This question is similar to another one, concerning pyCURL
I have the following error when I send a post request to a secure url, using CURLpp https://stackoverflow.com/questions/1942719/pycurl-tls-handshake-error
Ok, so according to the answer to the previous question, I should use libcurl with openSSL. If I run curl -v, I get this:
curl 7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
So I should be using openSSL, and not see gnuTLS. So if I try to send the very same request through curl directly with the command line, it works fine, and I see on the command output the result I am expecting.
So It turns out when I switch to CURLpp, it uses gnuTLS, instead of openSSL.
Is there something I have to configure, in order to specify I want openSSL with CURLpp ?
cURLpp is just a wrapper over libcURL, it doesn't dictate which SSL implementation libcURL uses.
Am not exactly sure how you've come to the when I switch to CURLpp, it uses gnuTLS, instead of openSSL conclusion but I suspect that you have multiple libcurl.so installed, the one curl uses and another that your app is using (via cURLpp).
As a side note, the TLS fatal alert ... received (mentioned in the linked question) was probably a result of a misconfiguration on the server side (invalid servername TLS extension, failure to negotiate ciphers, etc).
Related
I have a problem.
I am using openssl for validate my cert - x509_verify_cert(). But this function doesn't use ocsp. So it can be a problem if there is no crl.
In openssl errors i found this define - x509_err_ocsp_verify_needed, but i don't understand how it uses.
It seems that may be exists some kind of callback for my connecting to ocsp server function or something like that.
Also i found it which i can use, as i understand, for my own validate function, but i want only ocsp check.
So my question is: is it possible ask openssl use ocsp for validation and how?
It is possible :
openssl ocsp -issuer certchain.pem -cert cert.pem -text -url <the ocsp responder URL>
Some links to articles with more details:
https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
https://akshayranganath.github.io/OCSP-Validation-With-Openssl/
OpenSSL API does not provide a single API to do OCSP validation. The OpenSSL API provides the primitives so that you can implement your own validation. There are details you need to fill to the implementation which may depend on your situation you are trying to solve.
I would suggest that you get to know the openssl ocsp command as a basis of your understanding. Reading the links from Sanjeev's answer gives you examples of using this command as well.
To implement OCSP validation you will need to:
Extract server and issuer certificates from somewhere (SSL connection most likely)
Extract the OCSP server list from the server certificate
Generate a OCSP request using the server and issuer certificates
Send the request to the OCSP server and get a response back
Optionally validate the response
Extract the certificate status
Optionally you can also cache the result with the response update date range so that you can shortcut the above procedure if you see the certificate again.
You can also group a bunch of server certificates to the same OCSP server into a single request as well.
Of note is that the OCSP server link may not be HTTP and you may need to support whatever link type the certificate may have. For example in windows AD enterprise setups, the server OCSP may only have LDAP OCSP server links.
You may also like to see my answer to a question where I go into code examples of OCSP request and response handling.
UPDATE:
If you want to check the whole chain, you will have to do the above one certificate at a time (although the certificates operations can be overlapped). As far as I know, there is no way to check a whole chain at once. Also, you may find that a lot of intermediate certificates don't provide OCSP links anyway so there is no way to check. If you need to do this then it would be a good idea to cache the results as you will come across the same intermediate certificates all the time. In fact you could schedule to do this ahead of time for "known" intermediate certificates that you come across all this time.
You also keep pointing to "x509_verify_cert" check I quote:
Applications rarely call this function directly but it is used by
OpenSSL internally for certificate validation, in both the S/MIME and
SSL/TLS code.
So you shouldn't be calling this yourself anyway.
It seems that may be exists some kind of callback for my connecting to ocsp server function or something like that.
X509_STORE_CTX_set_verify_cb - used to set a callback to do your own custom verification - used a lot in server SSL setups
X509_STORE_CTX_set_ex_data - used to add custom argument values used by the callback
X509_VERIFY_PARAM_set_flags - used to setup flags (e.g. X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL)
In openssl errors i found this define - x509_err_ocsp_verify_needed
X509_V_ERR_OCSP_VERIFY_NEEDED is defined and never used in the openssl codebase. It is meant to returned from a verify callback function that the user provides (i.e. X509_STORE_CTX_set_verify_cb) to indicate that verification should fail with that error. What you do with that information is up to you. If you supply a callback and return that error from a openssl SSL connection that the SSL connection will terminate.
Also of note, if you do add a custom verification callback that does do full OCSP checking, it will slow down the SSL connection setup a lot. This is why most browsers don't do this by default as it slows down the user experience to much.
I am using uWebSockets in C++ to host a WebSocket server. However, I need it to be a secure wss server instead of simply a ws server.
