This link describes some otpions to fix this problem: https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting#php-56-certificate-verification-failure
But I simply don't know what to do specifically in Joomla and how to prevent this verification, because I can't set up ssl for my site.
warning:
Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /nfsmnt/hosting1_1/1/b/1bec1745-5e90-43d0-beb1-2d132937948b/domain.com/web/libraries/vendor/phpmailer/phpmailer/class.smtp.php on line 344
What is the sense of this verification, when so many websites don't run ssl?
Piece of code in Joomla library (class.smtp.php)
// Begin encrypted connection
if (!stream_socket_enable_crypto(
$this->smtp_conn,
true,
STREAM_CRYPTO_METHOD_TLS_CLIENT
)) {
return false;
}
return true;
}
You are missing the point. It's not the site that's using SSL, it's the mail server you are connecting to. For example if you use PHPMailer to send a message via your gmail account, the connection to gmail will be encrypted, regardless of whether your web server is.
The problem you are running into is that the mail server you are using is misconfigured. If it is advertising encryption to inbound connections, it should use a valid certificate. The error will be that the certificate has expired, is a self-signed certificate (and thus can't be trusted), or does not match the host name that you have connected to. The instructions in the guide tell you how to disable these checks, and they should be applied at the point PHPMailer is used, not by altering the library itself. You can find where to do this in the Joomla code base by searching for instances of new PHPMailer and following it with the code that sets the degraded SSL options in the guide. Bear in mind though that this is the wrong way to fix it. If your mail server can't be fixed, use a proper hosting company that knows what it's doing.
As for "not many sites run SSL", that's just not true. All sites should run SSL, but many do not. There is really no excuse not to now that you can get free real certificates with minimal hassle. For more compelling aguments, read this.
Related
I am trying to use hash-buster and making requests from my server to database's of hash-buster.
and each time I get this error:
Hash function : MD5
/usr/lib/python3/dist-packages/urllib3/connectionpool.py:849: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning
I am new in python 3 also in Ubuntu(19.04). Please help me about adding certificate in my server, actually I need a step by step guide to install and activate it (or whatever).
I found my certifications in my server: (etc/ssl/certs/ca-certificates.crt). Is it possible to use my own certifications?
I hope my questions is clear, please feel free to ask me questions to make it clearer.
I am trying to use hash-buster....
I'm assuming that you mean this project.
... Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. ...
The code contains the following line, which probably is the reason for this warning:
response = requests.get('https://www.nitrxgen.net/md5db/' + hashvalue, verify=False).text
So it is explicitly disabling certificate validation here with verify=False. Given that there are other HTTPS requests in the code and this one is the only one with certificate validation disabled, it is likely to work around a problem with the site.
And, the SSLLabs report for www.nitrxgen.net shows that that the site is not properly configured:
This server's certificate chain is incomplete. Grade capped to B.
This incomplete certificate chain causes requests to fail. To work around the broken site one need to either import the missing chain certificate in the trust store or have it explicitly trusted by the code.
Since there are many similar questions already I don't want to repeat all the details. See for example Python requests SSL error - certificate verify failed
, Python Requests getting SSLerror, SSL error with Python requests despite up-to-date dependencies for more.
A node/electron app gets deployed on the end user's machine. It tries to make an HTTPS request to a server. Depending on the user's network setup, this may work fine, or Node may throw the error "Unable to Get Local Issuer Certificate". As far as I understand, this happens when the client is behind a proxy with SSL interception or something similar.
I know SO and github are full of questions like this. But the only generic "solution" I could find is breaking SSL entirely either at process level:
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0
or at request level:
rejectUnauthorized: "false"
There's also the option to somehow specify the correct certificate when making the HTTP request. But it seems to almost require custom setup for every user and I haven't found any examples of doing it in a generic way.
1. Why is this issue specific to Node apps, while every other app on the computer works fine?
2. Can it be fixed in a general and cross-platform way?
I am trying to make something very basic work and it just isn't working for me. I have a simple Node-RED flow with an inject input node and an email output node:
The properties of the email node look like this:
The error says:
"7/28/2017, 11:43:28 AM node: fname.lname#company.com
msg : error
"Error: unable to verify the first certificate"
I am able to manually send unauthenticated email through this server via telnet. Even if I enter account creds it gives me the same "Error: unable to verify the first certificate".
Am I missing something simple?
I don't have enough reputation to write a comment, but i am adding this line for the previous reply, somebody might need it,
to bypass this error in Node.js program, type:
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
The problem is that the mail server you are connecting to is using SSL and the certificate it is supplying is not signed by one of the trusted CA's built into the Node.JS implementation you are using.
I'm guessing it's a self signed certificate.
The Error says that Node.JS can not verify the first certificate in the presented chain.
My best guess is that Nodemailer (which is used under the covers by the email node) is seeing the STARTTLS option listed when it sends the EHLO command as it starts the connection to the mail server and is trying to upgrade the connection to one that is secure.
While I really wouldn't normally recommend this, you can turn off Node.JS's cert checking by exporting the following environment variable before starting Node-RED:
NODE_TLS_REJECT_UNAUTHORIZED=0
This turns off ALL certificate checking, so you are open to man in the middle attacks for any TLS/SSL connection made from Node-RED.
The real solution here is to get a proper certificate for the mail server, maybe something from the letsencrypt project especially if this mail server is internet facing in any way.
