I am trying to monitor a https URL using VirtualUser Generator, I have the pfx certificate of the user which is used to login as a user on the portal. I used the Openssl utility with Loadrunner to convert the same to PEM and used web_set_certificate_ex on my script but still I see the script demands user certificate for the user. Please help...
I am trying to monitor
I don't know exactly what you mean by trying to "monitor" the URL using vugen but the latter part of your question sounds like you're trying to record a script and play it back. Since this is generally the function of vugen I'll answer this question. I'm also going to assume you're recording in the web/http protocol and not something like truClient.
Here's the thing - vugen will generally take care of the certificate exchange for you. The primary exception to this is mobile testing. I also actually made the same mistake I think you're making when I first started perf testing. I spent quite a bit of time futzing with certificates, but that is generally unnecessary.
You should make an attempt to record a very simple script, like login, and play it back. If it works, you're set. If you happen to be testing a middleware application you should consider recording in clear text and adding an 's' to your http:// URI.
Very simple advice, but if I understand the nature of your inquiry, it should work.
Try recording without certificate and see weather you can see the request bodies, if not, then you can think of placing client certificates also make sure you are using the right socket, SSL version and cipers to record the application.
Related
I'm have compatibility issues with WebRTC implementation and our Oracle (AcmePacket) SBC. I think I could work around the issue that they confirmed and will fix somewhere next year, by using a certificate that is signed by a CA for DTLS.
I have been looking around but couldn't find any reference: would it be possible to load my own RTCCertificate from a file?
I know that from a security perspective this is a bad idea, but it's for a proof-of-concept application, and by the time we would use this in production, the bug on the Oracle SBC would be fixed OR we can run rtpengine inbetween which would handle the self-signed random certificate correctly.
I don't believe this is possible (in the browser). RTCPeerConnection does allow you to pass a certificate, but can only be generated using generateCertificate
Running a bridge I think is your only option in this case unfortunately.
My website get traffic drop recently. I found that my user cannot access my website when their computer in wrong set of time. However, they can open other website as usual.
The error said "NET::ERR_CERT_DATE_INVALID" in google chrome and "Warning: Potential Security Risk Ahead" in firefox. So, I assumed that the problem is the SSL. Previously I use free ssl from Cloudflare, thinked that its because its free then the error appeared, I the purchased for Dedicated SSL form Cloudflare. But, I keep get the same Error.
Is there is a solution for this situastion?
Changing the user computer time its not my solution here, because other website working just fine.
Thank You
I found that my user cannot access my website when their computer in wrong set of time.
The expiration of the certificate is checked against the local time of the system. If the local time is wrong the check might fail even if the certificate is not really expired yet.
If it fails depends on how wrong the local time is compared to the expiration time in the certificate, i.e. it might be so wrong that some certificates look expired while others are not yet expired. Some sites use more short-lived certificates and thus are more likely to run into this kind of problems. For example Let's Encrypt certificates are only valid for 3 month, while other CA issue certificates for a year or even longer. And of course sites which only use HTTP instead of HTTPS don't have this problem since no certificates are involved in the first place.
Changing the user computer time its not my solution here, because other website working just fine.
There is nothing you can do against this from the server side. And while some other sites work just fine for the moment it is very likely that there are some sites apart from yours which will not work too. So the problem is not restricted to your site only.
One of my clients just received the software ordered from his chosen developers, asked me to look at it and prepare the hosting procedures.
It's an Java (jar) app, so far so good ... but I saw something suspect, every 60 minutes or so the software connects to a remote host :443 port using SSL and transferring ~ 3-10 MB of encrypted data (as POST) then closes the connection, this is very strange. Tried to wireshark it but everything is encrypted and I have no clue about what kind of data is transferred, I know only the destination hostname. The hosted data within the app will be highly sensitive (insurance-broker) and if my client decides to go with it - this is a serious issue for his business and also for his clients, I've asked the developer company about this and they said that no one added something like this even if I provided them the proff (pcap).
I can block it within firewall, but if they added something like this it could exist another hosts ready to receive the encrypted data.
The only way I can figure it out is to somehow decrypt the SSL traffic in order to read RAW data and give my client all the needed informations in order to talk with the developer company to sort it out, how can I do that ? With some sort of ssl-proxy or whatever ... tried to google it but didn't find any kind of relevant tutorials.
I have access to the physical machine which is running the Java application, I can see every single bit of the traffic but ... encrypted.
If I was in your place instead of trying to decrypt ssl connection would have tried following steps:
1)Since you are aware of the host to which it is making a post request , find out more about that service so as to learn what it does ? May be try contacting that site saying that we need to consume your service what should I send my in post request ;)
2)Second way around would be if you can decompile the jar file and find line in the source code which makes that request and then you could go back to the developer asking as why this has been written. To find the source code which is making the call what you could do is block the host access on your firewall.
The code would fail and mostly probably he would have logged the exception in his log files. Find the stack trace and you will know the line of code that is
making that request.
Hope this helps.
I have an application on a Glassfish server instance. I need to do a two way authentication with certificates. I have a closed group of users, so installing the self signed certificate is not a problem.
The question is, how do you go about doing this entire process? I am using the java based Keystore Explorer instead of the command line tool keytool.
Before shooting me down, could you please give me a chance to explain my situation better, I know right now the question is a bit hazy, but as the comments come in, I will be able to clarify a bit better!
If you refer to mutual authentication, please read the following Oracle resource first.
http://docs.oracle.com/javaee/6/tutorial/doc/glien.html#bnbyi
If you still have problems, please provide more details and where you are stuck.
I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc. but to no avail. I don't work with SSL everyday so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.