Twisted supports http1 + http2.
How to setup a twisted http2 server over TCP (neither ALPN nor protocol-upgrade)?
The server should answer to this query:
curl --http2-prior-knowledge http://localhost:8000/
Twisted should set up HTTP/2 servers for you auto-magically. Make sure you install twisted's http2 modules. The simplest way is to use pip:
pip install -U twisted[http2]
However, I've noticed a few times that it doesn't do run the HTTP/2 stuff out of the box. I had to uninstall h2, hyper and hyperframe, then reinstall them.
pip uninstall h2 hyperframe hyper
pip install -U twisted[http2]
Using a self signed certificate, here's a small klein webserver example.
openssl genrsa -aes256 -passout pass:SuperSecretPassword -out server.key 4096
openssl req -new -key server.key -passin pass:SuperSecretPassword -out server.csr
# Common Name (e.g. server FQDN or YOUR name) []:localhost
openssl x509 -req -passin pass:SuperSecretPassword -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server_no_pass.key -passin pass:SuperSecretPassword
mv server_no_pass.key server.key
cat server.crt server.key > selfsigned.pem
rm server.crt server.csr server.key
from klein import route, run
#route("/")
def hello(req):
if req.clientproto == b"HTTP/2":
return "http2"
return "http1.1"
run(endpoint_description="ssl:8000:privateKey=selfsigned.pem")
Update
While it's not best practice, there's nothing prohibiting you from running HTTP/2 server on a non-TLS connection. I believe most browsers won't support a non-TLS HTTP/2 server though (at least I couldn't get Firefox and Chrome to work with it). Twisted won't work out the box for you either, so that means you'll have to implement your own server. Follow the twisted example on the hyper-h2 site. Then replace endpoints.SSL4ServerEndpoint with endpoints.TCP4ServerEndpoint.
# ...
endpoint = endpoints.TCP4ServerEndpoint(reactor, 8080, backlog=128)
endpoint.listen(H2Factory(root))
reactor.run()
Related
I used openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365 to generate a cert.pem and key.pem and it has executed correctly. Now what I want is how can I add the openssl generated certificate to trusted certificates so that I don't get greeted with Your connection isn't private page before loading my flask https site. Any help is appreciated.
EDIT: OS - Windows. I am trying to add the OpenSSL generated certificate to Trusted Root Certification Authorities inside the Microsoft Management console (MMC)
depending on the browser you need to run certutil with a specific db location:
chromium-based (most) -d sql:$HOME/.pki/nssdb
firefox -d %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db
I have a basic nginx home server setup which i use Client certificates to allow outside access. I have followed this guide to get everything setup which works as expected:
https://gist.github.com/rkaramandi/20a04a41536f3d7e6d2f26b0b9605ab6
in summary:
openssl genrsa -aes256 -out ca.privkey 4096
openssl req -new -x509 -days 365 -key ca.privkey -out ca.crt
openssl genrsa -aes256 -out bobs-ipad.privkey 4096
openssl req -new -out bobs-ipad.csr -key bobs-ipad.privkey
openssl x509 -req -days 365 -in bobs-ipad.csr -CA ca.crt -CAkey ca.privkey -set_serial 100 -out bobs-ipad.crt
openssl pkcs12 -export -clcerts -in bobs-ipad.crt -inkey bobs-ipad.privkey -out bobs-ipad.p12
Also openssl pkcs12 -in bobs-ipad.p12 -out bobs-ipad.pem -nodes to generate a pem file as well.
And in nginx config:
ssl_client_certificate <path>/ca.crt;
# ssl_crl <path>/ca.crl;
ssl_verify_client optional;
...
location / {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
I am able to access the server from outside and only signed certificates on the client machine allow access.
However if one of the signed certificates were to be compromised i'd have to re-generate the CA and re-distribute the new signed client certificates. I understand that a CRL file can be used to revoke certificates using ssl_crl <path to crl>; in the nginx config but i am not sure to generate this using the guide i followed.
A command like this can be used openssl ca -gencrl -keyfile ca.privkey -cert ca.crt -out ca.crl
But this relies on a configuration file with an index of the certificates i believe?
Is there anyway of using a command like the above to input a (or list of) pem or p12 client certificate(s) -in bobs-ipad.pem that i want to revoke?
If not perhaps i need to start again and have a config with index file to then -revoke the certificates and re-generate the crl file.
Thanks in advance,
Richard
It doesn't seem like this is possible. I have found some other guides to get this working with a configuration file (and generating a new CA): https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
https://www.djouxtech.net/posts/nginx-client-certificate-authentication/
I'm using Mosquitto version 1.4.8 on my test PC and the server. The server is accessible via ha.euroicc.com.
I've generated certificates and keys using the following script:
#! /usr/bin/env bash
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Serial should be different from the server one, otherwise curl will return NSS error -8054
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
# Verify Server Certificate
openssl verify -purpose sslserver -CAfile ca.crt server.crt
# Verify Client Certificate
openssl verify -purpose sslclient -CAfile ca.crt client.crt
I've put 'd', 'dd' and 'dddd' everywhere except for common name.
The common name for ca is 'd' and for server/client is 'ha.euroicc.com'.
CN for server/client needs to be this value, or it doesn't work at all!
My current mosquitto config file:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
password_file /etc/mosquitto/passwd
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
port 8883
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
I use this command to subscribe from test PC:
mosquitto_sub -h ha.euroicc.com -t "topic/test" -u "damjan" -P "damjan" -p 8883 --cafile ca.crt --key client.key --cert client.crt
And get these errors:
On test PC:
Error: A TLS error occurred.
