I am using open source jar (https://github.com/thomaskwscott/kafka-connect-http) to create kafka http sink connector to write message to a third party system. I could see Bad certificate error in receiver's end. SSl certificate is not sent as part of request. Does this open source jar NOT support SSL connection?
It uses HttpUrlConnection rather than HttpsUrlConnection, so I would guess no.
But you should really create a Github issue there asking this question.
Related
We are just starting to use google cloud data fusion for our ETL.
We have a use case to hit a server(self-signed) and get some info using the http-plugin in the data fusion product.
In my pipeline, i am turning off SSL verification to accept any certificates but getting an error
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <on000120.aeo.ae.com> doesn't match any of the subject alternative names: []
Help text for the field also suggests to urn it off. See image.
Could someone please help?
I followed the instructions at https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/ to generate the key and crt files, so I had a file called v3.ext (which includes subjectAltName) and used that to generate the server.crt file. When I started my server with these files, I was able to deploy and run a pipeline using HTTP source from that local HTTPS server. How did you generate your crt and key? Would you please describe the plugins you're using?
I assume that issue that you've reported is not connected with Data Fusion runtime environment, but might be supposedly related the target HTTPS web server SSL/TLS configuration. Most of the time this issue occurs when the common name or SAN(Subject Alternative Name) of your SSL/TLS Certificate does not match the domain or address that you hit in HTTP call, hence this page is not listed in SAN's list and I can suppose that you didn't add any of domain names there.
As far as I know Data Fusion http-plugin, which is based on Java HTTP Client implementation, promotes HostnameVerifier class, that is used for URL's hostname and the server's identification hostname verification during establishing handshake between parties, you may take a look at the source code and find inherited method getDefaultHostnameVerifier() as well. Therefore, this can lead to the error, during http client intentions to launch SSL/TLS connection channel.
Even though, you turned of trust keystore certificate inspection in the plugin settings, the issue will persist because hostname validation still failing.
For my current project i need to implement http over tls at client ,for this i need a local server able to simulate this . is there any online or offline tool. which i can use and and see the handshake in wireshark .
For watching the TLS handshake you might not get far enough with wireshark. For such kind of monitoring you would ensure the security is low enough for wireshark to be able getting the session key from watching the handshake for decoding the later parts. Thus, you need to avoid any forward secrecy.
Otherwise any (https) server that is accessible (and willing to talk) to your client will do.
In case you are in an environment that is supported (e.g. any unix/linux), you might try using openssl. It allows setting up a server that will do handshake. And it will log the handshake such that you will be able looking at what is going on. This will eliminate the need for using wireshark for debugging.
For achieving this you need a Web Server accepting connection over TLS.I have achieved this on Apache Tomcat web Server.
TLS configuration needs to be done in the server.xml file present in config directory of Tomcat webserver. Connector tag needs to be added in the server.xml file that contains information like
TLS version to be used, port, List of supported Cipher Suites, Keystore path and password, Truststore path and password.
Any regular Rest client can be used to make a call like Postman client. But to use that over TLS/SSL certificate is needed to be installed in Chrome browser.
Hope this answers your doubt.
I have a bunch of linux servers configured to push logs to another fluentd server using the fluent-secure-output plugin. Now I'd like to configure our windows servers using nxlogs.
I read a bit on the om_ssl nxlogs module, but I am puzzled about the shared key. Basically, fluentd's secure-output plugin requires a shared key to be identical everywhere for authentication (this is not tied to the certificates at all). But I can't see how I could specify this key in nxlog's om_ssl configuration.
Is this even supported at all? Is it possible to use nxlogs to forward to an ssl fluentd server?
It looks like they have their own authentication protocol over TLS that uses shared_keys (i.e. passphrase) on the client side instead of using private keys. I don't know why that is needed but NXLog and most other log aggregator solutions (rsyslog, syslog-ng, logstash, etc) use plain TLS which can provide proper authentication for both the client and the server.
The protocol is described in their GitHub README and I doubt it will work with NXLog's om_ssl or anything else other than Fluentd's out_secure_forward.
The Fluentd input/output plugin to forward fluentd messages over SSL with authentication, works only between the two plugin (which is actually the same one) using authentication by shared_key check from both of client(out_secure_forward) and server(in_secure_forward).
So unfortunately you can't sent it through your nxlog only through out_secure_forward.
I've created a Spring Boot application that I'm running as a poor man's daemon to call another Java service on another tomcat instance. I'm getting an SSL error when connecting to the other Java service but if I hit the other service with something like SoapUi(or Postman) using the same URL and headers I get an OK response. So something must be wrong with my Spring Boot configuration.
I'm using the same JKS for Spring Boot and SoapUI. I've tried using the cert in the application.properties as well as specifying it on the command line using -Djavax.net.ssl.keyStore as well as the related password parameter.
When I run the other service locally without SSL I can connect just fine via my Spring Boot application.
The SSL error I'm getting is: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
Best I can think is that SoapUI(or Postman) identify's itself as a client application and my Spring Boot identifies itself as a server? So I think I'm asking how can I make Spring Boot identify itself as a client but I'm still not sure I understand the SSL error to begin with.
You have a multitude of problems. First off, soapui doesn't do verification of the server SSL certificate when it connects, java by default does not. You can however configure java client to also ignore server cert verification.
How to ignore depends on what client you use, apache httpclient is the most common one and you can find details on that in this thread.
Now, you should not really do that. Instead, you should have a trust store that contains the certificates that would validate the server cert. In that case you would be interested in truststore configuration, not a keystore - keystore is for other way around, when you're identifying yourself to some other party. You'd need to import the root CA and intermediate certificates to your trust store, then point to that in your configuration.
I'm working with Delphi and using Indy components for SSL connection. I had Fiddler2 running and was able to see SSL traffic, but had to upgrade Indy to newer version because it had some errors. For compatibility between Indy and OpenSSL I also upgraded to OpenSSL1.0.2a. After this upgrade it seems that it has switched to SSL3.3 a newer protocol than what was used before. I installed Fiddler4.5, .NET framework 4.5 and enabled TLS1.2 as descriped on http://blogs.telerik.com/fiddler/posts/13-02-11/fiddler-and-modern-tls-versions. I also reimported Fiddler's certificate to my trusted root certificates, however i can still not decrypt the SSL traffic.
Following is written in Fiddler:
This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
Fiddler's HTTPS Decryption feature is enabled, but this specific tunnel was configured not to be decrypted. Session Flag 'X-No-Decrypt' was set to: 'PeekYieldedUnknownProtocol'.
A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.
Version: 3.3 (TLS/1.2)
I tried to search Indy and OpenSSL source for the string "X-No-Decrypt", but it does not seem to be included anywhere. Accoring to fiddlers documentation it seems to be a string that you can include if you dont want fiddler to decrypt this particular session, but i have no idea where this string is included from.
Any suggestions?
Thanks /Rune
The text PeekYieldedUnknownProtocol indicates that when Fiddler looked at the first bytes sent by the client within the CONNECT tunnel, those bytes were not those of a HTTPS handshake. To avoid breaking whatever type of traffic is flowing through the tunnel, Fiddler simply passes the bytes back and forth without interpreting them.
To debug this further, your best bet would be to contact me using Help > Send Feedback in Fiddler. If you can send me a SAZ File (File > Save Session Archive) containing the traffic, I can investigate this problem further.
If you can't share a SAZ file, please at least right-click on the CONNECT in the Web Sessions list and choose Properties. Update your question with the value of the x-CONNECT-Peek flag.