NXLog with HTTPS: How to configure SSL and certificate? - ssl

I'm trying to use NXLog to post to a service in https.
Unfortunately, I keep receiving this error for every post attempts:
2018-12-19 09:11:14 ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)
The service we are trying to reach is an HTTPS endpoint with a "Let's encrypt" certificate. I have no problem posting to the endpoint with tools like Postman. But NXLog keeps complaining.
I tried to play with the multiple options of the https module but since I don't really understand what they are and the documentation is not very helpful, I need help.
I tried to put HTTPSAllowUntrusted to TRUE but it doesn't change anything. Also tried to provide .pem file from mozilla and various source in HTTPSCADir and HTTPSCAFile but that doesn't change anything too.
Here is my latest .conf file attemps. Any help to be able to configure SSL would be welcome.
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf
define LOGDIR %ROOT%\data
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _charconv>
Module xm_charconv
AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>
<Extension csv>
Module xm_csv
Fields $contentName, $deviceName, $startTime, $endTime, $contentId, $deviceId
FieldTypes string, string, string, string, string, string
Delimiter ,
</Extension>
<Extension exec>
Module xm_exec
</Extension>
<Extension json>
Module xm_json
</Extension>
<Input in>
Module im_file
File "C:\\MagicInfo Premium\\runtime\\upload\\pop\\report\\*W*.csv"
Exec csv->parse_csv(); to_json();
</Input>
<Output http>
Module om_http
URL https://my-service.com/api/v1/proof-of-play-log/
HTTPSCAFile %CERTDIR%/cacert.pem
ContentType application/json
</Output>
<Route 1>
Path in => http
</Route>
To summarize: What .pem file do I need and what parameter needs to be set to do a simple post to an https endpoint that has a "Let's encrypt" certificate.
EDIT
Finally, I realised NXLog is completely buggy and badly coded so we changed to another solution...

The Intermediates May Be Missing
This is rare and may not be the solution to your problem, but it is a solution to some problems with exactly the same symptoms.
The untrusted very option may be failing because it may allow untrusted cert chains, but not orphaned / incomplete chains (which is slightly different). Though, on second thought, that’s probably not possible to distinguish...
But if it is the case, the extra certa you’d want to include are the intermediates listed in the “active” and “backup” sections at https://letsencrypt.org/certificates/

Related

Custom error page in tomcat for HTTP 501 error

Before anything else, I've already read all those solutions that says I put an error-page block in my application's or tomcat's conf/web.xml and add an error-code block inside with the corresponding location and those didn't work (did those for 404 errors and those worked).
What I already did inside my application's and tomcat's web.xml:
<error-page> <!-- this worked -->
<error-code>404</error-code>
<location>/pageNotFound.html</location>
</error-page>
<error-page> <!-- this did not work -->
<error-code>501</error-code>
<location>/pageNotFound.html</location>
</error-page>
I'm using Tomcat 8.5.63, and the goal is to remove the "Apache Tomcat/8.5.63" part on the response whenever a 501 error appears.
I want to remove this part:
tomcat error response page
The way I'm testing this is that I intercept a request using a pentest tool (I'm using burp suite community) and modify a request to include a Transfer-Encoding: cow header (yes I know that header is invalid).
Any ideas on how to implement a custom page so that the 501 can be handled properly?
The error pages you declare are used in two situations:
To allow developers to customize the appearance of content returned to a Web client
when a servlet generates an error, the deployment descriptor defines a list of error
page descriptions. The syntax allows the configuration of resources to be returned by
the container either when a servlet or filter calls sendError on the response for
specific status codes, or if the servlet generates an exception or error that propagates
to the container.
(Servlet 4.0 Specification, section 10.9.2)
In your case the error happens much earlier during the processing of the HTTP request itself. Therefore you need to modify the server's configuration (server.xml) and add a custom ErrorReportValve (cf. documentation). If all you want is to omit the server's version string, just add:
<Host>
<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" />
...
</Host>

How to enable certain cipher-suites in WildFly?

