On the development machine we have the default certificates that comes with apache, when we trying to authenticate with facebook, HWIOAuthBundle fires an exception:
SSL certificate problem: unable to get local issuer certificate
It's clear that in plain PHP we need to set an option CURLOPT_SSL_VERIFYPEER = false, and pass to curl_setopt_array(...).
How can we define these options for Symfony or for HWIOAuthBundle?
Add following options under "hwi_oauth" and you should be fine.
hwi_oauth:
http_client:
verify_peer: false
Related
I am using the extension "Trigger E-Mail" in Firebase. When I try to send an e-mail and I get the following error:
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames
Does this mean the loaded certificate must contain my hostname to work? Sorry, I just have started studying certificates. If I am right then one solution would be to add my hostname into the certificate. As I am using a thirdparty mailprovider. UPDATE: The smtp server uses a shared certificate which doesnt include any other domain and it will never happen.
Similar posts using nodejs tell to set the following configuration:
{ rejectUnauthorized : false }
First I cannot set his configuration into the Extension, secondly I do not want to remove the security feature.
What do you recommend?
Try to use Symfony mailer with Gmail on my Symfony 5.1 app.
mailer.yaml:
framework:
mailer:
dsn: '%env(MAILER_DSN)%'
.env:
MAILER_DSN=gmail+smtp://myadresse#gmail.com:mypassword#localhost
But each time I send a mail, I got:
Connection could not be established with host "ssl://smtp.gmail.com:465": stream_socket_client():
SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Don't understand why... According to the https://symfony.com/doc/current/mailer.html it should work.
I activated low security app on my Gmail account.
Thanks for help
To use Gmail, you need the package symfony/google-mailer (composer require symfony/google-mailer)
And this configuration in your .env file:
###> symfony/google-mailer ###
# Gmail SHOULD NOT be used on production, use it in development only.
MAILER_DSN=gmail://YourEmailAddress:YourPassword#default?verify_peer=0
###< symfony/google-mailer ###
An example:
MAILER_DSN=gmail://stackoverflow#gmail.com:admin123#default?verify_peer=0
Warning:
Although it’s not recommended to disable this verification for
security reasons, it can be useful while developing the application or
when using a self-signed certificate
I know you've said you've done it, but I usually get this error because I need to allow "less secure apps" on my Gmail account.
Connect to Gmail
Go to https://www.google.com/settings/security/lesssecureapps and click Authorize
Go to https://accounts.google.com/DisplayUnlockCaptcha and click Continue
Retry sending an email from your website, and if it still doesn't work repeat points 2 & 3. Sometimes I have to try a few times...
That can come from an async property that is defined by config/packages/messenger.yaml
see https://github.com/symfony/symfony/issues/45811
You need to make sure you are using an SSL certificate when sending emails through Gmail.
See:
https://symfony.com/doc/3.0//email/gmail.html
Jupyter only allows access from localhost unless I do a bunch of extra security stuff. I am running my server so that it is only accessible on a local network where anyone with access is equal in trustworthiness to localhost. How do I set up a jupyter notebook server with no extra security features?
Based on your question, I expect you want this configuration (in ~/.jupyter/jupyter_notebook_config.py):
c.NotebookApp.ip = '0.0.0.0' # listen on all IPs
c.NotebookApp.token = '' # disable authentication
There are a few security features in Jupyter (as of 4.3.1). I'll go over how to disable each one, and whether/when it makes sense to disable it:
It listens only on localhost. This can be changed to all public IP addresses:
c.NotebookApp.ip = '0.0.0.0'
Listening on public IPs should generally come with enabling HTTPS and/or password or token authentication (docs). If it's all internal on a trusted network where nothing bad ever happens, you can proceed to disable other security features:
Token authentication is enabled by default. To disable it:
c.NotebookApp.token = ''
Disabling authentication means that anyone with access to the host can run code. It seems like this is what you want. You can also enable a password:
In [1]: from notebook.auth import passwd
In [2]: passwd()
Enter password:
Verify password:
Out[2]: 'sha1:67c9e60bb8b6:9ffede0825894254b2e042ea597d771089e11aed'
You can store this in c.NotebookApp.password.
You can also store this password in (~/.jupyter/jupyter_notebook_config.json):
{
"NotebookApp": {
"password": "sha1:67c9e60bb8b6:9ffede0825894254b2e042ea597d771089e11aed"
}
}
Jupyter also has CORS protections, to avoid other websites from being able to access this server. This means that when a user on your network visits example.com, javascript on that page cannot execute code on your notebook server. It sounds like you don't want to touch this, but if you are running a service that should be able to access the notebook server, you can add it to:
c.NotebookApp.allow_origin = 'https://your.other.host'
Finally, Jupyter 4.3.1 introduces an xsrf token, which is part of dealing with the same category of cross-site execution above. You don't need to touch this if users are only accessing the server directly, rather than through javascript on additional websites.
c.NotebookApp.disable_check_xsrf = True
A completely insecure notebook server, which is to say one where any website can run code on it, as long as a browser can connect to its host (this would include localhost or LAN if the browser is running from inside the LAN):
c.NotebookApp.ip = '0.0.0.0' # listen on all IPs
c.NotebookApp.token = '' # disable authentication
c.NotebookApp.allow_origin = '*' # allow access from anywhere
c.NotebookApp.disable_check_xsrf = True # allow cross-site requests
This might be desirable if you are aiming to make compute resources free for the world to use however they want via the notebook API.
I am trying to configure alfresco 5.0d community to use kerberos and SSO via active directory.
My setup works fine when I login in the alfresco form login page (without SSO),
However, When enabling SSO, I see this exception in the alfresco logfile:
KrbException: KDC cannot accommodate requested option (13)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
After looking at it with wireshark, it seems like the difference in the TGS-REQ message is that when using SSO, there is an option flag called request-anonymous that is enabled. This causes the KDC to answer with a KDC_ERR_BADOPTION message.
Is there a way to configure kerberos to not set the request-anonymous flag?
Or alternitavely, is there a way to tell the KDC server to deal with it properly?
I'm using symfony2 and its login system through security.yml
When I log in with correct credentials , I get redirected to the correct page but will still have the anonymous in the profiler bar.
when I remove this line :
ini_set('session.cookie_domain', '.domain.com');
it works.
I need that line because my socket server is running on domain.com and I'm developing on sub.domain.com
How can I fix this problem ?
Thanks!
Configure your cookie domain in the framework configuration, instead of calling ini_set():
# app/config/config.yml
framework:
session:
cookie_domain: .domain.com
Reference: http://symfony.com/doc/current/reference/configuration/framework.html#cookie-domain