I have a WebSocket which works good over WebSocket protocol, but I can not switch to WebSocketSecure protocol, It doesn't generate any errors on server side, client says error:141970DF:SSL routines:tls_construct_cke_psk_preamble:psk identity not found. The certificate was generated by certbot and is used of for https web site on same domain.
Server code:
QSslConfiguration conf = server.sslConfiguration();
QFile * privkey =
new QFile{"/etc/letsencrypt/live/example.com/privkey.pem"};
privkey->open(QFile::ReadOnly);
conf.setCaCertificates(QSslCertificate::fromPath(
"/etc/letsencrypt/live/example.com/fullchain.pem"));
conf.setPrivateKey(QSslKey(privkey));
conf.setProtocol(QSsl::TlsV1_0);
server.setSslConfiguration(conf);
if (server.listen(QHostAddress::Any, 54045)) {
connect(
&server, &QWebSocketServer::newConnection, this,
&Server::onNewConnection);
connect(&server, &QWebSocketServer::closed, this, &Server::closed);
qDebug() << "server started";
}
The client code:
import QtQuick 2.13
import QtWebSockets 1.13
WebSocket {
active: true
url: "wss://example.com:54045"
}
Output of openSSL:
$ openssl s_client -connect example.com:54045
CONNECTED(00000003)
140623606740288:error:14095126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:302:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 325 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Related
I have this new client which only can talk TLSv1.2 which communicate with a old service which can only talk TLSv1. It is about to be upgraded. It is an internal system without access to internet.
To solve the problem I have placed a Nginx proxy in between.
client =TLS1.2=> Nginx =TLSv1=> oldservice
Even with proxy_ssl_verify=off I get this error:
==> /var/log/nginx/ngx-error.log <==
2021/09/15 14:48:26 [error] 13231#0: *3 peer closed connection in SSL handshake while SSL handshaking to upstream, client: 10.140.164.9, server: ngx.example.org, request: "GET /net/EXT/microservice.svc HTTP/1.1", upstream: "https://172.23.149.10:443/EXT/microservice.svc", host: "ngx.example.org"
If I on ngx.example.org run curl -v https://endp.example.org/EXT/microservice.svc I get this message:
* NSS error -8016 (SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED)
* The certificate was signed using a signature algorithm that is disabled because it is not secure.
* Closing connection 0
curl: (60) The certificate was signed using a signature algorithm that is disabled because it is not secure.
If I run curl --insecure it is working and this is the behavior I want Nginx to do.
My Nginx configuration:
server {
listen 80;
listen 443 ssl;
server_name ngx.example.org;
access_log /var/log/nginx/ngx-access.log;
error_log /var/log/nginx/ngx-error.log;
root /var/www/nginx/ngx;
ssl_protocols TLSv1.2;
ssl_certificate /etc/pki/nginx/private/ngx.example.org.crt;
ssl_certificate_key /etc/pki/nginx/private/ngx.example.org.key;
ssl_verify_client off;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#proxy_ssl_ciphers PSK-3DES-EDE-CBC-SHA;
location /net/ {
proxy_ssl_name endp.example.org;
proxy_ssl_server_name on;
proxy_ssl_verify off;
proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/wsgw.root.ca.pem;
proxy_set_header Host endp.example.org;
proxy_set_header X_FORWARDED_PROTO https;
proxy_pass https://endp.example.org/;
}
}
Edit:
Here is the output from openssl without -tlsv1:
openssl s_client -connect endp.example.org:443
139801673865104:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1631880896
Timeout : 300 (sec)
Verify return code: 0 (ok)
Here is the output from openssl with -tlsv1:
openssl s_client -connect endp.example.org:443 -tls1
depth=0 CN = endp.example.org
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = endp.example.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/CN=endp.example.org
i:/CN=endp.example.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICIzCCAYygAwIBAgIQZs9VZsp/iZRC2rL+oYTf0DANBgkqhkiG9w0BAQQFADAc
...lines deleted
OS+ih0tnXEzJKqtSC52Z+zAIFWdEipA=
-----END CERTIFICATE-----
subject=/CN=endp.example.org
issuer=/CN=endp.example.org
---
No client certificate CA names sent
---
SSL handshake has read 694 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: A01E00002B40C49CA7D7CD8EE73A9FB8DF44BF155300CDFCC98712657F697F88
Session-ID-ctx:
Master-Key: A90284275AA0067A47836A269592213E419F5286E0D30EA38F1094B50536F67913FCE7BA5D43025D1AC7FBDCA769FBE4
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1631862396
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Content of certificate:
$ openssl x509 -in endp.example.org.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
66:cf:55:66:ca:7f:89:94:42:da:b2:fe:a1:84:df:d0
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=endp.example.org
Validity
Not Before: Nov 9 11:08:50 2010 GMT
Not After : Dec 30 23:00:00 2030 GMT
Subject: CN=endp.example.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:eb:ea:04:f0:53:87:26:b5:19:13:c6:a5:7b:27:
75:7e:f5:9a:84:74:59:d3:ec:0d:40:42:78:a4:c6:
1b:42:b2:50:19:3e:90:7b:20:73:f4:71:b8:3b:c3:
b3:dd:84:94:78:64:64:ac:5c:dc:a3:e4:8c:36:10:
32:ec:12:90:89:6c:e9:44:0e:fb:2e:84:0f:df:16:
c2:ae:b8:2c:d6:d0:73:b3:cf:4b:f8:56:91:e6:30:
c1:15:34:9f:70:6d:e1:e9:33:de:d6:9b:4d:2e:c8:
03:7b:eb:ed:6b:9c:8e:0b:80:a2:ef:29:5f:18:4e:
bf:e3:9a:81:e3:57:ae:c5:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
2.5.29.1:
0D....M..w....T..."...0.1.0...U....endp.example.org..f.Uf....B.......
