I am using POCO HTTPSClientSession for executing a HTTPS POST request. I want to compute SHA1 of the server certificate before transmitting any data. How can this be achieved?
This is sample of creating context which doesn't verify server certificate. The basic requirement is to fetch the server certificate during the SSL handshake and do a custom verification of the server certificate.
const Poco::Net::Context::Ptr context( new Poco::Net::Context( Poco::Net::Context::CLIENT_USE, "", "", "",Poco::Net::Context::VERIFY_NONE ) );
Poco::Net::HTTPSClientSession session(uri.getHost(), uri.getPort(),context);
Poco::Net::HTTPRequest req(Poco::Net::HTTPRequest::HTTP_POST,uri.getPath(), Poco::Net::HTTPMessage::HTTP_1_1);
Any help would be appreciable
I don't know if it can help you. Remove the parameter context from the session constructor. It will force to check the SSL certificate.
Poco::Net::HTTPSClientSession session(uri.getHost(), uri.getPort() );
Poco::Net::HTTPRequest req(Poco::Net::HTTPRequest::HTTP_POST,uri.getPath(), Poco::Net::HTTPMessage::HTTP_1_1);
Related
Trying to create my own simple MITM-proxy for the specific app which using TLS 1.2 protocol and connecting to several IP addresses, however got in stuck with the error in the app log "Certificate verify failed". How to solve this problem?
The app using about the following code to check the cert:
X509* cert = SSL_get_peer_certificate( ssl );
X509_STORE_CTX * xCtx = X509_STORE_CTX_new();
X509_STORE_CTX_init( xCtx, (X509_STORE*)Store, cert, NULL );
int res = X509_verify_cert( xCtx );
if( !res ) { /*Certificate verify failed*/ };
I did the following steps to achieve the result:
Created CA root key and self-signed certificate according to this manual. It is a bit outdated, so i have made some changes like md5 to sha256, also I didn't use pass phrase, used different key size and other minor changes.
Created proxy key and certificate using the above Root CA to sign it.
Both certificates have been added to the Local Computer Certificates in Personal and Trusted Root Certification Authorities (not sure if this was necessary). Btw, I'm using Windows 10.
Wrote a simple proxy server using sample code from here. Cert.pem and Key.pem took from the second step.
Changed all IP addresses in the app to 127.0.0.1:443 to see if TLS connection established successfully and we can receive first message with an Application Data.
I believe that connection established properly, because WireShark shows common sequence for establishing a TLS connection: Client/Server hello, Certificate, Client key exchange, two encrypted handshake messages. Moreover, using OpenSSL for testing connection:
openssl s_client -connect localhost:443
allow me to write some message and later successfully receive it using SSL_Read() in proxy server. However, there are some errors:
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
Using OpenSSL client to directly connect to the original IP addresses give the same errors, but application works great.
Also the output:
openssl verify -CAfile "signing-ca-1.crt" "cert.crt"
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
e:\MyProg\SSL_serv\Debug\cert.crt: OK
It seems that I missed something important. Could you please tell me how to solve this problem with cert?
One of the very purposes of having certificates, along with certificate authorities, is to prevent MITM. The app you are trying trick does the proper thing and checks the certificate. And it doesn't like your's. Its really that simple.
Is it possible to circumvent it and run MITM on an app anyway? Absolutely! Is it going to be easy? Probably not. What you need to do is to patch the app and remove this certificate check.
I am using GNU libmicrohttpd to establish HTTPS server. My requirement is that the server and the client both authenticate during the TLS handshake however what I observe is that even if the client sends empty certificate the connection is accepted.
in wireshark I see that the server requests certificate and the client sends certificate with len 0. How to make the microhttpd to not accept that case - the certificate must always be verified with the provided CA pem?
if(!(server_handle = MHD_start_daemon(flags, port, NULL, NULL,
&mhttpd_layer::access_handler_callback, callback_data,
// now, continue with the options
MHD_OPTION_NOTIFY_COMPLETED, &mhttpd_layer::request_completed_callback, l_callback_data,
MHD_OPTION_SOCK_ADDR, (sockaddr*) &(it->addr),
MHD_OPTION_CONNECTION_TIMEOUT, it->conn_timeout,
MHD_OPTION_CONNECTION_LIMIT, it->conn_limit,
MHD_OPTION_PER_IP_CONNECTION_LIMIT, it->per_ip_conn_limit,
// HTTPS certificate options
MHD_OPTION_HTTPS_MEM_KEY, it->https_key_buff.data(),
MHD_OPTION_HTTPS_MEM_CERT, it->https_cert_buff.data(),
MHD_OPTION_HTTPS_MEM_TRUST, it->https_turst_ca_buff.data(),
MHD_OPTION_END)))
Maybe I should manually on the access callback retrieve the certificate as described by their tutorial (https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security) ? In this case why do I provide the CA - this doesn't seem the proper way to me?
I am getting the below exception when I invoke a jax ws webservice from my application deployed in WebSphere Application Server 6.1
SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=yyy.com, OU=For Intranet Use Only, OU=Web Hosting, O=xx, L=xx, ST=xx, C=xx" was sent from target host:port "*:9445". The signer may need to be added to local trust store "F://../trust.p12" . The extended error message from the SSL handshake exception is: "No trusted certificate found".
The enpoint url has https.
With the same enpoint url I am able to get a response from SOAP UI(Tool) without any certificate configuration etc..
Could you help me on this ?
I finally was able to fix this small issue.The Server certificate needs to be added to the websphere appserver truststore.This can be done from the admin console of websphere by providing the server domain and port.
I have a Jax-ws web service. I've successsfuly tested it with soap ui. but now I've added mutual authentication security. Client and server just exchange with x.509 certificates. How to configure soap ui to have its certificate and validated server's ones. Without any passwords, signatures and encryption. Just certificates.
Check out these links:
Tryst with Technology 2 (two) way SSL using soapUI as client and
server
soapUI SSL Settings
It looks like client certificate authentication has been broken in SoapUI since version 4.6.4. You can modify the source code like this:
Line 273 of class com.eviware.soapui.impl.wsdl.support.http.SoapUISSLSocketFactory needs to be changed from
SSLSocket sslSocket = ( SSLSocket )getSocketFactory().createSocket( socket, host, port, autoClose );
to
SSLSocket sslSocket = ( SSLSocket )sslContext.getSocketFactory().createSocket( socket, host, port, autoClose );
Posted on http://forum.soapui.org/viewtopic.php?f=13&t=23441
I think this code is working though the server I want to connect to doesn't have their authentication working. I want to disable authentication checking but still connect using SSL? Here is the code:
// Create a context that uses the default paths for
// finding CA certificates.
ssl::context ctx(ssl::context::sslv23);
ctx.set_default_verify_paths();
// Open a socket and connect it to the remote host.
ssl_socket sock(io_service, ctx);
tcp::resolver::query query(host_name_, "https");
boost::asio::connect(sock.lowest_layer(), resolver_.resolve(query));
sock.lowest_layer().set_option(tcp::no_delay(true));
// Perform SSL handshake and verify the remote host's
// certificate.
sock.set_verify_mode(boost::asio::ssl::context::verify_none);
//sock.set_verify_callback();
//sock.set_verify_callback(ssl::rfc2818_verification(host_name_));
sock.handshake(ssl_socket::client);
How can I remove authentication checking?