I am currently trying to integrate Sonos to DR (Danish Broadcasting Corporation) and I am also finding that the self test suite is failing the following Sonos self test error.
INFO Start Test Case: ssl_validation
test_support_secure_renegotiation
Failed ssl_validation test_support_secure_renegotiation
Instance Messages:
Fail: There was an exception while scanning the domain (drod05a-
vh.akamaihd.net) for secure session renegotiation:
sslyze.utils.ctSSL.errors.SSLErrorSSL - error:140E0197:SSL
routines:SSL_shutdown:shutdown while in init
I have tried to test secure renegotiation with sslyze and I am getting the following response
Session Renegotiation:
Client-initiated Renegotiation: OK - Rejected
Secure Renegotiation: OK - Supported
In the following references to what looks like an identical problems, one of the answers is to ignore the failed Sonos self test.
Another - ssl_validation reference
So my question is - is this still a self test issue and is this still a problem ?
yet another reference to an identical problem ...
AWS - ssl_validation reference
I am confused whether or not this is a bug or a problem with our Sonos integration ?
Can we proceed with the APP verification and registration with this failing test ?
Please help - I am not sure how to move on.
Certain combos of OpenSSL and OS continue to cause issues with SSL tests in the self test. You can ignore these errors.
Related
I'm currently evaluating the WSO2 Software suite and decided to start with the quickstart example to take off with prototyping as fast and with as little effort as possible. So I set up a fresh VM, installed all the components and fired up the API manager.
As I mentioned above, I started with the quickstart example from their website which is the simplest thing one can imagine. I followed it step by step to the letter and I got a message informing me about an internal system error. This has something to do with the SSL engine, but I can't really figure out what's wrong.
The response from the API Manager itself:
<am:fault xmlns:am="http://wso2.org/apimanager">
<am:code>101500</am:code>
<am:type>Status report</am:type>
<am:message>Runtime Error</am:message>
<am:description>Error in Sender</am:description>
</am:fault>
And the log from the wso2am server:
[2020-02-16 14:10:02,649] ERROR - TargetHandler I/O error: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
<trimmed>
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:255) ~[httpcore-nio_4.3.3.wso2v4.jar:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293) ~[httpcore-nio_4.3.3.wso2v4.jar:?]
... 9 more
<trimmed>
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293) ~[httpcore-nio_4.3.3.wso2v4.jar:?]
... 9 more
<trimmed>
[2020-02-16 14:10:02,698] INFO - LogMediator STATUS = Executing default 'fault' sequence, ERROR_CODE = 101500, ERROR_MESSAGE = Error in Sender
(I tried to trim it as best I can as you can see but with no real expertise in Java it's difficult to tell which parts of the trace are relevant)
I'm having problems enabling TLS in Elasticsearch 7.1.1 running on Windows 7.
I have a single node with certificates created as
elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12
The elasticsearch.yml file has the following settings
node.name: node1
discovery.type: single-node
xpack.security.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: 'C:\elasticsearch-7.1.1\config\certs\elastic-certificates.p12'
xpack.security.transport.ssl.truststore.path: 'C:\elasticsearch-7.1.1\config\certs\elastic-certificates.p12'
This works fine but when I add the below
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: 'C:\elasticsearch-7.1.1\config\certs\elastic-certificates.p12'
xpack.security.http.ssl.truststore.path: 'C:\elasticsearch-7.1.1\config\certs\elastic-certificates.p12'
and start up elasticsearch I see the following error
[2019-06-25T07:34:19,659][WARN ][o.e.h.AbstractHttpServerTransport]
[node1] caught exception while handling client http traffic, closing
connection Netty4HttpChannel{localAddress=0.0.0.0/0.0.0.0:9200,
remoteAddress=/127.0.0.1:6757}
io.netty.handler.codec.DecoderException:
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
This is repeated every 10-15 seconds.
https is enabled though and I can access the node using https://localhost:9200
I don't know why I receive the above error though as nothing else is running and accessing elasticsearch.
Any help would be much appreciated.
Thanks heaps
It was pointed out to me, on the elastic forum, that the above is a warning and not an error. I still couldn't understand what was causing it as I wasn't running any service or anything else that could be causing it but eventually found something called heartbeat that was running. This was obviously setup in an earlier version/previous installation of Kibana and this was still running, making a call using http and thus causing the above error (this is used for creating dummy data to use for/by to demo Kibana).
I came across this problem too. And IF you have previously installed Elastic Search then high chance you got some residual indices with "red" status, which makes the process of enabling TLS unsuccessful.
Try this command to verify your indices and their statuses
curl -XGET https://localhost:9200/_cat/indices
then delete those with red status.
I'm kinda at a loss here.
Trying to set up proton with SSL / TLS access, but after creating the certificates with the (modified) shell scripts
supplied by the AppDev-Pack and linking the keyring and everything in notes.ini, I always seem to get
the error "Handshake failed with fatal error SSL_ERROR_SSL: error: 100000f7:SSL routines:OPENSSL_internal:
WRONG_VERSION_NUMBER".
