I am working on the Microchip WINC3400.
I can establish a TLS socket connection.
For testing purposes I would like to disable root CA certificate verification.
Is this possible on WINC3400 and if so, how can I do this?
Related
Recently I was debugging a mutual TLS issue between a MQTT client and a broker.
For the TLS setup, a self-signed CA was used to sign both server certificates and client certificates.
Both server and client trust stores had the CA certificate present.
During the handshake I observed that both brokers (RabbitMQ and Mosquitto) sent the CA certificate along with the server certificate.
But on the client side, except for the Java (Paho) client, both the Python and the Node.js clients were also sending the CA certificate they had along with their response to the server.
If the CA certificates were already installed in the trust stores of both the server and client, why should they exchange the CA at all during the handshake?
PS: Also, the Java client was never sending the CA certificate in its response. In that case, if the server did not send the certificate, the handshake failed; but for the other clients, even if the server did not send the CA in the handshake, the clients sent the CA in their response and the handshakes were successful.
In general the root CA certificate does not need to be sent inside the TLS handshake, whether for the client or the server certificate. Trust anchors (i.e. the root certificate as the base of the trust chain) need to be already trusted by the peer and thus cannot be taken from a still untrusted network connection. If the root CA is sent anyway, it will simply be ignored.
I am using the OpenSSL program to generate my self-signed SSL certificates: I created a CA certificate and a webserver certificate, and signed the webserver certificate with the CA certificate. I created a keystore with Java's keytool to import the webserver's certificate.
On the client side, I have imported the CA certificate inside the client's Certificate Manager, under the "Trusted Root Certification Authorities".
In theory, is this setup considered one-way TLS or two-way TLS communication?
Thank you so much for the help!
In the TLS protocol, by default the client validates the server's authenticity: the server sends its certificate during the handshake and the client validates it against the CA certificate in its trust store. This is a one-way setup.
For two-way, during the handshake the server also asks for a certificate from the client and validates the certificate sent by the client with the CA certificate in its trust store. So if you want to use a two-way setup, you need to generate a client CA certificate and a client certificate (signed by the client CA certificate); the same CA certificate needs to be configured at the server so that it (the server) is able to validate the client certificate it receives during the handshake.
You can also decide to keep the same CA certificate for both client and server certificates, making sure the client and server certificates are signed by the same CA.
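As an added example (not code from any of the posts above), the following openssl session shows why the root CA in these answers must be a local trust anchor: it builds one CA that signs both a server and a client certificate, then verifies each leaf once with the CA as a trusted anchor and once with the CA offered only as an untrusted chain certificate, which is all that sending the root inside the handshake amounts to. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from any post on this page). Assumes the openssl CLI
# is installed; all files are created in a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build one self-signed CA and use it to sign both a server and a client
# leaf certificate (the "same CA for both" setup described above).
make_ca_and_leaves() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$name.csr" \
      -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -out "$WORK/$name.pem" 2>/dev/null
  done
}

# Case 1: the CA is a local trust anchor (-CAfile), as it is when it sits
# in the peer's trust store. Returns 0 when the leaf chains to it.
verify_with_trusted_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Case 2: the CA is offered only as an untrusted chain certificate
# (-untrusted), which is all a root sent inside the handshake amounts to.
# openssl refuses to use it as a trust anchor, so this returns 1.
verify_with_untrusted_ca_only() {
  if openssl verify -untrusted "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

make_ca_and_leaves
verify_with_trusted_ca server && echo "server cert trusted via local CA"
verify_with_trusted_ca client && echo "client cert trusted via local CA"
verify_with_untrusted_ca_only server || echo "root sent as chain cert: not trusted"
```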
Can we make an SSL connection without a digital certificate?
I have tried SSL communication with a digital certificate, but is it possible without a digital certificate?
Regards
Abdul
I'm trying to add TLS to a Node application connecting to a RethinkDB database. I've set up RethinkDB to use the --driver-tls* parameters.
The strange thing to me is that on the client side I need to provide the CA certificate used to sign the certificates used by the server.
Can that root CA certificate be self-signed, or does it have to be signed by a trusted root CA itself?
I can't figure out how to get trusted TLS connections between my primary mail server (mail.sfnet.it) and mail exchanger (mx.sfnet.it).
They both use Postfix as MTA and they both have a PositiveSSL certificate installed, and everything seems to work well except for the trusted handshake.
I've set the CA path and reconfigured the package, but nothing helps. Any idea?
Postfix log says:
postfix/smtp[20689]: Untrusted TLS connection established to mail.sfnet.it[94.23.65.191]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
It may be necessary to specify a path to trusted certificates with smtp_tls_CApath:
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CApath = /etc/ssl/certs
Can you check if the certificate is correctly installed for mail.sfnet.it on the SMTP port? SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=mail.sfnet.it&hideResults=on) indicates that the server's certificate is untrusted (self-signed) on 443, and I suspect it may be the same on the SMTP port as well.
The connection is untrusted because the sender MTA doesn't recognize the CA that signed the recipient MTA's certificate. To make the MTAs trust each other's certificates, you have to install the CA certificate on both MTAs. The installation process depends on what distro you are using. Here is an example for CentOS.
You can get the CA certificate from the official PositiveSSL site. Here is what I found.