I want to install SSL (a Comodo wildcard certificate, e.g. "*.test.com")
in the Vapor web framework. The "servers.json" I have is:
{
    "default": {
        "port": "$PORT:443",
        "host": "api.test.com",
        "securityLayer": "tls",
        "tls": {
            "certificates": "chain",
            "certificateFile": "/path/ssl-bundle.crt",
            "chainFile": "/path/ssl-bundle.crt",
            "privateKeyFile": "/path/key.pem",
            "signature": "signedFile",
            "caCertificateFile": "/path/AddTrustExternalCARoot.crt"
        }
    }
}
I have already made sure that the public/private key pair matches, using the openssl command. As for the certificateFile part ("ssl-bundle.crt"), I also tried "*.test.com.crt" with the "key.pem" (this still passes validation with openssl; the only difference is that one is test.com's certificate and the other is the bundle certificate, already combined in the correct order). Besides, all the certs and the key are in the correct format. I have also made sure that the cert/key file locations are correct so that Vapor can find the files. But I still can't launch the server correctly, and it always displays the error.
I tried to locate the exact spot in Xcode, but I can only see that it fails in this method: "tls_accept_fds()", which is in tls_server.c of the CLibreSSL library.
Also, I saw the error message Xcode displayed to me:
After using debug mode to trace it, I can only tell that the program seems to throw the error in "SSL_set_rfd()" or "SSL_set_wfd()", but I don't know exactly. Xcode only shows this to me, and I can't find any other error messages in the debug console. As a result, so far I can only be sure that the error is in this block:
int
tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
{
    struct tls *conn_ctx = NULL;

    // I pass this block
    if ((ctx->flags & TLS_SERVER) == 0) {
        tls_set_errorx(ctx, "not a server context");
        goto err;
    }

    // I pass this block
    if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
        tls_set_errorx(ctx, "connection context failure");
        goto err;
    }

    // I pass this block
    if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
        tls_set_errorx(ctx, "ssl failure");
        goto err;
    }

    // I pass this block
    if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
        tls_set_errorx(ctx, "ssl application data failure");
        goto err;
    }

    // The error occurs here, in SSL_set_rfd or SSL_set_wfd; it then goes to the err part
    // ("*cctx = NULL;") without even going into the if block.
    if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
        SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
        tls_set_errorx(ctx, "ssl file descriptor failure");
        goto err;
    }

    *cctx = conn_ctx;

    return (0);

err:
    tls_free(conn_ctx);
    *cctx = NULL;

    return (-1);
}
So, the above is all the info I have right now, and I haven't been able to find a solution on the internet for several days already...
Could anyone give me a hint about how to install SSL in the Vapor web framework? I can already install SSL correctly in Apache, Nginx, Tomcat, etc., but I have never succeeded in Vapor. It seems like a C library issue, but I don't know the real reason why it fails. Thank you very much for any possible help.
The bug has been found and fixed here: https://github.com/vapor/tls/pull/27
Related
I am using scp2 to copy a file to targetPath. config contains host, username, privateKey, path and port.
const client = require('scp2');

export function scpAsync(config, targetPath) {
    return new Promise((resolve, reject) => {
        client.scp(config, targetPath, err => {
            if (!err) {
                resolve();
            } else {
                const errorMessage = err;
                reject(errorMessage);
            }
        });
    });
}
When doing so I am getting the error:
Error: Timed out while waiting for handshake
I tried to pass also
promptForPass: false
but it did not change anything. Besides that, I used debug mode, which told me that I am connected to the server, and I set a higher setTimeout, but then the error just comes later. I was checking the documentation of scp2 and their GitHub. I use the function as explained there (https://www.npmjs.com/package/scp2), and regarding the error they could fix it with a higher setTimeout (https://github.com/spmjs/node-scp2/issues/107). I tried with a local ftp server, ngrok and ftp on an ec2 instance, all with the same problem.
I would be happy to get help. I asked this question also on superuser but did not get an answer:
https://superuser.com/questions/1576964/error-timed-out-while-waiting-for-handshake
I am using the strong-soap node module (but with node-soap it is the same result) to connect to SOAP services.
In the first step I am creating the client and trying to call one method, in this case the "doLogin" method.
My code is:
const soap = require('strong-soap').soap; // (added) the module the question says it uses

