the Management box is working fine because the management box is joined to this AD and certificates are propagated properly.
I have a use case where another Linux box (which can't be joined to AD) should use LDAPS over SSL to do some user searches. For this to work, I need to export the SSL certificate and install it on the Linux box. I couldn't quite figure out how to find and export the certificates in this example. Are those certificates available on the RootCA or the SubordinateCA, and how do I export them? I'd appreciate any help.
I'm assuming you generated the SSL cert in AWS via Amazon Certificate Services (ACS). Although ACS won't allow you to export the private key from ACS, you shouldn't need it. All you need to do is import the public certificate into the certificate trust store that your Linux box is using when it connects to the AD server. I can't tell you how to do that (not sure what the application is), but you should be able to extract the public cert using openssl. You'll point openssl to the ad server, and have it output the public cert.
I'm pretty sure this is the openssl command line that would do that:
openssl s_client -showcerts -connect activedirectory.yourdomain.com:636
You can download the certificate from the ldaps end point and install it as follows.
• Install the openldap client
sudo yum install -y openldap-clients
• Download and add the server certificate to the openldap cert path
openssl s_client -connect <LDAPSURL>:636 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > server.crt
• Configure LDAP details
vi /etc/openldap/ldap.conf
BASE dc=corp,dc=example,dc=com
URI ldaps://corp.example.com
TLS_CACERT /etc/openldap/certs/server.crt
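As an added example, not code from any of the posts above: the libcurl question earlier ends up with "3 certificates in one file" from `openssl s_client -showcerts`, and the pipeline in the LDAPS answer above keeps only the first certificate that `openssl x509` reads, which is the server's own leaf cert. The POSIX shell script below takes the saved `s_client -showcerts` output, splits it into one PEM file per certificate, and bundles only the issuer certificates the server sent into a file usable with `-CAfile`, libcurl's `CURLOPT_CAINFO` or OpenLDAP's `TLS_CACERT`. The function names and the `certNN.pem` naming are my own.

```shell
#!/bin/sh
# Added example, not from any post on this page: split the output of
#   openssl s_client -connect host:443 -showcerts </dev/null > showcerts.txt
# into one PEM file per certificate, then bundle everything except the
# first (leaf) certificate into a CA file for -CAfile / CURLOPT_CAINFO /
# TLS_CACERT. Function names and the certNN.pem naming are assumptions.

# split_chain <s_client_output> <out_dir>
# Writes cert01.pem (leaf), cert02.pem, ... and prints how many were found.
split_chain() {
    in="$1"; out="$2"
    mkdir -p "$out"
    # Keep only the lines between the BEGIN/END markers; s_client's chatter
    # ("Certificate chain", "Verify return code", ...) is dropped.
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; f = sprintf("%s/cert%02d.pem", dir, n); inside = 1
        }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }
    ' "$in"
}

# chain_to_cafile <out_dir> <bundle_path>
# Concatenates cert02.pem.. (the issuers the server sent) into the bundle
# and prints how many were bundled. The leaf is deliberately left out: it
# is not a CA. A count of 0 means the server sent only its leaf. OpenSSL
# verification must end at a self-signed root it trusts, so if the server
# did not send its root, that root still has to come from the CA itself.
chain_to_cafile() {
    dir="$1"; bundle="$2"; k=0
    : > "$bundle"
    for f in "$dir"/cert*.pem; do
        [ "$f" = "$dir/cert01.pem" ] && continue
        cat "$f" >> "$bundle"
        k=$((k + 1))
    done
    echo "$k"
}

# Stand-alone use: sh split_chain.sh showcerts.txt ./certs ca-bundle.pem
if [ "$#" -eq 3 ]; then
    split_chain "$1" "$2" >/dev/null
    chain_to_cafile "$2" "$3"
fi
```

Inspect each split file with `openssl x509 -in cert02.pem -noout -subject -issuer` before trusting it; the bundle should contain the issuer of the leaf, never the leaf itself.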

Mosquitto MQTT service failed to restart after adding SSL configuration

I'm trying to configure SSL access to my mosquitto bridge on Amazon EC2, Ubuntu 18 server. I followed the steps described in the mosquitto TLS docs and ended up with the following files:
ca.crt
ca.key
ca.srl
client.crt
client.csr
client.key
server.crt
server.csr
server.key
in a temporary directory.
Then I copied three files:
sudo cp ca.crt /etc/mosquitto/ca_certificates/
sudo cp server.key /etc/mosquitto/certs/
sudo cp server.crt /etc/mosquitto/certs/
Then I added the following section to the configuration file:
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
Then I wanted to restart mosquitto:
sudo service mosquitto restart
This doesn't work and responds with
> Job for mosquitto.service failed because the control process exited with error code.
> See "systemctl status mosquitto.service" and "journalctl -xe" for details.
I tried both and there was just information, that the configuration is wrong.
I tried commenting out different lines and the following structure lets the service restart:
listener 8883
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
#certfile /etc/mosquitto/certs/server.crt
Unfortunately, the certfile is necessary for the configuration to work. I checked the example configuration and the docs, and the certfile is a legal and required parameter.
How can I solve this issue?
I'm running Mosquitto on Ubuntu server. I also ran into Mosquitto failing to start after adding SSL certificates and configuration. I got a standalone certificate from Let's Encrypt using the Certbot tool.
Version information:
Ubuntu 18.04.5 LTS,
Mosquitto 2.0.4. (MQTT v5.0/v3.1.1/v3.1 broker) and
Certbot 1.11.0.
In the original, failing configuration Mosquitto was configured to use certificates in the /etc/letsencrypt... location.
My solution was to move all certificate files from /etc/letsencrypt/archive/ into the /etc/mosquitto/ folder and point the respective certificate file entries in the Mosquitto configuration to this location.
The most relevant debugging information for troubleshooting this problem is available in the log file /var/log/mosquitto/mosquitto.log.
Further info about troubleshooting
Playing around with ownerships did not have any effect in this case. The final configuration with certificates in the /etc/mosquitto/certs folder worked regardless of whether the owner of the files and the folder containing the certificates was mosquitto or root.
I also tried not using the symbolic links in .../live/... and instead using the files in the /etc/letsencrypt/archive/... location directly; that did not work.
I did not check whether some individual file is causing the issue, I just moved them all. Afterwards I tried to symlink only one of the files from ..mosquitto/certs, only to note that Mosquitto would fail to start. For this server set-up to run, I need to keep the certificate files in the ...mosquitto/certs folder.
Changing the certificate/key permissions fixed the issue for me.
E.g.
sudo chmod 744 raspberrypi.crt
sudo chmod 644 raspberrypi.key
As per this forum:
https://github.com/owntracks/tools/issues/6

CURLE_UNSUPPORTED_PROTOCOL - ftp download fails

I use cURL (installed via vcpkg), with OpenSSL also installed via vcpkg, for a C++ project on VS 2019.
The problem:
CURLE_UNSUPPORTED_PROTOCOL = curl_easy_perform(curl);
I used this example:
https://curl.haxx.se/libcurl/c/ftpsget.html
with corrected connection and file data. The FTP server is FileZilla. I checked the connection and file
download with the FileZilla client. All fine.
When I use the sample from the link, I get CURLE_UNSUPPORTED_PROTOCOL and on my FTP server I can't see
any connection attempt.
The error is described like this:
The URL you passed to libcurl used a protocol that this libcurl does not support.
Verbose information is:
* STATE: INIT => CONNECT handle 0x148090e0b38; line 1356 (connection #-5000)
* Protocol "ftp" not supported or disabled in libcurl
* Closing connection -1
* Expire cleared (transfer 0x148090e0b38)
I checked the internet for the error message above and none of the solutions I found solved my problem.
It seems not to be a format problem or a problem related to a wrong URL.
So my question is, where can I enable this? Do I need additional packages? Or is the problem elsewhere?
Many thanks
Meanwhile I figured out how to accomplish this using the latest curl command line tool (version 7.68.0) on Windows:
curl -u my_user:my_password --ftp-ssl ftp://my_ip/my_relative_path/my_file --insecure -o my_file
The file for download is on a server where a FileZilla FTP server is running. This server encrypts with a self-created cert. The curl client only accepts this when using the flag:
--insecure
So far, I could not find the related options for my C++ curl. Perhaps it is not possible at all, because the sources available through vcpkg are not (yet) up to date. But I want to stick with vcpkg. For me, this solution, using the command line tool instead, works fine.
One more hint, which is important: curl version 7.64.00 does NOT work. You get the error:
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

How to fix distcc error

I'm trying to get distcc working between two machines, CLIENT and SERVER. I "think" I have it set up right but I am still getting this error:
(dcc_build_somewhere) Warning: failed to distribute, running locally instead
NOTHING is being compiled on the server.
My configuration is as follows
CLIENT = 192.168.0.14
SERVER = 192.168.0.15
/etc/default/distcc on SERVER
STARTDISTCC="true"
ALLOWEDNETS="192.168.0.0/24" // Also tried CLIENT IP here
LISTENER="192.168.0.15" // SERVER IP
NICE="10"
JOBS="16"
ZEROCONF="false"
client - yes, I know that it's set to only compile on the server currently
DISTCC_HOSTS="192.168.0.15"
/etc/distcc/host set to 192.168.0.15
$HOME/.distcc/host set to 192.168.0.15
command
make -jx CC=distcc
I have tried on different software repos to see if there was some problem with an individual repo but the problem persists no matter the package.
EDIT
The failed to distribute error is a client side error. Server side the log indicates
distccd[1046] (dcc_job_summary) client: 192.168.0.14:40732 COMPILE_ERROR exit:1 sig:0 core:0 ret:0 time:94ms gcc certs/system_keyring.c
I fixed this by upgrading my version of GCC. The client and server are now running 5.x.
Check the log:
DISTCCD_OPTS="${DISTCCD_OPTS} --log-file /var/log/distccd.log"
In my case, my log said:
(dcc_warn_masquerade_whitelist) CRITICAL! /usr/local/lib/distcc not found. You must see up masquerade (see distcc(1)) to list whitelisted compilers or pass --enable-tcp-insecure. To set up masquerade automatically run update-distcc-symlinks.
So I had to run:
sudo update-distcc-symlinks
sudo ln -s /usr/lib/distcc /usr/local/lib/distcc # because I compiled from source