Signature Algorithm: md5WithRSAEncryption
83:a7:c9:cf:a5:d3:91:78:65:d0:43:24:84:c5:77:62:be:ba:
52:db:7f:c6:ca:59:40:50:91:5f:48:fe:77:4a:94:26:36:23:
3a:82:6b:54:46:c1:a4:0d:bd:8f:96:bc:04:c8:54:f7:74:94:
83:3a:9e:71:61:8c:d4:a0:77:be:fc:50:e8:3f:12:a3:00:01:
9d:d6:06:a0:77:c2:84:24:96:03:c1:6a:05:57:bb:5e:d0:47:
e5:ff:a9:6c:a1:e1:cc:a4:d0:4b:b0:9d:1b:0b:d4:39:2f:a2:
87:4b:67:5c:4c:c9:2a:ab:52:0b:9d:99:fb:30:08:15:67:44:
8a:90
Not a solution but a work-around: Use Apache
ServerName ngx.example.org:443
SSLEngine on
SSLProxyEngine on
SSLProxyVerifyDepth 0
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCertificateFile /etc/pki/nginx/private/ngx.example.org.crt
SSLCertificateKeyFile /etc/pki/nginx/private/ngx.example.org.key
DocumentRoot /var/www/httpd/ngx
CustomLog /var/log/httpd/ngx/access.log combined
ErrorLog /var/log/httpd/ngx/error.log
ProxyPass "/net/" "https://endp.example.org/"
i'm trying to get a domain on a private server, but requests get continuously fails with sslv3 alert handshake failure.
I have configured the session to ignore sslv3 according to the blog post here https://lukasa.co.uk/2017/02/Configuring_TLS_With_Requests/
but it continues using it as statet in the exception message.
Any ideas what i am making wrong here?
Heres my minimal script:
import ssl
import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context
CIPHERS = (
'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
'!eNULL:!MD5'
)
class DESAdapter(HTTPAdapter):
"""
A TransportAdapter that re-enables 3DES support in Requests.
"""
def create_ssl_context(self):
ctx = ssl.create_default_context()
# opt out the SSLv3
ctx.options |= ssl.OP_NO_SSLv3
ctx.set_ciphers( CIPHERS )
return ctx
def init_poolmanager(self, *args, **kwargs):
kwargs['ssl_context'] = self.create_ssl_context()
return super(DESAdapter, self).init_poolmanager(*args, **kwargs)
def proxy_manager_for(self, *args, **kwargs):
kwargs['ssl_context'] = self.create_ssl_context()
return super(DESAdapter, self).proxy_manager_for(*args, **kwargs)
s = requests.Session()
s.mount('https://my-broken-intranet-domain.net:4942', DESAdapter())
# This will throw the error:
r = s.get('https://my-broken-intranet-domain.net:4942')
Exception has occurred: requests.exceptions.SSLError
HTTPSConnectionPool(host='my-broken-intranet-domain.net', port=4942): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)')))
With Curl, the request goes trough and the negotiated CIPHER and TLS are:
curl -v https://my-broken-intranet-domain.net:4942
...
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DES-CBC3-SHA
* ALPN, server did not agree to a protocol
Versions:
Python 3.7.2
requests
Version: 2.21.0
urllib3
Version: 1.24.1
OpenSSL
1.1.0j
Thanks for the help!
Related to Python 3.7.2.
Closing this, as it is not present with 3.6.8
Using IIS 7 and PHP7.1
We i managed to connect my server to our SMTP server (on a different IP Address)
I did this by quiet simply editing my php.ini file
SMTP = mail.<Domain>.co.uk
smtp_port = 25
sendmail_from = mail#<Domain>.co.uk
And by calling a php script, an email was sent
<?php
$msg = "Hello Do I Work Im From the Server";
mail("joe#<Domain>.co.uk","My subject",$msg);
?>
This worked providing that the email recipient was on the same domain.