Tried both a windows and linux server, as well as using the accessing node.js app with and without
certificates - but with no success.
Also tried the troubleshoot section of https://doc.cwpcollaboration.com/appdevpack/docs/en/proton-admin.html and it connected just fine,
but won't if i connect with node.js.
Looks like the error is thrown before a certificate is even checked?
In this example the error is thrown after trying to get a document by UNID.
notes.ini (proton parts)
gRPC Client Error
If someone has an idea how to fix that issue or where to start - that would really help me.
Thanks in advance.
It appears that the client side does not have the secure flag set. At least I get a similar stack when I try to connect without TLS when the server expects TLS.
See the secure attribute when calling useServer() function, and you'll also need to provide the credentials attributes.
What we are trying to do is send an email from a pod (running Linux based on the image "microsoft/dotnet") on a client's Openshift environment using MailKit:
https://github.com/jstedfast/MailKit
We get an exception thrown when trying to set up the SSL Handshake:
MailKit.Security.SslHandshakeException: An error occurred while
attempting to establish an SSL or TLS connection.
System.Security.Cryptography.CryptographicException: Error occurred
during a cryptographic operation
We have tried using the.NET SMTP client as well and it worked (using a secure connection)! Unfortunately this component is now obsolete and Microsoft recommends to use MailKit.
Going through the .NET source code the exception raised is a generic catch all exception which looks like it comes from unexpected code returned from the OpenSSL library. Unfortunately I can't see how to get the error code (it is logged using "Debug.Fail", but I am unable to setup a trace to see it) so I am not sure what it is.
I have written a test just to build the X509Chain. When we have the Revocation Mode set to Online (the default) we get the exception. When the revocation is disabled it seems to build the chain OK.
When I run the test on our Test Openshift environment that is totally independent to the client's we get the following error, but do not see the exception: "unable to get certificate CRL"
The only thing I have noticed about the Revocation List is that there is a LDAP and HTTP URLs. Perhaps there is an issue processing the LDAP URL?
Any help on this would be appreciated!
This is something you should report to github.com/microsoft/dotnet
I am trying to monitor https traffic with Fiddler, using current newest version:2.4.4.5
I've successfully set up https, certificates and I can see the full https encrypted traffic for example browsing my bank's web site.
...however...
When I trying to monitor an other server I got this error message in the response window:
"Failed to secure existing connection for 77.87.178.160. A call to SSPI failed, see inner exception. InnerException: System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm"
For full Fiddler window see:
The client is not a in this case browser, but a custom client program, which communicates with its own server.
My question: Is this exception misleading and in reality some other error prevents the secure channel to set up?
...or...
We have still chance to monitor this https communication?
Thx in advance
What is the client program?
This error typically indicates that that client application is only offering certain HTTPS ciphers, and those ciphers are not supported by Fiddler.
However, in this case, the specific problem here is almost certainly this: http://blogs.msdn.com/b/ieinternals/archive/2009/12/08/aes-is-not-a-valid-cipher-for-sslv3.aspx
The client is trying to use AES with SSLv3, but that isn't one of the valid ciphers for SSL3. As a consequence, the connection fails.
You might be able to workaround this by clicking Rules > Customize Rules. Scroll down to the Main() function and add the following line within the function:
CONFIG.oAcceptedServerHTTPSProtocols =
System.Security.Authentication.SslProtocols.Ssl3;
Please let me know if this works.
NOTE Current versions of Fiddler offer a UI link for this: Look at the lis of enabled protocols on the HTTPS tab.
Unbelievably this issue is still present some 6 years later.
Just installed the latest version of Fiddle (v5.0.20194.41348), and sure enough on Win7 using Chrome or IE it keeps failing with the dreaded error:
"fiddler.network.https> HTTPS handshake to google.com (for #1) failed. System.ComponentModel.Win32Exception The client and server cannot communicate, because they do not possess a common algorithm"
After some hours of testing, I found a middle ground solution which seems to work with virtually all websites. The aim was to get the highest possible security with no errors in the log. Without needing to add any code, simply changing this line under Tools > Options > HTTPS > Protocols is what worked for me (just copy and paste it):
<client>;ssl3;tls1.1;tls1.2
Basically removed the ssl2 and tls1.0 protocols which leaves us with some pretty decent security and no errors so far. Having spent hours of frustration with this error, hope someone out there might find this useful, and a big thanks to EricLaw who discovered the root of the problem.
Yes I too have seen this error when working outside of fiddler and it was connected with AuthenticateAsServer but only went wrong when using IE10 and not Chrome as the browser.
Odd thing is that it did not break all the time for IE10 using SslProtocols.Tls for the protocol so I will add a bit of code to switch the protocol if one fails
The protocol that can be used also seems to change on if you are using a proxy server like Fiddler or using an invisible server by hijacking the DNS via the hosts file to divert traffic to the server