LDAP SSL client not sending hello packet - linux

I'm trying to make LDAP setup using CentOS based OpenLDAP server and MCP Linux based PAM LDAP client.
Without SSL, I'm able to get the user authenticated successfully.
But with SSL ('ssl start_tls' in /etc/pam_ldap.conf), I'm unable to get the user authenticated. When I did a packet capture at the server, I did not see the client's HELLO packet.
Also, I'm not interested in server/client certificate verification, hence at the server I had 'TLSVerifyClient never' and at the client I used 'TLS_REQCERT never' in /etc/openldap/ldap.conf (in addition to 'tls_checkpeer no' in /etc/pam_ldap.conf).
With a CentOS based PAM LDAP client and the same client configuration, I'm able to get the user authenticated successfully against the same server.
Can anyone tell me in which cases an SSL client doesn't send a 'HELLO' packet?
Here you go with logs at server:
...
connection_read(13): checking for input on id=1005
tls_read: want=3, got=0
TLS: error: accept - force handshake failure: errno 11 - moznss error -5938
TLS: can't accept: TLS error -5938:Encountered end of file.
connection_read(13): TLS accept failure error=-1 id=1005, closing
connection_closing: readying conn=1005 sd=13 for close
....
BTW, I'm connecting to the client using SSH.
Also, if I use the 'openssl s_client -connect my-domain.com:636 -showcerts -state -CAfile /etc/pki/tls/certs/cacert.pem' command at the CLIENT, it sends the Client Hello packet and returns the server certificates.
Thanks,
Sravani

From 'strace ldapsearch ....' log, I see that
open("/usr/lib/libsoftokn3.so", O_RDONLY) = -1 ENOENT (No such file or directory)
I'll try to get this library for MCP Linux and give it a try again.
Thanks all for your support

Related

ERROR: Registering runner on Windows Server

My environment : windows server 2019, isolated network w/o internet access, local instance of gitlab server, gitlab-runner v 15.2.0.
When I try to register a runner on my GitLab server I get this error:
ERROR: Registering runner. failed runner=<runner> status=couldn't execute POST against https://test-gitlabserver/api/v4/runners: Post https://test-gitlabserver/api/v4/runners: net/http: TLS handshake timeout PANIC: Failed to register the runner. You may be having network problems.
So I checked that ports 443 and 80 are accessible, the certificate chain is valid, the certificate's trusted authority is up to date, and the certificate revocation list is up to date. When I do
curl https://<test-gitlabserver>
everything is OK, but the runner still does not register.
After that I gave this Windows server internet access and it works like a charm, but it must be an isolated network. I did a few Wireshark captures to compare the sessions and I see: if the internet connection is down, the connection with the GitLab server closes after the TLS "Client Hello" phase, but if the internet connection is up, after the TLS "Client Hello" I get the "Server Hello" and the runner registers successfully.
P.S. Sorry for mistakes in the text =)

Simulate MQTT TLS login by MQTT.FX in linux?

I am having some problems using mosquitto client in linux, more specifically I need to use mosquitto_sub but I don't really get how I should authenticate.
All I have is a JSON config file for MQTT.Fx, which works fine when imported in that application. I can see there are a username and password, as well as host information, and that SSL/TLS is enabled.
My question is: how can I do the same thing that MQTT.Fx does automatically since option CA signed server certificate is selected? I have been trying a lot of alternatives, like downloading server certificate and passing it as --cafile, generating new certificate, signing them, editing mosquitto.conf, but I didn't match the right combination of operations.
Any suggestion, please?
Edit: here is current command:
mosquitto_sub -h myhost.example -p 8883 -i example1 -u myusername -P mypassword -t XXXXXXXXXXXX/# --cafile /etc/mosquitto/trycert.crt
where file trycert.crt contains the response to following request (of course only part between BEGIN CERTIFICATE and END CERTIFICATE)
openssl s_client -showcerts -servername myhost.example -connect myhost.example:8883 </dev/null
All the times I had problems with MQTT over SSL it's been that the server cert's chain of trust was broken on my client. In other words, the server I am connecting to has a cert. This cert is authorized by another cert, and so forth. Each of the certs in the chain needs to be on the client.
If any of these certs is missing, the chain of trust is broken and the stack will abort the connection.

Ubuntu 22.04 OpenVPN server error: write to TUN/TAP : Invalid argument (code=22)

I start the OpenVPN server with openvpn --dev tun --ifconfig 172.16.0.1 172.16.0.2 --cipher AES-256-CBC on my Ubuntu 22.04 Linux box.
I generated the certificates and keys with easycert and copied everything to a Windows 10 client.
The connection doesn't work, and in the syslog I find a lot of
write to TUN/TAP : Invalid argument (code=22)
write to TUN/TAP : Invalid argument (code=22)
...
What's wrong? This is my client configuration file:
client
dev tun
proto udp
remote *MYSERVERIP* 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-256-CBC
The problem is that your server uses comp-lzo adaptive compression by default (even if it is not added to the server.conf file), but the client does not have compression enabled at all. So the client is sending uncompressed packets, while the server is expecting a compression header. Please check the log /var/log/openvpn/openvpn.log on your server.
To solve the problem, please add the line comp-lzo adaptive, or simply comp-lzo, to your client.conf file; adaptive is the default mode for comp-lzo, so you can omit it.
You can also add the same option to your server.conf file, so that you are sure your server uses the same kind of compression.
Hello, if you have a VPN configuration file like .pcf:
1) convert the file format to .conf:
$>pcf2vpnc file.pcf file.conf
2) then you can connect by typing:
$>vpnc ./file.conf
3) and disconnect with:
$> vpnc-disconnect
I found this in: https://kifarunix.com/connect-to-cisco-vpn-using-pcf-file-on-ubuntu/

mosquitto_sub Error: A TLS error occurred but is ok with --insecure

I'm building an MQTT server. I used mosquitto with TLS on the server as the broker.
I encountered this problem:
I created the ca.crt, server certificate, server key, client certificate and client key via generate-CA.sh.
I can connect to the broker and publish and subscribe messages via MQTT.fx, but when I tried to connect to the broker with mosquitto_sub, it came out with Error: A TLS error occurred on the client PC (Ubuntu); at the same time, the server prints
New connection from xx.xx.xx.xx on port 8883.
Openssl Error: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
Openssl Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
The command I used is:
mosquitto_sub -p 8883 -i test -t mqtt -h 150.xx.xx.xx --cafile ca.crt --cert xx.crt --key xx.key in which 150.xx.xx.xx is the IP of my broker.
When I used the option --insecure with the command above, the problem disappeared.
So I think it is the server hostname that leads to this problem.
In the mosquitto_sub command the option -h specifies the hostname, but I need to use this parameter to point to the IP address of my broker, so how could I specify the hostname of my server?
Old question but perhaps this might help someone:
If the --insecure option makes it work, you have a certificate problem. What hostname did you set whilst signing the certificate? What does openssl s_client -showcerts -connect 150.xx.xx.xx:8883 say?
Related: although it should be possible to use SSL certs for your servers using public IP addresses (see Is it possible to have SSL certificate for IP address, not domain name?), I'd recommend not doing this and just using DNS, even if this means server.localdomain and/or editing your /etc/hosts file if necessary.
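As an added example (not code from any of the posts above), this Go program reproduces the two checks that the MQTT answers turn on: the chain of trust to the CA given as --cafile, and the match between the name or IP passed to -h and the certificate's SANs, which is exactly what --insecure switches off. The CA name "example-ca", the broker name "broker.localdomain" and the IP 150.0.0.1 are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues a certificate for tmpl signed by parent (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// BuildChain creates a constructed in-memory CA and a broker cert whose only SAN is the hypothetical DNS name "broker.localdomain" (no IP SAN).
func BuildChain() (ca, broker *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	brokerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	brokerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"broker.localdomain"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	broker = sign(brokerTmpl, ca, &brokerKey.PublicKey, caKey)
	return ca, broker
}

// Verify mirrors a TLS client's checks: a chain from the broker cert to one of roots (the --cafile contents),
// then the dialled name or IP against the cert's SANs, which is the check that --insecure switches off.
func Verify(broker *x509.Certificate, roots *x509.CertPool, dialled string) error {
	_, err := broker.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialled})
	return err
}

func main() {
	ca, broker := BuildChain()
	trusted := x509.NewCertPool() // stands in for the file passed as --cafile
	trusted.AddCert(ca)
	fmt.Println("by DNS name, CA trusted:", Verify(broker, trusted, "broker.localdomain")) // <nil>
	fmt.Println("by IP, CA trusted:", Verify(broker, trusted, "150.0.0.1"))                // hostname mismatch
	fmt.Println("by DNS name, no CA:", Verify(broker, x509.NewCertPool(), "broker.localdomain")) // unknown authority
}
```

The second case is the one the question hits: the certificate has no IP SAN, so dialling by IP can never pass hostname verification, and the fix is a DNS name (or hosts entry) that matches the certificate rather than --insecure.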

linux wget secure authentication

I am trying to download a series of scripts ... unfortunately it doesn't work.
shell:
$ wget --secure-protocol=TLSv1 --user=username --password=password --no-check-certificate https://www.example.com/bla/foo/bar/secure/1.pdf
respond:
--2014-10-06 12:49:26-- https://www.example.com/bla/foo/bar/secure/1.pdf
Resolving www.example.com (www.example.com)... xxx.xxx.xx.xx
Connecting to www.example.com (www.example.com)| xxx.xxx.xx.xx|:443... connected.
OpenSSL: error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error
Unable to establish SSL connection.
There can be lots of reasons why this fails with this error, among them:
server is unable to cope with newer TLS versions
server requires client authentication
server has a misbehaving SSL load balancer in front
there is a firewall between you and the server rejecting your traffic after initial inspection
That's all that can be said from the information you provide.
You might check the server against SSL Labs to get more information, or provide more details in your question, like the real URL.
Edit: The requested server is www2.cs.fau.de. This server supports only SSLv3 and croaks on TLSv1 (instead of just responding with SSLv3), so you need to enforce SSLv3 with wget:
wget --secure-protocol=SSLv3 ...
The certificate of the server can be verified against the usual trusted CA on Linux, so you probably don't need the --no-check-certificate option.
Most browsers can access this site because they automatically downgrade to older SSL versions if connecting with more modern versions does not succeed, but tools like curl or wget do not retry with downgraded versions.