I'm trying to implement TLS in XPub / XSub pattern example, the example was taken from https://netmq.readthedocs.io/en/latest/xpub-xsub/
I tried to use NetMQCertificate for CURVE (https://github.com/zeromq/netmq/blob/master/src/NetMQ.Tests/CurveTests.cs)
I also tried to use NetMQ.Security (https://github.com/NetMQ/NetMQ.Security/blob/master/tests/NetMQ.Security.Tests/SecureChannelTests.cs)
Can someone pls help me with an example? or with a direction?
Related
I am trying to understand the use of hadoop.ssl.hostname.verifier. As per https://hadoop.apache.org/docs/r2.7.4/hadoop-project-dist/hadoop-common/core-default.xml there are these possible values. The hostname verifier to provide for HttpsURLConnections. Valid values are: DEFAULT, STRICT, STRICT_I6, DEFAULT_AND_LOCALHOST and ALLOW_ALL
The associated codebase at https://github.com/c9n/hadoop/blob/master/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/ssl/SSLHostnameVerifier.java has also described a bit more about the values, but I am trying to see where should I this in the log message or associated impact. The https endpoints for namenode or any other services do not seem to show any difference in responses. Appreciate if someone can tell me how to test the impact of different values.
I currently need to parse the CommonName from a packet. I have code that works up to a point, however am having trouble skipping over the "issuer" member of a Certificate record for TLSv1.2. I have done research on the format of the SSL records and have investigated the dump via wireshark. I've found the format is generally - Length, followed by the data. However when trying to find the issue length, I cannot seem to get it, and is inconsistent with the bytes presented. Any ideas..or a better way to skip over the issuer field, and go directly to the "subject" of an TLS 1.2 record. Coded in C..Thank you for useful responses.
You need to understand ASN.1. Go read this book (it is a free download). Once you have read and understood it, you can write your decoder, following the ASN.1 specification for certificates. This is doable, but requires great implementation care. In fact, this is a bad idea unless you are a demi-god of C programming.
Alternatively, use some library that already knows how to decode a certificate. Typically, OpenSSL.
Does anyone know if Netty provides reliable messaging (acks) and sequence ordering for UPD messages? I am looking for a Java messaging library that will allow me to write a game server but provide that functionality so that I don't have to write it.
OK - I found the answer. It does! It provides UDT via these packages:
io.netty.channel.udt
io.netty.channel.udt.nio
Which include these classes:
UdtChannel
UdtChannelConfig
UdtChannelOption
UdtMessage
UdtServerChannel
UdtServerChannelConfig
and these ones:
NioUdtAcceptorChannel
NioUdtByteAcceptorChannel
NioUdtByteConnectorChannel
NioUdtByteRendezvousChannel
NioUdtMessageAcceptorChannel
NioUdtMessageConnectorChannel
NioUdtMessageRendezvousChannel
NioUdtProvider
And it also provides plain UDP via these classes:
DatagramChannel
DatagramChannelConfig
DatagramPacket
The Tripple Handshake Issue was disclosed lately. Wether disabling session resumption will mitigate this or not, is a topic for another question. Let's assume I want to disable it for whatever reason (basicly my paranoia).
To disable this in C, it seems like one should use this:
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
Can someone please confirm this?
But how to do this in pyopenssl?
Starting with pyOpenSSL 0.14 this is possible:
from OpenSSL.SSL import TLSv1_2_METHOD SESS_CACHE_OFF, Context, Connection
ctx = Context(TLSv1_2_METHOD)
ctx.set_session_cache_mode(SESS_CACHE_OFF)
conn = Connection(ctx, ...)
Earlier versions of pyOpenSSL do not expose these APIs.
If you also need to turn off session tickets then:
from OpenSSL.SSL import OP_NO_TICKET
...
ctx.set_options(OP_NO_TICKET)
Can someone please confirm this?
I believe Dr. Henson answered this over at the OpenSSL User Mailing list.
the attack described in https://secure-resumption.com/ breaks also tls
channel binding tls-unique RFC 5929.
I would still like to use tls-unique for channel binding as defined in
SCRAM (RFC 5802). Can OpenSSL be used for channel binding and protect
against this attack if the session caching is disabled?
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)
Is it necessary to disable resumption using a different function?
You'd also need to disable session tickets too.
Note the initiial phase of the attack requires that the attacker
possess a private key and certificate the client trusts. I'd be
interested to know how that could happen under your circumstances.
So, according to Dr. Henson, you also need to call SSL_CTX_set_options with SSL_OP_NO_TICKET. See the OpenSSL docs at
SSL_CTX_set_options(3).
I don't know how to do it in Python, though.
I am sending a big endian byte array to a UDP host and all works well, but I need to incorporate proxies into the mix.
From what I've found (or haven't found) there is no straight forward way to use anonymous proxies (or even Socks4/5) with UdpClient. Can anyone help?
You should use System.Net.HttpWebRequest.Proxy for the proxy. Check the MSDN code snippet link for more information. I had a similar problem and this helped.