The actual requirement is that I have to achieve LDAP authentication for my organisation's internal web application which is being built on Django but not able to do so by far.
Therefore, I have decided to check if i'm able to establish the connection using the python-ldap module.
the details of the ldap server that I have:
server1 = dc3.something-software.com
server2 = dc5.something-software.com
and the python code:
def main(server="ldap://dc5.something-software.com", who='', cred=""):
try:
l = ldap.initialize(server)
l.simple_bind_s(who, cred)
if l:
print("Successfully connected")
l.search_s("cn=someone#something-software.com,dc=something-software,dc=com",
ldap.SCOPE_SUBTREE)
except Exception as e:
print(e)
return True
and this is giving me the following output
Successfully connected
{'msgtype': 101, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580'}
implying that i'm actually able to connect to my ldap but not able to do anything else?
Im working on a windows operating system and I have tried the answers suggested for other similar questions though they've been mostly addressed for *NIX operating systems.
Thanks.
Based on the certificate error in your latest comment above, the directory server's SSL certificate is not trusted. Two solutions -- one is to ignore certificate problems, the second is to establish a trust. Ignoring cert errors is easy but less secure (i.e. I can make myself a cert that says I am yourhost.example.com ... and if you're not checking certificate validity, you'll happily communicate with my fake yourhost.example.com). Establishing the trust takes a little more effort and may create ongoing maintenance. Check the expiry date on the signing server ... you may need need to update the CA public key occasionally (some orgs just make 100 year expiring CA certs to avoid this, but some have their CA key renewed every year or five). Either way, you want to add a line before you start tls negotiation (con.start_tls_s).
To ignore certificate errors, add:
con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
To establish a trust with the CA used to sign the directory server's key, you'll need to get the public key used to sign the certificate. Sometimes you can just ask the people who maintain the directory server -- I've got a zipped up copy of mine on a URL I send to people. But, if they don't have it, there are other ways to grab the cert. The OpenSSL client is a good one. Once you have the public key used to sign the directory server cert, use
con.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/CAFile.pem')
Once you do one of these two things, you should be able to start the TLS session successfully.
Related
1I have an app installed on my android device that shows me if the SHA256 fingerprint has been changed. It often shows that it has been altered when I run it for YouTube.com and it once showed for Instagram.com. I tried using a VPN and it didn't show afterwards.
The app basically says that it detects the SSL interception of web traffic which will decrypt an encrypted session. The test is accomplished by comparing the HTTPS certificate fingerprint of the website on your device vs the fingerprint shown on an external server.
I'm curious if it is really a concern as I do a lot of private video calls on Instagram. Are those getting recorded or anything without my knowledge?
PS: I do not have any shady app on my device.
Check the actual certificate the sites return. Certificates will expire after a while, meaning they get replaced with new versions.
Besides that, bigger sites with multiple datacenters, such as YouTube (Google) and Instagram (Facebook), might even use different certificates for different regions. This would explain why it doesn't show up while using a VPN. Also because of IP routing, special server configurations, ... you might end up connecting to different servers/regions (with different certificates) from day to day or so.
Assuming that the certificate is properly signed, valid and not revoked, you should be fine, even if the fingerprint changes. For malicious people to perform a man-in-the-middle attack with a valid SSL, they'd either need to have a valid certificate themselves (which would get revoked), access to the site's servers (which is a lost cause) or add a malicious root certificate to your device (which is a whole other problem).
The test is accomplished by comparing the HTTPS certificate
fingerprint of the website on your device vs the fingerprint shown on
an external server.
Mind that that external server might also have a different/outdated fingerprint compared to you, for any of the reasons above or others.
Consider we run the following request:
url="https://secretsub.example.com/secretpath/post.php"
payload = {'secretmessage1' : 'foo','secretmessage2' : 'bar'}
r = requests.post(url,data=payload,verify=True)
The language (python) is just arbitrary but it can be a request on any other language (NodeJs, Java, Php...)
