Why don't Google's MX servers match the SSL certificate CN? - ssl

Before sending an email to a google account my script looked up the MX records for google's email servers. The results are:
gmail-smtp-in.l.google.com
alt1.gmail-smtp-in.l.google.com
alt2.gmail-smtp-in.l.google.com
alt3.gmail-smtp-in.l.google.com
alt4.gmail-smtp-in.l.google.com
I then successfully connected to gmail-smtp-in.l.google.com and after EHLO I started a STARTTLS request to switch to SSL. However, I set the script to check and make sure the host(s) listed in the certificate match the domain I was connecting to.
stream_context_set_option($fh, 'ssl', 'CN_match', 'gmail-smtp-in.l.google.com');
However, this is where things break. I got the following error:
stream_socket_enable_crypto(): Peer certificate CN='mx.google.com' did not match expected CN='gmail-smtp-in.l.google.com'
I checked to find out where nslookup mx.google.com was located and found it doesn't exist.
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find mx.google.com: NXDOMAIN
Why doesn't the SSL certificate match the domains using it? Am I missing something?
The following is the cert my script received from them.
Array
(
[name] => /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
[subject] => Array
(
[C] => US
[ST] => California
[L] => Mountain View
[O] => Google Inc
[CN] => mx.google.com
)
[hash] => fbf7dda6
[issuer] => Array
(
[C] => US
[O] => Google Inc
[CN] => Google Internet Authority
)
[version] => 2
[serialNumber] => 280762463620984597407910
[validFrom] => 120912115656Z
[validTo] => 130607194327Z
[validFrom_time_t] => 1347451016
[validTo_time_t] => 1370634207
[purposes] => Array
(
[1] => Array
(
[0] => 1
[1] =>
[2] => sslclient
)
[2] => Array
(
[0] => 1
[1] =>
[2] => sslserver
)
[3] => Array
(
[0] => 1
[1] =>
[2] => nssslserver
)
[4] => Array
(
[0] =>
[1] =>
[2] => smimesign
)
[5] => Array
(
[0] =>
[1] =>
[2] => smimeencrypt
)
[6] => Array
(
[0] => 1
[1] =>
[2] => crlsign
)
[7] => Array
(
[0] => 1
[1] => 1
[2] => any
)
[8] => Array
(
[0] => 1
[1] =>
[2] => ocsphelper
)
)
[extensions] => Array
(
[extendedKeyUsage] => TLS Web Server Authentication, TLS Web Client Authentication
[subjectKeyIdentifier] => 69:B3:67:5C:04:7F:16:EF:C1:85:FB:E8:2D:E4:FC:21:E9:7D:93:AF
[authorityKeyIdentifier] => keyid:BF:C0:30:EB:F5:43:11:3E:67:BA:9E:91:FB:FC:6A:DA:E3:6B:12:24
[crlDistributionPoints] => URI:http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl
[authorityInfoAccess] => CA Issuers - URI:http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt
[basicConstraints] => CA:FALSE
[subjectAltName] => DNS:mx.google.com
)
)

There are two possible reasons for this.
Firstly, SMTP host name matching has traditionally been defined quite vaguely. You can check the historical notes about this in RFC 6125 (a recent RFC about best practices for host name verification, not yet widely implemented). RFC 3207 (Secure SMTP over Transport Layer Security) doesn't give much detail as to where the host name should be in the certificate. RFC 4954 (SMTP Service Extension for Authentication) gives more details and talks about Subject Alternative Names, but it's in the context of SASL. Ambiguous or vague host name matching specifications are often a reason why no correct attempt to match the host name is made at all, unfortunately.
Secondly, SSL/TLS is rarely used between Mail Transfer Agents (MTA). What you're doing by getting the MX DNS record and trying to send an e-mail directly to it is typically done by MTAs, not so much by a Mail Submission Agent.
Typical usage of SSL/TLS for SMTP is between a Mail User Agent (the e-mail client) and a Mail Submission Agent (your ISP's e-mail server, where you have to authenticate).
SSL/TLS between MTAs is hard to set up, because not every server supports it and it's hard to know which MTAs will support it. Some people advocate "optimistic TLS" support, whereby you try to see whether the server you're talking to supports TLS and fall back to plain SMTP if it doesn't. There's unfortunately little to gain by doing so, since you're obviously vulnerable to MITM attacks as soon as you're willing to downgrade anyway.
In addition, the MX entry you get may itself have been compromised (at least without DNSSEC).
Overall, this actually makes it quite hard to rely on any form of transport security for e-mail beyond the MUA/MSA connection. This probably explains why there's little emphasis on configuring MX servers properly for SSL/TLS.
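The mismatch from the question, reproduced offline as an added example (not code from the original posts): an RFC 6125-style comparison of reference host names against the DNS identifiers a certificate presents. It goes beyond the single case above by also covering wildcards and the CN fallback; the function names are hypothetical, and the certificate dictionaries are constructed in the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
def dns_ids(cert):
    """dNSName SAN entries; the subject CN is used only when there are none."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive, label-by-label comparison of one presented name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, never directly over a TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_matches(cert, reference_ids):
    """True if any presented DNS identifier matches any reference identifier."""
    return any(name_matches(p, r) for p in dns_ids(cert) for r in reference_ids)


# Constructed from the certificate fields quoted in the question.
PRESENTED = {
    "subject": ((("organizationName", "Google Inc"),),
                (("commonName", "mx.google.com"),)),
    "subjectAltName": (("DNS", "mx.google.com"),),
}

# Constructed: the SAN is present, so the CN must not be consulted.
WILDCARD = {
    "subject": ((("commonName", "mx.example.net"),),),
    "subjectAltName": (("DNS", "*.mail.example.net"),),
}

if __name__ == "__main__":
    # The MX target name from the question fails; the certificate's own name passes.
    print(cert_matches(PRESENTED, ["gmail-smtp-in.l.google.com"]))
    print(cert_matches(PRESENTED, ["mx.google.com"]))
```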

Related

Does Amazon SES support plus addressing?

I successfully send many emails through Amazon SES... however a handful of them fail due to containing the plus character (plus addressing).
Here's how the emails are sent:
"Key" => "MyKey",
"Secret" => "MySecret",
"Region" => "us-east-1",
"Service" => "email",
"Host" => "email.us-east-1.amazonaws.com",
"Params" => [
"Action" => "SendEmail",
"Destination.ToAddresses.member.1" => "someone+testing#gmail.com",
"Message.Subject.Data" => urlencode("Test Message"),
"Message.Body.Html.Data" => urlencode("<p>Hello, this is a test.</p>"),
"Source" => urlencode("sender#example.com")
The response from Amazon SES is:
InvalidParameterValue
Local address contains control or whitespace
I know I can strip the "+testing" from the address, but don't believe that's the right thing to do. I'm unable to find anything in Amazon's documentation that mentions support for plus addressing or how to escape the plus character.
Has anyone else solved this?
In AWS, addresses with + are possible. The + characters are something called VERP - Variable Envelope Return Path -> which work exactly as they are supposed to work (https://docs.aws.amazon.com/ses/latest/dg/send-email-concepts-email-format.html)
Are you sure that none of the other parts use some strange characters?
You can try changing the encoding to UTF-8: Here is some example for that for SES. https://docs.aws.amazon.com/ses/latest/dg/send-email-raw.html

OKX - API - Demo Trading

OKX api_v5
I can get the following via the api - demo and live:
Account information
Coin balance
Market info
Candlestick info
I am trying to place a demo order with api.
Error -- The documentation says it's possible to trade via api
(
[clOrdId] =>
[ordId] =>
[sCode] => 51010
[sMsg] => The current account mode does not support this API interface.
[tag] =>
)
Call
[curl_params] => {"instId":"BTC-USDT-SWAP","sz":2,"side":"buy","px":21396.1,"ordType":"limit","tdMode":"isolated","uly":"BTC-USDT"}
[curl_method] => POST
[curl_url] => https://www.okx.com/api/v5/trade/order
Extra info - Some of the headers
[5] - just to show the raw signed info
[0 - 3] [REMOVED_SIGNED_DETAILS]
[4] => OK-ACCESS-TIMESTAMP: 2022-06-26T01:59:42.614Z
[5] => SIGN: 2022-06-26T01:59:42.614ZPOST/api/v5/trade/order{"instId":"BTC-USDT-SWAP","sz":2,"side":"buy","px":21396.1,"ordType":"limit","tdMode":"isolated","uly":"BTC-USDT"}
[6] => x-simulated-trading: 1
Has anyone been able to do the demo trading with the api?
Does anyone see anything wrong with the request?
Thank you
Switch to the trade tab, open settings, and you can change the account mode from simple to single currency margin.

Connecting to MSSQL server using Cpanel

I am currently in the process of moving over my locally made laravel application to the web. I am using cpanel for shared hosting. Currently my app uses three different databases: the normal MySQL database, a Microsoft Azure database, and a Microsoft SQL Server database. Currently I am able to connect to two of the three databases, as I can't connect to the MSSQL database. When I attempt to connect to the database I get the following error:
[ODBC Driver 17 for SQL Server]Login timeout expired (SQL: SELECT * FROM tblGlue)
I know that something is going wrong before it tries to authenticate the user, as I can change my username or password to a non-existent user and I get the same error. When I connected to my Azure database I had to use the stored procedure sp_set_firewall_rule to allow the IP of my website to access the database. Is there something like this that I have to do for MSSQL, as that's the only thing I can think of that's different? Here is the configuration for the database.
'sqlsrv' => [
'driver' => 'sqlsrv',
'url' => env('DATABASE_URL'),
'host' => "xxxx",
'port' => "1433",
'database' => "TEAM",
'username' => "xxxx",
'password' => "xxxxx",
'charset' => 'utf8',
'prefix' => '',
'prefix_indexes' => true,
],
Also when I run DB::connection("sqlsrv")->getDatabaseName() I get a good result. However DB::connection("sqlsrv")->getPdo() gives the same error.
I'm thinking that the server is blocking the IP of my website somehow. Any ideas on how I can fix this? Any help is greatly appreciated!
Avoid using SELECT * and return just the needed rows. Try increasing the connection timeout value. I recommend using a connection timeout of at least 30 seconds.
Use parameter login_timeout.
'mssql' => [
'driver' => 'sqlsrv',
'host' => 'CDBSQLSERVER',
'database' => 'MyDatabase',
'username' => 'XXXX',
'password' => 'XXXX',
'charset' => 'utf8',
'prefix' => '',
'login_timeout' => YOUR_TIMEOUT
]
Further, you can verify or copy the connection string for your database from the Azure portal.
Use UID in place of username.
Your client can assist in a diagnosis by logging all errors it encounters. You might be able to correlate the log entries with error data that SQL Database logs itself internally.

LightSpeed Retail API -How to get the Temporary Token

I'm developing a wordpress plugin, which obtains certain product info from the Lightspeed Retail API. I followed the steps in the documentation here http://developers.lightspeedhq.com/retail/authentication/access-token/
I have the Client ID and Client Secret, but I don't have the Temporary Token. I am stuck at this point; I am sure I'm missing some procedure here. Can you help me?
This is the current code I use based on the API documentation:
...
$tokenURL = "https://cloud.lightspeedapp.com/oauth/access_token.php";
$postFields = [
'client_id' => 'XXXXXXXXXXXXX',
'client_secret' => 'XXXXXXXXXXXXX',
'code' => 'Temporary Token',
'grant_type' => 'authorization_code'
];
...
The temporary token is returned if you follow the instructions here.
You need to start using this URL:
https://cloud.lightspeedapp.com/oauth/authorize.php?response_type=code&client_id={client_id}&scope={scope}&state={state}
which will return after your app is accepted with a code/temporary token.

How do I sign a google federated login?

OK, I'm having more luck with Google's federated login. I'm at the point where you get the following params back from Google.
[openid_ns] => http://specs.openid.net/auth/2.0
[openid_mode] => id_res
[openid_op_endpoint] => https://www.google.com/accounts/o8/ud
[openid_response_nonce] => 2010-01-02T14:58:22ZvP-t8tJXqGWaPw
[openid_return_to] => http://localhost/blablabla/index.php?c=google
[openid_assoc_handle] => AOQobUdTUUFVqQ9PeC9r19-rHOlEg_xvFmiIUahkmhNQ7Blrh14w2-eb
[openid_signed] => op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,ns.ext1,ext1.mode,ext1.type.firstname,ext1.value.firstname,ext1.type.email,ext1.value.email,ext1.type.lastname,ext1.value.lastname
[openid_sig] => tUZtUtVcvOfrodpPEx4bItcxVME=
[openid_identity] => https://www.google.com/accounts/o8/id?id=xxxxxxxxxxxxxxxxxx
[openid_claimed_id] => https://www.google.com/accounts/o8/id?id=xxxxxxxxxxxxxxxxxx
[openid_ns_ext1] => http://openid.net/srv/ax/1.0
[openid_ext1_mode] => fetch_response
[openid_ext1_type_firstname] => http://axschema.org/namePerson/first
[openid_ext1_value_firstname] => myName
[openid_ext1_type_email] => http://axschema.org/contact/email
[openid_ext1_value_email] => user#gmail.com
[openid_ext1_type_lastname] => http://axschema.org/namePerson/last
[openid_ext1_value_lastname] => MySurname
The only thing I need to do now is sign it, and if I understand this correctly Google is giving me a clue with [openid_signed]
i.e. string those params together and then create the hash out of the concatenated string, which should equal [openid_sig] => tUZtUtVcvOfrodpPEx4bItcxVME=
But I'm sure there is more to the signature generating formula - anyone know what it is, since I can't find it in Google's documentation anywhere?
You can use JanRain's RPX-Now for the same. It is much simpler and allows almost all OpenID providers. https://rpxnow.com/
Google Federated Login is, with a few minor changes, OpenID. Rather than looking for docs on Google Federated Login's signature protocol, look for information on how to generate a signature and how to verify the signature.
Even if you don't want to use the JanRain code, you could still get some answers to these questions by looking at the code. For instance, the verify function on line 1320 of /Auth/OpenID/Server.php seems to be where the code for verifying the signature starts.
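How an OpenID 2.0 relying party checks openid.sig, as an added example that is not part of the original posts or of the JanRain library: the fields named in openid.signed are serialized in Key-Value Form and authenticated with HMAC under the MAC key of the association named by openid.assoc_handle (a 20-byte signature such as the one in the question corresponds to HMAC-SHA1). The MAC key, association handle and identifier values below are constructed, the function names are hypothetical, and parameters use their dotted wire names rather than PHP's underscore form.

```python
import base64
import hashlib
import hmac

REQUIRED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def kv_form(params, signed_names):
    """Key-Value Form: one 'name:value' line per signed field, in list order."""
    lines = []
    for name in signed_names:
        value = params["openid." + name]  # KeyError if a signed field is absent
        if ":" in name or "\n" in name or "\n" in value:
            raise ValueError("field cannot be Key-Value Form encoded")
        lines.append(name + ":" + value + "\n")
    return "".join(lines).encode("utf-8")


def compute_sig(params, mac_key, digest=hashlib.sha1):
    names = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(params, names), digest).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_sig(params, mac_key, digest=hashlib.sha1):
    names = set(params.get("openid.signed", "").split(","))
    must_sign = REQUIRED | ({"claimed_id", "identity"} & {k[7:] for k in params})
    if not must_sign <= names:
        return False  # an unsigned field could be replaced without detection
    try:
        expected = compute_sig(params, mac_key, digest)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected.encode(), params.get("openid.sig", "").encode())


# Constructed sample: the MAC key would come from the earlier association step.
MAC_KEY = b"constructed-demo-mac-key"
RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://www.google.com/accounts/o8/ud",
    "openid.claimed_id": "https://www.google.com/accounts/o8/id?id=EXAMPLE",
    "openid.identity": "https://www.google.com/accounts/o8/id?id=EXAMPLE",
    "openid.return_to": "http://localhost/blablabla/index.php?c=google",
    "openid.response_nonce": "2010-01-02T14:58:22ZvP-t8tJXqGWaPw",
    "openid.assoc_handle": "constructed-handle",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
RESPONSE["openid.sig"] = compute_sig(RESPONSE, MAC_KEY)
```

A relying party that holds no association for the returned handle cannot compute the MAC itself and has to ask the provider to confirm the response with a check_authentication request instead.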