I have websocket endpoint wss://http-testnet.hecochain.com/ to connect to,
but I cannot get its certificate to use within code.
While to certificate for HTTP URL you can just use browser (See 1) and 2) below),
there is no way for WS as it is not displayed in browser
Links
https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file, e.g.
openssl s_client -connect google.com:443 -showcerts
https://medium.com/#menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
Well, because wss actually works over htttps port 443, so certificate is the same for wss:
openssl s_client -connect http-testnet.hecochain.com:443 -showcerts
openssl s_client -connect ws-testnet.hecochain.com:443 -showcerts
Related
In Burp Suite, from Project Options -> SSL we can import PKCS#12 files with password for specific hostnames.
I tried manually using commands below to export block and key files and then pass them to my http client in golang using tls.LoadX509KeyPair(). But upon sending any requests, I receive remote error: tls: handshake failure.
These are the commands I used:
openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem
openssl pkcs12 -in cert.p12 -nocerts -out userkey.pem -nodes
What am I missing?
If using a self-signed certificate specify InsecureSkipVerify: true in your tls configuration. Pulled from the documentation:
// InsecureSkipVerify controls whether a client verifies the
// server's certificate chain and host name.
// If InsecureSkipVerify is true, TLS accepts any certificate
// presented by the server and any host name in that certificate.
// In this mode, TLS is susceptible to man-in-the-middle attacks.
// This should be used only for testing.```
Otherwise, add your certificate to the Certificates list in your tls configuration.
Starting with an empty directory:
Generate CAroot private key
$ openssl genrsa -aes256 -out dcsAzureVPN.key 2048
Generate a CARoot certificate
$ openssl req -x509 -sha256 -new -key dcsAzureVPN.key -out dcsAzureVPN.cer -days 1825 -subj /CN="dcsAzureVPN"`
Successfully copied dcsAzureVPN.cer to VPN gateway and saved (see attached screenshot)
Generate Certificate Request (CSR)
$ openssl genrsa -out dcsAzureClientCert.key 2048
$ openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPN"`
Generate signed Client Certificate from CSR
$ openssl x509 -req -sha256 -in tjaClientCert.req -out dcsAzureClientCert.cer -CAkey dcsAzureVPN.key -CA dcsAzureVPN.cer -days 1825 -CAcreateserial -CAserial serial
Signature ok
subject=/CN=dcsAzureVPN
Pack key and certificate in .pfx format
$ openssl pkcs12 -export -out dcsAzureVPNClient.pfx -inkey dcsAzureClientCert.key -in dcsAzureClientCert.cer -certfile dcsAzureVPN.cer
Copy client cert to my Keychain
Make dcsAzure VPN a trusted cert.
Select dcsAzureVPN as the client certificate for my VPN connection
Try to connect. Connection fails with an error: User Authentication failed
What am I doing wrong?
I finally found the problem. It turns out the Local ID has to match the client certificate subject, not the name of your client certificate file.
You have to manually configure the native IKEv2 VPN client on every Mac that will connect to Azure. You could use these steps to configure the native VPN client on Mac for certificate authentication.
Moreover, you could refer to this to troubleshoot Point-to-Site VPN connections from Mac OS X VPN clients.
Additionally, no matter what client OS you want to connect from, you must always have a client certificate. You can generate a client certificate from either a root certificate that was generated using an Enterprise CA solution or a self-signed root certificate. See the PowerShell, MakeCert, or Linux instructions for steps to generate a client certificate.
Please let me know if this works.
Whoever stumbles up on this solution: It is working if you change the Client certificate's subj from dcsAzureVPN to (for example) dcsAzureVPNSubj and use it in the connection tab for Local ID.
So instead of this:
openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPN"
Use this:
openssl req -new -out tjaClientCert.req -key dcsAzureClientCert.key -subj /CN="dcsAzureVPNSubj"
and use the dcsAzureVPNSubj for Local id on the MacOS VPN connection tab.