Notice that the url is using https, which means that the connection is secured over SSL. Assuming that I compile this program into binary (.exe), would it be possible for computer to read the payloads through a software in plain text?
I know that packet sniffing software (like WireShark), will only reveal the domain name (example.com) in plain text but not the secrepath nor the payload which will be encrypted.
If I run this code in a web browser however (assuming that it is written in Javascript), I will be able to access the payload and the secretpath in plain text inside the browser console. I assume that the browser only encrypts it only after the request is logged in its console. But if this code is run outside the browser, is there a way a for the computer host to intercept those data in plain text? (some sort of packet sniffing tools)
It is only possible to see the domain name, the payload and path are encrypted and can only be decrypted by the session key as negotiated between the client and webserver. But malware on your computer could be able to access it, for instance by having access to the memory used by the application or by using an insecure programming library with some kind of backdoor.
What the https is doing is initiating a certificate exchange so your client will recieve a certificate from the server that validates the server is who thay say they are and allows the client to encrypt the data through the channell (network).
The first bit - validating the server is who they claim to be - relies on something called a certificate chain. The certificate you recieve will have been signed with an issuers private key. Your client should check this certificate using the issuers public key that you should "already have".
Most operating systems have a list of trusted root certificates. In windows you can see them in the certificate manager.
Without knowing python - #Patrick Mevzek hints that you can ship a root CA (certificate authority) or use the OS one. if your using the OS one - you might need to check its going to be there.
I would expect all this to be automatic - its part of the protocol that you've specified i.e. https. However - you might want to confirm that with a python person.
Most people kind of ignore all this bit - but it is very important. If you do not validate the certificate then you are susceptabe to a "Man in the Middle" attack or DNS spoofing.
Basically I can issue a cert for secretsub.example.com using a couple of tools on my desktop. It will not be signed by a valid CA but if you don't check it then I can either place that cert in a proxy (Man in the Middle) - and when you make your requet my proxy will get the real cert from the real server, establish the HTTP connection but issue my cert to your application. You will then encrypt to my proxy with my cert so I can read your data and then forward it to the real server - and you'll never know! (Many corporate proxies do exactly this to their employees).
Alternatively if I can change your DNS to point the IP to my server I can do pretty much the same - act as a proxy.
Once that's done the data will then be encrypted accross the network.
So - yes HTTPS will encrypt accross the network - but check the cert is valid.
Obviously as someone points out - the data is in the clear on the client computer - just like it is in your browser now.
Stuart
This link describes some otpions to fix this problem: https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting#php-56-certificate-verification-failure
But I simply don't know what to do specifically in Joomla and how to prevent this verification, because I can't set up ssl for my site.
warning:
Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /nfsmnt/hosting1_1/1/b/1bec1745-5e90-43d0-beb1-2d132937948b/domain.com/web/libraries/vendor/phpmailer/phpmailer/class.smtp.php on line 344
What is the sense of this verification, when so many websites don't run ssl?
Piece of code in Joomla library (class.smtp.php)
// Begin encrypted connection
if (!stream_socket_enable_crypto(
$this->smtp_conn,
true,
STREAM_CRYPTO_METHOD_TLS_CLIENT
)) {
return false;
}
return true;
}
You are missing the point. It's not the site that's using SSL, it's the mail server you are connecting to. For example if you use PHPMailer to send a message via your gmail account, the connection to gmail will be encrypted, regardless of whether your web server is.
The problem you are running into is that the mail server you are using is misconfigured. If it is advertising encryption to inbound connections, it should use a valid certificate. The error will be that the certificate has expired, is a self-signed certificate (and thus can't be trusted), or does not match the host name that you have connected to. The instructions in the guide tell you how to disable these checks, and they should be applied at the point PHPMailer is used, not by altering the library itself. You can find where to do this in the Joomla code base by searching for instances of new PHPMailer and following it with the code that sets the degraded SSL options in the guide. Bear in mind though that this is the wrong way to fix it. If your mail server can't be fixed, use a proper hosting company that knows what it's doing.
