I am trying to establish secure connection between Openfire and smack client and get the error
org.jivesoftware.smack.SmackException$SecurityRequiredByClientException:
SSL/TLS required by client but not supported by server
I am using Openfire 4.0.1 and have enabled 5223. Using Smack on client side and connection configuration is as follows:
configBuilder.setSecurityMode(ConnectionConfiguration.SecurityMode.required);
configBuilder.setServiceName(service_name);
configBuilder.setHost(server);
configBuilder.setPort(5223);
setHttpsClient(); // Sets a SSL context
configBuilder.setCustomSSLContext(mSSLContext);
configBuilder.setSocketFactory(mSSLContext.getSocketFactory());
connection = new XMPPTCPConnection( configBuilder.build( ) );
connection.connect();
After initial exchange server sends
<stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism>
<mechanism>SCRAM-SHA-1</mechanism><mechanism>CRAM-MD5</mechanism>
<mechanism>DIGEST-MD5</mechanism></mechanisms><compression
xmlns="http://jabber.org/features/compress"><method>zlib</method>
</compression><auth xmlns="http://jabber.org/features/iq-auth"/><register
xmlns="http://jabber.org/features/iq-register"/></stream:features>
which does not contain starttls.
Related
I am using ASP.Net Core (Grpc.Net) for creating a HTTPS gRPC server hosted in Kestrel. The communication between C# Client to the server (HTTPS) works fine with out adding any certificate.
It looks like they are using the default certificates for communication.
Now I have a C++ gRPC Client in Windows 10 and I'm trying to connect to the same server from a client, the endpoint is https://localhost:50051.
This is my Kestrel configuration #server.
webBuilder.ConfigureKestrel(serverOptions =>
{
serverOptions.Listen(IPAddress.Any, 50051, listenOptions =>
{
listenOptions.Protocols = Microsoft.AspNetCore.Server.Kestrel.Core.HttpProtocols.Http2;
listenOptions.UseHttps();
});
}).UseStartup<Startup>();
As you could see I am not using certificates in the server (wanted to use default certificates) the same way I used C# gRPC Client.
i.e. connection to server works using C# Client
var channel = GrpcChannel.ForAddress("https://localhost:50051");
ecgDataClient = new Data.DataClient(channel);
But with C++ gRPC Client Client I am unable to connect (tried both InSecure & SslCredentials):
auto channel_creds = grpc::SslCredentials(grpc::SslCredentialsOptions());
DataGrpcClient grpcClient( grpc::CreateChannel("localhost:50051", channel_creds));
With grpc::SslCredentials(grpc::SslCredentialsOptions()) I get this error:
E0709 19:46:20.488000000 6724 ssl_utils.cc:570] load_file: {"created":"#1625840180.488000000","description":"Failed to load file","file":"D:\DEV\vcpkg\buildtrees\grpc\src\17cc203898-db2679e7f2.clean\src\core\lib\iomgr\load_file.cc","file_line":72,"filename":"/usr/share/grpc/roots.pem","referenced_errors":[{"created":"#1625840180.488000000","description":"No such file or directory","errno":2,"file":"D:\DEV\vcpkg\buildtrees\grpc\src\17cc203898-db2679e7f2.clean\src\core\lib\iomgr\load_file.cc","file_line":45,"os_error":"No such file or directory","syscall":"fopen"}]}
E0709 19:46:20.509000000 6724 ssl_security_connector.cc:413] Could not get default pem root certs.
E0709 19:46:20.512000000 6724 secure_channel_create.cc:108] Failed to create secure subchannel for secure name 'localhost:50051'
E0709 19:46:20.517000000 6724 secure_channel_create.cc:50] Failed to create channel args during subchannel creation.
E0709 19:46:20.521000000 6724 ssl_security_connector.cc:413] Could not get default pem root certs.
E0709 19:46:20.525000000 6724 secure_channel_create.cc:108] Failed to create secure subchannel for secure name 'localhost:50051'
E0709 19:46:20.529000000 6724 secure_channel_create.cc:50] Failed to create channel args during subchannel creation.
It looks like unable to find the default certificates.
I am running my C++ gRPC Client in Windows 10, should I need to do anything so that the client picks the default certificates?