I want to explicitly enable certain cipher-suites on my WildFly application server.
Therefore I tried to edit the configuration in wildflys standalone.xml.
Let's assume I want to enable the AES128-GCM-SHA256 cipher (cipher suite names from: OpenSSL documentation).
I've edited the standalone.xml file of my WildFly server like this:
<https-listener name="listener" socket-binding="https" security-realm="ssl-realm" enabled-cipher-suites="AES128-GCM-SHA256"/>
The WildFly boots up normally but when I open the page in my browser an error message appears.
Chrome says:
ERR_SSL_PROTOCOL_ERROR
Firefox says:
ssl_error_internal_error_alert
I've tried this with WildFly 8.1 and 8.2.
Anybody out there who can give my an advice how to correctly enable certain cipher-suites?
Regards Tom
You have to add a attribute called "enabled-cipher-suites" to the "https-listener" found at "subsystem undertow" -> "server".
An example for this configuration can be found here.
Unfortunately this example is wrong when it comes to the value of this attribute. You must not name such things as "ALL:!MD5:!DHA" but instead some explicit cipher suites.
You have to call em by their SSL or TLS cipher suites names and not their OpenSSL names.
So instead of "AES128-GCM-SHA256" you have to write "TLS_RSA_WITH_AES_128_GCM_SHA256".
To make the confusion complete you have to use "," instead of ":" as delimiter if you want to name more than one suite.
Regards
Ben
I can confirm Ben's answer. The documentation for how to configure this is sparse. I would suggest the following ciphers to support:
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
in addition, the 'ALL' tag does not work and the best method is to list the ones that you wish to include and not the ones that you wish to exclude as that '!' marking does not appear to be supported.

Setting up ActiveMQ with HTTPS REST

By following https://activemq.apache.org/rest.html, I'm able to push messages via the REST API (e.g. curl -u admin:admin -d "body=message" http://localhost:8161/api/message/TEST?type=queue works, and I can see in the admin console) However, I'd like to be able to use HTTPS. I found https://activemq.apache.org/http-and-https-transports-reference.html and http://troyjsd.blogspot.co.uk/2013/06/activemq-https.html but couldn't manage to make it work. Based on these two outdated/incomplete links:
I added to conf/activemq.xml
Imported self-signed certificate into JDK keystore (per http://troyjsd.blogspot.co.uk/2013/06/activemq-https.html)
Copied xstream and httpclient jars from lib/optional to lib/ (both under ActiveMQ directory, obviously)
So,
How can I set ActiveMQ so that it can be used with a HTTPS REST endpoint?
Assuming I did step 1, how can I test it (a similar curl command example like the above)?
I use ActiveMQ 5.9.1 and Mac OS 10.9.4
Uncomment the following section of conf/jetty.xml.
<!--
Enable this connector if you wish to use https with web console
-->
<!--
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<property name="port" value="8162" />
<property name="keystore" value="file:${activemq.conf}/broker.ks" />
<property name="password" value="password" />
</bean>
-->
Jetty powers not only the WebConsole, but all HTTP stuff in ActiveMQ.
It should work out of the box for testing, but you probably want to roll your own keystore/certificate for real use.
You could use curl as before on port 8162 with HTTPS given you supply the "insecure" flag -k.
Otherwise, you need to create a trust store in pem format and supply it - see this SO for details. Curl accept the argument --cacert <filename.pem> with your certificate or issuing CA in it.