I have an Air Application which communicates quite often with our server. Usually, all communication is fine, but every once in a while I get the following popup: "Revocation information for the security certificate for this site is not available. Do you wan to proceed?
Unfortunately, this popup halts all communications until the end user clicks OK (which is a problem as this application does not allow for user interaction and is not accessible locally.
I am connecting to our website which has a valid Comodo SSL certificate. Visiting the website causes no popups for any kind and shows completely valid.
I also have a Comodo Software Certificate validating the application which is bundled with the program.
I am using actionscript HTTP services to communicate with the server with GET/POST calls.
checkInService = new HTTPService();
checkInService.concurrency = Concurrency.SINGLE;
checkInService.method = "POST";
checkInService.addEventListener(ResultEvent.RESULT,sendResult);
checkInService.addEventListener(FaultEvent.FAULT, faultResult);
checkInService.addEventListener(InvokeEvent.INVOKE, invokeAttempt);
checkInService.url = "https://www.mywebsite.com";
Unfortunately, when the certificate popup appears, it continues to popup for every call (which is on a 2 second timer), causing thousands of popups eventually crashing the program.
My thoughts are the following:
1. Ensure the Root Certificate is installed on the PC.
2. Install the website's certificate as a trusted certificate
3. Add the site to the Trusted Sites in Internet Options
4. Disable Publisher/Certification verification in Internet Options.
I want to leave as much security as possible. Any hints or direction would be greatly appreciated.
Thank you in advance.
Revocation means, that the issuer of the certificate revoked it. Check for revocation is usually done after the trust path for the certificate was verified, so I assume that it is not a problem with the trust store on your system.
But, after the trust path verification so browser will check for revocation. Today this is mostly done with OCSP (online certificate status protocol). This needs an OCSP-URL in the certificate which can be asked and an OCSP responder at the issuers side, which responds to OCSP requests on this URL.
My guess is, that this is where the problem is, e.g. the following might be:
the OCSP responder has no revocation information yet, because the certificate is to new (just wait some hours in this case)
the OCSP responder has network or other problems (just wait and retry later)
a firewall or similar on your site is blocking access to the OCSP responder (check your network or ask your administrator)
I am using the Authorize.Net DPM (Direct Post Method) integration on one particular eCommerce system that I manage.
We have renewed our SSL certificate for this site, and the new SSL cert uses SHA-256 rather than SHA-1, as is recommended for additional security.
However, now AUthoeize.Net can no longer post back to my server. When processing a payment, I receive the message:
An error occurred while trying to report this transaction to the merchant. An e-mail has been sent to the merchant informing them of the error. The following is the result of the attempt to charge your credit card.
from the URL https://secure.authorize.net/gateway/transact.dll, rather than being sent back to my code where I can display the "payment successful" page. Upon reseraching this, I believe the issue is that Authorize.Net's servers don't support SHA-2 certificates:
Does anyone know if Authorize.net accepts the newer SHA2 encryption? Our production servers which use this type of certificate do not receive the RelayResponse.
We found an article on SHA2 encryption issues with WIN2003 servers KB968730. We know Authorize.net uses Win 2003 servers based on http headers, which tell us IIS6.0.
We just established that is a real issue with Authorize.Net. We were able to purchase a SHA1 certificate and we are now able to receive the Relay Response from Authorize.NET. Authorize.NET Relay Response does not handle G2/SHA256 certificates. This will become a major issue in 2014 when SHA1 certifictions will not be obtainable from vendors eg. GoDaddy etc.
I have contacted Authorize.Net support but they seem to not even understand how their own product works, because the responses I get from them make no sense:
We have no announcements regarding the use specifically of SHA-2 hashes to connect to our servers at this time. Notices of any changes to the integration methods will be available in the merchant interface, as well as on the developer center at developer.authorize.net if that change occurs.
I'm not connecting to their servers. They're connecting to my server... so since their support is of no help... how can I resolve this? Is it safe/wise to not use SSL for the x_relay_url DPM postback URL? That seems to be the safest suggestion but I am hesitant to do this.
The resolution I went with was to get an SSL certificate with an SHA-1 signature algorithm, rather than SHA-2.
The issue that SHA-2 certs are rejected by Authorize.net's servers has been reported to their systems engineering team, but I do not know if they will correct this.
I have just run into this problem myself.
I can verify that in my tests, when I switched my x_redirect_url parameter to use a non-ssl host it started redirecting properly back to my site. I can also verify that Authorize.net support does not know how their own products work; I had to explain to them how the x_redirect_url works and got no usable info from them regarding any kind of validation they might be doing on the redirect URL that could cause their system to refuse to redirect.
I thought it was due to a domain name mismatch in my dev environment so I just forced my dev environment to use a non-ssl redirect. Then when I launched my new site I discovered that the problem persisted with SSL redirects on my production site, so I've just switched it back to using non-ssl redirects on my production site temporarily until I get this sorted out.
I have not yet regenerated my ssl cert because I'm not sure if it's using SHA1 or SHA2 and I don't want to regenerate it and reinstall it until I'm sure the cert is SHA1.
I'm having a hard time determining which SHA version it uses because the Thumbprint Algorithm shows SHA1, but then I see SHA256RSA for the Signature Algorithm and sha256 for the Signature Hash Algorithm. So, if anyone knows if that means I have SHA1 or SHA2, please reply to this reply.