Here is my problem.
I have multiple domains hosted on one apache webserver. (Virtual Hosts)
Two of them (a.com and b.com) use ssl certificates.
I configured both with these commands:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/ABC.crt
SSLCertificateKeyFile /etc/apache2/ssl/ABC.key
SSLCertificateChainFile /etc/apache2/ssl/ABC.chain.crt
SSLProtocol all -SSLv2
When I try to connect via browser (Chrome, Firefox, IE) it works fine and I get the right certificate.
But on Android I got an exception: No peer certificate
Then I tried to test it with this command:
openssl s_client -connect b.com:443
It returns me the certificate of a.com.
Any suggestions what I've done wrong that I get the wrong certificate with openssl and Android?
There are probably multiple hosts on the same IP address and you need to use Server Name Indication (SNI) to access this site. To use SNI with openssl s_client use the -servername option, e.g. openssl s_client -connect b.com:443 -servername a.com. As for Android: according to https://developer.android.com/training/articles/security-ssl.html SNI is supported since 2.3 for HttpsURLConnection but not for Apache HTTP Client.
For several OSX versions, I've been using these tutorials to set up a local development environment, including SSL.
I've also always been able to create dynamic virtual hosts based on the folder structure like this:
# Auto-VirtualHosts with .dev
<VirtualHost *:8080>
ServerName dev
ServerAlias *.dev
CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
ErrorLog "/Users/username/Sites/logs/dev-error_log"
VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
<VirtualHost *:8443>
ServerName dev
ServerAlias *.dev
Include "/Users/username/Sites/ssl/ssl-shared-cert.inc"
CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
ErrorLog "/Users/username/Sites/logs/dev-error_log"
VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
The included SSL file there is like this:
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "/usr/local/etc/httpd/server.crt"
SSLCertificateKeyFile "/usr/local/etc/httpd/server.key"
And to generate that certificate I run this code:
$ cd /usr/local/etc/httpd
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt
This has always worked okay for me, locally. I can run curl successfully, and especially in WordPress development I can run cron tasks that presumably use curl.
Upon upgrading to High Sierra, I get the following error in WordPress:
There was a problem spawning a call to the WP-Cron system on your site. This means WP-Cron events on your site may not work. The problem was:
cURL error 60: SSL certificate problem: self signed certificate
And on the command line, when I run curl to a local HTTPS URL, I get this error:
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I've tried reinstalling all the items from the initial tutorial, but so far nothing has helped. I've also tried installing curl from the Homebrew version instead of the built in, but this didn't seem to have any effect. Is there something known about High Sierra that would make it more picky about this? If so, is there anything I can do to bypass this for local development?
You have to add your self-signed certificate to the curl CA certificate store.
First you have to generate the ca bundle by running the perl script stored in:
/usr/local/Cellar/curl/7.56.1/libexec/mk-ca-bundle.pl
Edit the generated file:
/usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
and add your self-signed certificate using the same syntax.
You can obtain the certificate with:
openssl s_client -showcerts -connect my.server.com:443
Copy everything from
-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----
including the BEGIN and END lines.
Create then a file ~/.curlrc containing:
cacert /usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
I have learnt about SSL and SSL certificates used on the client and server side. I pretty much understand how things work and have generated server and client certificates and keys. I have studied how I can use my own CA with HTTPS in Android.
I want to setup a server where I can put the server certificate and then access it from my android device to make an emulation of what I have learnt so far.
Is there any server available where I just need to put the cert and key and it will start working? I have gone through WAMP and Apache configuration stuff but unfortunately I am unable to make it work properly.
If you're using OpenSSL, it includes a very simple server named s_server which is very useful for this kind of experimentation. Here's an example that might get you started:
$ openssl s_server -key test.key -cert test.crt -accept 8443 -WWW
This will serve up files in the current working directory from https://localhost:8443/
The manpage for s_server should give you all the info you need. I think you'll want the -CApath or -CAfile options if you're also experimenting with client certs.
I am trying to run a calendar server (Caldavd). I ran into trouble when I enabled SSL. I get the error:
"Unable to Connect Securely
Firefox cannot guarantee the safety of your data on localhost:8443 because it uses SSLv3, a broken security protocol."
I am running on Ubuntu 12.04, have created a self signed certificate, using openssl 1.0.2 (the latest, as far as I can tell), and have added the line
SSLProtocol All -SSLv2 -SSLv3
to my site configuration file.
I am a newbie to Apache, not a sysadmin. I understand why Firefox wants to disable SSLv3 but I don't know what else I need to do.
Verify that you have all the weak ciphers disabled. Since the server is internal, use OpenSSL:
openssl s_client -connect localhost:8443 -cipher 'ALL:!RC4' -no_ssl2 -no_tls1_1 -no_tls1_2
If the connection is successful then you know the configurations worked.
How to disable weak ciphers in Apache: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
I have two ColdFusion applications which run on an Apache web server:
https://site1.com
https://site2.com
Both have their own SSL certificate and are configured in the httpd-ssl.conf file with a name-based virtual host for each site.
When I'm doing an HTTPS call from site1.com to site2.com,
httpService = new http();
httpService.setMethod("get");
httpService.setUrl("https://site2.com/comp.cfc?method=amethod&ID=12");
result = httpService.send().getPrefix();
it gives the following error:
I/O Exception: hostname in certificate didn't match: <site2.com> != <site1.com>
Actually it should use site2's SSL certificate, but I'm not sure why it is using site1's SSL certificate and giving the error.
This looks like a Server Name Indication (SNI) issue. SNI is a TLS extension that allows several HTTPS servers to be hosted on the same server.
You can confirm this issue using:
echo "" | openssl s_client -connect site2.com:443 | openssl x509 -noout -subject
If you see something like CN=site1.com try this:
echo "" | openssl s_client -connect site2.com:443 -servername site2.com | openssl x509 -noout -subject
If you get CN=site2.com, this is an SNI issue.
You can look at this bug, more specifically this comment:
The SNI support has been added in ColdFusion 11. The change required for supporting this is quite big and therefore it can't be backported to ColdFusion 10.
Other workarounds could be to host your 2 HTTPS sites on 2 separate servers, to set up a unique SSL certificate valid for both names (using X509 SubjectAltName extension) or to disable certificate CN validation (if possible).
You need to import the SSL certificate into the ColdFusion/Java keystore. If this doesn't help, add -Djavax.net.debug=all in jvm.config for ColdFusion. This requires a CF service restart. Then try the SSL call.
Working with a standard MediaTemple server setup with an installed GeoTrust domain certificate I am getting different responses from openssl and web requests.
Visiting the site from a site checker site I get a good response and see my domain certificate and the full Geotrust certificate chain.
When using
openssl s_client -connect subdomain.domain.com:443 -showcerts -ssl3
from my local machine I see
Server certificate
subject=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info#parallels.com
issuer=/C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info#parallels.com
and Verify return code: 18 (self signed certificate)
openssl version -d = OPENSSLDIR: "/etc/pki/tls"
It's a CentOS 6.x box.
The apache httpd.conf file points to a certificate and CA list in a completely different location: /usr/local/psa/var/certificates/ which would seem fine to me.
Where is the openssl s_client finding the Parallels certificate? It is not located in /etc/pki/tls. Is there a way to configure the box so that the openssl requests and apache use the same server certificate?
Thanks in advance!
openssl s_client gets the certificate from the server during the SSL handshake. OPENSSLDIR is only the place where any (optional) configuration for the openssl tool is stored.
Note that you might get a different certificate with openssl than you have configured on your server because you need to use SNI (Server Name Indication) like browsers do. This feature is used if you have multiple certificates behind the same IP. To use this feature with openssl add the -servername hostname parameter and provide the name you expect. You must also remove the -ssl3 option since this restricts the connection to SSL 3.0, which is not only insecure but also does not support SNI.
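The behaviour the SNI answers above describe (the first virtual host's certificate arriving whenever the client sends no server name) and the curl fix from the High Sierra thread (trusting a self-signed certificate through your own CA bundle) can be reproduced offline. The script below is an added example, not code from any of the posts or from Apache, curl or ColdFusion. It assumes Python 3.8+ and an openssl binary on PATH; the vhost names a.example and b.example and the certificates it mints are constructed for the demo.

```python
"""Added example (not code from any of the posts above): one local TLS
listener serving two self-signed certificates for the hypothetical vhosts
a.example (default) and b.example, chosen by SNI the way Apache picks a
name-based SSL virtual host. Assumes Python 3.8+ and the openssl CLI."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

NAMES = ("a.example", "b.example")   # hypothetical vhost names; first is default
WORKDIR = tempfile.mkdtemp()          # holds the certs constructed for this run


def make_self_signed(cn):
    """Mint a throwaway self-signed cert for cn with the same `openssl req`
    command the questions use. Returns (cert_path, key_path)."""
    cert, key = (os.path.join(WORKDIR, cn + ext) for ext in (".crt", ".key"))
    subprocess.run(
        ["openssl", "req", "-x509", "-nodes", "-days", "1", "-newkey", "rsa:2048",
         "-subj", "/CN=" + cn, "-keyout", key, "-out", cert],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


CERTS = {cn: make_self_signed(cn) for cn in NAMES}  # cn -> (cert, key)
CONTEXTS = {}                                        # cn -> server SSLContext
DER_TO_CN = {}                                       # DER bytes -> cn
for cn, (cert, key) in CERTS.items():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    CONTEXTS[cn] = ctx
    with open(cert) as f:
        DER_TO_CN[ssl.PEM_cert_to_DER_cert(f.read())] = cn


def select_vhost(sslobj, server_name, _initial_ctx):
    """SNI hook: server_name is the ClientHello's SNI, None if the client sent
    none. Unknown or missing names keep the default vhost's certificate."""
    if server_name in CONTEXTS:
        sslobj.context = CONTEXTS[server_name]


def serve_forever(listener):
    """Accept, complete the TLS handshake (SNI decides the cert), hang up."""
    while True:
        conn, _ = listener.accept()
        try:
            with CONTEXTS[NAMES[0]].wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # a client that rejects our cert aborts the handshake here


CONTEXTS[NAMES[0]].sni_callback = select_vhost
LISTENER = socket.create_server(("127.0.0.1", 0))
PORT = LISTENER.getsockname()[1]
threading.Thread(target=serve_forever, args=(LISTENER,), daemon=True).start()


def presented_cn(servername):
    """Which certificate arrives for this SNI value? Verification is off, like
    reading `openssl s_client [-servername NAME]` output by eye."""
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False
    client.verify_mode = ssl.CERT_NONE
    with socket.create_connection(("127.0.0.1", PORT)) as raw:
        with client.wrap_socket(raw, server_hostname=servername) as tls:
            return DER_TO_CN[tls.getpeercert(binary_form=True)]


def verifies(hostname, cafile=None):
    """Does a verifying client (curl's default) accept the connection? With
    cafile=None only the system store is trusted, which never holds a freshly
    minted self-signed cert, so this reproduces curl's error 60; pointing
    cafile at a bundle containing the cert is the ~/.curlrc `cacert` fix."""
    client = ssl.create_default_context()
    if cafile is not None:
        client.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection(("127.0.0.1", PORT)) as raw:
            with client.wrap_socket(raw, server_hostname=hostname):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    for sni in (None, "a.example", "b.example"):
        print(f"SNI={sni!s:10} -> certificate CN={presented_cn(sni)}")
    bundle = CERTS["a.example"][0]  # stand-in for the edited ca-bundle.crt
    print("verify via system store:", verifies("a.example"))
    print("verify via own bundle  :", verifies("a.example", bundle))
```

Running it shows the same pattern as the threads: no SNI yields the default vhost's certificate (a.example), SNI for b.example yields b's, and a verifying client fails against the system trust store but succeeds once the self-signed certificate is in the bundle it is told to use. The server keeps the certificate files loaded in memory, so the throwaway directory can be discarded once the contexts are built.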
Turns out that on MediaTemple servers they maintain certs in two locations. The apache server has a location for the CA file in its conf files that is different from where openssl maintains its CA files.
You can find the apache location in the conf files and the openssl location with
openssl version -d
Within MediaTemple's web administration pages you can use Plesk to install the domain cert into the openssl location as the "server's" cert. The Apache server should already have the cert and CA files in the right location. The MediaTemple custom Apache configuration overrides the standard Apache setup, which sets Apache's cert locations to be the same as openssl's.