I am planning to do GET/POST methods using the reqwest library. Unfortunately, I don't want to have any TLS dependencies: no openssl, native-tls, rust-nativetls, etc.
How can I disable it?
Reqwest has different TLS functionality provided by its feature flags with the "default-tls" feature enabled by default. To disable it, you need to set default-features=false in your Cargo.toml:
[dependencies]
reqwest = { version = "0.11.12", default-features = false }
Related
I need to check avalara TLS 1.2 compliance, But I didn't find any documentation
Could someone let me know the procedure to check compliance
TLS is part of JRE security settings not related with hybris. You can check your JRE security configuration. Up to date JRE distributions supporting TLS 1.2 and old versions already disabled.
You can checkyour configuration in hac via groovy script. For example my web page supporting TLS 1.2 and 1.3.
URL url = new URL("http://mkysoft.com/ip.php");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
InputStream is = connection.getInputStream();
return org.apache.commons.io.IOUtils.toString(is);
If you want to test other TLS/SSL/certificate/handshake options check https://badssl.com/ for alternative test endpoints.
Recently the 3rd party email service provider I was using made a change. They disabled support for TLS 1.0 and TLS 1.1.
I provide support for an ancient system that still uses php 5.3 and phpmailer 5.2.
My tests indicates that TLS 1.2 is enabled.
But, the PHPMailer code cannot connect to the email server after the disabling of TLS 1.0 and 1.1
Also, note that I am not a full time php expert.
Is there a way to make PHPMailer 5.2 use tls 1.2?
Look for constant STREAM_CRYPTO_METHOD_TLS_CLIENT in file class.smtp.php and update that to STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
Like this:
public function startTLS()
{
if (!$this->sendCommand('STARTTLS', 'STARTTLS', 220)) {
return false;
}
// Begin encrypted connection
if (!stream_socket_enable_crypto(
$this->smtp_conn,
true,
STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
)) {
return false;
}
return true;
}
You should run phpinfo() in a small php script on your server to make sure TLS 1.2 is available in the first place.
It's not up to PHPMailer, its up to the version of PHP that you're using to run it, so the solution is to update your PHP version. The major changes relating to TLS were largely in PHP 5.6, so upgrading to that would be a good intermediate point if you're really stuck with this legacy version.
I have an application that dynamically links with OpenSSL 1.0.2 and TPM hardware with OpenSSL ENGINE implementation for RSA.
I use OpenSSL's dynamic ENGINE to register the TPM ENGINE. This is how the (simplified) code looks:
ENGINE_load_dynamic();
ENGINE *e = ENGINE_by_id("dynamic");
ENGINE_ctrl_cmd_string(e, "SO_PATH", path_to_libtpm, 0);
ENGINE_ctrl_cmd_string(e, "ID", "tpm2tss", 0);
ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
ENGINE_init(e);
ENGINE_ctrl_cmd(e, ...);
ENGINE_ctrl_cmd(e, ...);
ENGINE_register_all_complete();
ENGINE_finish(e);
ENGINE_free(e);
According to the man page, since I'm calling ENGINE_register_all_complete() instead of ENGINE_set_default_RSA, I am letting OpenSSL decide which implementation of RSA to use.
the next time OpenSSL tries to set up an RSA key, any bundled ENGINEs that implement RSA_METHOD will be passed to ENGINE_init() and if any of those succeed, that ENGINE will be set as the default for RSA use from then on
Will OpenSSL prioritize RSA implementation in a registered ENGINE over its own implementation?
What happens when there are several ENGINEs registered that provide implementations for the same algorithm? Will OpenSSL use the first ENGINE it is able to initialize?
Is there any guarantee that a registered ENGINE will be used if ENGINE_set_default_XXX is not called?
You can specify which engine to use via the openssl.cnf configfile
Or you can use the -engine parameter to specify an engine on the commandline.
From your C Code you can use ENGINE_by_id(engine_id);
When deploying a Corda 4.0 CorDapp to UAT, must the Jar be signed?
We have tried using devMode = true - which causes the node to recognize the flows in the CorDapp, but when we set devMode to false it seems the node is unable to recognize the CorDapp.
This could be because the JAR has been signed using the default development key. This is the case when devMode is set to true in your build.gradle.
If this is the case you need to add cordappSignerKeyFingerprintBlacklist=[] to the node.conf. If devMode=false, the Corda development key is blacklisted as it's completely insecure. This is suitable for PoC purposes only, NOT PRODUCTION.
The correct fix is to sign the app with a your 'own' key.
You can also switch off Jar signing when building the CorDapp by setting cordapp { signing { enabled false } } in the build.gradle, which should cause it not to be signed.
More information can be found here: https://docs.corda.net/cordapp-build-systems.html#signing-the-cordapp-jar
We have a library that is traditionally client-side only. It uses HTTP Request (or several other dependency libraries) to make REST calls. When using the library, user will initialize with a particular request provider and off they go.
We use webpack in our examples to utilize our library.
It is now extended it to use node-fetch, so if someone wants to use it from nodejs that's supported too.
For people using webpack, webpack is now attempting to pack node-fetch and the require call is failing in the browser. We can get around this with setting an external
"externals" : {
"node-fetch": "{}"
}
Is there a way to define our library so that if the consumer is using webpack target: web, it'd skip the require check for node-fetch? And similarly, if the consumer is using webpack target: nodejs - it needs to include the node-fetch component.
The project in question is https://github.com/OfficeDev/PnP-JS-Core
Thanks for reporting this. So according to This commit and conversation linked to it, the automatic module resolution field (also known as a described-resolve to the webpack resolver instance) changes based on what your target is.
By default, when target is node in your webpack build, resolution in package.json field will default to the main field else, browser field takes priority by default.
More reference https://github.com/webpack/webpack/issues/151
The links provided in the accepted answer & comment show how to do this, so +1 to those, but just to surface it directly here
Is there a way to define our library so that if the consumer is using webpack target: web, it'd skip the require check for node-fetch
Yes. In the library's package.json, add a browser field with the following
"browser": {
"node-fetch": false
}
This provides a hint to webpack and other bundlers that the the node-fetch module should be ignored - i.e. do not even attempt to include it in the bundle - when the target is web. When the target is node, it will be included.
Note that the above relies on the code in the client bundle never using node-fetch. In that sense it can be considered unsafe, because there is no compile-time guarantee of this, and if it happens, it will just error and probably crash your client. If you're absolutely sure it can never be used client-side, though, this is the simplest way to get this done.
For more safety - i.e. if you want the client code to only warn if you try to use node-fetch - you also have the option of providing a shim to the module that the client bundle can include instead, and for instance just log a warning in the shim implementation if it gets used. You do this in the same way, just by providing a path to the shim module instead of false
"browser": {
"node-fetch": "./shims/node-fetch.js"
}