In OpenShift Origin 3.6, with advanced installation method, I configured custom TLS certificate for the web console and for the router.
For the web console, the parameters I used in the Ansible inventory are:
openshift_master_named_certificates=[{"certfile": "/root/star.paas.certs/star.paas.local.cert.pem", "keyfile": "/root/star.paas.certs/star.paas.local.key.pem", "names": ["master.paas.local"], "cafile": "/root/star.paas.certs/ca-chain.cert.pem"}]
openshift_master_overwrite_named_certificates=true
And for the router, the parameters are:
openshift_hosted_router_certificate={"certfile": "/root/star.paas.certs/star.paas.local.cert.pem", "keyfile": "/root/star.paas.certs/star.paas.local.key.pem", "cafile": "/root/star.paas.certs/ca-chain.cert.pem"}
On the TLS certificate side, a custom Certificate Authority has been created and saved to file ca-chain.cert.pem. And a custom Certificate based on this CA has been generated (star.paas.local.key.pem and star.paas.local.cert.pem).
As you may have noticed, I use the same certificate chain for the OpenShift web console (served in my case at master.paas.local:8443) and for the embedded router (for apps routed as https://*.paas.local).
Then, when I want to access the web console, the prerequisite is to import the root CA into my browser.
The point is: when I use Chromium and go to master.paas.local:8443, the connection is considered unsecured (NET::ERR_CERT_AUTHORITY_INVALID). And when I ask for more information, I notice that the certificate hierarchy is incomplete:
Certificate details in Chromium
Interestingly, this does not happen in Firefox, which is the only browser known to me that behaves the expected way:
Certificate details in Firefox
On the opposite, all the TLS-secured public routes served by OpenShift for my apps are considered secured by all the browsers I tested, with the very same certificate chain as the one I use for the web console.
Is there a working way to make openshift(-ansible) take my custom CA into account when serving the web console in all modern browsers?
It seems to me that OpenShift web console does not send root/intermediate CA during TLS handshake.
The ansible playbook appears to support providing a cafile for named_certificates, and places the files. However the running system doesn't support the cafile key, so it is ignored. If you provide the certfile as a full bundle (bundle+cert) then it should start working.
I submitted a PR to the playbook to handle this task.
Related
I was trying to get myself familiarised with basic concepts of https when I came across its encryption, which in a nutshell functions as follows,
Now I have seen QA engineers in my company use this tool called burp-suite to intercept request.
What I am confused about is even though the data flows through an encrypted channel, how can any interception tool like burp-suite manage to intercept the request.
Just to try it out I tried to intercept facebook request in burp-suite,
Here you can clearly see the test email test#gmail.com I used in the intercepted request.
Why is this data not encrypted according to https standards?
Or if it is then how do burp-suite manage to decrypt it?
Thank you.
Meta: this isn't really a development or programming question or problem, although Burp is sometimes used for research or debugging.
If you LOOK AT THE DOCUMENTATION on Using Burp Proxy
Burp CA certificate - Since Burp breaks TLS connections between your browser and servers, your browser will by default show a warning message if you visit an HTTPS site via Burp Proxy. This is because the browser does not recognize Burp's TLS certificate, and infers that your traffic may be being intercepted by a third-party attacker. To use Burp effectively with TLS connections, you really need to install Burp's Certificate Authority master certificate in your browser, so that it trusts the certificates generated by Burp.
and following the link provided right there
By default, when you browse an HTTPS website via Burp, the Proxy generates a TLS certificate for each host, signed by its own Certificate Authority (CA) certificate. ...
Using its own generated cert (and matching key, although the webpage doesn't talk about that because it isn't visible to people) instead of the cert from the real site allows Burp to 'terminate' the TLS session from the client, decrypting and examining the data, and then forwarding that data over a different TLS session to the real site, and vice versa on the response (unless configured to do something different like modify the data).
... This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.
This is followed by a warning about the risks, and a link to instructions to do so.
Having its own CA cert trusted in the browser means that the generated cert is accepted by the browser and everything looks mostly normal to the browser user (or other client).
