No cipher suites in common - restlet

I am trying to get Google Home / API.ai communicating with a simple Java server REST API coded with RESTlet.
I have set up a self-signed developer certificate, as the webhook communication requires HTTPS.
When the webhook tries to communicate with my server I am seeing an error which says SSLHandshakeException: no cipher suites in common.
I have tried adding parameters to the Series and added the enabledCipherSuites parameter with a few cipher IDs I found online, but I am unsure what cipher suites API.ai supports.
Is there a way to accept any ciphers the requests offer, so I can get the communication between API.ai and my webhook working?

I found out from Google that you HAVE to use an SSL certificate from a trusted certificate authority and NOT a self-signed certificate; maybe one day API.AI will update their documentation to mention this.

Related

How to set specific cipher suites in XAMPP for localhost?

Before starting this project, I had never directly worked with API requests. I have learned a lot and I am able to successfully get valid responses from the FedEx and USPS tracking APIs. However, I am unable to get anything besides a 403 Forbidden error when trying to get a response from UPS.
I have been in contact with their tech support and they verified I am using the correct endpoints and credentials, so they said it must be a security issue. I needed an up-to-date certificate, and they gave me a list of supported security ciphers.
TLS 1.2
1. ECDHE-RSA-AES256-GCM-SHA384
2. ECDHE-RSA-AES128-GCM-SHA256
3. ECDHE-RSA-AES256-CBC-SHA384
4. ECDHE-RSA-AES256-CBC-SHA
TLS 1.3
1. TLS_AES_256_GCM_SHA384
2. TLS_CHACHA20_POLY1305_SHA256
3. TLS_AES_128_GCM_SHA256
4. TLS_AES_128_CCM_8_SHA256
5. TLS_AES_128_CCM_SHA256
I followed a guide online to create and sign a server certificate for my localhost. However, I have no idea what to do with the ciphers. When I check the security tab in DevTools, I can see that the cipher used for localhost is AES_256_GCM, protocol TLS 1.3, with key exchange group X25519.
Is there any way I can configure my XAMPP Apache server to have these ciphers only?
UPS Tech support said I should check with my company's IT team or Network Admin but we don't really have one besides me. Any help would be appreciated and I would be happy to share my code for the API call.
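The "no cipher suites in common" error in the RESTlet question and the cipher list in the UPS question are two views of the same condition: a TLS handshake fails when the client's offered cipher list and the server's configured list have no overlap. Two points worth keeping apart here: a 403 Forbidden is an HTTP response, so it arrives only after the handshake has already succeeded, and Apache's SSLCipherSuite governs connections *into* your local server, whereas an outbound call to UPS is negotiated between your HTTP client library and UPS's server. The script below is an added example (not code from either post); it uses `openssl ciphers` to expand two cipher strings in OpenSSL/Apache syntax and reports what they share. The stock `HIGH:MEDIUM:!MD5:!RC4:!3DES` value is assumed to be the Apache 2.4 httpd-ssl.conf default that XAMPP starts from; check your own file. Note the naming: UPS's "ECDHE-RSA-AES256-CBC-SHA384" is an IANA-style name for what OpenSSL calls ECDHE-RSA-AES256-SHA384 and Java calls TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.

```shell
#!/bin/sh
# Added example, not code from either question above. It reproduces the
# condition behind "no cipher suites in common" (Java) / "no shared cipher"
# (OpenSSL): the intersection of the two sides' TLS 1.2 cipher lists is
# empty. Cipher strings use OpenSSL/Apache SSLCipherSuite syntax, so both
# explicit lists and keywords such as HIGH:!aNULL work.
set -eu

# Expand a cipher string into one OpenSSL suite name per line, TLS 1.2 and
# below only: TLS 1.3 suites (TLS_*) are always appended by openssl and are
# negotiated separately, so they are dropped here.
expand_tls12() {
    openssl ciphers "$1" | tr ':' '\n' | grep -v '^TLS_' || true
}

# Print every suite present in both cipher strings, in the first string's
# preference order. Exit status 1 when nothing is shared, i.e. a handshake
# between these two configurations would fail.
common_ciphers() {
    peer=$(expand_tls12 "$2")
    found=1
    for c in $(expand_tls12 "$1"); do
        if printf '%s\n' "$peer" | grep -qx "$c"; then
            echo "$c"
            found=0
        fi
    done
    return $found
}

# The four TLS 1.2 suites from UPS's list, in OpenSSL naming.
UPS_TLS12='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA'
# Stock httpd-ssl.conf value shipped with Apache 2.4 (assumed to be what
# the XAMPP install starts from; check your own file).
XAMPP_DEFAULT='HIGH:MEDIUM:!MD5:!RC4:!3DES'

echo "shared between the stock Apache string and UPS's list:"
common_ciphers "$XAMPP_DEFAULT" "$UPS_TLS12" || echo "  none"

echo "ECDSA-only server vs UPS's RSA-only list:"
common_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256' "$UPS_TLS12" \
    || echo "  none -> this is the 'no shared cipher' case"

# To serve *only* UPS's TLS 1.2 suites from Apache (httpd-ssl.conf):
#   SSLProtocol -all +TLSv1.2 +TLSv1.3
#   SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA
#   SSLHonorCipherOrder on
# TLS 1.3 suites are configured separately on httpd 2.4.37+ with
#   SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
```

Run it against any two cipher strings (for example your client library's list and the peer's published list); an empty result is the handshake failure, and a non-empty one means the problem is somewhere other than cipher negotiation.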

How does Burp Suite intercept HTTPS requests in spite of the encryption?

I was trying to get myself familiarised with basic concepts of https when I came across its encryption, which in a nutshell functions as follows,
Now I have seen QA engineers in my company use this tool called Burp Suite to intercept requests.
What I am confused about is: even though the data flows through an encrypted channel, how can any interception tool like Burp Suite manage to intercept the request?
Just to try it out, I tried to intercept a Facebook request in Burp Suite,
Here you can clearly see the test email test@gmail.com I used in the intercepted request.
Why is this data not encrypted according to HTTPS standards?
Or, if it is, then how does Burp Suite manage to decrypt it?
Thank you.
Meta: this isn't really a development or programming question or problem, although Burp is sometimes used for research or debugging.
If you LOOK AT THE DOCUMENTATION on Using Burp Proxy
Burp CA certificate - Since Burp breaks TLS connections between your browser and servers, your browser will by default show a warning message if you visit an HTTPS site via Burp Proxy. This is because the browser does not recognize Burp's TLS certificate, and infers that your traffic may be being intercepted by a third-party attacker. To use Burp effectively with TLS connections, you really need to install Burp's Certificate Authority master certificate in your browser, so that it trusts the certificates generated by Burp.
and following the link provided right there
By default, when you browse an HTTPS website via Burp, the Proxy generates a TLS certificate for each host, signed by its own Certificate Authority (CA) certificate. ...
Using its own generated cert (and matching key, although the webpage doesn't talk about that because it isn't visible to people) instead of the cert from the real site allows Burp to 'terminate' the TLS session from the client, decrypting and examining the data, and then forwarding that data over a different TLS session to the real site, and vice versa on the response (unless configured to do something different like modify the data).
... This CA certificate is generated the first time Burp is run, and stored locally. To use Burp Proxy most effectively with HTTPS websites, you will need to install Burp's CA certificate as a trusted root in your browser.
This is followed by a warning about the risks, and a link to instructions to do so.
Having its own CA cert trusted in the browser means that the generated cert is accepted by the browser and everything looks mostly normal to the browser user (or other client).

HTTPS api call not working with sha2 ssl

I have been using an external API accessible via HTTPS (SHA-1 SSL certificate), and now the external API system has upgraded to SHA-2. When I hit the API, I get the exception below.
Connecting to test.demo.com|10.200.100.101|:8443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.
Update:
Comments from the external API team: earlier the SSL protocol was used, and now TLS (TLSv1.2) is being used in the new setup (SSL was an expired protocol).
Based on the description above (without an actual code snippet), you need to check if your client application has the appropriate protocol specified (if they changed it on the server to TLS v1.2, you need to change it in your client as well). Great link regarding different TLS versions.

Verify what client authentication certificates are sent to server?

Is there a way, in the browser or through some tool, to see what SSL certificate (client authentication) was sent to the server in a request?
I'd start with something like Burp Suite (Free Edition). It's a darn good proxy for... lots of things.
If your server negotiates the client certificate during the initial handshake (without renegotiation), you should be able to see it using Wireshark: you should see a Certificate message coming from the client (not the one coming from the server), after a Certificate Request message sent by the server.
If renegotiation is used, this is more complicated.
SSL MITM tools (like Fiddler) won't be of any help, since they perform their own handshakes. Such tools can be configured to fool the client into believing they are the real server, by having the client trust their fake server certificate (a trust setting the user can generally set on the client). However, this doesn't work when using a client certificate, unless the tool performing the handshake (the SSL MITM tool in this case) was handling the client certificate itself. Otherwise the verification message at the end (which the server uses to verify that the client has the private key for the client certificate) would fail. Some of these tools can indeed be configured with a client certificate, but you need to set them up with the corresponding private key: in this case you would know which client certificate was used.
Another way to check would be to check what the browser itself does. How to do it may depend on the browser. Environment variables like SSLDEBUG might be of interest when using Firefox.

Need to provide complete chain of certificate for open ssl

I had installed SSL certs on one of my cloud servers by following this:
http://www.rackspace.com/knowledge_center/article/installing-an-ssl-certificate-on-apache
I am running the Jetpack plugin on my WordPress blog. The Jetpack plugin is not connecting to WordPress. I have talked with the Jetpack support guys and they say this:
Support Reply
"The problem is that OpenSSL doesn't recognize your certificate's Certificate Authority's certificate. The reason that URL works in browsers is because most modern browsers allow for certificate discovery by reading the "Authority Information Access" metadata from the certificate, which contains a URL from which the browser can download the CA's certificate. OpenSSL does not.
The best solution is if you can configure your webserver to supply the entire SSL certificate chain, rather than just your own certificate. That's what we do on WordPress.com. Sending the entire chain will also make your sites more compatible with older (and I believe some mobile) browsers."
Can anyone describe how I can install or provide the entire certificate chain?
Thanks
These pages might help with setting up a CA and then creating a certificate: https://help.ubuntu.com/community/OpenSSL#SSL_Certificates
https://help.ubuntu.com/12.04/serverguide/certificates-and-security.html
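Both the Jetpack chain problem above and the Burp Suite answer earlier on this page come down to how a client builds a path from the server's certificate to a root it trusts. The script below is an added example (not code from either thread, and not Burp's or WordPress.com's own procedure): it builds a throwaway PKI with openssl and shows, first, that a server sending only its leaf certificate fails OpenSSL path validation until the intermediate is supplied in a full-chain file, and second, that a certificate forged by a proxy's own CA (here "Proxy CA", standing in for Burp's generated CA) validates only once that CA is trusted. All names (Example Root CA, Example Issuing CA, blog.example.test, Proxy CA) are made up for the demonstration.

```shell
#!/bin/sh
# Added example; not code from either thread it illustrates. Builds a
# throwaway PKI with openssl to show (1) why OpenSSL rejects a server that
# sends only its leaf certificate and how a full-chain file fixes it, and
# (2) why an intercepting proxy such as Burp works only after its own CA is
# trusted. All names below are made up for the demonstration.
set -eu
workdir=$(mktemp -d)
cd "$workdir"

# Minimal openssl config so the run does not depend on /etc/ssl/openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA. $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Certificate issued by a CA. $1 = output prefix, $2 = common name,
# $3 = issuing CA prefix, $4 = "ca" (intermediate) or "leaf" (server cert).
issue_cert() {
    if [ "$4" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
    else
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1.ext"
    fi
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# Path validation as a client would do it. $1 = trusted root file,
# $2 = file of extra untrusted certificates the server sent (/dev/null when
# the server sent only its leaf), $3 = leaf. Exit 0 = chain built to root.
verify_leaf() {
    if [ -s "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# 1. Chain provisioning: root (trusted by clients) -> intermediate -> site.
make_ca root "Example Root CA"
issue_cert issuing "Example Issuing CA" root ca
issue_cert site blog.example.test issuing leaf

verify_leaf root.pem /dev/null site.pem || echo "leaf only: verification FAILS (no path to root)"
cat site.pem issuing.pem > fullchain.pem   # leaf first, then intermediate(s)
verify_leaf root.pem fullchain.pem site.pem && echo "leaf + intermediate: OK"
# Apache: SSLCertificateFile fullchain.pem (httpd 2.4.8+ reads the extra
# certificates from it); on older httpd use SSLCertificateChainFile issuing.pem.

# 2. Intercepting proxy: its own CA signs a fresh certificate for the same host.
make_ca proxy "Proxy CA"
issue_cert forged blog.example.test proxy leaf

verify_leaf root.pem /dev/null forged.pem || echo "forged cert vs real root: FAILS (browser warning)"
verify_leaf proxy.pem /dev/null forged.pem && echo "forged cert vs Proxy CA: OK (once the CA is installed)"
```

The same `openssl verify -CAfile root -untrusted chain leaf` check is what to run against what your server actually sends (`openssl s_client -showcerts` will dump it): if the leaf validates only when you hand openssl the intermediate yourself, the server is not serving the chain.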