I can't import Fiddler SSL certificate
http://screencloud.net/v/gRly
http://screencloud.net/v/28jk
Related
I have a problem configuring SSL certificates between my client and my Server.
My client, is a frontend application written in Angular, installed on a Web Hosting called V-Hosting which provides cPanel and through which it is possible to install a free Let's Encrypt SSL certificate (with auto renewal certificate).
Therefore, a user's connection to the website is protected by the certificate made available by CPanel - Let's Encrypt.
Instead the Server, a Backend application written in Java, is on a Contabo VPS (Virtual Private Server).
On this virtual server there is Windows OS and I have Jboss installed, where my .ear package is installed.
My problem is that I can't figure out how to configure an SSL certificate so that client and server can communicate over https, as now my domain https://example.com/ can't communicate with my server on JBoss http://IP_SERVER:8080/rest/api as the Server has no certificate.
So, client has a certificate (https) but server not (http) and they can't communicate each other without a certificate on Server.
How can I make the Client and Server communicate in HTTPS?
I tried to install Keystore Explorer on my VPS and generate a keystore to install on jboss but it's not the best solution because then I would have a Let's encrypt certificate on the client and one self signed by me on the server.
I'm creating an app hosted by IIS and I want to have it communicate securely with SoapUi (so IIS is the client is this scenario). I'm using certificates at both ends because I want mutual authentication. When IIS connects to SoapUi, I can see in WireShark that:
The client hello is sent from IIS
Then SoapUi responds with the server hello and continues with the certificate and a certificate request
Then IIS terminats the connection with a TCP [FIN, ACK]
And finally SoapUi sends the Alert(Level: Fatal, Description: Handshake Failure)
In my application log I can see the error Could not establish secure channel for SSL/TLS with authority 'localhost:8443'.
From the logs in my app I can see that my app is apparently loading the certificate as expected. The certificate is loaded from the LocalMachine certificate store and the CA certificate is located in the Trusted Root Certification Authorities. In SoapUi I've added .pfx files for the SoapUi certificate/private key and for the CA certificate/private key. Both the IIS certificate and the SoapUi certificate is signed by the same CA.
Is there anything special I need to configure in IIS to allow an app to connect with mutual certificate authentication.
IIS does not necessarily have access to the private keys in the local machine certificate store. If you have installed the certificate with e.g. an administrator account you will have to give the app pool that runs your application access to the private key of the certificate.
I have created a proxy service in WSO2 ESB 4.9.0 and I am calling a secured https API which is made in Tibco BW6. This API is secured with SSL security.
When I send my message from proxy service to Tibco API, I get SSL hand shake problem.
Also I have imported a client.cer certificate in my jks carbon key store on my WSO2 ESB but still I am unable to send my message on API.
Note: I have no experience about SSL
ERROR IN LOGS: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
You can export the server certificate via the browser. Then import it into
the client-truststore.jks. For trouble shooting you may have to do an SSL debug and my blog post [1] will help you doing this.
You can follow the following steps to import your server certificate into wso2esb client’s keystore as follows:
Go to backend service in your browser, and then click the HTTPS trust
icon on the address bar (e.g., the padlock next to the URL in
Firefox).
View the certificate details (the steps vary by browser) and then
export the trust certificate to the file system.
Use the ESB Management Console or the following command to import
that certificate into the ESB client keystore. keytool -importcert
-file -keystore /repository/resources/security/client-truststore.jks -alias
"your-alias"
Restart the server.
Happy coding!
[1] http://ravindraranwala.blogspot.com/2014/11/ssl-debugging-in-wso2-esb.html
I just setup a load balancer with HAProxy 1.5.2, and the HTTPS frontend work incorrectly.
I use curl to make an request to my server as follow:
curl https://haproxy.example.com
The output as follows:
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The following are the configuration:
frontend https-in
bind *:443 ssl crt /var/crt/mycrt.pem ca-file /var/crt/myca.crt
reqadd X-Forwarded-Proto:\ https
default_backend https-in-443
The /var/crt/myca.crt are the CA bundle file.
Anybody can help on this issue? thanks a lot.
Finally, i fixed this issue
Just added "verify optional" to the end of bind *:443 ssl crt /var/crt/mycrt.pem ca-file /var/crt/myca.txt as follow
Reference: HAProxy: client side ssl certificates
I made HTTP proxy server. But the problem that I can't decrypt SSL traffic.
I found that Fiddler install Trust Root Certificate. I did the same and now I don't have error that certificate untrusted but I got other error: wrong Common Name (CN). How fiddler change the CN of installed trusted certificate?
Will appreciate any answer.
Fiddler acts as an SSL termination proxy.
I.e. the connection goes like this:
Browser ---(SSL handshake)---> Fiddler --- (SSL handshake) ---> Actual Site
So your connection is first time encrypted and sent to Fiddler, where it is first decrypted by Fiddler and then again encrypted to be sent to the actual site that you access.
Additionally when you access a site Fiddler automatically generates a server certificate with a CN that is equal to the host name of the site and this certificate is signed by the CA of fiddler That's why Fiddler needs to install a set of trusted CAs in your browser so that the first SSL handshake can be made against a trusted authority.