I am using Spring Boot generated with JHipster. I generated keystore using Java's keytool app. My .yml file looks like :
server:
port: 9090
ssl:
enabled: true
key-store: myKeystore.p12
key-store-password: ******
key-store-provider: SunJSSE
key-store-type: PKCS12
key-alias: tomcat
protocol: TLS
When I set enabled to false, server works on HTTP protocol, when I enable it getting no response from server for any endpoint using HTTP or HTTPS protocol.
It's because you used a certificate that is not trusted by a CA.
If you test with postman or any request simulator it will return 0Bytes.
If you test with a browser it will tell you that you must trust manually the certificate.
Related
I have a Mosca MQTT broker running on a node instance and I would like to encrypt all the incoming communications with SSL/TLS (MQTTs protocol) but without the client having to link any certificate to the connexion (I guess it has to do with self-signed certificates) just as https works. I want all my clients to connect just with credentials specifying the MQTTs protocol and the communication can be encrypted. I was using Amazon MQ just before and that's how it works so I want the same.
I can't figure how to configure properly Mosca to do so, I don't know what kind of certificate I must use.
I added the secure field in the configuration as shown here
For the certificate I tried to create a self signed certificate as shown here
I also tried with certbot certificates (Let's Encrypt) registered for my domain name : mq.xxx.com .
I'm running everything on a ec2 (ubuntu 18) and my network and firewall are open for 1883 and 8883. My key and cert are at the root of my project where the deamon is running with good rights and ownership. I know my instance access them correctly.
new mosca.Server({
port: 1883,
secure: {
keyPath: "./privkey.pem",
certPath: "./cert.pem"
},
backend: {
type: 'redis',
redis: require('redis'),
host: "localhost",
port: 6379,
db: 0,
return_buffers: true,
},
persistence: {
factory: mosca.persistence.Redis
}
});
My server is running and working with simple mqtt on port 1883 but when I try to connect with ssl/tls with a client on port 8883 specifying that the server uses self-signed certificates (I tried with MQTT.fx) it fails saying : "unable to find valid certification path to requested target".
I can't make my head around this issue, I think somehow the client cannot "accept" or "verify" the certificate provided. Maybe I'm providing the wrong key or certificate to Mosca but there is only one of each resulting openssl or certbot. Maybe I created wrong but I follow many tutorials on the very same subject such as this one
What kind of certificate do I need to do ?
Is there something more to do with them ?
Thank you.
If you are using a self created certificate then the client will need a copy of certificate that signed the broker's certificate. This certificate will be added to the list of trusted sources so it can prove the broker is who it claims to be.
If you do not want to / can not distribute a certificate then you will need to use a certificate for your broker that is issued by CA (Certificate Authority) whoes signing certificate you already have (bundled into the OS/client that you are using).
The Lets Encrypt signing certificates should be bundled into most OSes by now but they are also cross signed by IdenTrust again who's certs should be bundled with most OSes. If you are having problems with the Lets Encrypt certs then I suggest you ask a new question with the exact details of how you configured mosca with those certs and more details of how you are configuring MQTT.fx and the errors you receive.
I try to enable ssl for Saltstack master and minion by following https://docs.saltstack.com/en/latest/ref/configuration/master.html#ssl But I am not sure how to verify it is using SSL.
I added this in master configuration:
ssl:
keyfile: /etc/salt/ssl/master/key.pem
certfile: /etc/salt/ssl/master/cert.pem
ssl_version: PROTOCOL_TLSv1_2
I added similar settings in minion. However, when I use openssl to test the port:
openssl s_client -connect <master ip>:4505 -debug and I get SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol. It seems the SSL is not enabled at all. How to verify if the SSL is enabled? The master and minion communication seems fine. I just to need to verify it is using SSL. I am on Centos 7 with python 2.7. Do I need to install any additional packages?
You also need to add
transport: tcp
Then you will at least get some SSL related error in /var/log/salt/master or /var/log/salt/minion
You can use tcpdump to capture some traffic and analyze it in wireshark to verify if the connection is ssl encrypted.
I am setting up the tomcat server which communicate with external system through SOAP web services(I am using the external system stubs and apache Axis2 library for that).
The external system is secured with ssl client/server authentication. The system provides me keystore file in .pfx format which contains two certificates.
Things I have tried:
I have extract those two certificates and added in my keystore. I added below entry in my tomcat/bin/catalina.bat file
set JAVA_OPTS = %JAVA_OPTS% -Djavax.net.ssl.trustStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStore=/pathtomykeystore/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit
With above configuration my request fails with No X.509 client certificate HTTP header found in request.
I have enable ssl logs then I found that serverHelloDone is printed and after that it says
"No suitable client certificate could be found - continuing without
client authentication"
The same thing I have tried from SOAPUI Tool where I directly configure .pfx file as keystore and it is working fine there
The diff between Tomcat and SOPAUI logs is
SOAPUI can successfully competing Client authentication where tomcat is not.
also below lines are missing from tomcat ssl logs
keystore is:
keystoreType is: jks
keystore provider is
Update1:
I remove the keystore configuration from SOAPUI->project view-> WS Security Configuration -> keystore (This is working configuration) and added above mentioned JAVA_OPTS entries in soapui.bat file and now SOAPUI also giving a same error.
Anyone helps arround how soap ui pick and send the certificates from keystore configured in project view->keystore
I am running an old version of jetty that allows SSL TLS v1.0 and v1.1. I want to disable anything other than TLS 1.2 as there are security vulnerabilities with the other implementations.
Currently clients connect to the jetty server using SSL, without any jks file for java clients or any certs or pk12 equivalent for c#/.net clients.
My understanding of jks is that the client and server needs it, which isn't a vulnerability in itself as the alias and servers should not be available in the jks file.
So my question is when I enforce stricter security protocol TLS 1.2 do i need to provide the clients with jks/pk12 or whatever the windows equivalent is? If i dont change the code to allow trustAll etc?
Client(is a request running within jetty server 9.4) server and request code:
System.setProperty("javax.net.ssl.trustStore", "filename");
System.setProperty("java.net.ssl.trustStorePassword", "xyx")
ServletContextHandler context =
ServletContextHandler(ServletContextHandler.SESSIONS);
...
server.setPort(8080);
server.start();
//Then call is via apache server code
CLoseableHttpClient httpClient = HttpClients.createMinimal();
HttpGet httpGet = new HttpGet("https://server:8080/getLogisticsData");
...
httpClient.execute(httpGet), response -> {
//format response
}));
I've recently created a PKCS keystore using LetsEncrypt and I configured my production profile for JHipster to run Tomcat on 8443 using the new keystore. I can get the application to run if I call "ciwiseaccounting.com:8443" but when the page arrives Chrome shows the "!" meaning the page is not secure. This is odd because I didn't see the SSL challenge occur. If I call "https://ciwiseaccounting.com:8443" this does not work. Does anyone know what I'm doing wrong? IPTables is wide open for now and I can nmap the 8443 listener. Here's my server config snippet:
server:
port: 8443
server.ssl.key-store:
/etc/letsencrypt/live/ciwiseaccounting.com/keystore.p12
server.ssl.key-store-password: password
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat
You are using the server key twice in your configuration (line 1, then again on lines 3-6). This means the properties aren't parsed into the correct variables, resulting in regular http instead of https.
Try with the below config:
server:
port: 8443
ssl:
key-store: /etc/letsencrypt/live/ciwiseaccounting.com/keystore.p12
key-store-password: password
keyStoreType: PKCS12
keyAlias: tomcat