we have put our gsoap stubs c++ into a custom dynamic library, linked and built it against our main program.
When i use a https call i get ERROR_SYSCALL from openssl and see that it fails in the SSL_Connect.
The exact error is:
sk_sort:0xb6cc1680
SOAP 1.2 fault SOAP-ENV:Receiver [no subcode]
"SSL_ERROR_SYSCALL
Error observed by underlying SSL/TLS BIO: Connection reset by peer"
Detail: SSL_connect error in tcp_connect()
If i use the same code directly in our main program it works without any problem...
What am I missing ? our custom library is dynamic and linking also openssl dynamically...
With kind regards
Not exactly problem with custom library but with latest GSOAP.
Gsoap added SSL_set_tlsext_host_name to use SNI with TLS. If you are using IP based server with default SSL certificate e.g. no SNI then all calls will fail with ERROR_SYSCALL
So we solved it like this for now:
SSL_set_tlsext_host_name(soap->ssl, host) - WHICH causes ERROR SYSCALL because we are using IP and not host name. And server drops the link as hostname is ip and not a valid name. As we need to use IP instead of hostname and gsoap does not use any flag for this, we commented out the part in stdsoap2.cpp
We just searched SSL_set_tlsext_host_name in stdsoap2.cpp and commented out.
Probably Gsoap should have a flag for this ?
Related
I have a problem.
I am using openssl for validate my cert - x509_verify_cert(). But this function doesn't use ocsp. So it can be a problem if there is no crl.
In openssl errors i found this define - x509_err_ocsp_verify_needed, but i don't understand how it uses.
It seems that may be exists some kind of callback for my connecting to ocsp server function or something like that.
Also i found it which i can use, as i understand, for my own validate function, but i want only ocsp check.
So my question is: is it possible ask openssl use ocsp for validation and how?
It is possible :
openssl ocsp -issuer certchain.pem -cert cert.pem -text -url <the ocsp responder URL>
Some links to articles with more details:
https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
https://akshayranganath.github.io/OCSP-Validation-With-Openssl/
OpenSSL API does not provide a single API to do OCSP validation. The OpenSSL API provides the primitives so that you can implement your own validation. There are details you need to fill to the implementation which may depend on your situation you are trying to solve.
I would suggest that you get to know the openssl ocsp command as a basis of your understanding. Reading the links from Sanjeev's answer gives you examples of using this command as well.
To implement OCSP validation you will need to:
Extract server and issuer certificates from somewhere (SSL connection most likely)
Extract the OCSP server list from the server certificate
Generate a OCSP request using the server and issuer certificates
Send the request to the OCSP server and get a response back
Optionally validate the response
Extract the certificate status
Optionally you can also cache the result with the response update date range so that you can shortcut the above procedure if you see the certificate again.
You can also group a bunch of server certificates to the same OCSP server into a single request as well.
Of note is that the OCSP server link may not be HTTP and you may need to support whatever link type the certificate may have. For example in windows AD enterprise setups, the server OCSP may only have LDAP OCSP server links.
You may also like to see my answer to a question where I go into code examples of OCSP request and response handling.
UPDATE:
If you want to check the whole chain, you will have to do the above one certificate at a time (although the certificates operations can be overlapped). As far as I know, there is no way to check a whole chain at once. Also, you may find that a lot of intermediate certificates don't provide OCSP links anyway so there is no way to check. If you need to do this then it would be a good idea to cache the results as you will come across the same intermediate certificates all the time. In fact you could schedule to do this ahead of time for "known" intermediate certificates that you come across all this time.
You also keep pointing to "x509_verify_cert" check I quote:
Applications rarely call this function directly but it is used by
OpenSSL internally for certificate validation, in both the S/MIME and
SSL/TLS code.
So you shouldn't be calling this yourself anyway.
It seems that may be exists some kind of callback for my connecting to ocsp server function or something like that.
X509_STORE_CTX_set_verify_cb - used to set a callback to do your own custom verification - used a lot in server SSL setups
X509_STORE_CTX_set_ex_data - used to add custom argument values used by the callback
X509_VERIFY_PARAM_set_flags - used to setup flags (e.g. X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL)
In openssl errors i found this define - x509_err_ocsp_verify_needed
X509_V_ERR_OCSP_VERIFY_NEEDED is defined and never used in the openssl codebase. It is meant to returned from a verify callback function that the user provides (i.e. X509_STORE_CTX_set_verify_cb) to indicate that verification should fail with that error. What you do with that information is up to you. If you supply a callback and return that error from a openssl SSL connection that the SSL connection will terminate.
Also of note, if you do add a custom verification callback that does do full OCSP checking, it will slow down the SSL connection setup a lot. This is why most browsers don't do this by default as it slows down the user experience to much.
Please bear with me. I'm no SSL encrpytion expert. I just want to make connections to a server, using their API. I am unable to. When I use this api as indicated in the documentation, the following error occurs:
[Errno 1] _ssl.c:510: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
This API seems to be hosted on an AWS server somewhere, and the support person for it has referred me to this AWS document with the added information that their server uses TLSv1_2016. I'm not sure that that's correct, but that's what I was told.
