I am getting following error in my server log :
[crit] 915#0: *46701 SSL_do_handshake() failed (SSL:
error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate
fallback) while SSL handshaking, client: 187.50.199.66, server:
0.0.0.0:443
What does it mean ? How can I solve it ?
Please help me.
It looks, as it's connected with security bug in OpenSSL. It's nothing to do with YOUR nginx configuration. It's just indicating that your server has client which inproperly handles SSL handshakes.
What is SSL handshake?
Basically it's exchanging some messages between client and server at the beggining of each session. It consists of 6 phases:
Client Hello
Server Hello
Authentication and Pre-Master Secret
Decryption and Master Secret
Generate Session Keys
Encryption with Session Key
Read more at http://www.symantec.com/connect/blogs/how-does-ssl-work-what-ssl-handshake
To sum up - your server is raising this warning to indicate that some client is (un)intentionally breaking this procedure (for example, prematurely ending connection, or trying to open it several times in one session.
How to solve it?
If you really want to get rid of this message (it's not recommended) you can change level of error logging 9in your nginx.conf file), to something like:
error_log logs/error.log alert;
*available levels are: debug | info | notice | warn | error | crit | alert | emerg
http://nginx.org/en/docs/ngx_core_module.html#error_log
Related
I had an issue in nodejs, when I use the API link https://hostname:8089
return new NoSQLClient({
serviceType: ServiceType.KVSTORE,
endpoint: 'localhost:8089'
});
I'm getting error like this,
Error: [REQUEST_TIMEOUT] Operation timed out after 10000 ms and 6 retries; Caused by: [NETWORK_ERROR] Network error; Caused by: socket hang up
There is nothing wrong with the query, it's about the port, you have to expose the port first and then try it...or disable the firewall
This error happens when you are trying to access a secure KVStore using a non-secure connection call ( http://localhost:8089 )
NoSQLTimeoutError: [REQUEST_TIMEOUT] Operation timed out after 10000 ms
and 6 retries; Caused by: [NETWORK_ERROR] Network error;
Caused by: socket hang up
When accessing a secure KVstore, you need also to provide a user/pwd. If not, you will have the following error
NoSQLArgumentError: [ILLEGAL_ARGUMENT] TABLE_REQUEST: Illegal Argument:
Missing authentication information
Here is an example of a connection string (see https, if this value is not set you will use http by default):
return new NoSQLClient({
serviceType: ServiceType.KVSTORE,
endpoint: 'https://localhost:8089'
, auth: {
kvstore: {
user: "driver_user",
password: "DriverPass##123"
}
}
});
In a secure mode, the proxy requires an SSL Certificate and private key. You need to provide the certificate, before running your application, set the environment variable NODE_EXTRA_CA_CERTS
export NODE_EXTRA_CA_CERTS=<yourpath>/certificate.pem
Without the certificate, you will have the following error:
NoSQLAuthorizationError: [REQUEST_TIMEOUT] Authorization error:
[operation timeout]: Failed to login to kvstore.
Operation timed out, see the cause
You also need to validate the requested domain name to match the server's certificate.
$ curl --cacert ~/certificate.pem https://localhost:8089
curl: (51) Unable to communicate securely with peer: requested domain name
does not match the server's certificate.
In this case, you need to change the certificate or use the appropriate URL
$ openssl x509 -text -noout -in ~/certificate.pem | grep CN
Issuer: CN=kvlite
Subject: CN=kvlite
$ curl --cacert ~/certificate.pem https://kvlite:8080
If your CN is not localhost, use an url matching with the certificate (e.g.)
return new NoSQLClient({
serviceType: ServiceType.KVSTORE,
endpoint: 'https://kvlite:8089'
, auth: {
kvstore: {
user: "driver_user",
password: "DriverPass##123"
}
}
});
I'm trying to stream videos from YouTube in a GUI app using PyQt5, python-vlc and pafy modules, but vlc gave me some connection errors:
[0000025466dc7340] main tls client error: connection error: Interrupted function call
[0000025466df9f00] access stream error: HTTP connection failure
[0000025466dc7430] gnutls tls client error: TLS handshake error: Error in the push function.
[0000025466dc7430] main tls client error: TLS session handshake error
[0000025466dc7430] main tls client error: connection error: Interrupted function call
[0000025466dfa080] access stream error: HTTP connection failure
When I make the same thing with tkinter module it works without problems. How can I solve these errors?
def OnYT(self):
text = self.textbox.text()
url = self.Search(text) #this function returns the first result url from a search on YouTube
self.textbox.setText("")
video = pafy.new(url)
best = video.getbest()
self.mediaplayer.set_mrl(best.url)
if sys.platform.startswith('linux'):
self.mediaplayer.set_xwindow(self.videoframe.winId())
elif sys.platform == "win32":
self.mediaplayer.set_hwnd(self.videoframe.winId())
elif sys.platform == "darwin":
self.mediaplayer.set_nsobject(int(self.videoframe.winId()))
self.mediaplayer.play()
there is a work around for this , you can configure VLC to connect to URL using http using the parameter vlc.Instance("prefer-insecure")
or you can try to update and feed VLC with certificates:
sudo update-ca-certificates --fresh --verbose
mkdir -p ~/.local/share/vlc/certs/
cat /usr/share/ca-certificates/mozilla/* | tee ~/.local/share/vlc/certs/ca-certifcates.crt
you can find more info here
GNUtls options:
--gnutls-system-trust, --no-gnutls-system-trust
Use system trust database
(default enabled)
Trust the root certificates of Certificate Authorities stored in the
operating system trust database to authenticate TLS sessions.