As for "not many sites run SSL", that's just not true. All sites should run SSL, but many do not. There is really no excuse not to now that you can get free real certificates with minimal hassle. For more compelling aguments, read this.
I have an Air Application which communicates quite often with our server. Usually, all communication is fine, but every once in a while I get the following popup: "Revocation information for the security certificate for this site is not available. Do you wan to proceed?
Unfortunately, this popup halts all communications until the end user clicks OK (which is a problem as this application does not allow for user interaction and is not accessible locally.
I am connecting to our website which has a valid Comodo SSL certificate. Visiting the website causes no popups for any kind and shows completely valid.
I also have a Comodo Software Certificate validating the application which is bundled with the program.
I am using actionscript HTTP services to communicate with the server with GET/POST calls.
checkInService = new HTTPService();
checkInService.concurrency = Concurrency.SINGLE;
checkInService.method = "POST";
checkInService.addEventListener(ResultEvent.RESULT,sendResult);
checkInService.addEventListener(FaultEvent.FAULT, faultResult);
checkInService.addEventListener(InvokeEvent.INVOKE, invokeAttempt);
checkInService.url = "https://www.mywebsite.com";
Unfortunately, when the certificate popup appears, it continues to popup for every call (which is on a 2 second timer), causing thousands of popups eventually crashing the program.
My thoughts are the following:
1. Ensure the Root Certificate is installed on the PC.
2. Install the website's certificate as a trusted certificate
3. Add the site to the Trusted Sites in Internet Options
4. Disable Publisher/Certification verification in Internet Options.
I want to leave as much security as possible. Any hints or direction would be greatly appreciated.
Thank you in advance.
Revocation means, that the issuer of the certificate revoked it. Check for revocation is usually done after the trust path for the certificate was verified, so I assume that it is not a problem with the trust store on your system.
But, after the trust path verification so browser will check for revocation. Today this is mostly done with OCSP (online certificate status protocol). This needs an OCSP-URL in the certificate which can be asked and an OCSP responder at the issuers side, which responds to OCSP requests on this URL.
My guess is, that this is where the problem is, e.g. the following might be:
the OCSP responder has no revocation information yet, because the certificate is to new (just wait some hours in this case)
the OCSP responder has network or other problems (just wait and retry later)
a firewall or similar on your site is blocking access to the OCSP responder (check your network or ask your administrator)
I want to ensure that client libraries (currently in Python, Ruby, PHP, Java, and .NET) are configured correctly and failing appropriately when SSL certificates are invalid. Shmatikov's paper, The Most Dangerous Code in the World:
Validating SSL Certiļ¬cates in Non-Browser Software, reveals how confusing SSL validation is so I want to thoroughly test the possible failures.
Based on research a certificate is invalid if:
It is used before its activation date
It is used after its expiry date
It has been revoked
Certificate hostnames don't match the site hostname
Certificate chain does not contain a trusted certificate authority
Ideally, I think I would have one test case for each of the invalid cases. To that end I am currently testing an HTTP site accessed over HTTPS, which leads to a failure that I can verify in a test like so:
self.assertRaises(SSLHandshakeError, lambda: api.call_to_unmatched_hostname())
This is incomplete (only covering one case) and potentially wrong, so...
How can you test that non-browser software properly validates SSL certificates?
First off, you'll need a collection of SSL certificates, where each has just one thing wrong with it. You can generate these using the openssl command line tool. Of course, you can't sign them with a trusted root CA. You will need to use your own CA. To make this validate correctly, you'll need to install your CA certificate in the client libraries. You can do this in Java, for example, using the control panel.
Once you have the certificates, you can use the "openssl s_server" tool to serve an SSL socket using each one. I suggest you put one certificate on each port.
You now have to use the client library to connect to a port, and verify that you get the correct error message.
