React-native websocket TLS Connection - ssl

I am trying to use websocket to connect to a TLS server using react-native. Below is my code (running on windows + android ):
var ws = new WebSocket('wss://hub.fingi-staging.com:20020',{
rejectUnauthorized: false
});
ws.onopen = () => {
// connection opened
ws.send('something'); // send a message
};
ws.onmessage = (e) => {
// a message was received
console.log('message : ' + e.data);
};
ws.onerror = (e) => {
// an error occurred
console.log('error:'+e.message);
};
ws.onclose = (e) => {
// connection closed
console.log('close:'+e.code, e.reason);
};
However, it fails with : error:java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. This is because the server uses a self signed certificate.
Is there any way to fix this?

Replying a bit late, but hopefully this can point other people in the right direction.
I believe the error you are getting suggests you are missing the certificate chain file, which is used to verify if the CA used to sign your server's certificate is valid, i.e if the chain of trust is valid.
This, however, usually fails (is troublesome, at least) if you are working with self signed certificates. You can take a look here if you need some help generating some self-signed certificates and the appropriate certificate chain. Also, see if you need to specify the trusted CA's by having the client use that file as a parameter when connecting.
I have been struggling with setting up a secure websocket server using a self sign certificate (for development purposes, in production a proper certificate/CA must be used) but haven't had much success and reverted back to using non-TLS websocket server.

If anyone else happens to be struggling with implementing secure websocket connections in React-Native, here is what I found tonight: React-Native wants to use port 443 when working with secure websocket connections.
Let's take the original poster above's code. He has:
var ws = new WebSocket('wss://hub.fingi-staging.com:20020',{
rejectUnauthorized: false
});
What I've found that works for me is:
var ws = new WebSocket('wss://hub.fingi-staging.com');
And then on your WebSocket server, make sure you are serving everything up on port 443, and not port 20020 (or whatever port you happened to be using previously). For example, my Python websocket server was previously using port 8765. However, in React-Native you need to be using port 443 for secure websocket connections or things simply aren't going to work.

Related

How to connect to RabbitMQ server with TLS without certificate in Node

I need help connecting to RabbitMQ with TLS using Node.
The client gave us credentials for connecting to their RabbitMQ server.
They say we don’t need any certificates for TLS connection, and I’m using NodeJS.
We’re getting this error.
OperationalError: certificate has expired
We’re trying to use this Node client library https://github.com/amqp-node/amqplib and in their SSL guide(https://amqp-node.github.io/amqplib/ssl.html) it’s written
If you're not going to use a client certificate, you need only to make sure you will trust the server certificate:
var opts = {
ca: [fs.readFileSync('cacert.pem')]
};
this is our current code
const conn = await connect({
hostname: process.env.RABBITMQ_HOST,
port: Number(process.env.RABBITMQ_PORT),
username: process.env.RABBITMQ_USER,
password: process.env.RABBITMQ_PASSWORD,
vhost: process.env.RABBITMQ_VHOST,
protocol: 'amqps',
}

How to create a self-signed cert for a local hosted wss:// server

I am attempting to create a windows service that opens a secure web socket and listens for connections on a certain port (wss://localhost:1234). The sample code includes referencing a certificate for the server to use:
var serverCertificate = new X509Certificate2(certificatePath, "mypassword");
This works fine.
The issue happens when the a client attempts to connected:
using (SslStream n = new SslStream(client.TcpClientInstance.GetStream()))
{
n.AuthenticateAsServer(serverCertificate, clientCertificateRequired: false, enabledSslProtocols: System.Security.Authentication.SslProtocols.Tls12, checkCertificateRevocation: false);
This line errors out with a generic "A call to SSPI failed, see inner exception", "InnerException = {"An unknown error occurred while processing the certificate"}":
This occurs with a self-signed cert registered in the Trusted Root Certificate Authorities.
Interestingly enough if I use the generic localhost cert generated by Visual Studio it works.
Any thoughts welcome.
TIA
Might solve your issue.
Create a sub-domain like sub-domain.domain.com ( using your actual domain )
With an A record to 127.0.0.1
Request a SSL certificate for sub-domain.domain.com
When you open a connection to sub-domain.domain.com it will be valid and should resolve to 127.0.0.1 which is where your "server" is listening.

