I ran into this issue during my testing of django-channels and daphne (but the issue is not exclusive to them).
--- <exception caught here> ---
File "/Users/****/lib/python3.6/site-packages/twisted/internet/base.py", line 896, in runUntilCurrent
call.func(*call.args, **call.kw)
File "/Users/****/lib/python3.6/site-packages/twisted/web/http.py", line 2288, in forceAbortClient
self.transport.abortConnection()
File "/Users/****/lib/python3.6/site-packages/twisted/protocols/tls.py", line 435, in abortConnection
self._shutdownTLS()
File "/Users/****/lib/python3.6/site-packages/twisted/protocols/tls.py", line 338, in _shutdownTLS
shutdownSuccess = self._tlsConnection.shutdown()
builtins.AttributeError: 'NoneType' object has no attribute 'shutdown'
This is only the case when HTTP/2 is in use. HTTP1.1 works fine and I've never had an issue like this. I've done a bit of investigating and I've noticed that self._tlsConnection.shutdown() is called 2x, once when the timeout is exceeded and self._tlsConnection is set to None, then again for some unknown reason. I'm not knowledgeable enough in HTTP standards to know if this is expected behavior. Am I doing something wrong or is this a bug?
How to reproduce
Install Twisted with HTTP/2 and TLS support
pip install -U twisted[http2,tls]
Create TLS certificates
openssl genrsa -aes256 -passout pass:SuperSecretPassword -out server.key 2048
openssl req -new -key server.key -passin pass:SuperSecretPassword -out server.csr
openssl x509 -req -passin pass:SuperSecretPassword -days 1024 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server_no_pass.key -passin pass:SuperSecretPassword
mv server_no_pass.key server.key
Create a simple TLS server (it's not django-channels, it's klein, because this issue isn't exclusive to channels). This will start a server on https://0.0.0.0:9999
from klein import route, run
#route('/')
def hello(request):
return 'hello'
run(endpoint_description='ssl:9999:interface=0.0.0.0:certKey=server.crt:privateKey=server.key')
On a web browser, go to https://localhost:9999. Open the developer tools and navigate to network tab. Enable the protocol option and ensure it's HTTP/2.0. I've tested on both Chrome and Firefox.
Wait a few minutes and the server will hit the traceback.
Related
I have a basic nginx home server setup which i use Client certificates to allow outside access. I have followed this guide to get everything setup which works as expected:
https://gist.github.com/rkaramandi/20a04a41536f3d7e6d2f26b0b9605ab6
in summary:
openssl genrsa -aes256 -out ca.privkey 4096
openssl req -new -x509 -days 365 -key ca.privkey -out ca.crt
openssl genrsa -aes256 -out bobs-ipad.privkey 4096
openssl req -new -out bobs-ipad.csr -key bobs-ipad.privkey
openssl x509 -req -days 365 -in bobs-ipad.csr -CA ca.crt -CAkey ca.privkey -set_serial 100 -out bobs-ipad.crt
openssl pkcs12 -export -clcerts -in bobs-ipad.crt -inkey bobs-ipad.privkey -out bobs-ipad.p12
Also openssl pkcs12 -in bobs-ipad.p12 -out bobs-ipad.pem -nodes to generate a pem file as well.
And in nginx config:
ssl_client_certificate <path>/ca.crt;
# ssl_crl <path>/ca.crl;
ssl_verify_client optional;
...
location / {
if ($ssl_client_verify != SUCCESS) {
return 403;
}
I am able to access the server from outside and only signed certificates on the client machine allow access.
However if one of the signed certificates were to be compromised i'd have to re-generate the CA and re-distribute the new signed client certificates. I understand that a CRL file can be used to revoke certificates using ssl_crl <path to crl>; in the nginx config but i am not sure to generate this using the guide i followed.
A command like this can be used openssl ca -gencrl -keyfile ca.privkey -cert ca.crt -out ca.crl
But this relies on a configuration file with an index of the certificates i believe?
Is there anyway of using a command like the above to input a (or list of) pem or p12 client certificate(s) -in bobs-ipad.pem that i want to revoke?
If not perhaps i need to start again and have a config with index file to then -revoke the certificates and re-generate the crl file.
