I wish to implement a custom trustStore. I have the path to the new trustStore, but I also wish to keep the default one. Based on an if-else loop I want to decide which trustStore to use in the SSL Context. Is this possible? Thanks!
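One way to do what the question asks, as an added example that is not part of the question or any answer here: build the TrustManagerFactory from either the JRE default trust store or a custom file, then hand whichever was chosen to the SSLContext. The host-based condition, the store path and the password are assumptions standing in for the question's own if-else.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class TrustStoreSelector {

    // Hypothetical condition standing in for the question's if-else: which hosts get the custom store.
    static boolean useCustomTrustStore(String host) {
        return host.endsWith(".internal.example");
    }

    // path == null selects the JRE default trust store (cacerts, or javax.net.ssl.trustStore if set);
    // otherwise the file at path is loaded and used instead of it, not in addition to it.
    static TrustManagerFactory trustManagersFor(String path, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (path == null) {
            tmf.init((KeyStore) null);   // null KeyStore = provider loads the default trust store
            return tmf;
        }
        KeyStore store = KeyStore.getInstance("JKS");   // JDK 9+ also reads PKCS12 files via this type
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        tmf.init(store);
        return tmf;
    }

    static SSLContext contextFor(String host, String customStorePath, char[] customStorePassword) throws Exception {
        TrustManagerFactory tmf = useCustomTrustStore(host)
                ? trustManagersFor(customStorePath, customStorePassword)
                : trustManagersFor(null, null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key managers, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; the custom file is only opened for a matching host.
        char[] pw = "changeit".toCharArray();
        SSLContext custom = contextFor("api.internal.example", "/path/to/custom-truststore.jks", pw);
        SSLContext dflt = contextFor("www.example.com", "/path/to/custom-truststore.jks", pw);
        System.out.println(custom.getProtocol() + " / " + dflt.getProtocol());
    }
}
```

Pass the chosen context's socket factory to the connection (for example HttpsURLConnection.setSSLSocketFactory) so the choice is per request rather than a JVM-wide default.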
For my IT Security class I have to create a vulnerable web application.
When logging in, the user should upload a certificate (e.g. a PFX file; I chose a use case where this makes sense). However, I want to make it so an attacker can recreate the certificate with some basic information.
I did some research and it seems like I need to generate a reproducible SSL key and CSR if I want to use PFX. Can I do this on my own? If so, how? If not, what other options do I have?
I'm trying to send a POST request to a daemon which is SSL applied. I want to pass the SSL verification and encrypt with SSL at the same time, and here is what I found:
verify=false
But I can't find a similar one in Twisted agent.request.
Control TLS behavior using the contextFactory argument to twisted.web.client.Agent.__init__.
The value for this parameter should provide twisted.web.iweb.IPolicyForHTTPS. This interface defines a method (creatorForNetloc) which is used to set up the TLS connection.
Twisted includes one distinct implementation of this interface which implements a policy like that used by most modern web browsers.
You can create your own implementation which does something else, such as disregard certificate validation errors - even on a per-host basis - or does things like adding custom trust roots so you can still verify the certificate without requiring it be issued by a certificate authority.
twisted.internet.ssl.optionsForClientTLS is useful for implementing some behaviors in creatorForNetloc - however it does not support completely ignoring all validation errors. For that, you might benefit from using twisted.internet.ssl.ClientTLSOptions which accepts an arbitrary OpenSSL.SSL.Context instance that controls most of its behavior.
OpenSSL.SSL.Context lets you control approximately every feature of OpenSSL that it is possible to control when using TLS with Twisted - including ignoring validation errors, if that's what you really need.
The most straightforward way to do that is to use Context.set_verify with a suitably defined function.
Need help setting up Jmeter to use multiple Certs.
Need JMeter HTTPS requests to use different client certificates that I have in a JKS keystore; currently 2 client certs/keys are in it.
Currently I have a few HTTPS requests in the first thread group which should be made using CERT1, and the second thread group has a few more HTTPS requests which should be made using CERT2.
I am using the KeyStore configuration to have these different thread groups use different CERTs by using alias or index.
Besides adding the Keystore Configuration to the thread group and setting a different alias to select a different cert, JMeter is not using different certs to make requests. I see the same cert is being used.
I have set -Jhttps.use.cached.ssl.context=false -Jhttps.socket.protocols=TLSv1.2 -Djavax.net.ssl.keyStore=%KEYSTORE% -Djavax.net.ssl.keyStorePassword=%KEY_PASS%
and also I am using HTTPClient4 in my HTTPS requests.
Is there something that I am missing? Any help would be appreciated.
Read the documentation reference:
http://jmeter.apache.org/usermanual/component_reference.html#Keystore_Configuration
Pay attention to the yellow notes:
To make JMeter use more than one certificate you need to ensure that:
- https.use.cached.ssl.context=false is set in jmeter.properties or user.properties
- You use either HTTPClient 3.1 or 4 implementations for HTTP Request
I have searched in vain for a straightforward example of calling a web service requiring SSL authentication and that has a self-signed certificate. I already have the code to be able to trust all certs, so you don't need to provide that. Just a simple example of being able to provide to the service the authentication parameters - username, password, and any other authentication-related parameters, transports, and headers necessary to authenticate successfully and make use of the service. Right now I am using Axis 1.4. Your responses will be greatly appreciated. Thanks.
Have you tried this?
https://stackoverflow.com/a/3256676/372643
You'll need to initialise your socket factory from an SSLContext that trusts this particular self-signed certificate.
Alternatively, you could import this specific certificate in your trust store (cacerts in your JRE directory), or import it into a copy of this file and use it as a global trust store by pointing the javax.net.ssl.trustStore system property to it (the default password is changeit).
I am trying to run a Java client with 2-way SSL, which uses a CAC card as the keystore for the client. I have added the following system properties in my client program to make it work and also changed the java.security file to add the pkcs11 provider.
System.setProperty("javax.net.ssl.keyStoreType", "pkcs11");
System.setProperty("javax.net.debug", "ssl");
The program works fine and the handshake is done successfully. However, when I have more than one trusted certificate in the CAC card, it takes the default certificate. I want to specify which certificate should be used to do the client auth (maybe by specifying the alias name), but I didn't find any system property to do that.
How can I specify the alias name as a system property, so that the 2way SSL will use it for the client auth?
Is there another way to specify the alias name? For example, when I access the server URL from any browser I would get a certificate selection prompt and the connection is established with the selected certificate.
For choosing a client certificate, the default implementation (sun.security.ssl.X509KeyManagerImpl, assuming you're using the Sun JRE) chooses the first certificate that it can use for the request.
PKCS#11 is a slightly specific case. As far as I'm aware, there would only be one private key + certificate chain per slot. If no slot is specified in your PKCS#11 provider configuration, the default one will be 0.
As there is no specific property in the Java SSL properties, it is better to search for a different existing KeyManager implementation which supports this, or else write your own custom KeyManager so that you can pick the specific certificate with its alias name.
Thanks,
Sunny.
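An added example (not from the question or from Sunny's answer) of the custom KeyManager the answer suggests: it delegates everything to the JRE's own X509KeyManager except alias selection, which it pins to one alias for client authentication. That the SunPKCS11 provider is already registered, and the PIN and alias values, are assumptions.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Wraps the JRE's X509KeyManager and forces one alias whenever a server asks for a client certificate. */
public final class AliasSelectingKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;
    private final String alias;
    AliasSelectingKeyManager(X509KeyManager delegate, String alias) { this.delegate = delegate; this.alias = alias; }

    // Fail closed: with no private key under the alias, send no client certificate at all
    // rather than silently reverting to the delegate's "first usable certificate" choice.
    private String forcedAlias() {
        return delegate.getPrivateKey(alias) != null ? alias : null;
    }

    @Override public String chooseClientAlias(String[] kt, Principal[] iss, Socket s) { return forcedAlias(); }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] iss, SSLEngine e) { return forcedAlias(); }
    @Override public String[] getClientAliases(String kt, Principal[] iss) { return delegate.getClientAliases(kt, iss); }
    @Override public String[] getServerAliases(String kt, Principal[] iss) { return delegate.getServerAliases(kt, iss); }
    @Override public String chooseServerAlias(String kt, Principal[] iss, Socket s) { return delegate.chooseServerAlias(kt, iss, s); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    // Default KeyManagerFactory algorithm (SunX509) exposes plain keystore aliases; PKIX prefixes them.
    static SSLContext contextUsingAlias(KeyStore keyStore, char[] keyPassword, String alias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        KeyManager[] managers = kmf.getKeyManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509KeyManager) managers[i] = new AliasSelectingKeyManager((X509KeyManager) managers[i], alias);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(managers, null, null);   // null trust managers = JRE default trust store
        return ctx;
    }

    // Assumption: SunPKCS11 is registered in java.security, so the CAC appears as a "PKCS11" keystore.
    static SSLContext contextForCard(char[] pin, String alias) throws Exception {
        KeyStore cac = KeyStore.getInstance("PKCS11");
        cac.load(null, pin);               // logs in to the token; the per-key password is then null
        return contextUsingAlias(cac, null, alias);
    }
}
```

Hand the result to the client via ctx.getSocketFactory() (for HttpsURLConnection, setSSLSocketFactory or setDefaultSSLSocketFactory); once the context is built explicitly, the javax.net.ssl.keyStoreType system property is no longer what selects the certificate.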