On server:
1532564086: OpenSSL Error: error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed
1532564086: Socket error on client <unknown>, disconnecting.
I've tried without require_certificate set on the server side, and not using client key/cert on the client side and subscription works in this case. This means that username/password parameters are fine.
That means that I either generated certificates and keys with a problem, my mosquitto.conf is bad or I'm using mosquitto_sub with a problem. Maybe something else?
I'm really at loss here and can't figure out what to try next...
Every bit of information helps.
Had a similar issue while upgrading to 2.0 because of the updated TLS/SSL bindings several know weak algorithms are not supported anymore.
In my case the signature of the certificate was sha1WithRSAEncryption where sha1 is the weak part. The same would be for e.g. MD5.
Check your certificate with openssl x509 -text -noout -in your.crt
Resigning the certificate with sha256WithRSAEncryption fixed it for me.
There is no need to create a new key.
You can either create a new CSR from your existing key and information from your certificate:
openssl x509 -x509toreq -in sha1.crt -signkey sha1.key -out sha256-new.csr -sha256
or overwrite the algorithm while signing the existing CSR again:
openssl x509 -req -days 360 -in sha1.csr -CA DummyCA-DonotTrust.pem -CAkey DummyCA-DonotTrust.pem -CAcreateserial -out sha256.crt -sha256
Recent openssl version should use sha256 as default.
Debian has changed the default setting with openssl-1.1.1 see https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 and set CipherString = DEFAULT#SECLEVEL=2.
To get a list of supported algorithms run: openssl ciphers -s -v 'ALL:#SECLEVEL=2'
Ok, so the problem was that I was generating all of the files on my test PC, and then sending it to the server.
I've tried generating everything on the server, and then copying appropriate files to my test PC, and everything works fine.
I've followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt . With lesser changes like hostname etc.
I had the same issue.
To fix it, while generating server.crt, answer to question 'Common Name' with IP address of the machine where Mqtt broker is going to be run.
I ran into this issue during my testing of django-channels and daphne (but the issue is not exclusive to them).
--- <exception caught here> ---
File "/Users/****/lib/python3.6/site-packages/twisted/internet/base.py", line 896, in runUntilCurrent
call.func(*call.args, **call.kw)
File "/Users/****/lib/python3.6/site-packages/twisted/web/http.py", line 2288, in forceAbortClient
self.transport.abortConnection()
File "/Users/****/lib/python3.6/site-packages/twisted/protocols/tls.py", line 435, in abortConnection
self._shutdownTLS()
File "/Users/****/lib/python3.6/site-packages/twisted/protocols/tls.py", line 338, in _shutdownTLS
shutdownSuccess = self._tlsConnection.shutdown()
builtins.AttributeError: 'NoneType' object has no attribute 'shutdown'
This is only the case when HTTP/2 is in use. HTTP1.1 works fine and I've never had an issue like this. I've done a bit of investigating and I've noticed that self._tlsConnection.shutdown() is called 2x, once when the timeout is exceeded and self._tlsConnection is set to None, then again for some unknown reason. I'm not knowledgeable enough in HTTP standards to know if this is expected behavior. Am I doing something wrong or is this a bug?
How to reproduce
Install Twisted with HTTP/2 and TLS support
pip install -U twisted[http2,tls]
Create TLS certificates
openssl genrsa -aes256 -passout pass:SuperSecretPassword -out server.key 2048
openssl req -new -key server.key -passin pass:SuperSecretPassword -out server.csr
openssl x509 -req -passin pass:SuperSecretPassword -days 1024 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server_no_pass.key -passin pass:SuperSecretPassword
mv server_no_pass.key server.key
Create a simple TLS server (it's not django-channels, it's klein, because this issue isn't exclusive to channels). This will start a server on https://0.0.0.0:9999
from klein import route, run
#route('/')
def hello(request):
return 'hello'
run(endpoint_description='ssl:9999:interface=0.0.0.0:certKey=server.crt:privateKey=server.key')
On a web browser, go to https://localhost:9999. Open the developer tools and navigate to network tab. Enable the protocol option and ensure it's HTTP/2.0. I've tested on both Chrome and Firefox.
Wait a few minutes and the server will hit the traceback.
I want to generate the CSR file for requesting SSL (wildcard) certificate. This certificate and private key will be used on multiple machines with both Apache and Nginx.
RapitSSL states the following commands for the different setups:
Nginx
$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Apache Mod SSL
$ openssl genrsa -des3 -out <private key file name>.key 2048
Apache-SSL
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
Is there a way to generate a CSR that works with both Apache and Nginx?
Apache Mod SSL
$ openssl genrsa -des3 -out < private key file name>.key 2048
Apache-SSL
$ openssl genrsa -des3 -out www.yourdomain-example.com.key 2048
These two are obviously the exact same command, with a different way of writing the example name. They just generate the key pair, you'd need an additional req command to generate a CSR too.
genrsa generates a key pair, and req generates a CSR. However, req can perform both operations at once when using -newkey.
See OpenSSL req example documentation:
Create a private key and then generate a certificate request from it:
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out req.pem
The same but just using req:
openssl req -newkey rsa:1024 -keyout key.pem -out req.pem
How to generate CSR for SSL that works with Nginx & Apache ...
Is there a way to generate a CSR that works with both Apache and Nginx?
A quick answer to the questions to clarify things... Nginx and Apache don't consume CSRs. They use certificates and private keys.
Perhaps you meant to say something about a self-signed certificate? If so, add the -x509 option to the openssl req command. That creates a self signed certificate rather than a signing request.
There's a lot more to self-signed certificates (and server certificates in general). See, for example, How to create a self-signed certificate with openssl?