--gnutls-dir-trust <string>
Trust directory
Trust directory
--gnutls-priorities {PERFORMANCE,NORMAL,SECURE128,SECURE256,EXPORT}
TLS cipher priorities
Ciphers, key exchange methods, hash functions and compression methods
can be selected. Refer to GNU TLS documentation for detailed syntax.
you could use --gnutls-dir-trus to point to firefox certs I think
I'm trying (successfuly) to connect to a remote server where my device is connected.
But, despite my effort and researchs, I always have InsecureRequestWarning warning showing up...
The code :
*** Settings ***
Library AppiumLibrary
*** Test Cases ***
First run wizard - Connect to Remote
[Setup] Install and open app
[Teardown] Close all applications
Log Hello World WARN
Sleep 10
*** Keywords ***
Install and open app
open application ${Grid} &{MyDevice} &{UserCredential} &{Android_app}
*** Variables ***
${Grid} http://xxx/appium
&{Huawei_P20_Pro} uuid=xxx relaxed-security=True
&{UserCredential} Username=xx ApiKey=xxxx
&{Android_app} appPackage=xxx appActivity=xxx appWaitActivity=xxx
The output :
First run wizard - Connect to Remote
C:\Users\xxx\AppData\Local\Programs\Python37-32\Lib\site-packages\urllib3\connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecureRequestWarning)
[ WARN ] Hello World
C:\Users\xxx\AppData\Local\Programs\Python37-32\Lib\site-packages\urllib3\connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
| PASS |
------------------------------------------------------------------------------
InsecureRequestWarning)
test :: Android template to connect to Remote | PASS |
1 critical test, 1 passed, 0 failed
1 test total, 1 passed, 0 failed
==============================================================================
Output: C:\Projects\RF\test\output.xml
Log: C:\Projects\RF\test\log.html
Report: C:\Projects\RF\test\report.html
Process finished with exit code 0
I've tried to put the capability relaxed-security it didn't work.
I've found some similar case with Create Session Keyword and the parameter verify=True, but it doesn't work on Open Application either.
Currently, I'm about to modify the source code of the urllib3 library to prevent this anoying warning, but this is not a proper solution.
Thus I was wondering if someone could have a clue arround here !
(using http or https makes no difference in the output)
[Partial answere here Suppress InsecureRequestWarning: Unverified HTTPS request is being made in Python2.6 :
It's just a workaround, it shows how to disable the warning, not how to prevent it (== make the things right) such as enable the certificate verification]
While connect error bot with self hosted . Getting this error while doing it -
10:40:34 DEBUG sleekxmpp.xmlstream.xmlst RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
10:40:34 DEBUG sleekxmpp.features.featur Starting TLS
10:40:34 INFO sleekxmpp.xmlstream.xmlst Negotiating TLS
10:40:34 INFO sleekxmpp.xmlstream.xmlst Using SSL version: TLSv1
10:40:34 DEBUG sleekxmpp.xmlstream.xmlst Event triggered: socket_error
10:40:34 ERROR sleekxmpp.xmlstream.xmlst **Socket Error #13: Permission denied**
10:40:34 DEBUG sleekxmpp.xmlstream.xmlst reconnecting...
This is config which i am using for same .
BACKEND = 'Hipchat' # Errbot will start in text mode (console only mode) and will answer commands from there.
BOT_DATA_DIR = r'/Users/XXX/errbot/errbot/data'
BOT_EXTRA_PLUGIN_DIR = '/Users/XXXX/errbot/errbot/plugins'
BOT_LOG_FILE = r'/Users/XXXX/errbot/errbot/errbot.log'
BOT_LOG_LEVEL = logging.DEBUG
BOT_ADMINS = ('#XXXXX', ) # !! Don't leave that to "CHANGE ME" if you connect your errbot to a chat system !!
# The identity, or credentials, used to connect to a server
BOT_IDENTITY = {
'username': 'XXXX', # The JID of the user you have created for the bot
'password': 'XXXXX', # The corresponding password for this user
'token': 'XXXXXX',
'endpoint' : 'https://xxxx.xxxx.com',
}
Can someone please let me know what i am doing wrong in above config ?
Or please also suggest any other bot (in python) that works with self hosted Hipchat .
Hipchat Server removed external access to the XMPP ports on the 2.0.7 release, in favor of supporting only communication over port 443 (using XMPP's BOSH protocol).
Depending on your server version, you might be able to enable them back by running hipchat network --enable-xmpp-ports.
https://confluence.atlassian.com/hipchatkb/external-xmpp-ports-5222-5223-disabled-by-default-in-hipchat-server-2-0-7-859442760.html has more information on this topic.
We are getting the below error inconsistently in production and we are not sure what the root cause is:
[error] (104)Connection reset by peer: ajp_ilink_receive() can't receive header
[error] ajp_read_header: ajp_ilink_receive failed
[error] (120006)APR does not understand this error code: proxy: read response failed from XXX.XX.XX.XXX:8009 (XXX.XX.XX.XXX)
Our architecture:
F5 Load balancer -> Web servers (httpd mod_proxy ajp load balancer) -> App server (Tomcat with AJP connector)
Note that F5 is used to load balance the apache httpd web servers only (2 in total). Then, we are using apache mod_proxy_ajp to load balance our app servers (5 in total)
Does anyone know what is causing the "connection reset by peer" error on the web server?
Thanks