It might be a dummy question on security.
I'm working on a file access service, trying to do authentication for it.
For example, I should be able to know who's the request issuer, and whether he/she has the permission to access the file he/she requests.
I'm using grpc to do communication, and grpc seems to natively support a bunch of authentication methods. I tried one of them (https://grpc.io/docs/guides/auth/#using-google-token-based-authentication). The client side code is exactly the same as in the doc. I'm using C++.
But I get the error
E0812 19:03:32.173663955 3576491 ssl_transport_security.cc:1509] Handshake failed with fatal error SSL_ERROR_SSL: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER.
I'm wondering what else should I do?
Related
We will be connecting to a web service over https. This will be triggered in the background if a user performs a certain action.
The link will be between the server and the web-service though - the user will not be aware of it.
As there is no user there to see the certificate come up with an error - because this is server to server - how can we mitigate a man in the middle attack between the two servers? What would happen in the code if one were tried and the certificate failed?
We are using ASP.NET.
Its up to you - you can specify your own validation behavior via
ServicePointManager.ServerCertificateValidationCallback
Reference: https://msdn.microsoft.com/en-us/library/system.net.servicepointmanager.servercertificatevalidationcallback(v=vs.110).aspx
Default implementation is very reasonable - throw an exception when validation fails.
If you are using a well-written HTTP client library to consume your web service, the calls will fail if the certificate validation fails. Correct http client library will do full validation including making sure that hostname it connects to matches the subject name of the certificate, that CA is correct etc. I would hope that .NET's implementation is correct in that regard, but you should definitely test and validate that default behavior is correct.
I'm sending GET requests to Trello API, and I need to test my error handling script. Can I send something that will reliably provoke server-side error?
If all you need to do is have a server generate HTTP error code replies, and you are fine with not using the real Trello API server (but can switch to another host), you could give HttpBin a try. It's a free, anonymous, hosted service that just replies with whatever status you ask it for.
We have a ASP.NET web service which needs to receive a client cert from another service. We have configured our cloud service in IIS to "Accept Client certificates" in IIS Manager (we do not have "Require SSL" check marked in the SSL settings of our website). Occasionally when we attempt to get the client certificate in with the following code (Asp.Net):
httpAuthenticationContext.Request.GetClientCertificate();
we get null. This issue is intermittent. Sometimes, GetClientCertificate() returns the expected cert.
While not this exact issue, we periodically have issues in our Azure implementation of requesting data from a file, database, etc. that we know exists, but fails to return data.
We learned to just wrap these calls with some retry logic, with a brief delay in between. If the calls fail a few times in a row, we throw an error, but for these "transient" issues, sometimes a simple retry will do the trick...
Hope this helps
I have created a webservice in a ASP.net. All the access to the respective website is done through HTTPS. The service which I have added is only one among many others.
I am trying to access just for test purposes this service through Javascript (Ajax, json). The final target is actually Android.
I am getting the following message:
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
The main problem here is inconsistency: while my webservice in inaccessible, another previously written webservice is accessible. Another apparent inconsistency is that even if I tried a compromise solution by adding the needed methods to the accessible webservice, these methods themselves incur a 401 error.
So, my question is related to both "Why doesn't my webservice work" and "How is this supposed to work", with more emphasis on the latter.
Thank you.
Never mind !
Since I was oblivious to the depths of the code I was changing on our server, I did not know that the 401 error message is sent due to the way the code is organised. To access other services, I had to authenticate first through the authentication webservice.
Am trying to use asterisk by posting via http to get the peers, and i keep getting permission denied and then the remote server is not accessible or disconnected, though the login action is working fine and the manager.conf persimission is set correct to allow read and write.
Here is the request:
http://[ServerName]:8088/asterisk/mxml?action=Sippeers&actionid=SipPeersAction&SuppressEvents=True
I found the problem. It turns out that one of the extensions/trunks set inside the SIP file is causing reading the peers to crash, so the users is disconnected, and that's why you get permission denied afterward. So first comment all the extensions inside the sip file then try to run the sippeers actions, make sure it works, then start enabling extension gradually until you identify the extension that is causing the problem.
May be you are using a custom code (http client) instead of browser and your client is not handling cookies properly! after the login request you must get cookie from asterisk response and save it for further use.
read more about ajam here
http://www.voip-info.org/wiki/index.php?page_id=3578
and here is php based example that how to use cookies in custom request (http client)
http://coderscult.com/php/php-curl/2008/05/20/php-curl-cookies-example/