TLS certificate installation in ejabberd for STARTTLS negotiation - ssl

I read that ejabberd recommends using STARTTLS negotiation for secure connections between communicating entities. When I install ejabberd, by default it comes with a TLS certificate.
Then why do I need to buy a certificate to install? What is the purpose of buying a new certificate from a Certificate Authority since we have a default certificate?
When I deploy ejabberd on the machine, how will the default certificate be used for my domain? How will the default certificate be verified by the client?

You can use ejabberd with SSL / STARTTLS with the provided TLS certificate. However, that certificate is only a self-signed certificate. It means that:
You will still be able to encrypt the traffic between the client and the server.
Your client will not be able to check that the server is the domain it pretends to be. To be able to know that the certificate can be trusted, the client needs to refer to a trust authority in some way.
In the second case, it means that if an intermediate network device (i.e. a Wi-Fi access point) tries to impersonate your server, it can present any self-signed certificate to the user, pretending to be your domain.
So, you can definitely use a self-signed certificate to encrypt traffic, but to protect your users against man-in-the-middle type attacks, you need to find a way to let the client know it can trust the certificate.
This can be done either by buying a certificate from a trusted authority (that will certify your certificate domain) or by making the client support a list of well-defined certificates. This is called certificate pinning; however, it requires building the list of acceptable certificates into your client, which may not be possible.
It may be fine in your case, so buying a certificate is not mandatory.
However, do not use the default ejabberd self-signed certificate, even if you plan to use a self-signed certificate. The certificate provided with ejabberd will not match your own domain. You should at least generate your own self-signed certificate that matches your actual XMPP domain: How to create a self-signed certificate with openssl?
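
The answer above recommends generating your own self-signed certificate for the XMPP domain and having the client pin it. The following is an added example, not part of the original answer, showing what that pinning check accepts and rejects. It assumes OpenSSL 1.1.1 or later; the function names and chat.example.net are hypothetical, and example.org stands in for your domain.

```shell
#!/bin/sh
# Added example; every file it creates is throwaway and lives in a temp directory.

# make_selfsigned DOMAIN DIR: write DIR/key.pem and a self-signed DIR/cert.pem
# whose subjectAltName matches DOMAIN (-addext needs OpenSSL 1.1.1+).
make_selfsigned() {
    mkdir -p "$2" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# check_pinned PINNED PRESENTED DOMAIN: succeed only if PRESENTED verifies
# against the pinned certificate and is valid for DOMAIN (the client's decision).
check_pinned() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# verdict PINNED PRESENTED DOMAIN: print "trusted" or "rejected".
verdict() {
    if check_pinned "$1" "$2" "$3"; then echo trusted; else echo rejected; fi
}

demo() {
    work=$(mktemp -d) || return 1
    make_selfsigned example.org "$work/server"   # the operator's own certificate
    make_selfsigned example.org "$work/other"    # same name, different key, not pinned
    # Key + certificate in one file, the layout the page uses for ejabberd.pem
    cat "$work/server/key.pem" "$work/server/cert.pem" > "$work/ejabberd.pem"
    chmod 640 "$work/ejabberd.pem"
    pin="$work/server/cert.pem"
    echo "pinned cert, matching domain:  $(verdict "$pin" "$pin" example.org)"
    echo "pinned cert, other domain:     $(verdict "$pin" "$pin" chat.example.net)"
    echo "unpinned cert, same domain:    $(verdict "$pin" "$work/other/cert.pem" example.org)"
    rm -rf "$work"
}

demo
```

Only the first case is trusted: a certificate that merely claims the right domain name is rejected unless it is the one the client pinned.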

The client will verify whether the certificate is issued for the domain name of the Jabber ID (JID), the part behind the '#'. (There are other options, but they are incompatible with the policies enforced by the browser vendors against CAs and therefore not practical.)
Unless you already have a business relationship to a certificate authority (CA), I would recommend anyone to use Let's Encrypt and stay away from self-signed certificates.
Some instructions to automate this and be nice to the Let's Encrypt servers can be found here and the linked wiki pages.
Summary (assuming you are running Ubuntu 16.04 LTS, want to run it on the domain example.org and only use the certificate for ejabberd):
Create /usr/local/sbin/auto-renew-letsencrypt with the following content:
#!/bin/bash
# Renew all Let's Encrypt certificates which are due for renewal
t=$(mktemp)
# Try to be quiet unless an error is returned
letsencrypt renew > "$t" || cat "$t"
# Hooks are not yet supported by `letsencrypt` shipping with Ubuntu 16.04 LTS
# Crudely emulate --renew-hook; breaks if diagnostic messages change
if grep -q "The following certs have been renewed" "$t"; then
    # ejabberd expects the private key and the full chain in a single PEM file
    cat /etc/letsencrypt/live/example.org/{privkey,fullchain}.pem > /etc/ejabberd/ejabberd.pem
    service ejabberd reload
fi
rm "$t"
Run the following commands to create and activate the certificate and the automatic renewal:
apt install letsencrypt
letsencrypt certonly --standalone --domain example.org
cat /etc/letsencrypt/live/example.org/{privkey,fullchain}.pem > /etc/ejabberd/ejabberd.pem
chown ejabberd:ejabberd /etc/ejabberd/ejabberd.pem
chmod 640 /etc/ejabberd/ejabberd.pem
chmod 755 /usr/local/sbin/auto-renew-letsencrypt
echo $(($RANDOM % 60)) $((RANDOM % 6)) "* * * root /usr/local/sbin/auto-renew-letsencrypt" > /etc/cron.d/auto-renew-letsencrypt

Related

Using SSL Certificate for WCF-BasicHttp Send Adapter in Biztalk

I have a business process which sends messages to SAP via a SOAP endpoint exposed by them.
I am using the WCF-BasicHttp Send Adapter (In-Process).
As you can see below, earlier the URL was http; now they have moved their system to the cloud, so now they have https endpoints.
I wanted to test this change from http->https, so I have modified the URL to https and filled in the credentials for basic auth. It is working fine in the Test system without an SSL certificate; I need to make sure it won't cause any issue after moving to the production system.
My question is:
1/ Will it work in the Production system too, as it does in TEST without an SSL certificate?
2/ Or do I need to apply SSL for the WCF-BasicHttp Adapter? If yes, how can I do that?
If you are moving to an https URL, a certificate is a must for the SSL/TLS handshake. Many times, the certificate used by a specific endpoint is signed by a third-party trusted root CA, e.g. Trustwave, DigiCert etc., and these root CA certs are already trusted on most systems. It's possible that in your test system your endpoint certificate's root CA is already trusted, and that's why you didn't need to install the certificate. In order to check this, you can do the following:
Browse to your https service URL in a browser (Chrome/IE).
Look for the Security/Lock sign to find its cert. Clicking the lock sign will open the certificate.
Check the certificate root by going to Certification Path. You should see a chain of certificates in the path. A cert can be signed by just a root CA, or by an intermediary CA first and then a root CA, e.g.
—- Trustwave Root
—- Trustwave Intermediary
—- service cert
Or
—- Some Root
—- service cert
Check if the root CA is in the Trusted Root store of your system, and the intermediary cert (if applicable) is in the Intermediary Cert store. You can check this by opening the certificate MMC snap-in using the mmc command in Windows->Run and adding the Certificates snap-in for the local computer.
If the root CA cert and intermediary certs are not in your system store, the SSL/TLS handshake will not complete successfully and the BizTalk send port will not work.
If these are installed, you should be good. Otherwise, install these certificates in the local computer stores.
Another way to verify whether the endpoint certificate is trusted on a BizTalk system is to log in with the service account under which your send host is running and then browse to the URL in IE. If you don't get any cert error, and a URL such as the WSDL URL opens, then you are good. If you get a cert error, this means the endpoint certificate is not trusted and you need to install the certs as described above.
Some references:
View Certificate
Working with Certificates

RabbitMQ LDAP over SSL verify certificate

When using the rabbitmq_auth_backend_ldap, if we use ssl, is it necessary to mention SSL options to make sure we are talking to the right server, using options such as :
{ssl_options, [ {server_name_indication, "abc.com"},
{verify, verify_peer},
{depth, 5}]},
Note that I am not interested in doing client certificate authentication to the Ldap server, but only to verify whether I am actually talking to the right server, which cannot be ensured unless I verify the SN or similar from the certificate. Browsers kind of do that automatically, but how does RabbitMQ do this.
If the SSL certificate presented by the server is signed by a trusted root such as GoDaddy or such, should I still mention the certificates that I am trusting.
I verify the SN or similar from the certificate. Browsers kind of do
that automatically, but how does RabbitMQ do this.
Here is the answer to your question.
Every TLS-enabled tool and TLS implementation, including Erlang/OTP and RabbitMQ, has a way of marking a set of certificates as trusted. On Linux and other UNIX-like systems this is usually a directory administered by superusers. CA certificates in that directory will be considered trusted, and so are the certificates issued by them (such as those presented by clients). Locations of the trusted certificate directory will vary between distributions, operating systems and releases.
More info here
If you would like to have your own custom trust store, you can consider the following:
https://rabbitmq.docs.pivotal.io/37/rabbit-web-docs/ssl.html#keys-and-certs
https://github.com/rabbitmq/rabbitmq-trust-store
So without the configuration below, at a minimum, I feel that the SSL security is not complete for an LDAP setup.
In the case of LDAP, the connection is made from the RMQ server (via the Erlang client) to the LDAP server, so at that point the SSL certificates are presented by the LDAP server.
RMQ server(client) -> LDAP server(server)
Unless the following options are specified, the certificate is not validated.
{servers, ["abc.com"]},
{timeout, 10000},
{use_ssl, true},
{ssl_options, [ {cacertfile, "/etc/ssl/certs/ca-certificates.crt"},
{server_name_indication, "abc.com"},
{verify, verify_peer},
{depth, 5}]},
{port, 636}
verify: verify_peer
    Indicates that we prefer the certificate chain to be verified. It will be verified that the certificate chain terminates in one of the trusted certificates mentioned in cacertfile.
cacertfile
    Points to the certificates to trust. It can be pointed to a file which contains a list of trusted certificates in ---Begin Certificate--- ---End Certificate-- format. If the LDAP server's certificates are signed by trusted root certificates, we can point this variable to /etc/ssl/certs/ca-certificates.crt. If the server certificates are self-signed, then point to a file containing the appropriate certificates.
server_name_indication: abc.com
    This enforces that this is not just some server we are talking to but only abc.com. It will verify that the server certificate's SN has abc.com.
depth
    This indicates the number of certificates in the certificate chain that we will traverse before it needs to terminate in one of the trusted certificates we have. Keep this a bigger number than the number of certs in your server's cert chain.
This is without any client cert authentication between the LDAP server and the RMQ server.

Self signed cert in chain from only some servers

I have multiple Intel NUCs out in the field that I use for displaying digital signage. Out of the thousands I have in the field, a couple complain with this error:
SSL certificate problem: self signed certificate in certificate chain. More details here: http://curl.haxx.se/docs/sslcerts.html, curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
I've confirmed that the cert is not expired, and the domain name matches.
These units are running on Debian 7.
Could the network they are on cause this issue with some sort of firewall setting?
When you visit the website what certificate is shown in the web browser? In your curl bundle is that the same certificate which is supposed to be used for SSL encryption? I'd guess no. CA will sign your cert.pem so that web browsers will show your green lock thereby authenticating your website. You most likely have an issue on the back end with the configuration of your curl bundle. You need to make sure that your server is using the CA cert not a self signed certificate like ssl-cert-snakeoil.pem for example.
Essentially your website should be using a static IPv4 address. As far as a network firewall stopping an SSL handshake from happening, that may be possible; I have seen it happen on specific ports, for example port 22 for ssh connections may be blocked at the network gateway for inbound traffic on a client-side computer attempting a connection to a server. The SYN/ACK https://tools.ietf.org/rfc/rfc793.txt TCP handshake may time out in that type of network firewall situation. However, since you are getting an explicit response from your server about a self-signed cert, a firewall issue does not seem to be the problem.

docker --tls vs --tlsverify

The docker cli tool provides two options for tls auth: --tls and --tlsverify.
What's the difference between these two options?
I've set up my remote docker daemon to use some TLS certs I've made using openssl. I'm able to connect to the daemon using the --tls flag but not using the --tlsverify flag.
If you "made" the certificates yourself (i.e., self-signed), it's unlikely that the certificates can be verified. Using the --tls option simply instructs Docker to use the certificates as-is without verifying the certificate with root authorities. --tlsverify requires that the certificate can be verified with a root authority before it is used.
See https://docs.docker.com/engine/security/https/ for more details, specifically (emphasis mine):
If you need Docker to be reachable via the network in a safe manner, you can enable TLS by specifying the tlsverify flag and pointing Docker’s tlscacert flag to a trusted CA certificate.
In the daemon mode, it will only allow connections from clients authenticated by a certificate signed by that CA. In the client mode, it will only connect to servers with a certificate signed by that CA.
In other words, the behavior you're experiencing is less of a Docker problem and more of a certificate problem.

Do you need trusted CA to sign your certificate in express for implementing https

I created a self-signed certificate and it is being used in my express project. The problem is when I do
curl https://<domain>
it doesn't work and only works with the -k option; it doesn't use the certificate to encrypt its content. I don't see how that is effective since that is similar to http itself.
Also, from what I understand of CA signing requests, browsers like Chrome are preinstalled with information about the trusted CAs on the web, such as Verisign. So how does curl work in this way? Does it also know beforehand, like Chrome, who the trusted CAs are?
Also, in my project the app communicates with the EC2 machine; does it need a client-side certificate for https?
Yes, curl has a pointer to a list of trusted Certificate Authority keys. You can override it with the --capath flag.