I am trying to implement the Apache authentication through PKI digital certificates stored on token / smart card.
I'm using XAMPP 5.6.8.0-VC11 on a Windows 7 computer.
Following what I found searching the internet, I uncommented the following settings httpd-ssl.conf file in the Apache configuration:
SSLVerifyClient require
SSLVerifyDepth 10
From there, access to https: // localhost, the browser (IE 11, Chrome 43 and FF 38) display the digital certificate of the screen (use an e-CPF in standard ICP-Brazil, stored in token) and requests the password.
After entering the password and press ENTER, the behavior in browsers is as follows:
In IE, I is shown a page with the message "This page can not be displayed".
In FF, is loading the page indefinitely.
In Chrome, you see the message "Authentication based on certificate failed" ERR_BAD_SSL_CLIENT_AUTH_CERT and clicking on "details" appears:
"This server requires a certificate for authentication and did not accept the one sent by the browser. Your certificate may have expired or the server does not trust the issuer. Try again with a different certificate, if you have one, or you must obtain a certificate valid from somewhere else. "
Already tested several additional settings I found on the internet, but nothing works.
I have also changed the Windows Internet options regarding SSL and TSL, also successful.
I would like to figure out how to implement authentication with digital certificates for a more secure login system that esté in development.
Has anyone experienced this or know how to solve the issue?
Related
Im coding for SNOM handsets
Basically I do a $post to a hashed URL as below
$post("https://8a4a1db6256ec8e310193a166d6d1f84#192.168.1.110/command.htm?number=01233456789")
Returns
net::ERR_CERT_INVALID
If I call HTTP the phone dials fine, BUT if run from app then the windows throws the security issue as AJAX call has to be secure. Tags are set to off, client is set and defined, works if I post an HTTP request .
I have created my own DER cert as well and uploaded that to the phone and I tried to register this certificate with the browser but no avail.
I have in chrome dropped down the cert and clicked it to ALWAYS TRUST but it keeps falling back to INVALID
There are several certificats on the phone just cant get a browser to trust them ?
Any advice or point of where to read up on how to register the server cert with my users browsers ?
Ok so anyone working their way through this issue there's a few steps you need to take
1 - set http client username and passwords
2 - in the phone interface ensure connection types are set to hhtp AND https
3 - set hidden tags to false
4 - set authentication scheme to DIGEST then MD5 the password int eh post
5 - Download ca.cert from http://downloads.snom.net/documentation/ca.crt
6 - install the cert on your local computer THEN set the cert to ALWAYS TRUSTED
7 - figure out a way around CORS...
Can anyone shet some light on how I can debug the matching of certificates configured in Postman?
Problem:
I’m trying to connect to a REST service using a SSL client certificate. I configured it in the settings tab the same way as in set-and-view-ssl-certificates-with-postman
When checking the console I don’t see the certificate being sent and get failure:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:1494:SSL alert number 40
Context:
Postman v 6.4.2 running on windows 10
(for security reasons some information below replaced by dummy info)
Using the same certificate/key/password I can setup a connection using openssl. (checked for validity of certificates, TSL v1.1 and v1.2 supported, no SNI issues)
The server certificate is signed by a trusted CA (I tested with both --SSL certificate verification-- on and off )
In the Postman console I dont see the certifciate being sent.
---- [console output] ----
GET https://somehost:443/somepath?someparameter=9076443&somedate=2017-02-17T00:00:00.000
Error: write EPROTO 101057795:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:1494:SSL alert number 40 101057795:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:659:
Request Headers:
appid:“42”
cache-control:“no-cache”
ipaddress:“192.68.1.1”
postman-token:“some-token”
role:“Applicatie”
userid:“6x9”
---- [end console output] ----
image of certificate configuration
I matched, matched and rematched the hostname
A search on the interweb did not learn me anything I did not try yet…
Questions
Is there any debug option that will show the way the certificates are matched
is there any way I can force postman to pick a configured certificate
any other ideas on how to proceed on this problem
any help appreciated
Additional info
Monitoring with wireshark shows no certificate is sent.
(Postman console did not show a certificate being sent. I assume from examples that it will log which certificates it will/does send for a given request)
snippet wireshark output
Postman app in chrome
it does work from chrome, using the chrome keystore
Using the pk12 form of the same key (original postman request uses the .cer form) imported into the chrome keystore, the requests work.
Chrome app will not do
Obvious question is: “why not keep using the chrome app”
because its depricated and we use the newer 6.x test functions not supported in version 5.x
Question posted on Postman help forum with no answer about a week ago:
OP on postman helpforum
Additional additional info
It works on newman
I had same issue when I typed path to CRT and KEY files instead of using file dialog.
Just click Choose File button instead of pasting file path when adding certificate.
If you can download postman app then there is an option under preference/certificate and under there is an option 'Client Certificate'.
You need to provide both .cert and .key file into respective section, provide host name and key password if any. Click "save". next time you send a request matching hostname , postman app will send the certificate along with the way. You can validate in console output.
I am using Runscope only for a short time now however it seems pretty straight forward. I have had no problem with other APIs, however for this current one I am having problems.
The error I am getting is the following:
Error contacting host SSL: certificate is valid for *.hostgator.com,
hostgator.com, not NflArrest.com To turn off SSL verification for
this test, change your test's behavior settings, see
https://www.runscope.com/docs/api-testing/behaviors for more details
From the documentation I read here:
SSL Certificate Verification
By default, Runscope will only relay responses if the SSL certificate from the upstream API provider is valid and trusted. To bypass this protection (for instance if you're using a self-signed certificate) on a per-bucket basis, select Bucket Settings in the left sidebar and deselect the option to 'Verify SSL Certificates'.
I have done that so to my knowledge it should work. However I still get the same error. The API documentation I am using can be found here.
Test's don't use the bucket setting, that's just for Gateway URLs/Traffic Inspector. To disable SSL verification in your test, expand the "Environment" section at the top of the test editor, select "Behaviors" and untoggle it there.
When I was working on facebook.com to recorded the login process using jmeter, then I came across the following error message. what should we do in such condition in order to surpass this step and directly gets login into the facebook application using the proxy server setting for the recording purpose.
The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issue)
As per Recording HTTPS Traffic with JMeter's Proxy Server I believe that it'll be quite enough to clear your browser history.
I want to create a helpdesk project following this great tutorial : http://blog.jetbrains.com/youtrack/2014/02/using-youtrack-as-a-help-desk/
I want to set the parameters of my mailbox using a Gmail adress but I don't know how to obtain a SSL key from Gmail.
Without it, I have "Connection timed out" error. I know where to add the SSL key in Youtrack, but I need a file (JKS or PKCS12 format).
My settings:
Protocol:IMAPS
Host:imap.gmail.com
Port:993
Login:mylogin
Password:mypassword
Select SSL key: nothing
Connection timeout:60
Socket timeout:60
Please help :)
Here how to obtain Gmail trusted root keys (from Google PKI FAQ):
Google may decide to have its intermediate signed by another root at any point in time, so you should have an update mechanism in place for the trusted roots you ship with your product. If you are developing code intended to connect to a Google property, we recommend you include a wide set of trustworthy roots. We made an example available as a PEM file here.
PEM file provided can be manually converted to PKCS12 with, for instance, OpenSSL tool.
I suspect, however, that installing a cert won't solve the issue. "Select SSL key" likely stands for client (i.e. YouTrack) certificate, which is not required by Gmail. Please check the following:
If IMAP is enabled in your GMail account
this recipe to make sure Gmail is not blocking new client application explicitly