SAP HANA XSA Node.js Express HTTPS (SHINE)

I try to understand, how the HTTPS connection works for the SAP-Shine sample.
https://github.com/SAP-samples/hana-shine-xsa/blob/master/core-node/server.js
For me it looks so different to the standard express logic, where we create a HTTPS server, like this sample:
var key = fs.readFileSync(__dirname + '/../certs/selfsigned.key');
var cert = fs.readFileSync(__dirname + '/../certs/selfsigned.crt');
var options = {
key: key,
cert: cert
};
var server = https.createServer(options, app);
In opposite of this known sample above, SHINE is using the following procedure:
https.globalAgent.options.ca = xsenv.loadCertificates();
The npm xsenv-documentation says, that
"this code loads the trusted CA certificates so they are used for all subsequent outgoing HTTPS connections:"
Does it really mean, that we have only after putting the CA certificate to the globalAgent a running outgoing HTTPS connection?
Really, if I would know, I would like to check it for myself. But I only found hints for checking https connection for incoming requests, and rather not for outgoing connections.
Sorry, if my question sounds stupid, but I try to understand!
Please, let me know if I missed something in the configuration for a properly working outgoing HTTPS connection.

activemq-cpp c++ client how to use ssl url to connect server

I am currently using the activemq-cpp c++ client to connect to the backend server. When using the TCP protocol, it is possible to communicate. I am using the example above at https://activemq.apache.org/components/cms/example. But now I need to use the SSL protocol. My code is as follows:
brokerURI ="failover:(ssl://xxxx:61617)";
auto connectionFactory = new ActiveMQConnectionFactory(brokerURI);
connectionFactory->setUsername(username);
connectionFactory->setPassword(password);
connection = connectionFactory->createConnection();
connection->start();
I got stuck in the start function and didn't throw any exceptions. I don't know why. Could give me a simple c++ ssl code connection demo for me to learn? Thank you.
The [example][1] documents the SSL configuration that you need to do, which is to tell the library where the key store, and trust store (and password) live.
// SSL:
// =========================
// To use SSL you need to specify the location of the trusted Root CA or the
// certificate for the broker you want to connect to. Using the Root CA allows
// you to use failover with multiple servers all using certificates signed by
// the trusted root. If using client authentication you also need to specify
// the location of the client Certificate.
//
// System::setProperty( "decaf.net.ssl.keyStore", "<path>/client.pem" );
// System::setProperty( "decaf.net.ssl.keyStorePassword", "password" );
// System::setProperty( "decaf.net.ssl.trustStore", "<path>/rootCA.pem" );
//
// The you just specify the ssl transport in the URI, for example:
//
// ssl://localhost:61617
//

How to get Remote server untrusted SSL certificate using Apache HTTP Client API

I have a remote server which may or may not be running using a valid SSL cert (using self-signed SSL cert).
We are making connection to remote server, which may fail if remote server is using self-signed SSL cert. So, we want to be able to download/view the remote server cert if our SSL handshake fails.
If I use Apache HTTP Client then I couldn't find a method which could allow me to view remote server certificate (you can do it with HttpsURLConnection but we are trying to avoid using it see this example).
I also looked into Spring RestTemplate, and it didn't provide any option either - I searched on Google and didn't find anything around Spring or Apache HTTP Client.
This should give you pretty much a complete control over the process of trust verification.
SSLContext sslContext = SSLContextBuilder.create()
.loadTrustMaterial((chain, authType) -> {
for (X509Certificate cert: chain) {
System.out.println(cert.getSubjectDN());
}
// Let the standard trust managers decide
// whether or not the cert chain is trusted
return false;
})
.build();
CloseableHttpClient client = HttpClientBuilder.create()
.setSSLContext(sslContext)
.build();