I need to connect to Redis with SSL. I have a host and port number but also a servername for TLS SNI. The openssl equivalent is :
openssl s_client [-connect host:port] [-servername name].
I couldn't find in Lettuce wiki the option for SNI. Can anyone bring some light here? Thanks.
Related
SYSTEM INFORMATION
OS type and version CentOS Linux 7.5.1804
Webmin version [1.998]
Virtualmin version [7.1]
I installed a wildcard ssl certificate from Letsencrypt but in the browser when verifying the certificate it shows CN = “domain.com” not “*.domain.com”.
What do I need to do, what settings to enter in order to display the correct wildcard certificate?
Thanks!
The server is not properly configured. TLS works with IPv4 for both 2much.info and bauhaus.2much.info. For IPv6 though there is no address with 2much.info but there is one for bauhaus.2much.info. Only, TLS is not enabled here, it returns instead plain HTTP on port 443.
IPv6 capable clients will usually prefer IPv6 to IPv4. The attempt of using Opera without VPN might be done in a IPv4 environment, so the working IPv4 address is used. When using the VPN though other systems will access the target and these might be IPv6 enabled - in which case the access fails.
This can also be seen in a IPv6 capable environment. It is working with IPv4:
$ openssl s_client -connect bauhaus.2much.info:443 -4
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
But failing with IPv6
$ openssl s_client -connect bauhaus.2much.info:443 -6
CONNECTED(00000003)
140692571469632:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
There are lot of tools change the sni in data packet. Does ssh use sni or how HTTP injector likes software change the SNI and browse the around the internet.
SNI is an extension to the TLS protocol which allows a client to specify a virtual domain during the connection handshake, as part of the ClientHello message.
SSH and TLS are different protocols and SSH does not use SNI. Changing the SNI while making an HTTPS request just requires changing the value the TLS client presents to the target server while connecting, which is, by default, the name of the host used to resolve the IP address of the TLS server; this can be done by openssl, for example, or even by manually adding an entry to your /etc/hosts, pointing a fabricated host name to a TLS server IP address and using the former to connect to the latter. In these cases, TLS clients complain about the name mismatch between the server certificate and the host name (SNI) you are using - but that can usually be turned off.
Here is how to use a fake SNI example.com while connecting to www.google.com using the openssl's -servername argument:
openssl s_client -connect www.google.com:443 -servername example.com
And here is how to perform a full HTTPS request using cURL, passing the --insecure option to stop it complaining about the certificate name mismatch as well as manually specifying the Host header (which cURL would otherwise take from the passed URL), with the --connect-to argument used to resolve our host:port fabricated pair to the real one:
curl --connect-to example.com:443:www.google.com:443 --insecure \
-H "Host: www.google.com" https://example.com/
I have this problem using centos 7 the problem is when i try to connect with ssl and I'am using local internet provider the handshaking will block after client hello,
openssl version: OpenSSL 1.1.0g 2 Nov 2017
openssl s_client -connect 151.3.144.205:9093 -state -nbio 2>&1
CONNECTED(00000003)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
If I use a mobile connection the handshaking goes ahead.
the certificates are generating for kafka server and I use the common guide to generate it.
I guess is a problem with openssl
I guess is a problem with openssl
If it would be a problem with openssl then it would not work with the mobile connection either, assuming that you are using the same openssl with mobile and without.
It is more likely that there is some firewall which blocks access on your normal connection and that by using the mobile connection you bypass the firewall. Thus, search for the cause of the problem in your network and not in openssl.
We found the problem in Centos 7 or Openssl version, we have installed a debian server machine with the same Kafka and zookeper configuration and we have solve the problem.
I guess that there is a bug in Openssl Centos version, becouse it's impossible
that the communication tcp by ssl secutity were interrupted by the firs client presentation and no server hello response.
I am trying to run a calendar server (Caldavd). I ran into trouble when I enabled SSL. I get the error:
"Unable to Connect Securely
Firefox cannot guarantee the safety of your data on localhost:8443 because it uses SSLv3, a broken security protocol."
I am running on Ubuntu 12.04, have created a self signed certificate, using openssl 1.0.2 (the latest, as far as I can tell), and have added the line
SSLProtocol All -SSLv2 -SSLv3
to my site configuration file.
I am a newbie to Apache, not a sysadmin. I understand why Firefox wants to disable SSLv3 but I don't know what else I need to do.
Verify that you have all the weak ciphers disabled. Since the server is internal use OpenSSL.
openssl s_client -connect localhost:8443 -cipher 'ALL:!RC4' -no_ssl2 -no_tls1_1 -no_tls1_2
If the connection is successful then you know the configurations worked.
How to disable weak ciphers in Apache: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
I am running Django 1.7 with gunicorn. I am able to use https using gunicorn by passing certificate and key file as parameter.
When I validate my server by geotrust ssl tools, it says everything is fine except -
This server may be vulnerable: SSLv3 is enabled
Disable SSLv3 and use TLS 1.0 or higher.
I am new to this and not able to understand how to do this. Is this is related to machine or this is related to gunicorn?
gunicorn --ssl-version TLSv1_2 -b 0.0.0.0:8000 project:app
This should enable TLSV1.2 in 8000 port. you can also check if TLSV1 is still active by running below command. if connection established, then target uses tlsv1
openssl s_client -connect hostname:port -tls1
You can also check for tlsv1.2:
openssl s_client -connect hostname:port -tls1_2
Replying to an old thread here, in order to disable anything but TLSv1.2+ and weak ciphers, allowing to pass SSLLabs tests
Gunicorn option --ssl-version allows to set minimal SSL version to use.
Gunicorn --ciphers allows to enable / disable cipher sets or specific ciphers.
Both options accept OpenSSL standard directives.
Good cipher lists can be found on cipherli.st
As of April 2021, in order to have a secure SSL connection according to SSLLabs, I made the following
/usr/bin/gunicorn --ssl-version=TLSv1_2 --ciphers='DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK' --certfile=/etc/pki/tls/certs/mycert.crt --keyfile=/etc/pki/tls/private/mykey.key
Warning: The singlequotes need to be removed if the commandline is to be put in a systemd unit file.