How to set specific cipher suites in XAMPP for localhost? - api

Before starting this project, I have never directly worked with API requests. I have learned a lot and I am able to successfully get valid responses from the FedEx and USPS tracking APIs. However, I am unable to get anything besides a 403 Forbidden error when trying to get a response from UPS.
I have been in contact with their tech support and they verified I am using the correct endpoints and credentials, so they said it must be a security issue. I needed an up to date certificate and they gave me a list of supported security ciphers.
TLS 1.2
1. ECDHE-RSA-AES256-GCM-SHA384
2. ECDHE-RSA-AES128-GCM-SHA256
3. ECDHE-RSA-AES256-CBC-SHA384
4. ECDHE-RSA-AES256-CBC-SHA
TLS 1.3
1. TLS_AES_256_GCM_SHA384
2. TLS_CHACHA20_POLY1305_SHA256
3. TLS_AES_128_GCM_SHA256
4. TLS_AES_128_CCM_8_SHA256
5. TLS_AES_128_CCM_SHA256
I followed a guide online to create and sign a server certificate for my localhost. However, I have no idea what to do with the ciphers. When I check the security tab in DevTools, I can see that the cipher used for localhost is AES_256_GCM Protcol TLS 1.3 with Key exchange group X25519.
Is there any way I can configure my XAMPP Apache server to have these ciphers only?
UPS Tech support said I should check with my company's IT team or Network Admin but we don't really have one besides me. Any help would be appreciated and I would be happy to share my code for the API call.

Related

Specifying criteria for client certificate authentication

I need to setup client certificate authentication for a web app. I have a POC that works fine, except one thing: I can't figure out how to specify criteria for the client certificate (so that the browser only shows matching certificates when it prompts the user to pick one).
I know it's possible, because I've seen sites that did it, and the TLS RFC mention that the CertificateRequest can contain extensions "describing the parameters of the certificate being requested".
However, I can't find a way to do this with ASP.NET Core. I need to support this on IIS (for hosting in Azure App Service) and, if possible, on Kestrel (for local development).
Is it even possible?
EDIT: To be clear, I'm not asking how to validate the certificate once I received it. I'm asking how to specify which certificate I want (e.g. which CA issued it, etc.) during the TLS handshake.

No cipher suites in common

I am trying to get Google Home / API.ai communicating with a simple Java server REST API coded with RESTlet
I have set up a self-signed developer certificate as the webhook communication requires using HTTPS
When the webhook tries to communicate with my server I am seeing an error which says SSHHandshakeException no cipher suites in common.
I have tried adding parameters to the Series and added the enabledCipherSuites parameter with a few cipher IDs I found online but I am unsure what cipher suites API.ai supports.
Is there a way to accept any requests ciphers so I get the communication between API.ai and my webhook working?
I found out from Google that you HAVE to used a SSL certificate from a trusted certificate authority and NOT a self-signed certificate, maybe one day API.AI will update their documentation to mention this

HTTPS api call not working with sha2 ssl

I have used an external api which can be accessible via https (sha1 ssl), And now the external api system upgraded to sha2. While I am hitting the api, i am getting below exception.
Connecting to test.demo.com|10.200.100.101|:8443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish `SSL connection`.
Update:
Comments from external api team (earlier we used SSL protocol and now TLS (TLSv1.2) is benign used in new setup (SSL was expired protocol)).
Based on description above (without actual code snippet) you need to check if you client application has appropriate protocol specified (if they changed it on server to TLS v1.2, you need to change it in your client as well). Great link regarding different TLS versions.

Can not access the web with Chrome

We have just setup a web site , IE and firefox works fine to access it , but when use Chrome , the https is not works , it pops the below error , would advise how can I fix it ? thanks
mysite.com
identity not verified.
the identity of this website has been verified by geo trust ssl CA but does not have public audit records.
the site is using outdate security setting that may prevent future version of Chrome from being able to safely access it.
Your connection to mysite.com is encrypted with obsolete cryptography.
the connection uses TLS 1.2.
the connection is encrypted using RC4_128 with SHA1 for message authentication and RSA as the key exchange mechanism.
If you see an SSL error message in Chrome saying "Your connection is not private," it means your Internet connection, or your computer, is stopping Chrome from loading the page securely.
If you are a web user and you see this warning, you can contact the site owner to make sure that they are aware of the warning. The site is no less secure today than it was last month, but Google is starting to bring awareness to the less secure SHA-1 signed certificates.
The certificate is unable to be audited. In other words, it does not
have the necessary information to be able to go to the CA and check if
the certificate has been manually revoked prior to its expiration.
HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome's user interface.
References :
Check connection to a website here.
Sunsetting SHA-1 - blog
Also more at security.exchange

Authenticating client certificate GnuTLS

So, for an assignment I need to use GnuTLS and to start of, I followed the client and server examples in the documentation (http://www.gnutls.org/manual/gnutls.html) (client and server examples with X.509). Everything works fine till there.
However, I would like the server to authenticate the client (which, in the examples, does not by default). A little research has lead me to changing the flag GNUTLS_CERT in:
gnutls_certificate_server_set_request (mSession, GNUTLS_CERT_REQUEST);
I understand that this returns an error if the client does not provide a certificate that matches the server's trusted CA. However, is this enough to authenticate the client, or should there be more steps for authentication?
Thanks in advance.