Thanks
Basanth
ActiveMQ, as per line 151 in AmqpWireFormat, refuses connections with a AMQP protocol version other than 1.0.0.
AMQP .NET Lite, as per line 411 in Connection, sends 0.1.0.0. At the same time it claims to do Full control of AMQP 1.0 protocol behavior.
Obviously ActiveMQ refuses connections from AMQP .NET Lite with "Connection attempt from non AMQP v1.0 client. AMQP,0,1,0,0".
The client does:
Address address = new Address("amqp://localhost:5672");
Connection connection = new Connection(address);
Session session = new Session(connection);
And ActiveMQ logs:
2017-03-28 09:11:28,403 | DEBUG | Transport Connection to: tcp://0:0:0:0:0:0:0:1:54352 failed: org.apache.activemq.transport.amqp.AmqpProtocolException: Connection from client using unsupported AMQP attempted | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: tcp:///0:0:0:0:0:0:0:1:54352#5672
org.apache.activemq.transport.amqp.AmqpProtocolException: Connection from client using unsupported AMQP attempted
at org.apache.activemq.transport.amqp.protocol.AmqpConnection.onAMQPData(AmqpConnection.java:339)[activemq-amqp-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.amqp.AmqpProtocolDiscriminator.onAMQPData(AmqpProtocolDiscriminator.java:96)[activemq-amqp-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.amqp.AmqpTransportFilter.onCommand(AmqpTransportFilter.java:107)[activemq-amqp-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)[activemq-client-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)[activemq-client-5.14.4.jar:5.14.4]
at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)[activemq-client-5.14.4.jar:5.14.4]
at java.lang.Thread.run(Thread.java:745)[:1.8.0_112]
On the command line it says:
WARN | Connection attempt from non AMQP v1.0 client. AMQP,0,1,0,0
ActiveMQ then aborts the connection.
The ActiveMQ configuration includes:
<transportConnectors>
<transportConnector name="amqp" uri="amqp://0.0.0.0:5672" />
</transportConnectors>
This all looks to me like ActiveMQ expects version 1.0.0.0 and amqpnetlite sends 0.1.0.0.
Where to, from here?
By default ActiveMQ requires authentication. try
string queueName = "q1";
Connection connection = new Connection(new Address("amqp://user:pwd#localhost:5672"));
Session session = new Session(connection);
SenderLink sender = new SenderLink(session, "sender", queueName);
Message message = new Message("Hello World");
sender.Send(message);
connection.Close();
The user name and password should be in users.properties config file. Also it is recommended to use async API to avoid blocking I/O calls.
Both ActiveMQ and AMQP .NET Lite support the ISO/IEC Standard 1.0 version of AMQP. The protocol header "AMQP0100" indicates version 1.0 of the protocol. AMQP .NET Lite is known to work with ActiveMQ so I suspect you have some other configuration issue.
My assumption is that you haven't turned off the broker's enforcement of requiring the client to connect via a SASL handshake either via SASL anonymous or SASL plain depending on whether you've configured a real authentication plugin or not. I would bet that if you configured the broker by adding the options wireFormat.allowNonSaslConnections=true that it would probably work.
From the information you've provided the .NET client is not using SASL so the broker is rejecting it. The SASL header would be "AMQP3100"
I have successfully setup sipml5 using a standard non secure ws:// to an asterisk 13 server, can make and receive calls using demo at https://www.doubango.org/sipml5/call.htm. However, I am having problem with wss or secure socket connection.
I got this error (chrome):
WebSocket connection to 'wss://myserver.com:8089/ws' failed: Error in connection establishment: net::ERR_SSL_PROTOCOL_ERROR
My settings
WebSocket Server URL -> wss://myserver.com:8089/ws
SIP outbound Proxy URL -> udp://myserver.com:5060
Finally I solved this problem by adding following line to http.conf
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/path-to/cert.pem
tlsprivatekey=/path-to/privkey.pem
I use WebSphereMQ v7.1 and HermesJMS v1.14 SoapUI.
I set up everything to connect this apps without SSL and they work fine.
The problem is, when I try to connect with SSL. I set below params:
SSLCipherSuite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
channel, hostName, port, queueManager,
transportType: 1
and in hermes.bat I added trustStore and keystore.
