I'm using jetty v9.4.9. I want to authenticate the requests using client certificate. I have configured keystore file in 'jetty-base\etc'. I'm using self-signed certificates in both server and client.
I have a server certificate and root certificate. I have used OpenSSL to generate keystore file.
From https://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html,
Generating pkcs12 file:
$ cat example.crt intermediate.crt [intermediate2.crt] ... rootCA.crt > cert-chain.txt
$ openssl pkcs12 -export -inkey example.key -in cert-chain.txt -out example.pkcs12
Loading keystore file:
$ keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
Using above methods, I have generatd 'new_keystore' file. I have configured the newely generated keystore file in jetty-base\start.d\ssl.ini as
jetty.sslContext.keyStorePath=etc\new_keystore
jetty.sslContext.trustStorePath=etc\new_keystore
Now I'm sending request using cURL in Windows
Request:
curl -v --cacert root.crt --key client.key --cert client.crt https://localhost:8443
This results in unknown certificate error
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, certificate unknown (558):
* error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
* Closing connection 0
curl: (35) error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
In jetty, how to identify the reason behind the unknown certificate error? Can it be configured to displayed on log file? How to debug and fix it?
Related
I have created a self signed certificate using keytool. Full command is
keytool -keystore server.p12 -alias server_key -keyalg rsa -ext ku=DigitalSignature,keyEncipherment,dataEncipherment
I added this keystore to my web server as well. There was no there. My question is about how to curl to the server without skipping verification. (I don't want to use -k option). I exported the server certificate using the following command
keytool -export -keystore server.p12 -alias server_key -file server.crt
With curl -v --cacert server.crt https://host:port, the following is the error even though server certificate is provided for curl.
* Rebuilt URL to: https://localhost:5443/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/innsh/Downloads/cacert.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
For testing purposes I am trying to setup an https server, only for communication within a local network. TLS two way authentication and also OCSP stapling has to be used (due to the requirements of the client).
For nginx I have a basic setup:
listen 44300 ssl default_server;
listen [::]:44300 ssl default_server;
ssl on;
ssl_certificate /home/user/work/Telematics2/server/certificate.crt;
ssl_certificate_key /home/user/work/Telematics2/server/certKey.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_verify_client optional_no_ca;
ssl_client_certificate /home/user/work/Telematics2/client/certificate.crt;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /home/user/work/Telematics2/server/concat.crt;
For testing I created server and client keys on my local machine with following commands:
openssl genrsa -out rootCA.key 1024
openssl req -new -x509 -days 3650 -key rootCA.key -out rootCA.crt -config validation.cnf -subj /C=DE/ST=BW/L=Earth/O=CompanyName/OU=IT/CN=X.X.X.X/emailAddress=email#example.com
openssl genrsa -out certKey.key 1024
openssl req -new -x509 -days 3650 -key certKey.key -out certificate.crt -config validation.cnf -subj /C=DE/ST=BW/L=Earth/O=CompanyName/OU=IT/CN=X.X.X.X/emailAddress=email#example.com
openssl x509 -x509toreq -in certificate.crt -out CSR.csr -signkey certKey.key
openssl ca -batch -startdate 150813080000Z -enddate 250813090000Z -keyfile rootCA.key -cert rootCA.crt -policy policy_anything -config validation.cnf -notext -out certificate.crt -infiles CSR.csr
openssl req -new -nodes -out ocspSigning.csr -keyout ocspSigning.key -subj /C=DE/ST=BW/L=Earth/O=CompanyName/OU=IT/CN=X.X.X.X/emailAddress=email#example.com
yes | openssl ca -keyfile rootCA.key -cert rootCA.crt -in ocspSigning.csr -out ocspSigning.crt -config validation.cnf
The config contains following extra lines:
[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://X.X.X.X:8080
[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning
I then started an OCSP server with openssl:
openssl ocsp -index demoCA/index.txt -port 8080 -rsigner ocspSigning.crt -rkey ocspSigning.key -CA rootCA.crt -text
and tried to access a simple html file on the server:
curl -v -L -k --cert /home/user/work/Telematics2/client/certificate.crt --key /home/user/work/Telematics2/client/certKey.key https://X.X.X.X:44300/index.html --cert-status --cacert /home/user/work/Telematics2/server/rootCA.crt
This gives me the following output:
* Trying X.X.X.X...
* TCP_NODELAY set
* Connected to X.X.X.X (X.X.X.X) port 44300 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/user/work/Telematics2/server/rootCA.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=DE; ST=BW; L=Earth; O=CompanyName; OU=IT; CN=X.X.X.X; emailAddress=email#example.com
* start date: Aug 13 08:00:00 2015 GMT
* expire date: Aug 13 09:00:00 2025 GMT
* issuer: C=DE; ST=BW; L=Earth; O=CompanyName; OU=IT; CN=X.X.X.X; emailAddress=email#example.com
* SSL certificate verify ok.
* No OCSP response received
* stopped the pause stream!