soap.createClient(url, clientOptions, (err, client) => {
    var loginApi = { UserName: "xxxx", Password: "xxxxxx" };
    var loginUser = {
        userName: "comercial#xxxxx.com"
    };
    client.addSoapHeader(header);
    //client.setSecurity(new soap.BasicAuthSecurity(loginApi));
    // we now have a soapClient - we also need to make sure there's no `err` here.
    client.doLogin(loginUser, (err, result) => {
        //'result' is the response body
        console.error(err);
        console.log("Result: \n" + JSON.stringify(result));
    });
}); // (added) closing of the createClient callback, missing from the post
But the variable err is returning this error in the console:
{ Error: unable to verify the first certificate
at TLSSocket.<anonymous> (_tls_wrap.js:1105:38)
at emitNone (events.js:106:13)
at TLSSocket.emit (events.js:208:7)
at TLSSocket._finishInit (_tls_wrap.js:639:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:469:38) code:
'UNABLE_TO_VERIFY_LEAF_SIGNATURE' }
and result is undefined.
Why is this error happening?
Is result undefined because of the error?
I have faced the same error, unable to verify the first certificate.
This is because the SSL certificate isn't verified.
When your Node.js script calls your server, it is going to carry out the full TLS check process (as you would hope). This will check the certificates for validity etc.
To work around this issue, you can run the following steps:
npm config set strict-ssl false
As a best practice, it is wise to set it back to true afterwards so you do not accidentally install an untrusted module that you actually do not trust.
After this,
npm cache clean --force
Add the following environment variable:
NODE_TLS_REJECT_UNAUTHORIZED=0
For Linux:
export NODE_TLS_REJECT_UNAUTHORIZED=0
For Nginx
NODE_TLS_REJECT_UNAUTHORIZED=0
For Windows:
this will set for only current command prompt screen,
set NODE_TLS_REJECT_UNAUTHORIZED=0
This solved the issue for me. Please try it.
Note: Make sure you do not leave this option on in production. Please don't disable TLS checks at all.
FIXED:
I have added correct certificates and rejectUnauthorized: false to create client and added "envelope" directive to the headers and now it is working.
I donĀ“t like the instruction rejectUnauthorized: false by security topics and I would like to know how to remove this in production environment.
Thank you!!
I am trying to write a simple electron app to interface with a REST server. The server doesn't have the appropriate certificates. When I try to make a 'GET' request (using fetch()), I get the following error message:
Failed to load resource: net::ERR_BAD_SSL_CLIENT_AUTH_CERT
Fixing the certs is not currently an option. I tried to use the 'ignore-certificates-error' flag (see below). It seems like it should allow me to skip over this error, but it doesn't.
var electron = require('electron');
var app = electron.app;
app.commandLine.appendSwitch('ignore-certificate-errors');
...
The result is the same error.
Questions:
Am I correct in assuming this option is supposed to help here?
If so, any ideas what I am doing wrong?
Electron version: 1.2.8
Thanks!
You can update your version of electron and use this callback:
app.on('certificate-error', (event, webContents, link, error, certificate, callback) => {
    if ('yourURL/api/'.indexOf(link) !== -1) {
        // Verification logic.
        event.preventDefault();
        callback(true);
    } else {
        callback(false);
    }
});
so that you can do the fetch to your API with https.
I'm starting to learn golang and I'm trying to make a simple http client that will get a list of virtual machines from one of our oVirt clusters. The API that I'm trying to access has a self-signed certificate (auto generated during the cluster installation) and golang's http.client encounters a problem when serializing the time from the certificate. Below you can find the code and the output.
package main

import (
    "crypto/tls"
    "fmt"
    "io/ioutil"
    "net/http"
)

func do_request(url string) ([]byte, error) {
    // ignore self signed certificates
    transCfg := &http.Transport{
        TLSClientConfig: &tls.Config{
            InsecureSkipVerify: true,
        },
    }
    // http client
    client := &http.Client{Transport: transCfg}
    // request with basic auth
    req, _ := http.NewRequest("GET", url, nil)
    req.SetBasicAuth("user", "pass")
    resp, err := client.Do(req)
    // error?
    if err != nil {
        fmt.Printf("Error : %s", err)
        return nil, err
    }
    defer resp.Body.Close()
    body, _ := ioutil.ReadAll(resp.Body)
    return []byte(body), nil
}