I'm trying to setup a development environment on my machine for an ASP.NET MVC project where client certificates are requested when trying to reach certain controllers.
I've enabled SSL on the project through project properties on VS Studio, I've also imported IISExpress self-signed certificate into trusted CAs in my browser and the client certificate into personal certificates in the browser.
Now, when I try to reach the controller where the certificate is requested, my browser opens a list to select the appropiate certificate, but the certificate matching the IISExpress one doesn't appears in the list, although it's on the certification store on the browser.
Any idea about what to do next?
Recently, my Test Worklight server has been configured and secured via https protocol and SSL setup (CA certificate is added).
However, my mobile app cannot connect to the WL server now and get an error. Before, it can connect to the WL server normally with http protocol.
I did some tests (exmaples for Auto Provisioning and Custom Provisioning - module_25_0_CustomDeviceProvisioningCustomProvAppAndroid) based on the Device_Provisioning_concepts.pdf document, but they didn't work on Test env.
I think it should be that some settings were not configured successfully, so that WL server didn't issue the certificate to the mobile app. I am not sure.
Any idea?
Information:
WL servsion: 5.0.6.1, Enterprise Version;
Not install the App center mobile application firstly, just install MyApp via the web url of App Center;
Hybrid application
[ERROR] [https://serverhost:9443/demo/apps/services/api/AuthDemo/iphone/query] Host is not responsive.
As Anton said, the certificate is not being trusted by the mobile device. The reason you get a 'Host is not responsive' error is because the SSL handshake failed because the device did not trust the server's certificate, so an HTTPS connection was never created, and it interprets it as if it did not find the server, because the SSL handshake occurs at a lower level than HTTP, and it cannot distinguish between both cases. If you want to see the SSL errors, you will have to use a program like Wireshark or Charles to look at the network traffic.
If you want to use this untrusted CA certificate, you will have to manually import the CA certificate to the device's trusted certificate store so that the device trusts . This varies from platform to platform. For example, on Android and iOS, you can email the certificate to the device (it has to be in .crt format), and then when you open it, the device will let you import the certificate. After manually trusting the certificate, the application should work.
Try to open Worklight console from you device's browser. Most probably it will notify you about invalid certificate (popup and/or icon in the address bar). In case it does - the certificate you've purchased is not trusted by mobile phones. You should ask CA for a certificate trusted by Apple/Google browser.
I working to develop small HTTPS server that will be included in my android application. And the client will be browser. User can browse to the contain that I have on my HTTPS server. Can someone tell me what kind of setup do I need as far as the certificate and private/public keys are concerned. I am planning to use openssl to create my self-signed certificate.
FYI, I have initial setup done. And since my certificate is self-signed, browser displays warning to accept it on your own risk. So I believe server authentication is working. What do I need for server to authenticate the client ?
Thanks
The problem with hosting an HTTPS webserver on an android device is that the certificates are validated using a domain name. Without a domain name the client browser will display an error unless the server certificate is installed and trusted locally.
The two options are:
Register a domain name, use dynamic dns, and then request an ssl/tls certificate based on that name.
Installing self-signed certificate programmatically
There is an Android library that supports https: http://tjws.sourceforge.net/
I have Azure app containing 4 sites in a single web role (differentiated by host headers). I setup the sites to run over SSL. I issued 2 self signed certificates: 1 as CA installed into Trusted Root CAs store and 1 wildcard SSL certificate (issued using the first one).
The application runs, however I'm getting certificate error 'Mismatched address' in Azure Compute Emulator. I examined the mismatched certificate and found out it is not the one specified in service configuration. I went into IIS management console and checked the bindings - there was no cert set for my sites. So I setup the wildcard certificate manually in the site bindings. But in browser I still have mismatched certificate, still the one for 127.0.0.1 (comming with DevFabric). How can I make the IIS to return the correct certificate configured for the site?
(I have some services in the web sites consumed by Silverlight application and it does not work when there is forced manual confirmation of the certificate by user.)
Thanks!
Are you sure that you really access the service using https://127.0.0.1 and not using https://localhost?