Can anyone please help me to fix the below issue?
I am using libnss to implement tls connection between a server and a client,
Both are being run on a single machine.
First I tried to run ./certutil exe, I got the below output on console
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Then I tried running the server that is ./selfserv , but I got one error shown below, here -n (nickname) I am passing as SSL.
Is that right ? or what exactly going wrong here?
selfserv: Can't find certificate SSL
Also please explain me how to execute the server and client using mozilla nss with simple steps
Related
We created a root crtificate, which unfortunately expired today in Azure VPN, I regenerated the certificate, upload it to Azure VPN, regenerated a client certificate and se up the OpenVPN configuration file. (After downloaadin the "VPN Client" from the Azure portal.
However, I keep getting "Peer certification verification failure" and I can't seem to understand why. Everything I read suggests that it is as there is a mismatch between the server and the client, however, I must be making the same mistakes, as I have followed the instructions below to generate the root certs, and the client certs::
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#cer
I've used the following open-ssl command to generate convert to a PEM file:
"C:\Program Files\OpenSSL-Win64\bin\openssl" pkcs12 -in child.pfx -out child.pem -clcerts
Then followed this for creating the OVPN file for the iOS device. (I have downloaded the OpenVPN Client to my desktop machine to make it easier to test)
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-mac
I have done this more than once, as well as having "Reset" the VPN gateway, just to try and make sure that it isn't something weird going on.
Does anyone have any ideas as to where I am going wrong?
In case anyone comes across this, there are two things that I have done to fix this issue:
I ended up entering the name of the Root Certificate into the azure settings (the cn=psroot2025 part)
I had been using a windows version of OpenVPN to test the connections were working, by the looks of it, some versions of OpenVPN return the "Peer certification verification failure" error, although this is not the case. You need to download version 2.5.4 from https://openvpn.net/community-downloads/ instead of the latest and this seems to not have the same issue (I had originally installed vrsion 2.5.7.)
Hope that helps...
First of all, a rookie, related to VPN/Security issues, so really
forgive me for whatever error I make while describing my problem,
and hope I'm able to make it clear.
Our contractors changed AVIATRIX-OKTA VPN for AWS-VPN with OKTA
Authentication, they send as an .ovpn file, that works ok for
Windows/MAC using AWS-Vpn-Client application software, but a
couple of us using Linux boxes (Ubuntu specifically) run the
described method in AWS which is: openvn config-file.ovpn,
and it does not work.
It simply asks for usr/pwd an then it fails with auth error (we use our OKTA credentials)
, seems nothing is configured to go to OKTA, open a browser or whatever it needs to do.
As an aside note, we can connect without any trouble to our k8s cluster using OKTA
client libraries, no sure is this is useful or not, just in case.
The .ovpn file looks like this
client
dev tun
proto tcp
remote random.cvpn-endpoint-xxxxxx.yyy.clientvpn.us-west-2.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 5
<ca>
....
....
....
</ca>
auth-user-pass
auth-federate
auth-retry interact
auth-nocache
reneg-sec 0
An interesting thing to notice is that openvpn complains about auth-federate
seems not to recognize it, so I started using gnome network-manager which seems
to accept this configuration, but getting Auth error too.
After this I tried openvpn3 which didn't complain about configuration,
but still getting the same error.
I also tried adding TOPT token to password and the same problem
Any help on how to configure it, or just know if it is possible, will be greatly welcome
, seems there is very little information around this in the net
and we are really stuck on this, we are willing not to change OS or machines as they
are asking to, or using VM just to connect.
Thanks in advance,
We have tried the solution mentioned in the following URL and it worked for us:
https://github.com/samm-git/aws-vpn-client/blob/master/aws-connect.sh
The detailed working of this solution is explained in :https://github.com/samm-git/aws-vpn-client/blob/master/aws-connect.sh.
We have made few changes in the configuration files to make it work.
Removed the following lines in vpn.conf.
auth-user-pass
auth-federate
Made the following change in line 38 in the script aws-connect.sh.
open "$URL"
to
xdg-open "$URL"
Finally I got an answer from AWS people:
If the Client VPN endpoint is configured using SAML-based
authentication (such as Okta), then you have to use the AWS-provided
client to connect:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#saml-requirements
And the promise to update del client documentation with a WARNING about
this.
I'm using the node-request module, regularly sending GET requests to a set of URLs and, sometimes, getting the error below on some sites.
