I am trying to call some REST API toward the server authorises only certificates. I have set the certificates in Postman (.crt, .key and .pfx files and passphrase). But when I make a REST API call, I see Postman console logs that certificate files are included in the request but I get
Error: mac verify failure
I searched on internet and found some conversations suggesting this error is caused by wrong or missing passphrase, but I am sure I am providing correct passphrase (the one I set when converting pfx file to .crt file).
I am not sure if I should provide the passphrase I set while converting pfx file to crt file or somthing else?
Any help is highly appreciated.
Thanks
Please try to select only the CRT and Key files and leave PFX empty.
If you used a passphrease for generating the CRT File, you have to put it in the "passphrase" field. Otherwise leave "passphrase" blank.
If its still not working, please provide more informations.
Related
I'm new to Jmeter and I have the following case:
I'm trying to record using Jmeter by going to github.com/login. I set localhost and port to jmeter, also to Mozilla. Certificate created by jmeter is added to mozilla.
If I access for example stackoverflow, it works, but if I want to go to github I don't have the button Accept the risk and continue as it was for stackoverflow, therefore github can't be accessed. I even installed a clean Mozilla in order to not have any old certificate for github.
Does anyone know why is this happening?
jmeter configuration
github certificate message
firefox proxy config
Later edit: This is how it looks for example
stackoverflow
I'm not able to access facebook, google besides github.
It is a matter of certificate installation. Once you install the certificate, there shouldn't be an "Accept the risk and continue". Rather you should be able to directly navigate to the website.
Please try the below steps to install appropriately in Firefox
Launch Firefox -> Navigate to Options -> Search Certificates -> Click View Certificates -> Click on "Authorities" tab -> Click Import -> Choose certificate file types to include ".crt" files in the File Browser Pop-up -> Choose "ApacheJMeterTemporaryRootCA.crt"
Pop-up such as this should appear if you have followed appropriately
Check Trust this CA to identify Websites -> Click OK -> Navigate to Authorities tab once again -> Ensure JMeter certificate is available
If all the above steps are followed, you should be able to record https://github.com/login without any hiccups
Why this error appears in the first place
Basically when a browser tries to access a website via HTTPS, it tries to establish a secure connection post validation of the SSL certificate. In our case, since JMeter is the proxy with which Firefox interacts, Firefox believes it is the actual server and hence it is trying its best to ensure your safety by preventing you from sending the request since JMeter's SSL certificate is not one of the approved SSLs (not part of Trusted CA certificates).
How the certificate helps
When you add the JMeter's Root CA certificate into Trusted CA folder, you let Firefox know that SSL provided by JMeter is trustworthy and hence things are alright
Hope this helps!
You need to import JMeter's certificate into Firefox browser in order to be able to intercept and decrypt secure traffic, see HTTPS recording and certificates chapter of the HTTP(S) Test Script Recorder documentation for more details.
Remember that JMeter's MITM certificate has limited lifetime (7 days as of JMeter 5.3), so it might be the case you need to re-import the certificate if it's expired. The lifetime of the certificate is controlled by proxy.cert.validity property
If you still experience problems try cleaning your browser history and remove everything from the beginning of the time, it will remove cached certificates as well
More information: Recording HTTPS Traffic with JMeter's Proxy Server
Also be aware that you can use an alternative way of recording a JMeter test - JMeter Chrome Extension, in this case you won't have to worry about proxies and SSL certificates
Ignore the following, go to "#edit2"
i read a lot about SSL certificates but still i can't figure out the following:
I have a program that does a POST to my API, how do i make this program do it using the Certificate, i mean to protect the information sent.
Do i have to include the certificate in the client? or when it does the post it first asks the server for the certificate?
In the case that it should include the certificate, isn't that unsafe?
Because stackoverflow asks me to say the following:
I already tried reading a lot about SSL certificates, this https://medium.freecodecamp.org/https-explained-with-carrier-pigeons-7029d2193351 helped me a lot but still i don't get how it works for my case.
If there is any way i can try, any website that i can easy use to make an HTTPS Post, please tell me.
Thanks in advance
#edit1: To be honest, after posting this i found the right words to search on google and i found this post:
https://security.stackexchange.com/questions/110621/ssl-newbie-does-https-client-also-need-a-certificate
But i wanted to know if this applies for the following case:
file.exe doing POST to api on server (sending username and password), server answering the file.exe with "you are logged in" or "nop, wrong pw/user".
If i have SSL enabled on my page, will my .exe send the information in plain-text? and, will my API answer with plain-text?
Should i do this with POST or GET? i read that POST is better because it sends the information on the Body instead of the URL, but will the answer from the API be protected by the certificate in this case?
Thanks in advance.
#edit2: Editing 1 more time because thanks to #Ladislav Louka (idk the right way to tag someone) i found that i can intercept the packets and check that this by myself.
My last question is:
Do i need to include the certificate on the client to make everything secure? I mean, does the server really need to know if it's my client that is doing Requests? Couldn't this be unsafe because the certificate could be stolen? like the secret key? and then used for another app to do a brute force attack on my page?
We are facing CORS issue in Jmeter UI recording:
CORS request did not succeed
We have website uat.torchmarkets.com which internally calls tradeuat.torchmarkets.com in which has security check for Cross Domain Request. Sharing. We want to do UI recoding for uat.torchmarkets.com
Below is jmeter UI recorder setting
Below is proxy settings in browser. The subdomain loadtesting.torchmarkets.com is whitelisted.
Below is there CORS error

Any help to solve this issue will be much appreciated!
Thanks in advance!!
In my case the CORS error vanished after importing JMeter's certificate.
In JMeter's bin folder, you will find a .crt file. This one needs to be imported into the browser. I have tested it only with Firefox.
In Firefox, go to Privacy & Security settings section where you
find View Certificates...
Select the Authorities tab
Click on Import... and browse for JMeter's certificate
Check This certificate can identify web sites. and confirm
From that point on you should see no further CORS errors, until the certificate expires, which is by default 7 days.
Optionally, in the bin folder of JMeter find the file jmeter.properties and change the validity period of the certificate if you need it for longer than the default 7 days by changing the value proxy.cert.validity and let the certificate regenerate.
Im having issues with angular.io in my enterprise network caused by the certificate. Looking more in detail I noticed its been signed for *.firebaseapp.com. However it looks valid in my phone. Android screenshot
It doesnt make any sense, you cant have a valid ssl connection if the certificate was signed for another domain. Does anoyone understand whats happening with that certificate and why its look valid for my android browsers?
Thanks
If you look at the certificate details all look at the long list of Subject Alternative Names you will see that *.angular.io is covered under there. You can read more about those here.
Basically, it's just a list of hostnames that can used with one certificate.
.
I'm having a hard time adding my SSL cert on Parse.
I get this "App's custom domain name must match certificate CN" error. I've been following this https://www.digicert.com/csr-creation-ssl-installation-parse-php-sdk.htm#install_ssl_certificate tutorial even though i'm using javascript for my backend not PHP.
I get a checkmark (no errors) when I add my Host name so there's nothing wrong with that it would seem. I've created a .pem file with the entire SSL cert trust chain, tried uploading it but I get the same error. And just for the heck of it I also uploaded my Primary Cert without attaching intermediary or root certs which didn't work either.
I've created the CSR similar to what was shown in the example. Are there any other online help like a pay per session with a Parse developer? Because this is driving me crazy
In the Parse docs Https section it just says to upload your custom domain cert. I have my cert for my custom domain and I'm trying to upload it so why am I getting this error?