* Closing connection 0
* TLSv1.3 (OUT), TLS Unknown, Unknown (21):
* TLSv1.3 (OUT), TLS alert, Client hello (1):
curl: (91) No OCSP response received
and the nginx error.log says:
2020/02/19 14:53:04 [error] 29340#29340: OCSP_basic_verify() failed (SSL: error:2706A067:OCSP routines:ocsp_check_delegated:missing ocspsigning usage error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted) while requesting certificate status, responder: X.X.X.X, peer: X.X.X.X:8080, certificate: "/home/user/work/Telematics2/server/certificate.crt"
But the above started ocsp server actually prints:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = DE, ST = BW, O = CompanyName, OU = IT, CN = X.X.X.X, emailAddress = email#example.com
Produced At: Feb 19 14:17:18 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 3CFD1A620E876EB93992CA04B1903C354AC6C614
Issuer Key Hash: 1E01DD83D567E3E111FD89E26B2636964C26AFDC
Serial Number: 01
Cert Status: good
This Update: Feb 19 14:17:18 2020 GMT
I am not really an expert on this topic so I don't really know what to do next. I feel like the issue might be with the certificates, because it is the part I am most unsure about. I don't really need the security provided by OCSP but the client requires this step for a successful authentication, but it would be fine if I can just trust any CA if this is somehow possible.
Probably because your ocspserver is running on localhost. Assuming you server from which youre trying to access the https url is not in the same machine Not sure.Trying to do a similar thing. Please let me know if i am wrong. or if you have a solution
Trying to integrate some APIs and landing into a handshake failure error. i don't know where i am going wrong.
here is the curl request
curl -v -k --request POST --header 'Content-Type: application/xml' https://10.156.145.219:8017 --header 'Content-Type: application/xml' --data-raw '<?xml version="1.0" encoding="UTF-8"?>
<ns0:getfinancialresourceinformationrequest xmlns:ns0="http://www.ericsson.com/em/emm/serviceprovider/v1_0/frontend">
> > > <resource>fri:000001#ens.esdsacco/SP</resource>
> > > <accountholderid>ID:256780292729/MSISDN</accountholderid>
> > > <extension>
> > > <requestType>msg</requestType>
> > > <operationType>LOANAPPLICATION</operationType>
> > > <amount>6000</amount>
> > > </extension>
> > > </ns0:getfinancialresourceinformationrequest>' --cacert 63.35.60.38-testbed.crt
Note: Unnecessary use of -X or --request, POST is already inferred.
* Rebuilt URL to: https://10.156.145.219:8017/
* Trying 10.156.145.219...
* TCP_NODELAY set
* Connected to 10.156.145.219 (10.156.145.219) port 8017 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: 63.35.60.38-testbed.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Any help out there?
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
The server is requesting a client certificate for mutual authentication but you don't provide one. Therefore the server will abandon the handshake. Check your API documentation of what kind of client certificate is expected and where do you get it.
I have set up an elsatic stack in my laptop and I have configured full stack (filebeat, logstash, elasticsearch and kibana) in it. But now I need to connect filebeat and logstash in a secure manner using SSL. But after using the self signed certificates taht I have created on my own it throws the following error when I try to verify the certificate with following curl request
**curl -v --cacert ca.crt https://localhost:5044**
The error -->
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
It gives the above sslv3 handshake failure.
I have followed the following guideline to create the self signed certificate that can be configured with logstash
https://benjaminknofe.com/blog/2018/07/08/logstash-authentication-with-ssl-certificates/
I have followed those steps that suitable to my implementation.
Here is the full handshake output that i have received from the curl request
* Rebuilt URL to: https://localhost:5044/
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: ca.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Here is my logstash.config file tha used in openssl key creation. I have given common name as localhost because that's how I mapped in /etc/hosts
127.0.0.1 localhostt
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = XX
stateOrProvinceName = XXXXXX
localityName = XXXXXX
postalCode = XXXXXX
organizationName = XXXXXX
organizationalUnitName = XXXXXX
commonName = localhost
emailAddress = XXXXXX
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = #alt_names
[alt_names]
DNS.1 = localhost
logstash input plugin
input {
beats {
port => 5044
ssl => true
ssl_certificate_authorities => ["/home/ssl/ca.crt"]
ssl_certificate => "/home/ssl/logstash.crt"
ssl_key => "/home/ssl/logstash.key"
#ssl_verify_mode => "force_peer"
client_inactivity_timeout => 1000
}
}
I expected to have configured ssl certificates that are accepted by logstash. But they are not accepted when I try to verify them with the curl reuqests
I have setup docker in non-ssl mode by editing /etc/default/docker and setting DOCKER_OPTS="-H=0.0.0.0:2375".
Now when I start docker and connect to it using curl curl -sv http://10.24.16.17:2375/v1.22/containers/json, I get some response.
When I secure the docker using certificates (ca.pem, server-key.pem, server-cert.pem) and editing /etc/default/docker
DOCKER_OPTS="--tlsverify --tlscacert=/home/ubuntu/certs/ca.pem --tlscert=/home/ubuntu/certs/server-cert.pem --tlskey=/home/ubuntu/certs/server-key.pem -H=0.0.0.0:2376"
I am not able to connect service using curl:
curl -sv https://10.24.16.17:2376/v1.22/containers/json
I get the following output:
* Hostname was NOT found in DNS cache
* Trying 10.24.16.17...
* Connected to 10.24.16.17 (10.24.16.17) port 2376 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
I am able to run docker ps -a command using CLI though, only cURL to hit the API endpoint does not work.
When I try curl -sv --cacert /home/ubuntu/certs/ca.pem https://10.24.16.17:2376/v1.22/containers/json, I get:
* Hostname was NOT found in DNS cache
* Trying 10.24.16.17...
* Connected to 10.24.16.17 (10.24.16.17) port 2376 (#0)
* successfully set certificate verify locations:
* CAfile: /home/ubuntu/certs/ca.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
* Closing connection 0
I read somewhere that the above error may be due to corrupt ca.pem file, but that may not be the case as the command docker ps -a was able to connect to docker host using the same ca.pem file.