Error: 29472:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:openssl\ssl\s23_clnt.c:683
The problem is that I don't get this error always or always on the some URLs, just sometimes. Also, it can't be ignored with "strictSSL: false".
I have read that this can be related to me sending SSL requests with the wrong protocol (SSLv2, SSLv3, TLS..). But this doesn't explain why it happens irregularly.
Btw, I'm running nodejs on a Win 2008 server.
Any help is appreciated.
You will get such error message when you request HTTPS resource via wrong port, such as 80. So please make sure you specified right port, 443, in the Request options.
This was totally my bad.
I was using standard node http.request on a part of the code which should be sending requests to only http adresses. Seems like the db had a single https address which was queried with a random interval.
Simply, I was trying to send a http request to https.
I got this error because I was using require('https') where I should have been using require('http').
Some of the sites are speaking SSLv2, or at least sending an SSLv2 server-hello, and your client doesn't speak, or isn't configured to speak, SSLv2. You need to make a policy decision here. SSLv2 should have vanished from the face of the earth years ago, and sites that still use it are insecure. However, if you gotta talk to them, you just have to enable it at your end, if you can. I would complain to the site owners though if you can.
I had this problem (403 error for each package) and I found nothing great in the internet to solve it.
My .npmrc file inside my user folder was wrong and misunderstood.
I changed this npmrc line from
proxy=http://XX.XX.XXX.XXX:XXX/
to :
proxy = XX.XX.XXX.XXX:XXXX
var https = require('https');
https.globalAgent.options.secureProtocol = 'SSLv3_method';
I got this error while connecting to Amazon RDS. I checked the server status 50% of CPU usage while it was a development server and no one is using it.
It was working before, and nothing in the connection configuration has changed.
Rebooting the server fixed the issue for me.
So in Short,
vi ~/.proxy_info
export http_proxy=<username>:<password>#<proxy>:8080
export https_proxy=<username>:<password>#<proxy>:8080
source ~/.proxy_info
Hope this helps someone in hurry :)
in my case (the website SSL uses ev curves) the issue with the SSL was solved by adding this option ecdhCurve: 'P-521:P-384:P-256'
request({ url,
agentOptions: { ecdhCurve: 'P-521:P-384:P-256', }
}, (err,res,body) => {
...
JFYI, maybe this will help someone
I got this error, while using it on my rocketchat to communicate with my gitlab via enterprise proxy,
Because, was using the https://:8080 but actually, it worked for http://:8080
I am getting below error can anyone help me out this.
the certificate for this server is invalid. You might be connecting to a server that is pretending to be “ciadfs1.xxxxx.com” which could put your confidential information at risk."
I am using the following web2py slice in attempt to use https for a service worker function in a page.
http://www.web2pyslices.com/slice/show/1507/generate-ssl-self-signed-certificate-and-key-enable-https-encryption-in-web2py
I have tried opening web2py with the following line (with and without [-i IP and -p PORT]):
python web2py.py -c myPath/ssl_certificate.crt -k myPath/ssl_self_signed.key -i 127.0.0.1 -p 8000
but https is declared 'not private' and is crossed out. Because of this, I am getting a SSL certificate error when the registration of the service worker is attempted.
Please indicate what is going wrong or whether more information is needed
You mention "https is declared 'not private' and is crossed out". This has to do with browsers disliking not trusted (self-signed) certificates, because that's what trust is all about. If any hacker could just make up a certificate and the https client wouldn't respond with at least a frown, you could still be hacked or sniffed without noticing. Since you don't mention any other error, I assume you get otherwise valid results from the web2py server?
If so, you have setup your self-signed certificate well. If you don't get any valid html response (outside your browsers complaint, of course), you still have an issue with the setup.
If your service worker won't accept the certificate, what you can do (in a test environment at least) is import the self-signed certificate into the machine or service worker certificate repository. The process differs per OS and version.
Hope this helps. If it doesn't, please provide more detail.
The best way to use ssl with web2py is use of the deployment recipes with prodution-grade webservers like apache, nginx or Lighttpd.
Any of the mentioned scripts create a self-signed certificate, and then, you have to fix the generated server config files to a real certificate.
You can buy a real ssl certificate from any of many resellers or get for free from Let's Encript, if you have a real IP, like in a VPS or server.
A simple way to fix the config files is create a simbolic link from the real certificate to the one mentioned in the server config file.
To just test your service worker in your machine or a internal test server, just use a non-ssl port, or like Remco sugested, import the self-signed certificate to client environment.