ActiveMQ and SSL server authentication - ssl

I am trying to implement ActiveMQ ssl connection with server authentication.
When I try to connect I get :
Server Certificate name doesn't not match the uri host name value
According to ActiveMQ documentation :
You should note that in order to validate that the certificate that the broker sends is the one we want we must validate the "Common Name (CN)" field from the certificate against the host-name in the URI. If you have trouble connecting to the broker one of the first things to check is if your host-name matches the broker certificate common name.
My problem is that my server can have multiple names which are specified in the SubjectAlternativeName.
Can I change the ActiveMQ server certificate validation to ignore the CN, or to search also in the SubjectAlternativeName section?

Related

SSL Cert Validation between Client and Server

I have some confusion on the SSL Certificate Validation in a Client - Server model.
This is what happens as all of you know
Client (C), Server(S), PublicKey(PB), PrivateKey(PK), ServerSSLCert(SR)
CABundle(Root + Intermediate) - (CAB)
As you know, the client always attaches the CAB file when connecting/communicating with the server; no server certs are attached (correct me if I am wrong).
This is the flow:
Client Sends Hello with all needed Details to Server
Server Validates the needed things and Sends the Cert to Client
==> So the confusion here is ... What is the certificate that the server sends - is it a Root/Intermediate/Server Cert it exchanges with the client?
==> Will the Client validate the ServerName (hostname -f) against what is in the Certificate's CN/Subject?
==> Assume the Servername has an ALIAS/CNAME (ABCD.dmn.com (real hostname is server.dmn.com)).
Since the Client has ABCD.dmn and the Subject in the Server cert will be different, will it validate at the network level that both are the same IP and move further, (or) are the names different, thus the client is unable to validate and fails?
Can someone please explain.

Tomcat/Java Truststore confusion

I am rather confused by the purpose of the truststore file in a Tomcat server,
i.e. the use of the truststoreFile parameter when setting up a TLS enabled connector.
According to the tomcat docs:
truststoreFile
The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is set, no trust store will be configured.
To me this is telling me that for an inbound connection to my Tomcat server, this is where I would store certificates that a client would present (e.g. a user's browser).
Would I really put 3rd party CA certificates here, or other 3rd party server certificates, if my Tomcat server wants to make an outbound connection to a TLS enabled server (e.g. an LDAPS server)?
As per my understanding the place to do this is the cacerts file.
Is my understanding of the truststore wrong?
Yes, you are right, it is quite confusing.
If you need to make an outbound connection to a 3rd party, you need to add the certificates to cacerts.
There is a very popular "signing, validation, etc." service for government-owned companies here in Spain, #firma, that just changed its wildcard server certificate and we had to add it to cacerts.

How can I fix Error code: SSL_ERROR_BAD_CERT_DOMAIN after installing certificate?

My web server's FQDN is foo.bar.com
It is aliased and most commonly accessed at baz.bar.com
I had an SSL certificate generated by our netsec guys and I installed it on the server and enabled the site. Now I am receiving Error code: SSL_ERROR_BAD_CERT_DOMAIN because the certificate is only for foo.bar.com, not baz.bar.com.
How can I get this resolved?
The hostname in the URL you use to access a site must match a subject of the certificate. This means if you want to access the site as both baz.bar.com and foo.bar.com you either need a certificate which contains both or need two certificates and serve the certificate based on the request name. In the last case the client must support SNI if both names point to the same IP address.
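The name check behind the ActiveMQ question above and this SSL_ERROR_BAD_CERT_DOMAIN answer is the same rule: if the certificate carries a SubjectAlternativeName, the name in the URL must match one of its DNS or IP entries, and the CN is only consulted when there is no SAN. The following is an added example, not code from any of the posts or from ActiveMQ; it implements that rule over certificates written in the dict shape Python's `ssl.getpeercert()` returns, with constructed sample certificates for foo.bar.com/baz.bar.com.

```python
import ipaddress

# Constructed samples in the shape ssl.getpeercert() returns; not real certificates.
CERT_CN_ONLY = {"subject": ((("commonName", "foo.bar.com"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "foo.bar.com"),),),
    "subjectAltName": (("DNS", "foo.bar.com"), ("DNS", "baz.bar.com"),
                       ("IP Address", "192.0.2.10")),
}
# CN names foo.bar.com, but the SAN does not: with a SAN present the CN is ignored.
CERT_SAN_WITHOUT_CN = {
    "subject": ((("commonName", "foo.bar.com"),),),
    "subjectAltName": (("DNS", "baz.bar.com"),),
}


def dns_name_matches(pattern, hostname):
    """Case-insensitive DNS-ID match; '*' is allowed only as the whole leftmost label
    and must be followed by at least two labels (no '*.com'), per RFC 6125."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """Return (dns_names, ip_names) the certificate may be used for.
    SAN entries take precedence; the CN is a fallback only when the SAN has no names."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if not dns_names and not ip_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_names


def verify_hostname(cert, hostname):
    """True if the hostname (or IP literal) from the URL is covered by the certificate."""
    dns_names, ip_names = certificate_names(cert)
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:  # not an IP literal, so compare against DNS names only
        return any(dns_name_matches(p, hostname) for p in dns_names)
    return any(ipaddress.ip_address(ip) == addr for ip in ip_names)
```

With CERT_CN_ONLY, `verify_hostname` accepts foo.bar.com and rejects baz.bar.com, which is exactly the condition the browser reports as SSL_ERROR_BAD_CERT_DOMAIN.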

IIS 7 Non SSL site loading certificate of another site's

I have an IIS 7 server hosting a few different sites. Recently I purchased and installed an SSL certificate on one of the sites. Both the http and https bindings are set up with host headers xxx.com and www.xxx.com.
But now I discover that another site with no SSL is loading the certificate and shows the untrusted cert error when accessed through https.
Can I know how I can stop the other non-SSL sites from loading the certificate?
Thank you.
I assume that:
you are using the server on a single IP address,
provide service for multiple names on this single IP address,
have configured SSL for some of the names but not for others.
This means that:
The server is listening on this specific IP address for SSL connections.
The server can only decide after receiving the initial SSL request from the client (ClientHello) which certificate it should use. The client has to use SNI (server name indication) to tell the server which hostname it expects. Most newer clients support this, but for example IE8/XP does not.
Since the server has to listen for SSL connections on this IP address it can happen that it receives an SSL request for a hostname for which it has no certificate configured. In these cases a server could do the following:
Use some other certificate it has configured. This is what your server is doing. This results in an error on the client about an invalid certificate since the name in the certificate does not match the expected name.
Simply close the connection or issue some SSL error. This would result in an SSL handshake error on the client which browsers usually display in a way so that end users are not able to understand what's going on. For the browser the situation is simply a server error and the server is not able to give the browser more detailed information (this is not part of the SSL protocol).
If you don't like any of these two problems you must serve the non-SSL hosts from a different IP address than the SSL hosts, so that the server will not even listen on the SSL port for connections for the non-SSL hosts.
I hope this explanation helps with your problem. If you have now specific questions about the configuration of the server to achieve the outlined solution you should ask them at serverfault.com instead.

what are address-bound/domain-bound certificates?

I have a requirement to host address-bound or domain-bound certificates in either DNS CERT records or LDAP servers that are discoverable by other parties.
I tried to search on the internet about them but didn't get much information.
So basically I need some link or some little explanation about address-bound or domain-bound certificates.
Thanks.
X.509 certificates, when used for authentication of servers during the SSL/TLS handshake, include the server's host name or IP address in the Subject.CommonName field and/or in the corresponding field of the SubjectAlternativeName extension. This information restricts the use of the certificate to a certain host and also identifies the host. When the client connects to host A using IP address 1 and receives a certificate issued for host B and/or IP address 2, this is evidence of either a misconfigured server, a fake server or a stolen certificate. In these cases the security of the communication cannot be guaranteed.
What you are asking for are not standard terms, that's why you can't find information about them. The certificate can have both host name (or several) and IP address (or several) in it, so the certificate can't be called strictly "something-bound".