Worked on the following machine:
20.5.0 Darwin Kernel Version 20.5.0: root:«gibberish»/RELEASE_ARM64_T8101 arm64
Big Sur version: 11.4
Using openssl s_client on the command line I am able to establish a comection to a POP3 server which requires STARTTLS.
openssl s_client -connect pop3.example.com:110 -starttls pop3
How can I accomplish the same (especially the -starttls pop part) utilizing Ruby's OpenSSL library:
tcp_socket = TCPSocket.new host, port
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, ssl_context
ssl_client.connect
The POP3 specification states that you need to send STLS in order to initiate the TLS handshake. Therefore you should send STLS on the unencrypted socket first, and after that you should be able to call connect on the OpenSSL layer, which will then perform the actual handshake.
If you call connect before sending STLS, the server won't know what is going on, and will interpret it as garbage input.
Working example:
tcp = TCPSocket.new(host, port)
puts tcp.gets
tcp.puts 'STLS'
puts tcp.gets
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_client = OpenSSL::SSL::SSLSocket.new(tcp, ssl_context)
ssl_client.connect
puts ssl_client.state
ssl_client.puts "NOOP"
puts ssl_client.gets
Output:
+OK POP3 ready <2067986403.1526483285#....>
+OK
SSLOK
+OK
I am trying to use cURL and get the following error on every https request I make. The error is always the same. HTTP requests work flawlessly. The verbose output is quite useless.
bash:$ curl https://google.com -vv
* Adding handle: conn: 0x7fe09b803a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fe09b803a00) send_pipe: 1, recv_pipe: 0
* About to connect() to google.com port 443 (#0)
* Trying 74.125.226.129...
* Connected to google.com (74.125.226.129) port 443 (#0)
* Unknown SSL protocol error in connection to google.com:-9805
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to google.com:-9805
bash:$ curl https://google.com -V
curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IPv6 Largefile NTLM NTLM_WB SSL libz
bash:$ openssl s_client -connect google.com:443 < /dev/null
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
24255:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:
The results are the same on two different networks, so it does not appear to be network-specific. Attempting to connect using openssl s_client fails similarly so it is not library-dependent either (curl on the Mac uses SecureTransport). The debug output of s_client shows that the SSL handshake proceeds normally to the point where the client sends ChangeCipherSpec and the Finished messages but does not receive ChangeCipherSpec back from the server.
I have tried running these commands on a Debian VM on my Mac, and everything there runs correctly. In addition, using curl to connect to a local OpenSSL server (openssl s_server with a self-signed certificate) also works correctly.
I have looked through other answers on this forum and other places on the internet, but haven't found an answer. Most people's issues involve particular servers and the configuration of SSL on these servers. Mine however is problematic anytime HTTPS is used (with any website).
It was suggested that the issue might be in the certificate store. But if I understand it correctly, if the issue was with the certificate store, it would cause certificates to be rejected by all apps. However, all my browsers (chrome, safari, firefox) negotiate SSL with no problems. There is nothing suspicious in the environment variables for GUI applications or the shell.
Can someone please suggest what I should be looking into to solve the problem? Can it be that something is not properly configured? What should I be looking for?
I want to configure openssl client-server to support TLS extensions specifically server name indication (SNI).
I have build the latest openssl 1.0.0e on ubuntu linux without giving any additional config parameter.
./config
make
make install
Not sure if I need to give any additional config parameters while building for this version.
Now I have set up server and connecting to it through openssl client using the standard command line tool provided by openssl, viz s_client and s_server.
My question is: how do I specify the host name to be sent as extension in s_client? Does openssl have the provision to specify server name using some parameter in commandline?
Thanks!
This has been lying dormant for some time. Since I figured this out long back, it would be logical to write the answer and put a closure to this.
The command-line option servername is available to specify SNI.
openssl s_client -connect myweb.address.com:443 -servername myweb.address.com
The above command will trigger TLS client with the given server name present in SNI extension of client hello.
For using s_server you can use the command:
openssl s_server -accept 443 -cert normal_cert.pem -key normal_key.ky -servername xyz.com -cert2 sni_cert.pem -key2 sni_key.ky
Here whenever the client will request the server without servername extension the server will reply with normal_cert and if there is servername extension is client hello then server will reply with the sni_cert.
For using s_client with SNI you can use the command:
openssl s_client -servername xyz.com -connect ip:port
The relevant commandline options are:
starttls prot: use the STARTTLS command before starting TLS for those protocols that support it, where 'prot' defines which one to assume. Currently only "smtp", "pop3", "imap", "ftp" and "xmpp" are supported.
servername host: Set TLS extension servername