lua nginx ssl certificate setup - ssl

I use resty.http module. But the data is used. For usual http or https without verification all works.
local http = require("resty.http").new()
local res, err = http:request_uri(url, {
method = method,
headers = headers,
body = body,
ssl_verify = false
})
But if I do not use ssl_verify it wouldn't work with the error:
lua ssl certificate verify error: (20: unable to get local issuer
certificate),
I found using Google that lua_ssl_trusted_certificate can help. But I don't know how it can help. I have tested such command: lua_ssl_trusted_certificate /etc/ssl/certs/GlobalSign_Root_CA.pem; but it did not help to me.
How to verify https in a proper way?

In your nginx.conf you need to configure
lua_ssl_verify_depth 2;
lua_ssl_trusted_certificate /pathto-ca-certs.pem;
In my case my server calls out to only one external HTTPS endpoint. So I exported the certificate with the full chain (via borwser ceritificate export in Firefox) and imported into a PEM file. This is the .pem file that I supplied above.
I use lua-resty-http to make the calls to https and it works fine. You can use tools like wireshark/fiddler to monitor the outgoing connections to see if the requests are being made the way you want.

Related

SAP HANA XSA Node.js Express HTTPS (SHINE)

I try to understand, how the HTTPS connection works for the SAP-Shine sample.
https://github.com/SAP-samples/hana-shine-xsa/blob/master/core-node/server.js
For me it looks so different to the standard express logic, where we create a HTTPS server, like this sample:
var key = fs.readFileSync(__dirname + '/../certs/selfsigned.key');
var cert = fs.readFileSync(__dirname + '/../certs/selfsigned.crt');
var options = {
key: key,
cert: cert
};
var server = https.createServer(options, app);
In opposite of this known sample above, SHINE is using the following procedure:
https.globalAgent.options.ca = xsenv.loadCertificates();
The npm xsenv-documentation says, that
"this code loads the trusted CA certificates so they are used for all subsequent outgoing HTTPS connections:"
Does it really mean, that we have only after putting the CA certificate to the globalAgent a running outgoing HTTPS connection?
Really, if I would know, I would like to check it for myself. But I only found hints for checking https connection for incoming requests, and rather not for outgoing connections.
Sorry, if my question sounds stupid, but I try to understand!
Please, let me know if I missed something in the configuration for a properly working outgoing HTTPS connection.

Disable SSL Certificate verification in Python Google Sheet quickstart

I was going through a Google tutorial to connect Google Sheets with python here. I am running this piece of code behind a corporate proxy, therefore the certificates received are already replaced by the proxy server.
I have created token.pickle file on a non-proxy machine and transferred it here. I get certificate verification failure at this line of the code given in the guide:
service = build('sheets', 'v4', credentials=creds)
The error that comes up is:
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1076)
I dig out into the build method here. Upon searching through the source codes, I found out that creds and http object as parameters to this method are mutually exclusive, I.e. when I pass creds object, I can't pass a http object to this function.
If I could pass a httplib2.http object, I would have set it to disable SSL verification. But now with this wrapper around, I cannot find any way out to specify this.
I tried the following two hacks also:
Creating a unverified context:
ssl._create_default_https_context = ssl._create_unverified_context
Setting PYTHONHTTPSVERIFY=0 as a env variable
But none of them works.
I have my corporate proxy certificate installed in my ca-bundle, and the .cer file too.

How do I have Apache2 httpd use the ubuntu's CA cert for outbound SSL connections from Apache?