I know that Python by default does no certificate validation (look at the manual for httplib.HTTPSConnection). However, m2crypto does do validation. Java by default does do validation. I don't know about other languages.
Some other cases you could test:
1) Wildcard host names.
2) Certificate chaining. I know there was a bug in old browsers where if you had a certificate A signed by the root, A could then sign B, and B would appear valid. SSL is supposed to stop this by having flags on certificates, and A would not have the "can sign" flag. However, this was not verified in some old browsers.
Good luck! I'd be interested to hear how you get on.
Paul
Certificate hostnames don't match the site hostname
This is probably the easiest to check, and failure (to fail) there is certainly a good indication that something is wrong. Most certificates for well-known services only use host names for their identity, not IP addresses. If, instead of asking for https://www.google.com/, you ask for https://173.194.67.99/ (for example) and it works, there's something wrong.
For the other ones, you may want to generate your own test CA.
Certificate chain does not contain a trusted certificate authority
You can generate a test certificate using your test CA (or a self-signed certificate), but let the default system CA list be used for the verification. Your test client should fail to verify that certificate.
It is used before its activation date, It is used after its expiry date
You can generate test certificates using your test CA, with notBefore/notAfter dates that make the current date invalid. Then, use your test CA as a trusted CA for the verification: your test client should fail to validate the certificate because of the dates.
It has been revoked
This one is probably the hardest to set up, depending on how revocation is published. Again, generate some test certificates that you've revoked immediately, using your own test CA.
Some tools expect to be configured with a set of CRL files next to the set of trusted CAs. This requires some setup for the test itself, but very little online setup: this is probably the easiest. You can also set up a local online revocation repository, e.g. using CRL distribution points or OCSP.
PKI testing can be more complex than that more generally. A full test suite would require a fairly good understanding of the specifications (RFC 5280). Indeed, you may need to check the dates for all intermediate certificates, as well as various attributes for each certificate in the chain (e.g. key usage, basic constraints, ...).
In general, client libraries separate the verification process into two operations: verifying that the certificate is trusted (the PKI part) and verifying that it was issued to the entity you want to connect to (the host name verification part). This is certainly due to the fact these are specified in different documents (RFC 3280/5280 and RFC 2818/6125, respectively).
From a practical point of view, the first two points to check when using an SSL library are:
What happens when you connect to a known host, but with a different identifier for which the certificate isn't valid (such as its IP address instead of the host)?
What happens when you connect to a certificate that you know cannot be verified by any default set of trusted anchors (for example, a self-signed certificate or from your own CA).
Failure to connect/verify should happen in both cases. If it all works, short of implementing a full PKI test suite (which require a certain expertise), it's often the case that you need to check the documentation of that SSL library to see how these verifications can be turned on.
Bugs aside, a fair number of problems mentioned in this paper are due to the fact that some library implementations have made the assumption that it was up to their users to know what they were doing, whereas most of their users seem to have made the assumption that the library was doing the right thing by default. (In fact, even when the library is doing the right thing by default, there is certainly no shortage of programmers who just want to get rid of the error message, even if it makes their application insecure.)
I would seem fair to say that making sure the verification features are turned on would be sufficient in most cases.
As for the status of a few existing implementations:
Python: there was a change between Python 2.x and Python 3.x. The ssl module of Python 3.2 has a match_hostname method that Python 2.7 doesn't have. urllib.request.urlopen in Python 3.2 also has an option to configure CA files, which its Python 2.7 equivalent doesn't have. (This being said, if it's not set, verification won't occur. I'm not sure about the host name verification.)
Java: verification is turned on by default for both PKI and host name for HttpsUrlConnection, but not for the host name when using SSLSocket directly, unless you're using Java 7 and you've configure its SSLParameters using setEndpointIdentificationAlgorithm("HTTPS") (for example).
PHP: as far as I'm aware, fopen("https://.../") won't perform any verification at all.