However the request came for emails to be sent to anyone. When i tried this, using above code and settings i got this error
PHP Warning: mail(): SMTP server response: 550 5.7.1 Unable to relay in …
Having a quick read i found that PHP 7.1 don't allow smtp passwords which the lack caused the above error. Id need a external mail library
1) Was this correct
i downloaded and installed phpmailer (i can change this if required) and ran the following script
<?php
require_once "PHPMailerAutoload.php";
$mail = new PHPMailer;
$mail->SMTPDebug = 3;
$mail->isSMTP();
$mail->Host = "mail.<Domain>.co.uk";
$mail->SMTPAuth = true;
$mail->Username = "mail#<Domain>.co.uk";
$mail->Password = "<Password>";
$mail->SMTPSecure = "tls";
$mail->Port = 25;
$mail->From = "mail#<Domain>.co.uk";
$mail->FromName = "Mail";
$mail->addAddress("joe#<Domain>.co.uk");
$mail->addReplyTo("mail#<Domain>.co.uk", "Reply");
$mail->isHTML(true);
$mail->Subject = "Test";
$mail->Body = "From the Server";
if(!$mail->send())
{
echo "Mailer Error: " . $mail->ErrorInfo;
}
else
{
echo "Message has been sent successfully";
}
?>
I ran this and got the error
2017-05-19 11:57:52 Extension missing: openssl Mailer Error: Extension missing: openssl
So i uncommented this in my php.ini
extension=php_openssl.dll
Reran the script and got
2017-05-19 11:59:14 Connection: opening to mail.<Domain>.co.uk:25, timeout=300, options=array ( ) 2017-05-19 11:59:14 Connection: opened 2017-05-19 11:59:14
SERVER -> CLIENT: 220 PATHEX01.pathways.local Microsoft ESMTP MAIL Service ready at Fri, 19 May 2017 12:59:14 +0100 2017-05-19 11:59:14
CLIENT -> SERVER: EHLO www.<Domain>.co.uk 2017-05-19 11:59:14
SERVER -> CLIENT: 250-PATHEX01.pathways.local Hello [146.255.105.211] 250-SIZE 37748736 250-PIPELINING 250-DSN 250-ENHANCEDSTATUSCODES 250-STARTTLS 250-X-ANONYMOUSTLS 250-AUTH NTLM 250-X-EXPS GSSAPI NTLM 250-8BITMIME 250-BINARYMIME 250-CHUNKING 250 XRDST 2017-05-19 11:59:14
CLIENT -> SERVER: STARTTLS 2017-05-19 11:59:14
SERVER -> CLIENT: 220 2.0.0 SMTP server ready 2017-05-19 11:59:15 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed [C:\inetpub\wwwroot\EmailTest\class.smtp.php line 369] 2017-05-19 11:59:15 SMTP Error: Could not connect to SMTP host. 2017-05-19 11:59:15
CLIENT -> SERVER: QUIT 2017-05-19 11:59:15
SERVER -> CLIENT: 2017-05-19 11:59:15 SMTP ERROR: QUIT command failed: 2017-05-19 11:59:15 Connection: closed 2017-05-19 11:59:15 SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting Mailer Error: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Can anyone suggest what I'm doing wrong? Thanks
I configured postfix to send mail through a microsoft exchange server with SMTP authentication and TLS. In the log of the emails I see this error:
postfix / smtp [ 11191 ] : warning: SASL authentication failure: No worthy mechs found
postfix / smtp [ 11191 ] : B5BEB22019E : <my#mydomain.it> to = , relay = my.relay.host , delay = 0:07 , delays = 0.04/0.02/0.01/0 , dsn
= 4.7.0 , status = deferred ( SASL authentication failed , can not authenticate to server my.relay.host no mechanism available )
The postfix configuration is the default one , I added these lines:
relayhost = my.relay.host
smtp_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash :/ etc / postfix / sasl_passwd
smtpd_use_tls = yes
The libraries cyrus -sasl and cyrus -sasl -devel cyrus- sasl- ntlm are installed , if I do a telnet to the server microsoft get:
220 my.relay.host Microsoft ESMTP MAIL Service ready at Wed, November 27 2013 10:20:40 +0100
ehlo
250 - MY.RELAY.HOST Hello [ XXX.XXX.XXX.XXX ]
250 -SIZE 10485760
250-PIPELINING
250 - DSN
250 - ENHANCEDSTATUSCODES
250 -AUTH LOGIN
250 - 8BITMIME
250-BINARYMIME
250 CHUNKING
The administrator of the relay server tells me that authentication is NTLM , any ideas?
Thanks Stefano
I'm using Network.Browser 4000.0.9 to retrieve a web page:
import Network.Browser
import Network.HTTP
main =
do
(uri, response) <- browse $ do
setAllowRedirects True
setDebugLog Nothing
request $ getRequest "http://www.google.com/robots.txt"
putStrLn "done"
Despite setDebugLog Nothing this spews all of this logging:
Sending:
GET /robots.txt HTTP/1.1
Host: www.google.com
User-Agent: ...
Content-Length: 0
Creating new connection to www.google.com
Received:
HTTP/1.1 200 OK
Content-Type: text/plain
...
How do I turn this logging off?
Use setOutHandler and setErrHandler as described in the documentation page you linked.