Thanks in advance,
Richard
It doesn't seem like this is possible. I have found some other guides to get this working with a configuration file (and generating a new CA): https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
https://www.djouxtech.net/posts/nginx-client-certificate-authentication/
Twisted supports http1 + http2.
How to setup a twisted http2 server over TCP (neither ALPN nor protocol-upgrade)?
The server should answer to this query:
curl --http2-prior-knowledge http://localhost:8000/
Twisted should set up HTTP/2 servers for you auto-magically. Make sure you install twisted's http2 modules. The simplest way is to use pip:
pip install -U twisted[http2]
However, I've noticed a few times that it doesn't do run the HTTP/2 stuff out of the box. I had to uninstall h2, hyper and hyperframe, then reinstall them.
pip uninstall h2 hyperframe hyper
pip install -U twisted[http2]
Using a self signed certificate, here's a small klein webserver example.
openssl genrsa -aes256 -passout pass:SuperSecretPassword -out server.key 4096
openssl req -new -key server.key -passin pass:SuperSecretPassword -out server.csr
# Common Name (e.g. server FQDN or YOUR name) []:localhost
openssl x509 -req -passin pass:SuperSecretPassword -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server_no_pass.key -passin pass:SuperSecretPassword
mv server_no_pass.key server.key
cat server.crt server.key > selfsigned.pem
rm server.crt server.csr server.key
from klein import route, run
#route("/")
def hello(req):
if req.clientproto == b"HTTP/2":
return "http2"
return "http1.1"
run(endpoint_description="ssl:8000:privateKey=selfsigned.pem")
Update
While it's not best practice, there's nothing prohibiting you from running HTTP/2 server on a non-TLS connection. I believe most browsers won't support a non-TLS HTTP/2 server though (at least I couldn't get Firefox and Chrome to work with it). Twisted won't work out the box for you either, so that means you'll have to implement your own server. Follow the twisted example on the hyper-h2 site. Then replace endpoints.SSL4ServerEndpoint with endpoints.TCP4ServerEndpoint.
# ...
endpoint = endpoints.TCP4ServerEndpoint(reactor, 8080, backlog=128)
endpoint.listen(H2Factory(root))
reactor.run()
I'm using Mosquitto version 1.4.8 on my test PC and the server. The server is accessible via ha.euroicc.com.
I've generated certificates and keys using the following script:
#! /usr/bin/env bash
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Serial should be different from the server one, otherwise curl will return NSS error -8054
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
# Verify Server Certificate
openssl verify -purpose sslserver -CAfile ca.crt server.crt
# Verify Client Certificate
openssl verify -purpose sslclient -CAfile ca.crt client.crt
I've put 'd', 'dd' and 'dddd' everywhere except for common name.
The common name for ca is 'd' and for server/client is 'ha.euroicc.com'.
CN for server/client needs to be this value, or it doesn't work at all!
My current mosquitto config file:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
persistence_file mosquitto.db
log_dest syslog
log_dest stdout
log_dest topic
log_type error
log_type warning
log_type notice
log_type information
connection_messages true
log_timestamp true
password_file /etc/mosquitto/passwd
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
allow_anonymous false
port 8883
cafile /etc/mosquitto/certs/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
require_certificate true
I use this command to subscribe from test PC:
mosquitto_sub -h ha.euroicc.com -t "topic/test" -u "damjan" -P "damjan" -p 8883 --cafile ca.crt --key client.key --cert client.crt
And get these errors:
On test PC:
Error: A TLS error occurred.
On server:
1532564086: OpenSSL Error: error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed
1532564086: Socket error on client <unknown>, disconnecting.
I've tried without require_certificate set on the server side, and not using client key/cert on the client side and subscription works in this case. This means that username/password parameters are fine.
That means that I either generated certificates and keys with a problem, my mosquitto.conf is bad or I'm using mosquitto_sub with a problem. Maybe something else?
I'm really at loss here and can't figure out what to try next...
Every bit of information helps.
Had a similar issue while upgrading to 2.0 because of the updated TLS/SSL bindings several know weak algorithms are not supported anymore.
In my case the signature of the certificate was sha1WithRSAEncryption where sha1 is the weak part. The same would be for e.g. MD5.
Check your certificate with openssl x509 -text -noout -in your.crt
Resigning the certificate with sha256WithRSAEncryption fixed it for me.
There is no need to create a new key.
