Error: openssl handshake, server does not respond - ssl

I have this problem using CentOS 7: when I try to connect with SSL while using my local internet provider, the handshake blocks after the client hello.
openssl version: OpenSSL 1.1.0g 2 Nov 2017
openssl s_client -connect 151.3.144.205:9093 -state -nbio 2>&1
CONNECTED(00000003)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
If I use a mobile connection, the handshake goes ahead.
The certificates are generated for the Kafka server, and I used the common guide to generate them.
I guess it is a problem with openssl.

I guess it is a problem with openssl.
If it were a problem with openssl, then it would not work with the mobile connection either, assuming that you are using the same openssl with the mobile connection and without.
It is more likely that there is some firewall which blocks access on your normal connection and that by using the mobile connection you bypass the firewall. Thus, search for the cause of the problem in your network and not in openssl.

We found the problem to be in the CentOS 7 or OpenSSL version: we installed a Debian server machine with the same Kafka and ZooKeeper configuration and that solved the problem.
I guess that there is a bug in the CentOS OpenSSL version, because it's impossible that the TCP communication under SSL security would be interrupted at the first client presentation with no server hello response.
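The diagnostic the accepted answer implies, as an added example that is not part of the original thread: tell "port unreachable" apart from "TCP connects but nothing ever comes back after the ClientHello", which is the signature of a middlebox dropping TLS on the path. Host, port and the GNU `timeout` dependency are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): classify where a TLS handshake
# stops so a stall can be attributed to the network rather than to openssl.

# Capture a handshake trace. The post used -nbio, which reports the stall as
# "write R BLOCK" at once; with blocking I/O s_client would just sit in read,
# so a hard timeout (GNU coreutils `timeout`, assumed installed) is needed.
capture_trace() {
    timeout 10 openssl s_client -connect "$1:$2" -state </dev/null 2>&1
}

# Classify a -state trace into one of:
#   no_tcp                     - no CONNECTED line: refused, filtered or unroutable
#   handshake_ok               - negotiation finished
#   handshake_failed           - peer answered, but with an alert, a reset or a
#                                message the client could not accept
#   stalled_after_client_hello - TCP is up, ClientHello left, nothing came back
classify_trace() {
    case $1 in
        *CONNECTED*) ;;
        *) echo no_tcp; return ;;
    esac
    case $1 in
        *"SSL negotiation finished successfully"*) echo handshake_ok ;;
        *"alert read:"*|*"read server hello"*|*"Cipher is (NONE)"*) echo handshake_failed ;;
        *) echo stalled_after_client_hello ;;
    esac
}

# Usage: sh tls_probe.sh 151.3.144.205 9093   (no arguments: only defines functions)
if [ $# -eq 2 ]; then
    result=$(classify_trace "$(capture_trace "$1" "$2")")
    echo "$1:$2 -> $result"
    # stalled_after_client_hello on one network but handshake_ok on another points
    # at a firewall/DPI device between you and the broker, not at the OpenSSL build.
fi
```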

Related

Send TLS shutdown as a client with openssl commandline

I am using openssl commandline as a client to communicate with a server that uses TLS like so:
openssl s_client -connect localhost:xxxx
I want the client to send TLS shutdown to the server with the command line. How can I do this?
A TLS shutdown is sent on TLS connection close. There is no way supported in s_client to explicitly trigger an SSL_shutdown but keep the underlying TCP connection open.
A close can for example be triggered by entering "Q" on the input, see CONNECTED COMMANDS in the documentation. See also the comment from dave_thompson_085 for other ways how a close can be triggered.

Mock server for https connection

I have learnt about SSL and SSL certificates used on the client and server side. I pretty much understand how things work and have generated server and client certificates and keys. I have studied how I can use my own CA with https in Android.
I want to set up a server where I can put the server certificate and then access it from my Android device to make an emulation of what I have learnt so far.
Is there any server available where I just need to put cert and key and it will start working? I have gone through wamp and apache configuration stuff but unfortunately I am unable to make it work properly.
If you're using OpenSSL, it includes a very simple server named s_server which is very useful for this kind of experimentation. Here's an example that might get you started:
$ openssl s_server -key test.key -cert test.crt -accept 8443 -WWW
This will serve up files in the current working directory from https://localhost:8443/
The manpage for s_server should give you all the info you need. I think you'll want the -CApath or -CAfile options if you're also experimenting with client certs.
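A complete local lab around the s_server command above, as an added example that is not part of the original answer: it generates a self-signed certificate, serves a file with -WWW, and fetches it with s_client trusting only that certificate, which is the check an Android client pinned to a private CA performs. Port, file names, the CN and the GNU `timeout` dependency are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): throwaway HTTPS lab built on
# openssl s_server, with the client verifying the chain against our own CA file.

# 1. Self-signed key + certificate for localhost, valid one day (lab use only).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$WORKDIR/test.key" -out "$WORKDIR/test.crt" 2>/dev/null
}

# 2. Serve $WORKDIR: with -WWW a request for /index.html returns ./index.html.
#    Prints the server's PID so the caller can stop it later.
start_server() {
    ( cd "$WORKDIR" && printf 'hello from s_server\n' > index.html &&
      exec openssl s_server -key test.key -cert test.crt -accept "$PORT" -WWW
    ) >/dev/null 2>&1 </dev/null &
    echo $!
}

# 3. Fetch the page trusting only our own certificate; -CAfile stands in for
#    the system trust store, so verification succeeds only against test.crt.
fetch() {
    printf 'GET /index.html HTTP/1.0\r\n\r\n' |
        timeout 10 openssl s_client -connect "localhost:$PORT" \
            -CAfile "$WORKDIR/test.crt" -ign_eof 2>&1
}

# Extract N from s_client's "Verify return code: N (...)" line.
# 0 = chain verified; 18 = self-signed leaf not trusted; 21 = issuer not found.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Usage: sh https_lab.sh run   (without the argument only the functions are defined)
if [ "${1:-}" = run ]; then
    WORKDIR=$(mktemp -d); PORT=8443
    make_cert
    pid=$(start_server); sleep 1
    out=$(fetch); kill "$pid"
    code=$(verify_code "$out")
    [ "$code" = 0 ] && echo "chain verified (code 0)" || echo "verify failed: code '$code'"
    rm -rf "$WORKDIR"
fi
```

Run the client again without -CAfile and verify_code returns 18: that is the "self signed certificate" result a real client would refuse, which is why the app must ship the CA file.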

Decrypt SSL no client certificate in Wireshark Tutorial

I'm right now at this tutorial wiki.wireshark.org
Everything went fine at first; I could start the server with openssl.
Afterwards I wanted to send an SSL message with this code in my bash shell.
printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -ign_eof
In the output I had the problem of no client certificate, or just a self-signed certificate.
It would be great if you had a hint for me; I've been trying for hours.

How to disable SSLv3.0 and use TLS1.0 in Gunicorn

I am running Django 1.7 with gunicorn. I am able to use https with gunicorn by passing the certificate and key file as parameters.
When I validate my server by geotrust ssl tools, it says everything is fine except -
This server may be vulnerable: SSLv3 is enabled
Disable SSLv3 and use TLS 1.0 or higher.
I am new to this and not able to understand how to do this. Is this related to the machine, or is this related to gunicorn?
gunicorn --ssl-version TLSv1_2 -b 0.0.0.0:8000 project:app
This should enable TLSv1.2 on port 8000. You can also check if TLSv1 is still active by running the command below; if the connection is established, then the target uses TLSv1.
openssl s_client -connect hostname:port -tls1
You can also check for tlsv1.2:
openssl s_client -connect hostname:port -tls1_2
Replying to an old thread here: in order to disable anything but TLSv1.2+, and to disable weak ciphers, allowing you to pass the SSLLabs tests:
The gunicorn option --ssl-version allows you to set the minimal SSL version to use.
The gunicorn option --ciphers allows you to enable/disable cipher sets or specific ciphers.
Both options accept OpenSSL standard directives.
Good cipher lists can be found on cipherli.st
As of April 2021, in order to have a secure SSL connection according to SSLLabs, I used the following:
/usr/bin/gunicorn --ssl-version=TLSv1_2 --ciphers='DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK' --certfile=/etc/pki/tls/certs/mycert.crt --keyfile=/etc/pki/tls/private/mykey.key
Warning: The single quotes need to be removed if the command line is to be put in a systemd unit file.
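The two checks the answers above describe, as an added example that is not part of the original answers: probe from the outside which protocol versions a listener still accepts, and expand a gunicorn --ciphers string with `openssl ciphers` to see what it really enables. Host, port, the script name and the GNU `timeout` dependency are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): audit a TLS listener's accepted
# protocol versions and the cipher string handed to gunicorn.

# s_client prints "New, <proto>, Cipher is <NAME>" on success and
# "New, (NONE), Cipher is (NONE)" when the requested version was turned down.
judge_handshake() {
    case $1 in
        *"Cipher is (NONE)"*) echo rejected ;;
        *"Cipher is "*)       echo accepted ;;
        *)                    echo rejected ;;   # no transcript: refused, timed out, or
    esac                                         # this openssl build lacks the version
}

# One version per call; flag spelled as s_client takes it: -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3
probe_version() {
    out=$(timeout 10 openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    judge_handshake "$out"
}

# Expand a cipher string the way OpenSSL will for gunicorn and count the entries
# a scanner flags (RC4, MD5, single/triple DES, NULL encryption or authentication).
weak_cipher_count() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -Ec 'RC4|MD5|DES|NULL' || true
}

# The cipher string from the answer above, kept verbatim.
HARDENED='DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK'

# Usage: sh tls_audit.sh myhost 8000   (no arguments: only defines the functions)
if [ $# -eq 2 ]; then
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
    echo "weak entries with --ciphers='$HARDENED': $(weak_cipher_count "$HARDENED")"
    echo "weak entries with --ciphers='DEFAULT':   $(weak_cipher_count DEFAULT)"
fi
```

Anything older than TLSv1.2 reported as accepted means the --ssl-version setting did not take effect on the listener you are probing.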

In telnet, what replaces <starts TLS negotiation>?

In the following document: http://www.ietf.org/rfc/rfc2487.txt
It states that after running STARTTLS the client must do <starts TLS negotiation>.
What should I write there in place of that?
My aim is to emulate a connection to Zoho's mail server: https://www.zoho.com/mail/help/zoho-smtp.html through command line.
Can anyone help, please?
If you are to use telnet for connecting to a mail server using TLS, then you will have to perform the handshake operations manually. But these handshake operations can be automated by using an open source library which implements TLS. One such library is OpenSSL. Below is the openssl command with which you can try connecting to the mail server using TLS:
openssl s_client -starttls smtp -connect smtp.zoho.com:587 -crlf -ign_eof