In WMQ I have set: TRIPLE_DES_SHA_US on channel. On this page-> http://www-01.ibm.com/support/knowledgecenter/SSFKSJ_7.1.0/com.ibm.mq.doc/ja34740_.htm
I see that I match CipherSpec and CipherSuite correct.
What is wrong?
UPDATE
Below error from Hermes
Caused by: com.ibm.mq.jmqi.JmqiException: CC=2;RC=2397;AMQ9641: Remote CipherSpec error for channel 'channel1'. [3=channel1]
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.analyseErrorSegment
(RemoteConnection.java:4322)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.receiveTSH
(RemoteConnection.java:2902)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.initSess
(RemoteConnection.java:1440)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnection.connect
(RemoteConnection.java:1115)
at com.ibm.mq.jmqi.remote.internal.system.RemoteConnectionPool.getConnection
(RemoteConnectionPool.java:350)
at com.ibm.mq.jmqi.remote.internal.RemoteFAP.jmqiConnect(RemoteFAP.java:1599)
On this page -> http://www-01.ibm.com/support/docview.wss?uid=swg21614686 I find that solution for this problem is:
Ensure that there is a cipher suite set on the client matching the
cipher spec on the queue manager's server connection channel.
but as I mentioned earlier I matched CipherSpec and CipherSuite correct.
Are using an Oracle JRE/JDK? I had the same issue and wrote about it here: http://www.capitalware.com/rl_blog/?p=3074
The simplest solution is to use IBM's JRE/JDK.
I am developing a reverse proxy using http core nio 4.3.3 and need to connect to a Secure/HTTPS endpoint via the proxy. I took the reverse proxy(Asynchronous HTTP reverse proxy)[1] and added SSL support as shown below.
SSLContext clientSSLContext =
SSLUtil.createClientSSLContext(TRUST_STORE_LOCATION,
TRUST_STORE_PASSWORD);
final IOEventDispatch connectingEventDispatch =
new DefaultHttpClientIODispatch(
clientHandler,
clientSSLContext,
ConnectionConfig.DEFAULT);
...
connectingIOReactor.execute(connectingEventDispatch);
When I send the request, I am getting this error,
java.io.IOException: SSL not supported
The Stack trace is given below.
[client<-proxy] 00000001 java.io.IOException: SSL not supported
java.io.IOException: SSL not supported
at org.apache.http.impl.nio.pool.BasicNIOConnFactory.create(BasicNIOConnFactory.java:159)
at org.apache.http.impl.nio.pool.BasicNIOConnFactory.create(BasicNIOConnFactory.java:1)
at org.apache.http.nio.pool.AbstractNIOConnPool.requestCompleted(AbstractNIOConnPool.java:484)
at org.apache.http.nio.pool.AbstractNIOConnPool$InternalSessionRequestCallback.completed(AbstractNIOConnPool.java:770)
at org.apache.http.impl.nio.reactor.SessionRequestImpl.completed(SessionRequestImpl.java:127)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processNewChannels(AbstractIOReactor.java:423)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:288)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
at java.lang.Thread.run(Thread.java:662)
I enabled SSL debug logs as well, but still could not figure out the issue.
Then I debugged this and found out that the proxy received the request from the client and drops due to an exception inside the handle method of HttpAsyncRequestConsumer. The exception is java.io.IOException: SSL not supported
Also note that the SSLContext was working fine with a reverse proxy written using the netty transport.
Any help would be appreciated.
[1] https://hc.apache.org/httpcomponents-core-ga/examples.html
Regards,
Ravindra.
When using a connection pool on the client side to manage outgoing connections one needs to ensure that the connection factory used by the pool to create new connection objects is SSL capable. Please make sure that the connection pool is properly configured.
Thanks a lot for the advice. That solved the issue.
clientSSLContext =
SSLUtil.createClientSSLContext(TRUST_STORE_LOCATION,
TRUST_STORE_PASSWORD);
BasicNIOConnFactory connectionFactory =
new BasicNIOConnFactory(
clientSSLContext,
null,
ConnectionConfig.DEFAULT);
proxyConnPool = new ProxyConnPool(connectingIOReactor, connectionFactory, 5000)