Skip certificate validation in IIB - ssl

I am using HTTPRequest node to make requests using TLS. Is there a way to skip certificate validation (checking the certificate chain, the expiration date) with standard IIB settings? I know this is risky.

In order to do this kind of thing there are a lot of workarounds, but they are not that easy and quite horrible. I would suggest using a JavaCompute node, calling unix curl/wget commands for example (if running on Unix), or any other solution that works in Java.
But I can confirm that you cannot use the default IIB nodes (like HTTPRequest) for this purpose.

According to this, you have to handle the exception yourself because IBM will not provide you with a flag, since it is a major security risk.

Related

Use your own RTCCertificate

I have compatibility issues with the WebRTC implementation and our Oracle (AcmePacket) SBC. I think I could work around the issue that they confirmed and will fix somewhere next year, by using a certificate that is signed by a CA for DTLS.
I have been looking around but couldn't find any reference: would it be possible to load my own RTCCertificate from a file?
I know that from a security perspective this is a bad idea, but it's for a proof-of-concept application, and by the time we would use this in production, the bug on the Oracle SBC would be fixed OR we can run rtpengine in between, which would handle the self-signed random certificate correctly.
I don't believe this is possible (in the browser). RTCPeerConnection does allow you to pass a certificate, but it can only be generated using generateCertificate.
Running a bridge I think is your only option in this case unfortunately.

How to use SSL in MariaDB datasource with quarkus?

I would like to connect to a MariaDB database via SSL in a Quarkus application. However, I cannot find a way to define the SSL-related information in the Quarkus application.
How to provide the certificate which is needed in database connection in Quarkus application?
Is it even possible?
If not, I assume that many would be interested in that feature.
I searched information from https://quarkus.io/guides/datasource but did not find anything regarding this.
MariaDB reference: https://mariadb.com/kb/en/library/using-tls-ssl-with-mariadb-java-connector/
There's no reason for it to not work. Just include what you need in your JDBC url.
Be aware though that if you are using native images, you should read this guide that will guide you through configuring everything properly: https://quarkus.io/guides/native-and-ssl .
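An application.properties fragment showing the JDBC-URL approach, added here as an example and not taken from the answer, Quarkus or the MariaDB project; the host, database, CA path and the Connector/J parameter names (from the MariaDB TLS guide linked above) are assumptions to check against the connector version in use:

```properties
quarkus.datasource.db-kind=mariadb
quarkus.datasource.username=app
quarkus.datasource.password=${DB_PASSWORD}

# Weak setting: the connection is encrypted, but any server certificate is
# accepted, so a spoofed server with its own certificate goes undetected.
# quarkus.datasource.jdbc.url=jdbc:mariadb://db.example.internal:3306/app?useSsl=true&trustServerCertificate=true

# Corrected: verify the server certificate chain and hostname against the CA
# that signed the MariaDB server certificate (assumed path to the CA PEM file).
quarkus.datasource.jdbc.url=jdbc:mariadb://db.example.internal:3306/app?sslMode=verify-full&serverSslCert=/etc/app/mariadb-ca.pem
```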

Preserve header capitalization in Haproxy

We switched from a legacy Apache server serving as a load balancer (among other things) to haproxy. Apache would preserve header capitalization from upstream servers while haproxy transforms every header into lowercase. Is there a way to modify this behavior?
(I am aware that headers are supposed to be case-insensitive, unfortunately we have a legacy application that only supports a specific case in a specific header. Also, wouldn't modifying headers result in wasted compute cycles?)
Thanks to #mjf's answer I found a specific way to fix it without recompiling haproxy.
For 2.0, add no option http-use-htx to your haproxy.cfg [1].
For 2.1, add a set of option h1-case-adjust-bogus-server + h1-case-adjust entries [2].
Maybe this patch may help to solve your issue.
I would think that the OP is experiencing a haproxy bug.
The excuse in that patch and the implication of the setting about how it is the application's fault is, well, a fallacy, to avoid using a stronger term. If you have a client/server solution where your client is talking to your own dedicated server which is putting in headers in a specific casing/capitalization, then accepting them in a different capitalization in the application IS the security risk, not the other way round. While it is true that the RFC says that the headers are case insensitive, it doesn't imply at all that a proxy is free to change it. For that reason (i.e. that a dedicated client talking to its dedicated server should legitimately expect it to retain the casing and should consider a change suspicious) I strongly believe that it should be classified as a bug, not a "feature to support bogus apps"; it is a bogus reasoning for a haproxy bug. Haproxy should (at least by default) retain the casing of the headers.
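A haproxy.cfg fragment for the 2.1 route described in the thread, added here as an example and not taken from the answers or the haproxy project; the header name, frontend/backend names and server address are assumed placeholders:

```haproxy
global
    # haproxy lowercases header names internally; this maps the lowercased
    # name back to the exact casing the legacy application expects.
    # Only headers listed here are adjusted, so nothing else is rewritten.
    # (assumed header name: the legacy app wants "X-Session-Token")
    h1-case-adjust x-session-token X-Session-Token

defaults
    mode http
    # On 2.0 the equivalent was "no option http-use-htx" here instead.

frontend fe_web
    bind :80
    # Re-apply the adjusted casing on responses returned to HTTP/1.1 clients
    # that only accept one specific casing.
    option h1-case-adjust-bogus-client
    default_backend be_legacy

backend be_legacy
    # Re-apply the adjusted casing on requests forwarded to the legacy server.
    option h1-case-adjust-bogus-server
    server app1 10.0.0.10:8080   # assumed address
```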

LoadRunner SSL Certificate issue

I am trying to monitor a https URL using VirtualUser Generator, I have the pfx certificate of the user which is used to login as a user on the portal. I used the Openssl utility with Loadrunner to convert the same to PEM and used web_set_certificate_ex on my script but still I see the script demands user certificate for the user. Please help...
"I am trying to monitor"
I don't know exactly what you mean by trying to "monitor" the URL using vugen, but the latter part of your question sounds like you're trying to record a script and play it back. Since this is generally the function of vugen, I'll answer this question. I'm also going to assume you're recording in the web/http protocol and not something like truClient.
Here's the thing - vugen will generally take care of the certificate exchange for you. The primary exception to this is mobile testing. I also actually made the same mistake I think you're making when I first started perf testing. I spent quite a bit of time futzing with certificates, but that is generally unnecessary.
You should make an attempt to record a very simple script, like login, and play it back. If it works, you're set. If you happen to be testing a middleware application you should consider recording in clear text and adding an 's' to your http:// URI.
Very simple advice, but if I understand the nature of your inquiry, it should work.
Try recording without a certificate and see whether you can see the request bodies. If not, then you can think of placing client certificates; also make sure you are using the right socket, SSL version and ciphers to record the application.

AD/LDAP authentication for FitNesse

We are going to put FitNesse on a server and want to have an AD/LDAP authentication solution for this.
Does anyone have experience with good and easy to set up solutions for this?
Thanks in advance. Magnus
One straightforward method would be to download the standard edition of the UnboundID LDAP SDK and get a copy of the jsse.jar file and install both jar files in the fitnesse lib directory. Create a class in the fitnesse.authentication package that extends the fitnesse.authentication.Authenticator class and overrides the isAuthenticated() method. Specify the required properties such as hostname, port, simple or SASL bind, whether to use SSL or StartTLS, base object, search scope, and so forth.
The jsse.jar will provide the necessary SSL classes so that SSL and StartTLS can be implemented as required.
See also
LDAP: Programming practices
It is possible, but it would require either finding or creating a plugin to do it.
I found the following, but I have never tried it:
https://github.com/timander/fitnesse-ldap-authenticator.
Also out there, but older is: https://github.com/dleonard0/fitnesse
You can start there, but you might have to get your hands dirty. Unfortunately, I'm just not that familiar with that part of the code.
See here: http://fitnesse.org/FitNesse.UserGuide.AdministeringFitNesse.SecurityDescription.SpnegoAuthentication
I need to give many more characters to make stackoverflow happy.
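A sketch of the Authenticator subclass described in the UnboundID answer above, added here as an example and not code from FitNesse, UnboundID or either answer; it assumes the isAuthenticated(String, String) signature of fitnesse.authentication.Authenticator, and the host, port, base DN, service account, attribute name and truststore path are placeholders:

```java
package fitnesse.authentication;

import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;
// Assumed: host, port, base DN, service account and truststore path are placeholders.
public class LdapAuthenticator extends Authenticator {
  private static final String HOST = "ldap.example.internal";
  private static final int PORT = 636;            // LDAPS
  private static final String BASE_DN = "dc=example,dc=internal";
  private static final String SERVICE_DN = "cn=fitnesse-svc,ou=service,dc=example,dc=internal";
  private static final String SERVICE_PW = System.getenv("FITNESSE_LDAP_SVC_PW");
  private static final String TRUSTSTORE = "/etc/fitnesse/ldap-truststore.jks";
  @Override
  public boolean isAuthenticated(String username, String password) throws Exception {
    // An empty password turns a simple bind into an anonymous bind that "succeeds"
    // without proving anything, so reject it before touching the directory.
    if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
      return false;
    }
    // Verify the directory's certificate against a pinned truststore, never trust-all.
    SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(TRUSTSTORE));
    LDAPConnection conn = new LDAPConnection(sslUtil.createSSLSocketFactory(), HOST, PORT);
    try {
      // Bind as the service account, then resolve the user's DN by sAMAccountName.
      conn.bind(SERVICE_DN, SERVICE_PW);
      // createEqualityFilter escapes the value, so user input cannot rewrite the filter.
      Filter filter = Filter.createEqualityFilter("sAMAccountName", username);
      SearchResult result = conn.search(BASE_DN, SearchScope.SUB, filter, "1.1");
      if (result.getEntryCount() != 1) {
        return false;  // unknown or ambiguous account
      }
      String userDn = result.getSearchEntries().get(0).getDN();
      // Re-binding as the user is the actual credential check.
      BindResult bind = conn.bind(userDn, password);
      return bind.getResultCode() == ResultCode.SUCCESS;
    } catch (LDAPException e) {
      return false;  // invalid credentials surface as an exception
    } finally {
      conn.close();
    }
  }
}
```

Compile it against the UnboundID SDK jar, drop the class into the fitnesse lib directory and point FitNesse at it with its -a authenticator option.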