LDAP with starttls on redmine - ldap

Redmine does not use StartTLS by default. When I configure my LDAP server to require TLS, Redmine fails to authenticate users.
With OpenLDAP you might see the "Confidentiality required" error message in the Redmine logs.

Make sure LDAPS is NOT enabled. ldaps:// is a different encryption scheme than StartTLS. With StartTLS an unencrypted connection is promoted to an encrypted one over the same port.
When using Redmine 3.2.4, find the file named redmine/app/models/auth_source_ldap.rb,
search for "encryption", and find:
    options = { :host => self.host,
                :port => self.port,
                :encryption => (self.tls ? :simple_tls : nil)
              }
When LDAPS is unchecked, we want to use StartTLS:
    :encryption => (self.tls ? :simple_tls : :start_tls)
Save and restart your web server. Redmine should now use an encrypted connection.

I know this is old, but I just had a similar problem with Redmine 4.1.2.
I had to make a similar change to get StartTLS to work without LDAPS:
in redmine/app/models/auth_source_ldap.rb
search for this block of code
    if tls
      options[:encryption] = {
        :method => :simple_tls,
        # Always provide non-empty tls_options, to make sure, that all
        # OpenSSL::SSL::SSLContext::DEFAULT_PARAMS as well as the default cert
        # store are used.
        :tls_options => { :verify_mode => verify_peer? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE }
      }
    end
and update it with an else clause as:
    if tls
      options[:encryption] = {
        :method => :simple_tls,
        # Always provide non-empty tls_options, to make sure, that all
        # OpenSSL::SSL::SSLContext::DEFAULT_PARAMS as well as the default cert
        # store are used.
        :tls_options => { :verify_mode => verify_peer? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE }
      }
    else
      # Plain port: upgrade the connection with StartTLS before binding
      options[:encryption] = {
        :method => :start_tls,
        :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_NONE }
      }
    end
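As an added example (not Redmine's code and not from either answer above), a small Ruby helper that builds the net-ldap :encryption hash the patched auth_source_ldap.rb hands to Net::LDAP, with the StartTLS branch honouring the "verify peer" setting instead of hard-coding VERIFY_NONE as the else clause above does; the verify_peer argument stands in for Redmine's verify_peer? method and the tls argument for its LDAPS checkbox.

```ruby
require 'openssl'

# Build the :encryption option for Net::LDAP.new from the two settings Redmine
# exposes: tls (the LDAPS checkbox) and verify_peer (the "verify peer" checkbox).
# tls=true  -> ldaps:// on its own port (:simple_tls), encrypted from the first byte
# tls=false -> plain port upgraded with StartTLS (:start_tls) before the bind
def ldap_encryption_options(tls:, verify_peer:)
  verify_mode = verify_peer ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
  {
    method: tls ? :simple_tls : :start_tls,
    # Always pass a non-empty tls_options hash so OpenSSL's default parameters
    # and the system certificate store are applied by net-ldap.
    tls_options: { verify_mode: verify_mode }
  }
end

# True when the options would accept any certificate: the session is encrypted,
# but the directory server's identity is never checked (the weak setting).
def unverified?(opts)
  opts[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE
end

if __FILE__ == $0
  [[true, true], [false, true], [false, false]].each do |tls, verify|
    opts = ldap_encryption_options(tls: tls, verify_peer: verify)
    puts "tls=#{tls} verify_peer=#{verify} -> #{opts[:method]} " \
         "(#{unverified?(opts) ? 'certificate NOT verified' : 'peer verified'})"
  end
end
```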

How can I disable tls/crypto on apache 2.4, php 8, sendmail, typo3 11 with local mail exchange server?

These are my settings:
sendmail.ini
    smtp_server = 10.1.xxx.xxx
    smtp_port=25
    smtp_ssl=none
php.ini
    [mail function]
    SMTP = 10.1.xxx.xxx
    smtp_port = 25
    sendmail_path = "C:\Webserver\sendmail\sendmail.exe -t"
Typo3
    'MAIL' => [
        'defaultMailFromAddress' => 'noreply@domain.org',
        'defaultMailFromName' => 'Domain',
        'transport' => 'smtp',
        'transport_sendmail_command' => '',
        'transport_smtp_encrypt' => false,
        'transport_smtp_password' => '',
        'transport_smtp_server' => '10.1.xxx.xxx:25',
        'transport_smtp_username' => '',
    ],
The SSL certificate is provided by a NetScaler configuration.
Typo3 Test Mail Setup
    Could not deliver mail
    Please verify $GLOBALS['TYPO3_CONF_VARS']['MAIL'][*] settings are valid.
    Error message: Unable to connect with STARTTLS: stream_socket_enable_crypto():
    Peer certificate CN=*.domain.de' did not match expected CN=10.1.xxx.xxx'
Ehm, with transport_smtp_encrypt=false the connection will be tried via STARTTLS. For an SSL connection, transport_smtp_encrypt has to be true.
Important: #91070 - SMTP transport option 'transport_smtp_encrypt' changed to boolean
So there is no way to deactivate encryption, as false uses STARTTLS and true uses SSL. Thanks for the information.
@alexinge I think STARTTLS is only used if the server that you try to connect to is able to handle it. As the changelog of version 4.4 of symfony/mailer says (highlight by me):
STARTTLS cannot be enabled anymore (it is used automatically if TLS is disabled and the server supports STARTTLS)
So you might try to change the configuration of the mail server (if you have access to that) or maybe use another port (587 with 'transport_smtp_encrypt' => false or 465 with 'transport_smtp_encrypt' => true).

Logstash to Elasticsearch Bulk Request, SSL peer shut down incorrectly - Manticore::ClientProtocolException - logstash

ES version - 2.3.5, Logstash - 2.4
    Attempted to send bulk request to Elasticsearch, configured at ["xxxx.com:9200"],
    An error occurred and it failed! Are you sure you can reach elasticsearch from this machine using the configuration provided ?
    Error:
    "SSL peer shut down incorrectly", Manticore::ClientProtocolException
My Logstash output section:
    output
    {
      stdout { codec => rubydebug }
      stdout { codec => json }
      elasticsearch
      {
        user => "xxxx"
        password => "xxx"
        index => "wrike_jan"
        document_type => "data"
        hosts => ["xxxx.com:9200"]
        ssl => true
        ssl_certificate_verification => false
        truststore => "elasticsearch-2.3.5/config/truststore.jks"
        truststore_password => "83dfcdddxxxxx"
      }
    }
The Logstash file is executed, but it is failing to send the data to ES.
Could you please suggest? Thank you.
Be particular about http or https in the URL; in the above case I am sending data to https but my ES is using http.
Later, an upgrade of the Logstash version solved sending data to ES.

Chef provisioning ssh times out when used with chef zero

I am using Chef zero on my windows machine to ssh into a red hat linux machine and execute a command that's inside of a recipe. When I run the code below, it tries to SSH for 120 secs and times out. I'm not sure why this is happening. Any idea why this is happening?
    require 'chef/provisioning'
    require 'chef/provisioning/ssh_driver'
    with_driver 'ssh'
    machine "ssh" do
      attribute "short_dns", new_resource.short_dns
      attribute "long_dns", load_balancer_name
      recipe "mycookbook::add_short_dns"
      machine_options :transport_options => {
        'is_windows' => false,
        'ip_address' => '10.16.99.124',
        'username' => 'myusername',
        'ssh_options' => {
          'password' => 'mypassword'
        }
      }
      converge true
    end
Here is the error:
    - been waiting 110/120 -- sleeping 10 seconds for ssh (10.16.99.124 on ssh:C:/Users/user/.chef/provisioning/ssh) to be connectable ...[2015-06-23T14:54:33-05:00] INFO: Executing sudo pwd on myusername@10.16.99.124
    ================================================================================
    Error executing action `converge` on resource 'machine[ssh]'
    ================================================================================
    RuntimeError
    ------------
    Machine ssh (10.16.99.124 on ssh:C:/Users/user/.chef/provisioning/ssh) did not become ready within 120 seconds
I'm still fighting with Chef Provisioning myself, so this may not be as helpful as I would like. One thing is that each of these is a key/value pair, so you want to declare your variables differently (see below):
    require 'chef/provisioning/ssh_driver'
    with_driver 'ssh'
    with_machine_options :transport_options => {
      :username => 'centos',
      :ssh_options => {
        :password => 'password'
      }
    }
Amir,
Does the C:/Users/user/.chef/provisioning/ssh directory exist on your workstation? If not, try creating it and making sure permissions are correct, then try
Try to use the snippet below; notice the extra options that will help you to debug the issue.
1) DEBUG level will allow you to see the SSH communication.
2) If you don't overwrite prefix, it will use SUDO by default.
3) Sometimes when you recreate a remote server, your "known_hosts" file remembers it, and the next time you try to SSH into the server after recreation you receive the message "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED". In fact the SSH session hangs, but you don't see that on the client side. So better ignore it.
    :transport_options => {
      :is_windows => false,
      :username => 'YOURUSER',
      :ssh_options => {
        :password => 'YOURPASSWRD',
        :verbose => Logger::DEBUG,             # show the SSH exchange in the log
        :user_known_hosts_file => '/dev/null'  # do not persist or check host keys
      },
      :options => {
        :prefix => ''                          # empty prefix disables the default sudo
      }
    },

How to use Vagrant & Puppet with https

I have been trying for hours, but I just can't figure out how to enable an https connection with Vagrant and Puppet.
I have a folder files/htdocs which contains different config files, like vhosts. It was a preset, with an empty ssl and an empty vhosts_ssl folder. I put my SSL certificate in the ssl folder and my httpd-ssl.conf in the vhosts_ssl folder. Those files were working locally with my MAMP web server.
In the Puppet config I wrote the following:
    file { "/etc/httpd/vhosts":
      replace => true,
      ensure  => present,
      source  => "/vagrant/files/httpd/vhosts",
      recurse => true,
    }
    file { "/etc/httpd/vhosts_ssl":
      replace => true,
      ensure  => present,
      source  => "/vagrant/files/httpd/vhosts_ssl/httpd-ssl.conf",
    }
    file { "/etc/httpd/ssl":
      replace => true,
      ensure  => present,
      source  => "/vagrant/files/httpd/ssl",
      recurse => true,
    }
The normal vhosts are working, therefore I thought I could copy the structure and just enter the new paths for ssl and vhosts_ssl.
But it's not working. Maybe you know how to fix this.
Thanks.
I think I found a solution, but I have no time to test it right now.
Here is the link to the possible solution.
https://forge.puppetlabs.com/puppetlabs/apache
I will update my Question/Answer when I have tried it.

BigCommerce PHP API Cipher Error

I am using the BigCommerce PHP API and am receiving this error when it attempts to connect to either my store or the WebDAV store:
    failed setting cipher list
From the same server I have connected to both sites using cURL via the command line. I have the cURL PHP module installed with SSL enabled. Any thoughts would be appreciated.
I think you have to enable the 'rsa_rc4_128_sha' cipher. It might not be enabled by default. Can you try
    Connection::setCipher()
before making a request? By default this sets the cipher to the one above.
There is some history on this in the BC github repos -
https://github.com/bigcommerce/bigcommerce-api-php/pull/10
https://github.com/bigcommerce/bigcommerce-api-php/pull/11
Hope this helps.
I was using WAMP and tested this just now.
To fix this I updated the connection API file with
    curl_setopt($this->curl, CURLOPT_SSL_VERIFYPEER, 1);
    curl_setopt($this->curl, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($this->curl, CURLOPT_CAINFO, 'C:\xampp\htdocs\big\Bigcommerce\Certs\cacert.pem');
and the file from
http://curl.haxx.se/docs/caextract.html
We use an object based upon the following
    <?php
    // provision for laziness
    if (
        (array_key_exists('store_url', (array)$settings)) &&
        (array_key_exists('username', $settings)) &&
        (array_key_exists('api_key', $settings))
    ) {
        // Config Basic
        BC::configure(
            array(
                'store_url' => $settings['store_url'],
                'username'  => $settings['username'],
                'api_key'   => $settings['api_key']
            )
        );
        // Set Cipher if needed
        if (array_key_exists('cipher', $settings)) {
            BC::setCipher('RC4-SHA');
        } else {
            BC::verifyPeer(false);
        }
        // Set Proxy if needed
        if (array_key_exists('proxy', $settings)) {
            BC::useProxy($settings['proxy']['url'], $settings['proxy']['port']);
        }
    }
    // Run your code here...