remove server header tomcat

I am able to rename the value of org.apache.coyote.http11.Http11Protocol.SERVER to anything else, so the HTTP-Response-Header contains something like:
Server:Apache
instead of the default
Server:Apache-Coyote/1.1
Using a empty value for org.apache.coyote.http11.Http11Protocol.SERVER does not remove the Server-Header.
How can I remove the Server-Header from my responses?
You can modify your tomcat server.xml and add a "server" option and set it to whatever you want. The server option should be set for any http or ssl connectors that you have running. For example, below is a sample HTTP Connector configuration from an example server.xml file
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" enableLookups="false" xpoweredby="false" server="Web"/>
Short answer - you can't remove the header, but you should modify it (see other answers).
The server header is defined in the RFC and it is mandatory. (not defined as optional in the spec)
Taken from http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.38
14.38 Server
The Server response-header field contains information about the software used by the origin server to handle the request.
The field can contain multiple product tokens (section 3.8) and
comments identifying the server and any significant subproducts. The
product tokens are listed in order of their significance for
identifying the application.
If the response is being forwarded through a proxy, the proxy application MUST NOT modify the Server
response-header. Instead, it SHOULD include a Via field (as described
in section 14.45).
Note: Revealing the specific software version of the server might
allow the server machine to become more vulnerable to attacks
against software that is known to contain security holes. Server
implementors are encouraged to make this field a configurable
option.
It should be possible since Tomcat 5.5. Check out this discussion: https://mail-archives.apache.org/mod_mbox/tomcat-users/200508.mbox/%3C42FBE8AA.1060401#joedog.org%3E
and this link:
https://tomcat.apache.org/tomcat-4.1-doc/config/coyote.html
Accordingly the following should set the server header to TEST. Empty should make it empty.
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8180" inProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" connectionTimeout="20000" useURIValidationHack="false" server="TEST"/>
Setting the Server header to Apache should security-wise be good enough in most cases. Just from that it won't be possible to infer which OS nor which exact version with which modules and the versions of the modules running.
if you are using embedded tomcat then you can try below code.
import org.apache.catalina.startup.Tomcat;
final Tomcat server = new Tomcat();
server.getConnector().setXpoweredBy(false);
server.getConnector().setAttribute("server", "");
For Web application.
Set Server header from the code.
It worked for me in Java Spring boot project.
response.setHeader("Server", "none");
Try adding from code if it is deployed in tomcat.

Getting request and creating HTTP response using Tomcat

I am currently trying to use embeded Tomcat for my application and am trying to set it up to get the URL of the http request.
Some Background:
I am using the same code as in the first answer for the post here : Howto embed Tomcat 6?
The only change I have made is :
private String catalinaHome = "/home/xyz/tomcat"; // This dir is created and has full access permissions
Also , I am looking at: http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/startup/Embedded.html
There are no server.xml and tomcat-users.xml that I could find, so I created a tomcat-users.xml since I was getting an exception :Memory database file /home/xyz/tomcat/conf/tomcat-users.xml cannot be read .
tomcat-users.xml:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>
The code uses container.setRealm(new MemoryRealm());
It appears from here : http://tomcat.apache.org/tomcat-4.1-doc/catalina/funcspecs/fs-memory-realm.html that I should have a server.xml file and there should already be one created by default.
1] Do I need to create a server.xml, what should be the default in it ?
I have put a file with default from here : http://www.akadia.com/download/soug/tomcat/html/tomcat_server_xml.html , but just want to know what is the right thing to do ?
2]When I access http://localhost:8089/mywebapp/index.html, all i get is The requested resource () is not available, though I have an index.html page at the "webappDir" in the code
3] My only need from the embedded tomcat is to intercept so as to get the URL passed to tomcat in my code. I can then parse the URL [do my stuff] and then create a http payload and send an http response back.
I would appreciate any pointers, especially for 3] ?
Thanks!
Ok, for your first question, yo do not need server.xml. If you check the code of your initial post they are setting the parameters there. So that is what server.xml would encapsulate. In reality what happens is that Tomcat will parse server.xml for the properties you are defining on your java file where you instanciate the catalina call to start. But since it is embedded you are setting all those parameters on you class instead.
For your second question, check your logs directory and see what is being parsed. Something is happening after your service starts because it should already redirect you once you call the port. either way, just try http://localhost:8089 and see what you get back in return from tomcat. It should give you some kind of response back from the server itself.
if you do it like this "http://localhost:8089/mywebapp/index.html" you are trying to access a created context, and that might not be configured correctly, but that is just a guess right now.
Try this first and tell me what you get back. we can troubleshoot from this point and see if I can help more in that sense.
Quick question, is this windows or linux you are installing on?
If it is linux the configurations filea are located usually on /etc/tomcat6. (at least on ubuntu they are). Reply back with the version you have installed. I might be able to help you out.
I guess I should also elaborate here a little more. Tomcat is a service in linux as well, so in ubuntu you have to start tomcat in order to access it.
$: sudo service tomcat6 start
then it starts tomcat on port 8080 (usually if not changed) of your localhost. hence you type localhost:8080 to access the website for configuration of tomcat that gives you a It works prompt for you.
Let me know if you have more questions, I will try to respond to the best of my knowledge