libtorrent ssl need cert (maybe) (Windows) - ssl

I am working on a project using libtorrent for some clients and an open tracker using MonoTorrent.
PC1: Runs a tracker using MonoTorrent, which hosts the .torrent.
PC2: Runs a libtorrent client and hosts the content referenced in the torrent and has the .torrent, which is added to the client by passing a signed certificate, a matching private key, dhparams and the password for the signed certificate.
PC3: The same as PC2 but does not host any content referenced by the torrent.
The torrent is created with a CA certificate and a private key matching the CA against which the signed certificates are signed, using openssl, with no errors. (This is done on a separate PC from the other 3.)
When I run the tracker I get no errors, only that it's running and tracking the torrent.
When I run the clients it gives me a torrent need cert alert, and I then set_ssl_certificate on the handle for the torrent and then resume, and I get a torrent_error_alert telling me that the torrent doesn't exist, and finally it changes state to checking and then seeding/downloading depending on which client it is (the uploader or downloader).
The problem is then, that there is no traffic between the clients.
I can see that they are connected to the tracker, and are listening on both normal ports and the ssl ports, but there is never a connection between the two clients (Using TcpView).
There is no difference when I run with or without admin rights.
Anyone who has experienced this, or might have a solution/pointer in the right direction?
Many thanks in advance.

Related

Progressive Web App Service Worker with Self-Signed Certificate

I'm trying to make a Progressive Web App with WAMP server, but I need an environment that closely mimics the production environment. So I'm using a virtual host to mimic a real domain, and using a self-signed certificate to use HTTPS.
The problem is that the self-signed certificate is not trusted by the browser, and makes my Service Worker fail to register.
I've tried the solution from this thread, "Can you use a service worker with a self-signed certificate?", by creating a new shortcut on my desktop with the target
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors --unsafely-treat-insecure-origin-as-secure=https://myvirtualhostname.com
But that doesn't solve the problem. Could anybody please help on this matter?
You should not need the --unsafely-treat-insecure-origin-as-secure flag, since that applies to insecure HTTP origins.
The --ignore-certificate-errors flag will give a warning in Chrome, but you can ignore this; it will work.

Fiddler - cannot decrypt SSL Traffic - unspecified CryptographicException

I am having problems decrypting any SSL traffic (on my Windows 10 PC) using (the latest version of) Fiddler.
I have tried Eric's (creator of Fiddler) post on resetting certificates to no avail:
http://textslashplain.com/2015/10/30/reset-fiddlers-https-certificates/
I am seeing the following error in the logs on all SSL requests:
09:50:02:3744 fiddler.network.https> HTTPS handshake to www.fiddler2.com (for #1) failed. System.Security.Cryptography.CryptographicException Unspecified error
To try and isolate the issue I installed Charles and it is able to decrypt SSL requests, so I don't believe it is a system-wide / local network issue.
Any help much appreciated as Fiddler is such an excellent tool.
So I have now got Fiddler working again, these steps fixed my problem:
Remove Fiddler certificates (via the GUI, and manually check in Certificates mmc)
Uninstall Fiddler, including all settings data
Use a registry cleaner to clean up orphan / broken entries
Delete any remnant folder related to Fiddler
Download latest version of Fiddler
Install using all defaults (don't install to a custom location)
Set HTTPS Capture and Decrypt in Fiddler
I faced a similar issue on a Mac with Fiddler. This was the first time I was using Fiddler on a Mac.
The problem was that the Mac was not trusting the Fiddler certificate.
To solve it, first of all, go to Fiddler and then choose
Tools > Options > HTTPS
Check Decrypt HTTPS Traffic.
In the same dialog, then go to Actions and click on Export Root Certificate to Desktop.
Click OK and close Fiddler.
Now the Fiddler certificate has been downloaded to your desktop. In my case its name was FiddlerRoot.cer.
Double-click on it and it will open in Keychain.
Select the Certificates option from the left-hand side under Category.
You will find there is a certificate with the name DO_NOT_TRUST_FiddlerRoot.
Right-click on the certificate and click on Trust to make it expand. Here is how my dialog looks now.
In your case, instead of Always Trust, Use System Defaults would have been selected by default. Select Always Trust.
Clear the cookies and cache of your browser and then restart the browser.
Now when I start Fiddler it is able to decrypt HTTPS websites.

Create a https server app using its own certificate

We are developing a local server app (written in nodejs for now), used by our web site to manipulate local files and folders (browse, upload, download...).
Basically, the customer installs the nodejs app, which starts a local server listening on 127.0.0.1.
Then, when (for instance) a list of local folders is needed on the web site, a JS script queries the local server, which returns the local folders, and they are displayed on the web site.
The problem is when the web site is configured in HTTPS, the web site's JS refuses to communicate with the HTTP-non-S nodejs app.
We are exploring various options:
using self-signed certificates deployed with the app, and trusting them on the machine during install, but I feel there will be a LOT of times when it won't work
using "proper" certificates for local.example.com, with a DNS entry where local.example.com points to 127.0.0.1, but it seems that distributing private keys to the general public is prohibited by the terms of service (CGU) of most (if not all) certificate authorities.
Now I thought of maybe another means. Can a "packaged" HTTPS server (written in any language, I don't care), "living" inside an exe file which is signed with a proper SSL certificate, use the certificate of the app?
I'm not sure if I'm making any sense, I don't know certificates very well...
Thanks!
We ended up adding a self-signed root CA using certutil:
certutil.exe -user -addstore Root "mycert\rootca.cer"
Since we're adding a root CA, it generates a warning popup that the user has to accept, but it has been deemed acceptable by the powers that be.
There is a "check config" screen that can try to add the certificate again if it hasn't been properly added the first time.
There is a case where group policies (GPO) prevent trusting self-signed certificates. In this case, certutil has a return code of 0 (the certificate is added) but the root CA is not trusted, so the local server does not work. So, after install, we have to check that the certificate is trusted using:
certutil.exe -user -verifystore Root xxx
(xxx being the certificate serial number). This command does not exit with an error if the certificate is untrusted either, so we parse the output for CERT_TRUST_IS_UNTRUSTED_ROOT or 0x800b0109.

New SHA-2 Certificate Key on Domino 9.0.1 not loading

My old Live system (Domino 8.5.3 / Windows 2003) is out on the DMZ and needs to be upgraded to a SHA-2 certificate. So, we have built a new Test server also out in the DMZ (Domino 9.0.1 FP6 / Windows 2008) box to move the site to.
I copied the entire Data directory from the Live over the top of the Test 9.0.1 folder to bring across all the databases and jQuery files etc...
I then followed this procedure to create the new certificate:
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool?open
I used the procedure to generate a new CSR which we sent to GoDaddy to have them reKey the SHA-2 for the new Test system.
They returned two CRT files:
1) gd_bundle-g2-g1.crt - This, I believe, holds the Root and Intermediate certificates. But I only found two certificates in this.
2) 8e0702e83bd035e9.crt - This has the Site certificate.
I extracted the two GoDaddy certificates:
godaddy_root_Base64_x509.cer
GoDaddy_Secure_CA-G2_Base64_X509.cer
Then used the following command to join them all together:
type server.key 8e0702e83bd035e9.crt GoDaddy_Secure_CA-G2_Base64_X509.cer godaddy_root_Base64_x509.cer > hbcln04_server.txt
I followed all the steps in the procedure above. The only difference is that the procedure shows 2 intermediate certificates but GoDaddy only sent me one.
But, I was able to verify both the Keys and the Certificates as the procedure said.
There were no errors in the process.
I put the new kyr file down in the Data directory with the others and then went to the Website document and changed the reference there to the new kyr filename.
Note, this is a Website document not the Server document.
I even went to the Server document and followed a procedure to Disable and Enable the Website documents just in case the path to the Keyring.kyr file was corrupted.
However, because the new Test box is in the DMZ it is very difficult to test.
So, I have modified the server's Hosts file to map the certificate's domain back to the same box. (Otherwise DNS would keep taking it back to the Live system.)
There is a question as to whether mapping the domain to the IP of the Test box will work with HTTPS. But I don't see why not.
But no matter what I do, I can't get the certificate to take hold.
I put in the URL for the site and if it is HTTP it works, but as soon as I change it to HTTPS I get this:
This page can't be displayed
Make sure the web address https:_Link_to_site is correct.
Look for the page with your search engine.
Refresh the page in a few minutes.
I then refresh the page and I get this:
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https:_Link_to_site again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Well unfortunately, I'm the site administrator!
The only things I have seen that differ from the procedure are:
1) that I only had 1 intermediate cert and not 2 as in the example.
2) I'm using a Hosts file to map the domain to the server so it doesn't follow its usual DNS.
Also note that there are no errors in the log. We did have a few around the Access to the Key files. The kyr file was fine, but the sth file had restricted access. This has been corrected now.
At the moment, I don't know where to even look for an error or what to turn on to see the error.
It seems the certificate just doesn't load.
Please help.

Setting up test environment for SSL torrents using libtorrent and open tracker

So I am trying to set up a test environment for BitTorrent file transfers with SSL protection and I am having some troubles and would need some guidance.
My setup:
PC1: Running opentracker and acting as the Certificate Authority.
PC2: Running the libtorrent example client compiled with support for SSL encryption. Also acts as the publisher of the torrent file.
PC3: Same as PC2 but is not publishing any file.
When I use this setup without SSL torrents everything works as expected. The file gets transferred and if you go into the tracker's stats page (trackerip/stats) it shows that 1 torrent is being served and there are 2 peers connected.
However, when I use my SSL torrent this is not happening. First of all, no file is being transferred. Second of all, the tracker doesn't seem to recognize the torrent file, i.e. the tracker tells me it is currently not serving any torrents.
What could be wrong with my setup? And how do I start troubleshooting this?
Could it be that the tracker has to support HTTPS? Maybe I can't use opentracker. Does anyone have experience with this?
It is very likely that something is missing in the torrent file, but should I not be getting any errors in that case?
I am using the libtorrent example project "make_torrent" to make my SSL torrent and when I inspect it, it contains my certificate.
EDIT:
So a big part of my problem, I assume, is that I have zero experience working with SSL stuff. So this is probably where I fail. I have read through both http://www.libtorrent.org/manual-ref.html#ssl-torrents and http://blog.libtorrent.org/2012/01/bittorrent-over-ssl/
and I am not sure I fully understand it.
I will try to explain how I have interpreted it and you guys can explain why I am wrong :) .
My interpretation:
The publisher of the torrent will include an x509 certificate signed with the publisher's private key.
When a peer receives this torrent it will use the publisher's public key (installed at an earlier time) to verify its authenticity.
If everything is OK, the peer will generate a Certificate Signing Request and sign it with the peer's private key and then send it to the publisher, who signs it and returns a certificate. This is then the certificate that the peer will present to other peers.
Is this correct?
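The CA-and-peer-certificate setup that both libtorrent posts on this page describe (a torrent created with a CA certificate, each client supplying a certificate signed by that CA plus its private key and dhparams), as an added shell example that is not code from either poster or from libtorrent. It assumes openssl is installed; the CA name, peer names and paths are constructed, and the last step checks whether a peer certificate actually chains to the torrent's CA, which is the check a peer's TLS handshake applies.

```shell
# Added example (not from the posts above or from libtorrent): build the CA
# that goes into an SSL torrent, issue per-peer certificates signed by it,
# and verify each peer certificate against that CA. Needs openssl.
set -eu

make_ca() {            # $1 = output dir (constructed path)
    mkdir -p "$1"
    # Self-signed CA; ca.pem is the certificate make_torrent embeds.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example-torrent-ca" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

make_peer_cert() {     # $1 = output dir, $2 = peer name, $3 = CA dir
    # The peer keeps $2.key; only the CSR goes to the CA. The returned
    # $2.pem is what the peer passes to set_ssl_certificate with its key.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$3/ca.pem" -CAkey "$3/ca.key" \
        -CAcreateserial -days 365 -out "$1/$2.pem" 2>/dev/null
}

make_dhparams() {      # $1 = output file; slow, so demo_pki does not call it
    openssl dhparam -out "$1" 2048 2>/dev/null
}

verify_peer() {        # $1 = CA cert, $2 = peer cert; prints ok|untrusted
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

demo_pki() {
    # pc2 is issued its cert by the torrent's CA; pc3 by an unrelated CA,
    # so pc3's certificate does not chain to the CA in the torrent.
    d=$(mktemp -d)
    make_ca "$d/ca"
    make_ca "$d/other-ca"
    make_peer_cert "$d" pc2 "$d/ca"
    make_peer_cert "$d" pc3 "$d/other-ca"
    r2=$(verify_peer "$d/ca/ca.pem" "$d/pc2.pem")
    r3=$(verify_peer "$d/ca/ca.pem" "$d/pc3.pem")
    rm -rf "$d"
    echo "pc2=$r2 pc3=$r3"
}

demo_pki
```

Run verify_peer with the CA certificate taken from the .torrent and the certificate each client was given; a result of untrusted on any peer means that peer was not issued its certificate by the CA the torrent carries.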