func main() {
    body, _ := do_request("https://ovirt.example.com/")
    fmt.Println("response Status:", string(body))
}
and the error when I'm trying to compile:
$ go run http-get.go
Error : Get https://ovirt.example.com/: tls: failed to parse certificate from server: asn1: time did not serialize back to the original value and may be invalid: given "141020123326+0000", but serialized as "141020123326Z"response Status:
Is there any way to ignore this verification? I tried making a request using other programming languages (python, ruby) and skipping insecure certificates seems to be enough.
Thank you!
PS: I know the proper solution is to change the certificate with a valid one, but for the moment I cannot do this.
Unfortunately, you've encountered an error that you cannot get around in Go. This is buried deep in the crypto/x509 and encoding/asn1 packages without a way to ignore it. Specifically, asn1.parseUTCTime is expecting the time format to be "0601021504Z0700", but your server is sending "0601021504+0000". Technically, that is a known format, but encoding/asn1 does not support it.
There are only 2 solutions that I can come up with that do not require a code change for golang.
1) Edit the encoding/asn1 package in your go src directory and then rebuild all the standard packages with go build -a
2) Create your own custom tls, x509 and asn1 packages to use the format your server is sending.
Hope this helps.
P.S. I've opened an issue with the Go developers to see if it can be resolved by them at some later point: Issue Link
Possible ASN1 UtcTime Formats.
I'm trying to make spiderable work on my Meteor app hosted on Modulus with SSL.
I have Meteor 1.0, iron:router 1.0, spiderable and the node package of phantomjs.
Everything is working on localhost. But once I deploy on Modulus, first I had the error
spiderable: phantomjs failed: null
Then, I added the following environment variable in the modulus panel:
METEOR_PKG_SPIDERABLE_PHANTOMJS_ARGS = --ssl-protocol=tlsv1 --ignore-ssl-errors=yes --debug=true
This is still not working, and the debug output repeats (as if it's looping over an error) the following message in the Modulus console:
2014-12-03T17:01:00 [DEBUG] WebPage - evaluateJavaScript "(function() { return (function () {
if (typeof Meteor === 'undefined'
|| Meteor.status === undefined
|| !Meteor.status().connected) {
return false;
}
if (typeof Package === 'undefined'
|| Package.spiderable === undefined
|| Package.spiderable.Spiderable === undefined
|| !Package.spiderable.Spiderable._initialSubscriptionsStarted) {
return false;
}
Tracker.flush();
return DDP._allSubscriptionsReady();
})(); })()"
2014-12-03T17:01:00 [DEBUG] WebPage - evaluateJavaScript result QVariant(bool, false)
If anyone knows how to solve this or has succeeded in deploying a Meteor project on modulus.io with SSL and spiderable, let me know the right way to do it :)
Thanks a lot!
I solved my problem as follows:
I installed phantomjs locally and ran the test script available at http://www.meteorpedia.com/read/spiderable/
phantomjs phantomtest.js
This gave me more details about the error: Parse Error.
Then, it was a JavaScript file that, once compiled/minified, produced an error caused by select2. The JS library that was using it was flat-ui.js (http://designmodo.github.io/Flat-UI/).
I discovered this by testing many deploys on *.meteor.com and by adding/removing .js files.
I edited the flat-ui.js library to avoid the parsing error.
I redeployed on both modulus.io and *.meteor.com. Everything was working fine on *.meteor.com but still didn't work on modulus.io. That got me thinking about an SSL error, but I only saw "spiderable: phantomjs failed: null" in the modulus.io logs.
I added the following environment variable in the Modulus panel:
METEOR_PKG_SPIDERABLE_PHANTOMJS_ARGS = --debug=true
and it turned out that it was an "SSL handshake error":
[DEBUG] Network - Resource request error: 6 ( "SSL handshake failed" )
I added another option to the METEOR_PKG_SPIDERABLE_PHANTOMJS_ARGS environment variable:
METEOR_PKG_SPIDERABLE_PHANTOMJS_ARGS = --ignore-ssl-errors=yes --debug=true
Now everything is working fine on modulus.io.
To sum up:
1. solve the JavaScript errors
2. add METEOR_PKG_SPIDERABLE_PHANTOMJS_ARGS = --ignore-ssl-errors=yes
I hope this will help some dudes,