You can either create a new CSR from your existing key and information from your certificate:
openssl x509 -x509toreq -in sha1.crt -signkey sha1.key -out sha256-new.csr -sha256
or overwrite the algorithm while signing the existing CSR again:
openssl x509 -req -days 360 -in sha1.csr -CA DummyCA-DonotTrust.pem -CAkey DummyCA-DonotTrust.pem -CAcreateserial -out sha256.crt -sha256
Recent openssl version should use sha256 as default.
Debian has changed the default setting with openssl-1.1.1 see https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 and set CipherString = DEFAULT#SECLEVEL=2.
To get a list of supported algorithms run: openssl ciphers -s -v 'ALL:#SECLEVEL=2'
Ok, so the problem was that I was generating all of the files on my test PC, and then sending it to the server.
I've tried generating everything on the server, and then copying appropriate files to my test PC, and everything works fine.
I've followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt . With lesser changes like hostname etc.
I had the same issue.
To fix it, while generating server.crt, answer to question 'Common Name' with IP address of the machine where Mqtt broker is going to be run.
I first followed the instructions on AWS's documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html#generate-key-submit-csr
openssl genrsa -out mykey-private-key-file.pem 2048
openssl ecparam -name prime256v1 -out mykey-private-key-file.pem -genkey
openssl req -sha512 -new -key mykey-private-key-file.pem -out mykey-csr.pem
But when we tried to submit our CSR, then it complained, so then I followed the instructions on rapidssl:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13985
openssl genrsa -des3 -out mykey-private-key-file.pem 2048
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem
We got our approval response with the x.509 Web Server Certificate and Intermediate CA.
When I copy the mykey-private-key-file.pem into the "Private Key" field on the EC2 Management Console, then it complains that:
"Error creating certificate
Unable to parse key; the body is encrypted."
I don't really know what I'm doing. I tried converting the private key like they suggest here: https://www.geekpete.com/blog/converting-ssl-pem-format-aws/ but then it doesn't match. Does this mean I have to go through the process all over again?
Since it took me a while to figure this out as well, I thought I would post my process here (in hopes that it saves someone some time).
This process assumes you already know how to request a certificate from your favorite certificate issuer.
You can just to a find-and-replace on "yourDomain" and then run the commands at a bash prompt. OSX or pretty much any flavor of Linux should do just fine.
# to generate a certificate request
openssl req -new -newkey rsa:2048 -nodes -keyout yourDomain.key -out yourDomain.csr
# Sumbit the CSR. When the CRT file comes back...
# Open the cert in a text editor...
# create a new file
vi yourDomain.crt
# press 'i' to start insert mode
# paste the contents of the CRT file you received
# prese ESC, then 'wq', then enter. This saves the file and exits VIM
# convert the CRT you just wrote to disk into the PEM format expected by ELB
openssl x509 -in yourDomain.crt -out yourDomain.pem -outform PEM
# convert the private key to PEM format expected by ELB
openssl rsa -in yourDomain.key -outform PEM -out yourDomain.pem.key
# display the contents of the private key file and certificate file so you can paste them into the dialog when setting up the listener on the ELB
cat yourDomain.pem.key
cat yourDomain.pem
Actually it was because of the copy and paste from my email. Even though I copied it into a text editor first. Totally lame error message.
But I did have to to run this step from the geekpete link.
openssl rsa -in yourwebsite_private.key -out pem-yourwebsite_private.key
Using Apache 2.2, SSL is configured. I am creating the key and temporary cert in command prompt. When I use
openssl genrsa -des3 -out server.key 1024
I am returned this output :
WARNING: can't open config file:
z:/strawberry_libs/build/2013Q3_/ssl/openssl. cnf error on line -1
of C:\Program Files\Apache Software Foundation\Apache2.2\conf\o
penssl.cnf
and then it creates the key.
So good and fine. The error is bothersome. Then I try to make the cert with
openssl req -new -key server.key -out server.csr
Now it shows an error and wont create it.
C:\temp>openssl req -new -key server.key -out server.csr WARNING:
can't open config file:
z:/strawberry_libs/build/2013Q3/ssl/openssl.cnf Unable to load
config info from z:/strawberry_libs/build/2013Q3/ssl/openssl.cnf
Not exactly sure how to proceed at this point as I can't get past this step for my assignment without the certification. If there is another way, or a way to correct the error that would be great.