This version of TLS is not supported by the OpenSSL that ships with Ubuntu 14.0.4 (openssl v1.0.1f). Version 1.2 IS supported. I upgrade my system on a regular basis, and it doesn't seem that there is any approved Ubuntu release that supports this protocol. I've been advised to upgrade, but it's not clear to what.
This is all Greek to me. Can someone tell me what upgrade I might be able to do my system to solve this?
UPDATE problem persists after installing Ubuntu-18.04, which comes with openssl 1.1.0g.
Answer mostly from comments.
The problem is apparently that the server, like many SSL/TLS servers today especially those handling multiple domains like Cloudfront, requires the SNI (Server Name Indication) extension in SSL/TLS. This was (and easily is) checked with openssl s_client which (unlike most programs) has an option that controls whether to send SNI.
You didn't previously say that this code is Python. It is Python that links to and invokes OpenSSL. (The OS is not involved in SSL/TLS, only in the lower-level TCP/IP protocols.) According to http://docs.python-requests.org/en/master/community/faq/ (at the bottom)
Python3 and Python 2.7.9+ include native support for SNI in their SSL modules. For information on using SNI with Requests on Python < 2.7.9 refer to this Stack Overflow answer.
linking to using requests with TLS doesn't give SNI support which has several answers that appear to consist mostly of updating various things (and I am not in a position to test even if you gave details of your Python and Requests which you didn't).
I'm facing an issue with the ESP8266HTTPClient and SSL.
#include <ESP8266HTTPClient.h>
const char* url= "https://someUrl.com";
const char* fingerPrint= "SO ME SH A1 FI NG ER PR IN T";
HTTPClient http;
http.begin(url, fingerPrint);
http.GET();
When doing this I receive the following in debug log:
State: sending Client Hello (1)
Alert: handshake failure
Error: SSL error 40
Alert: unexpected message
Error: SSL error 40
Alert: close notify
[HTTP-Client] failed connect to someUrl.com:443
I tried to check the fingerprint on grc and got the following response:
The SSL/TLS security certificate obtained from the remote server was invalid. The trouble was severe enough that we were unable to obtain the certificate's common name and/or fingerprint. There is a server answering on the HTTPS port 443 of the IP address associated with the domain name you supplied (shown above). But the server may be answering HTTPS as if it was HTTP and returning a web page rather than a proper SSL/TLS setup handshake. (We have encountered this behavior.)
Which makes me believe that there is something wrong with the SSL configuration on the host.
But there are no issues with the certificate when visiting the url with my browser (tried IE, Edge and FireFox).
According to this comment to an issue on github there are only two supported cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA and
TLS_RSA_WITH_AES_256_CBC_SHA
The host supports the following cipher suites:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Is there any chance to perform a HTTPS request to this host on an ESP8266 anyway? Maybe another HttpClient library?
Unfortunately not with the Arduino ESP8266 as it uses axTLS regardless of what HTTP client library you use. They simply do not support it.
However, the SDK from Espressif switched to mbedTLS a little while back, and mbedTLS Supported Cipher Suites show that it includes support for those ciphers. Code made with the Arduino SDK will be largely uncompatible with the Espressif SDK, however.
According to https://github.com/esp8266/Arduino/issues/2771 the Arduino ESP8266 Library is now being switched to BearSSL which supposedly supports more ciphers. Unfortunately my knowledge is insufficient (been trying for 2 days now) to implement the fix, since I have the same problem (need to login to capture portal on SSL for wifi access), but hopefully I will soon find out.
I want to know the functions which establish the SSL connection from windows.. I am writing a code to know whether the SMTP uses SSL of TLS ..i am able to find get TLS because encryption happens after handshake... i want to know about SSl .. please help me.
Thank you in advance
OpenSSL is the most common library used for SSL.
This question is similar to another one, concerning pyCURL
I have the following error when I send a post request to a secure url, using CURLpp https://stackoverflow.com/questions/1942719/pycurl-tls-handshake-error
Ok, so according to the answer to the previous question, I should use libcurl with openSSL. If I run curl -v, I get this:
curl 7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
So I should be using openSSL, and not see gnuTLS. So if I try to send the very same request through curl directly with the command line, it works fine, and I see on the command output the result I am expecting.
So It turns out when I switch to CURLpp, it uses gnuTLS, instead of openSSL.
Is there something I have to configure, in order to specify I want openSSL with CURLpp ?
cURLpp is just a wrapper over libcURL, it doesn't dictate which SSL implementation libcURL uses.
Am not exactly sure how you've come to the when I switch to CURLpp, it uses gnuTLS, instead of openSSL conclusion but I suspect that you have multiple libcurl.so installed, the one curl uses and another that your app is using (via cURLpp).
As a side note, the TLS fatal alert ... received (mentioned in the linked question) was probably a result of a misconfiguration on the server side (invalid servername TLS extension, failure to negotiate ciphers, etc).