Note this is not a question about having apache accept inbound SSL connections.
I have an apache module that needs to make outbound SSL connections. When it attempts to, it gets this error:
Failed to send events: The OpenSSL library reported an error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1269:
This is indicating the SSL library that apache is using doesn't know about the (valid) certificate of the server that my module is trying to connect to.
The CA cert on my ubuntu system where this is running is fine, knows about this downstream cert, openssl s_client tells me everything is ok.
How do I tell Apache2 to use ubuntu's system CA cert to make outbound connections work?
update - I did an strace -e open httpd -X to see where it was trying to load certificates from. I see apache opening libssl.so, but then I don't see it even trying to open up the usual ssl.cnf or any certificates file.
snipped useless strace output
update2: As to how I'm creating the https request - I'm making the request from inside my custom apache module. My module .so is written in Rust, so the connection code looks basically like:
in mod_mine.so:
use hyper::Client;
use hyper_tls::HttpsConnector;
use tokio_core::reactor::Core;
let mut core = Core::new()?;
let handle = core.handle();
let client = Client::configure()
.connector(HttpsConnector::new(4, &handle)?)
.build(&handle);
//actually a POST, but this gets the same error
let request = client.get("https://saas.mycompany.io".parse()?);
let result = core.run(request)?;
... //process result
I found a solution that works, though I'm not sure it is optimal.
openSSL takes the environment variable SSL_CERT_FILE. I can set this in my apache module source code.
use std::env;
let cert_file = figure_out_cert_path(); //on ubuntu: /etc/ssl/certs/ca-certificates.crt
env::set_var("SSL_CERT_FILE", cert_file);

Emqttd Ssl Configuration

I try to activate ssl of emqttd server. For this, I added following lines to emq.conf under the etc folder.
mqtt.listener.ssl.tls_versions = tlsv1.2,tlsv1.1,tlsv1
mqtt.listener.ssl.handshake_timeout = 15s
mqtt.listener.ssl.keyfile = etc/certs/key.pem
mqtt.listener.ssl.certfile = etc/certs/cert.pem
mqtt.listener.ssl.cacertfile = etc/certs/cacert.pem
mqtt.listener.ssl.verify = verify_peer
All other settings is same to default.
However, I can connect my local mqtt server without doing any ssl configuration like ssl version, certificate, etc. by using mqtt-spy broker. I think i didn' t configure ssl properties of emqttd. How can i solve this problem?
Thanks in advance.
You must check which port you are trying on for SSL.
Secondly you need to place your key.pem and cert.pem at the path mentioned.
It will just work fine if client have the certificate to authenticate the server.

Cannot perform HTTPS local tunnel fith Fiddler2 - Problems with certificates

I am trying to create an HTTPS-tunnel on my machine. My intention is having all requests to https://localhost:8888/<something> (the port where Fiddler is listening to) be directed to https://myserver.net/<something>. I am using the following script as per Fiddler doc:
static function OnBeforeRequest(oSession: Session) {
// <Fiddler 2 preexisting code>
// HTTPS redirect -----------------------
if (oSession.HTTPMethodIs("CONNECT") &&
(oSession.PathAndQuery == "localhost:8888"))
{
oSession.PathAndQuery = "myserver.net:443";
}
if (oSession.HostnameIs("localhost"))
oSession.hostname = "myserver.net";
// --------------------------------------
// <Fiddler 2 preexisting code>
}
Also in Fiddler settings I checked the decryption check and installed certificates as you can see in the image below:
I restart Fiddler, it prompts me to install its fake certificates, I agree. I can see the certificate in my Windows Certificate System Repository when using certmgr. It is a self-signed certificate.
So What I do is opening a browser and type: https://localhost:8888/mypage.html, and what I get is an error. Internet Explorer reports this:
Error: Mismatched Address. The security certificate presented by this
website was issued for a different website's address. This problem
might indicate an attempt to fool you or intercept any data...
When I get certificate info (basically the certificate presented by the contacted host is being rejected, the same certificate can be displayed), I can see that the rejected certificate was issued by Fiddler and the subject is myserver.net.
So the certificate is ok because it is certifying myserver.net, I see that the problem is that probably my browser was expecting a certificate whose subject is localhost. Is it true?
How to handle this situation?
Assumption
I can understand that the problem is a certificate being issued for a website which I did not ask for. So the solution would be using a certificate certifying localhost:8888?
A certificate is valid if it is directly or indirectly (via intermediate certificates) signed by a trusted CA and if the hostname matches the certificate. If the last condition would not be enforced anybody with a valid certificate from a trusted CA could incorporate any other site.
To make use of fiddler and not run into this problem you should configure your browser to use fiddler as a web proxy and then use the real URL inside the browser instead of ip:port of fiddler.