I have tried this code:
uS::TLS::Context tls = uS::TLS::createContext ("./cert.perm", "./key.perm", "passphrase");
if (h.listen (9002, tls)) {
cout << "Game server listening on port 9002" << endl;
h.run();
}
I am using this shell command to generate the certificate and key:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 30
I then tried connecting to my remote server using wss://address instead of the usual ws://address, however, it cannot connect.
Any ideas why? Thanks
UPDATE #1
The tls variable seems to be actually NULL, so it looks like the certificate part isn't working.
UPDATE #2
I got the file extensions wrong in the code, they're meant to be pem instead of perm. However, the server will now not establish a connection on both wss and ws.
UPDATE #3
After fixing the issue mentioned above, the tls variable is now 1 instead of 0 (which I assumed was NULL).
If you are using a web browser ws-client to connect to wss://address, try checking if the browser is the problem. It happened to me that I had created my own certificates, but the browser blocks the connection as they are not certified by any CA.
Enter in your browser something like: "https://address", and add a security exception for your "address".
I know you can use uWebSockets for SSL/TLS, however... I would consider separating the TLS/SSL concern from the main application.
Separating the TLS/SSL layer from the app allows you to update the TLS/SSL without recompiling the application as well as simplifies the codebase.
I would recommend using a TLS/SSL proxy or tunnel while having the app bind locally to the loopback address or to a unix socket.
I'm currently writing a small HTTP server, and I would like to implement SSL.
The goal is to be able to do load multiple PEM files in boost so it can do a correct SSL handshake with a client depending on the SNI sent in TLS.
However I don't see how I can load multiple PEM files in boost and also how I can tell it to use one cert or another depending on this SNI.
For example I load the cert with:
context.use_certificate_file("cert.pem");
m_context.use_private_key_file("server.pem",
boost::asio::ssl::context::pem);
we have put our gsoap stubs c++ into a custom dynamic library, linked and built it against our main program.
When i use a https call i get ERROR_SYSCALL from openssl and see that it fails in the SSL_Connect.
The exact error is:
sk_sort:0xb6cc1680
SOAP 1.2 fault SOAP-ENV:Receiver [no subcode]
"SSL_ERROR_SYSCALL
Error observed by underlying SSL/TLS BIO: Connection reset by peer"
Detail: SSL_connect error in tcp_connect()
If i use the same code directly in our main program it works without any problem...
What am I missing ? our custom library is dynamic and linking also openssl dynamically...
With kind regards
Not exactly problem with custom library but with latest GSOAP.
Gsoap added SSL_set_tlsext_host_name to use SNI with TLS. If you are using IP based server with default SSL certificate e.g. no SNI then all calls will fail with ERROR_SYSCALL
So we solved it like this for now:
SSL_set_tlsext_host_name(soap->ssl, host) - WHICH causes ERROR SYSCALL because we are using IP and not host name. And server drops the link as hostname is ip and not a valid name. As we need to use IP instead of hostname and gsoap does not use any flag for this, we commented out the part in stdsoap2.cpp
We just searched SSL_set_tlsext_host_name in stdsoap2.cpp and commented out.
Probably Gsoap should have a flag for this ?
I would like to authenticate securely from C++ client application with OpenLDAP server, for example, using SSL/TLS or SASL. I use Windows 7 64-bit operating system.
I tried this example:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa366105%28v=vs.85%29.aspx
But it fails in this function call:
ULONG ldapConn = ldap_connect(pLdapConnection, NULL);
The return code from ldap_connect is 81 (dec).
I have installed OpenLDAP to my computer from here:
http://www.userbooster.de/en/download/openldap-for-windows.aspx
I use 127.0.0.1 (localhost) as the host.
OpenLDAP debug log looks like this:
TLS trace: SSL_accept:SSLv3 flush data
tls_read: want=5 error=Unknown error
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
daemon: activity on 1 descriptor
daemon: waked
daemon: WSselect: listen=2 active_threads=0 tvp=NULL
daemon: WSselect: listen=3 active_threads=0 tvp=NULL
According to the log it seems that this is somehow related to certificates. The OpenLDAP configuration is the about default from the installation package, for example:
TLSVerifyClient never
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile ./secure/certs/server.pem
TLSCertificateKeyFile ./secure/certs/server.pem
TLSCACertificateFile ./secure/certs/server.pem
Does someone know why ldap_connect fails?
Or does someone know a useful tutorial or C++ code example concerning this topic? It is especially unclear to me how the client certificates are linked to the client code. In other words, how it is defined in the client C++ code, where the certificates are obtained during the authentication.
BR,
Tuomo
Found this article: http://www.openldap.org/lists/openldap-technical/200903/msg00061.html. Looks like you might want to change out TLSCipherSuite HIGH:MEDIUM:-SSLv2 to TLSCipherSuite HIGH:MEDIUM:+SSLv2.