SonarQube: weak ephemeral Diffie-Hellman key issue with SSL

How do we bypass this issue with SonarQube server v5.1 and Firefox? Chrome & IE are working fine but Firefox is not allowing access to the server in HTTPS mode. I looked at https://weakdh.org/sysadmin.html but I am not sure what server SonarQube uses and how to implement a fix for this problem. Any help is appreciated. Thanks.

When a user wants to enable (or restrict) access to a SonarQube instance over HTTPS, the recommended way is to put it behind another web server she configures at will.
So the way to go here is to add an Apache, Nginx or whatever in front of the SQ instance, configure it according to the recommendations in the link you provided and generate a "safe" server certificate.

I fixed it by setting the following property in the sonar.properties file.
sonar.web.https.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
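The list above contains only ECDHE and RSA key-exchange suites, which is why Firefox stops complaining: the "weak ephemeral Diffie-Hellman key" error is raised for finite-field DHE handshakes that negotiate a small DH group. The following is an added example (not from the answer or from SonarQube) that audits a sonar.web.https.ciphers value for such suites and emits a list without them; the sample properties text is constructed.

```python
# Added example (not from the original answer): audit the cipher list that
# sonar.properties hands to SonarQube's embedded web server. Firefox refuses
# DHE handshakes that negotiate a small Diffie-Hellman group, so the defensive
# workaround is to keep only suites whose key exchange does not use finite-field
# DHE. Suite names follow the Java/JSSE scheme that sonar.properties expects.

WEAK_DH_KEX = ("TLS_DHE_", "TLS_DH_", "SSL_DHE_", "SSL_DH_")
FORWARD_SECRET_KEX = ("TLS_ECDHE_",)

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def classify_suite(name):
    if name.startswith(WEAK_DH_KEX):
        return "weak-dh"      # finite-field DHE: Firefox may reject the DH group
    if name.startswith(FORWARD_SECRET_KEX):
        return "ecdhe"        # elliptic-curve DHE: forward secrecy, no DH group issue
    return "static-rsa"       # RSA key exchange: no DH group, but no forward secrecy

def audit_sonar_ciphers(props_text):
    """Return (report, hardened) for sonar.web.https.ciphers: report maps each
    configured suite to its class; hardened keeps the original order but drops
    every suite that relies on finite-field DH."""
    props = parse_properties(props_text)
    suites = [s.strip() for s in props.get("sonar.web.https.ciphers", "").split(",") if s.strip()]
    report = {s: classify_suite(s) for s in suites}
    hardened = [s for s in suites if report[s] != "weak-dh"]
    return report, hardened

# Constructed sample: a list that still allows a DHE suite (the kind of
# configuration that triggers the Firefox error).
SAMPLE = """
# sonar.properties (constructed sample)
sonar.web.https.port=9443
sonar.web.https.ciphers=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    report, hardened = audit_sonar_ciphers(SAMPLE)
    for suite, verdict in report.items():
        print(f"{verdict:10s} {suite}")
    print("sonar.web.https.ciphers=" + ",".join(hardened))
```

Dropping the DHE suites sidesteps the small-group problem rather than fixing it; if a front-end web server terminates TLS instead, as the first answer suggests, the weakdh.org guidance on generating a 2048-bit DH group applies there.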

Related

How to turn off SSL check in Authlib

I'm using Authlib in my project. I have a local IdP set up using HTTP atm.
For testing, this code is blocking me because my dev environment is HTTP:
https://github.com/lepture/authlib/blob/master/authlib/client/oauth2.py#L155
I can carry on by commenting out the line. But I think having a way to turn off the HTTPS check is neater.
So, does anyone know a way to turn off the HTTPS check in Authlib?
It can be solved by setting an environment variable:
AUTHLIB_INSECURE_TRANSPORT=true
This is not documented in the client sections; it is documented in the server parts like https://docs.authlib.org/en/latest/flask/oauth2.html

How to make Firefox natively support an SSL proxy

I'm currently setting up a PROXY SSL infrastructure based on Squid Proxy and Firefox Browser, things that I can't change (not depending on me).
After several tests I'm wondering about these questions:
- Apparently, FF can't natively process SSL encryption; we can only specify in settings the way by which the already-encrypted flow will pass through. Am I right or not? Is there any way to make FF encrypt the flow in SSL?
- Consequently, I had to use a proxy.pac file, based on an HTTP Apache server (using TCP/80), in which I specified "return HTTPS $IP:$port". It seems to work, but honestly I don't really understand why, in comparison with my 1st statement... Could you explain it to me?
- Of course all certificates have been generated and correctly set into the browser.
Thanks for your help
Kondor76

Apache Archiva 2.1.1 Upgrade: Proxy does not work

We are trying to upgrade from Archiva 1.3.6 to 2.1.1 but suddenly the remote repositories (including proxy connectors) stopped working. The remote repository view shows error marks in the column "Remote check" but no error message is shown.
Is there a possibility to find out what is going on?
We are using a proxy, we tried with proxy activated, deactivated. I even installed archiva locally on my machine with a fresh database, but still no success.
(how does this remote check even work when the proxy is activated/deactivated in the proxy connectors?)
Eclipse (with the newest m2e) says Missing artifact junit:junit:jar:3.8.9. It goes so fast that I don't think Archiva is trying to reach the Central repository.
The logs on archiva-side are empty.
Does anybody have some hints or the same problem? I think I will try it at home tonight, to see if it is a network issue.
Thanks in advance for any tips!
Update
It really seems that the proxy connector does not work since the internal Repository is empty. http://localhost:8080/archiva/repository/internal/ only shows .indexer
Update 2
The proxy configuration seems bugged in Archiva 2.1.1. I can see the same behaviour as here: Mailing List
A JIRA task for this would be nice.
Does anybody know a workaround to set the proxy for a proxy connector? Or is there a possibility to set a global proxy via a settings file?
Update 3
Really seems like a bug in Archiva. I sent a mail to the mailing lists. Hopefully this is getting fixed soon because this is a blocker for every user with a proxy.
I won't delete this question for documentation if someone has the same problem. The issue can be found in JIRA here
I also had this problem and the simple solution was to change the proxy protocol from "http" to "https".
I also had the same problem. On first glance the solution given by Christian Quast seemed to work, but it didn't solve the problem. I eventually used a workaround by using JVM proxy settings:
-Dhttp.proxyHost=[your_proxy_address]
-Dhttp.proxyPort=[your_proxy_port]
-Dhttp.proxyUser=[your_proxy_user_name]
-Dhttp.proxyPassword=[your_proxy_user_password]
-Dhttp.nonProxyHosts=localhost|127.0.0.1|::0|[any_other_hosts_not_to_use_proxy]
Update
I know it may sound weird but, using the settings above, the error/warning icon on "Remote Check" may still appear. If you add the "network proxy" (mine is using the https protocol) to your remote repository, the error/warning icon is still there, but editing the remote repository again and removing its "network proxy" will show the OK/sun icon.
In my case <networkProxy> under conf\settings.xml gets updated correctly including the port information (probably because my port is not a default 8080) but remote repository connection is still failing.
Also, changing proxy protocol to https did not help.
I know the proxy is right because I use the same for maven .m2\settings.xml
Fortunately I am only evaluating open source repo management tools. Started with Archiva as it is by Apache and we use Maven in our project. Would have moved ahead if this critical issue had a fix or work around. Guess I will have to take a shot at Nexus.
Exactly the same problem here. I can't vote on your bug report because I have no JIRA account.
As far as I figured out there seems to be a problem with the configuration file ~/.m2/archiva.xml. The Proxy is set without port information.
Hopefully this bug will be fixed as soon as possible.
Extending João Ferreira's reply, to access repositories with https URLs (such as Maven Central), you will also need:
-Dhttps.proxyHost=[your_proxy_host]
-Dhttps.proxyPort=[your_proxy_port]

OpenAM Configuration

I have been trying to configure OpenAM on my laptop with no success.
Here's what I have done.
Deployed the war file on the Tomcat server (successfully running at localhost)
Installed OpenDJ successfully (server up and running)
Followed the tutorial given on ForgeRock but I am stuck here:
It is giving two kinds of errors: either it says the server cannot be contacted or it says that it cannot recognize the root suffix.
Here is what I am getting!
During initial configuration you should not use external data store, just use embedded one and configure external one later on.
"Cannot be contacted" seems more like a resolver issue ...
Another note as this is the data store you may not use suffix 'dc=openam,dc=forgerock,dc=wipro' .... you are not Forgerock ;-)
Well it could be many things:
Incorrect host provided
Incorrect port provided
Firewall issues
other networking issues
You should check whether you can access the directory from the box (where the container actually runs):
telnet L-0156009091.wipro.com 50389

Pushing my Mercurial Repository through HTTP with Apache and Windows

So I have managed it. I can clone mercurial-repositories remotely using HTTP to my Windows Server 2003 machine and the ipaddress from that machine. Although I did deactivate IIS6 and am using Apache 2.2.x now. But not all works right now...darn! Here's the thing:
Cloning goes smooth! But when I want to push my changes to the original repository I get the message "cannot lock static http-repository". On the internet I get to read several explanations that Mercurial wasn't designed to push over HTTP connections. Still, on the Mercurial website there's something about configuring an hgrc file.
There's also the possibility to configure Apache to host via HTTPS (or SSL). For this you have to load the module enabling OpenSSL and generate keys.
Configuring the hgrc file
Just add "push_ssl = false" under the [web] line. But where to put this file when pushing your changes back?! Because I placed it in the root of the server, in the ".hg" directory, nothing works.
Using SSL/HTTPS with Apache
When I try to access 'https://myipaddress' it fails, displaying a Dutch message which would mean something like "server taking too long to respond". Trying to push also gives me a Dutch error message which means about the same. It cannot connect to my server via https although I followed the steps exactly at this blog.
I don't care which of the above solutions will work for me. Turns out none of them work so far. So please, can anyone help me with one of the solutions above? Pick the easiest! Help will be greatly appreciated, not only from me.
Summary
-Windows Server 2003
-Apache 2.2 with OpenSSL
-Mercurial 1.8.2
-I can clone, but not push!
Thank you!
Maarten Baar(s)
It seems like you might have Apache configured incorrectly for getting it to do what you want. Based on your question it sounds like you have a path (maybe the root of the server) pointing to the repository you want to serve.
Mercurial comes with a script for this exact purpose; in the latest version it is hgweb.cgi. There are reasonably good instructions for setting it up on the Mercurial site. It should allow both cloning and pushing. You will need push_ssl=false if you will not be configuring https, and also an allow_push line which will let certain users, or all (*), push to the repository. But all that should be part of the setup docs.
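The two [web] settings named in the answer decide who may push and whether TLS is required, and they are easy to combine into an unintended open-write endpoint. The following is an added example (not from the answer or from Mercurial) that writes such a [web] section and audits it; the user names are assumptions.

```python
# Added example (not from the original answer): generate the [web] section that
# hgweb needs for pushing, then audit it. push_ssl = false lets clients push over
# plain HTTP; allow_push = * additionally lets anyone who can reach the URL push.
# The user names used below are assumptions for illustration.
import configparser
import io

def build_hgrc(allow_push, push_ssl):
    """Return the text of an hgrc [web] section for hgweb.cgi."""
    cfg = configparser.ConfigParser()
    cfg["web"] = {
        "allow_push": allow_push,                      # e.g. "*" or "alice, bob"
        "push_ssl": "true" if push_ssl else "false",   # hgweb default is true
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()

def audit_hgrc(text):
    """Return a list of findings about the push exposure of an hgrc."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    if not cfg.has_section("web"):
        return ["no [web] section: hgweb defaults apply, pushing over HTTP is refused"]
    web = cfg["web"]
    push_ssl = web.getboolean("push_ssl", fallback=True)
    allow_push = [u.strip() for u in web.get("allow_push", "").split(",") if u.strip()]
    findings = []
    if not push_ssl:
        findings.append("push_ssl=false: pushes and any HTTP auth credentials travel in clear text")
    if "*" in allow_push:
        findings.append("allow_push=*: every client that can reach the URL may push")
    if not push_ssl and "*" in allow_push:
        findings.append("anonymous write access over plain HTTP: name the pushers or enable TLS")
    return findings

if __name__ == "__main__":
    for allow, ssl in (("*", False), ("alice, bob", False), ("alice", True)):
        text = build_hgrc(allow, ssl)
        print(text + "\n".join("  -> " + f for f in audit_hgrc(text)) or "  -> ok")
```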