I'm receiving the following SSL error on my rake rspec unit tests when I try to connect to the vault on my docker container using HTTPS:
OpenSSL::SSL::SSLError:
SSL_connect returned=1 errno=0 state=error: wrong version number
We're using docker to load a local instance of a hashicorp vault
Here's the command I run to generate the TLS Certificates
RUN openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -subj "$SUBJ" -out /vault/certificates/tls/vault.crt \
-keyout /vault/certificates/tls/vault.key
When I log into the docker container and run openssl version I get:
/ # openssl version
OpenSSL 1.1.1k 25 Mar 2021
When I try to connect to the docker container from my local prompt, I get:
$ openssl s_client -connect 'localhost:8200'
CONNECTED(000001F0)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1620224762
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
26612:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:827:
When I run this command in my local irb I get:
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
=> {:min_version=>769, :verify_mode=>1, :verify_hostname=>true, :options=>2147614804}
irb(main):003:0>
This is my vault configurations:
listener "tcp" {
address = "[::]:8200"
cluster_address = "[::]:8201"
tls_cert_file = "/vault/certificates/tls/vault.crt"
tls_key_file = "/vault/certificates/tls/vault.key"
}
Also, i noticed in the docker logs we have two listeners now:
Listener 1: tcp (addr: "0.0.0.0:1234", cluster address: "0.0.0.0:1235", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Listener 2: tcp (addr: "[::]:8200", cluster address: "[::]:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
And my docker vault server startup command is:
vault server -config=/vault/config -dev-root-token-id=myroot -dev-listen-address=0.0.0.0:1234 -dev &
And i noticed in the logs its still seeing an http connection...
Error writing data to pki/root/generate/internal: Put https://127.0.0.1:1234/v1/pki/root/generate/internal: http: server gave HTTP response to HTTPS client
Error writing data to pki/config/urls: Put https://127.0.0.1:1234/v1/pki/config/urls: http: server gave HTTP response to HTTPS client
Error writing data to pki/roles/localhost: Put https://127.0.0.1:1234/v1/pki/roles/localhost: http: server gave HTTP response to HTTPS client
Error writing data to pki/issue/localhost: Put https://127.0.0.1:1234/v1/pki/issue/localhost: http: server gave HTTP response to HTTPS client
I'm kind of lost right now on how to handle this.
Related
I'm trying to set up SSL certs for my laravel API so it can connect to my front end project. I'm hosting my server on aws EC2 so Ive been trying to use cloudfront and acm. I get a 502 error when trying to access my api routes using my DNS. In the error code cloud front sends a link and it tells me to use an open ssl command to determine if cloudfront can establish a connection. the command is
openssl s_client –connect domainname:443 –servername domainname
Once I add that with my domain name I get this response.
CONNECTED(00000003)
140306801927832:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 326 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1536682031
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Im not really sure where to go from here because this is my first time trying to set up ssl.
I'm trying to run MQTT broker (Mosquitto) with TLS support, I followed http://rockingdlabs.dunmire.org/exercises-experiments/ssl-client-certs-to-secure-mqtt to generate certificates and configuration. If I run
sudo /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf -d -v
It throws error in /var/log/mosquitto/mosquitto.log
mosquitto version 1.4.8 (build date Fri, 19 Feb 2016 12:03:16 +0100) starting
Config loaded from /etc/mosquitto/mosquitto.conf.
Opening ipv4 listen socket on port 8883.
Opening ipv6 listen socket on port 8883.
Error: Unable to load server key file "/etc/mosquitto/certs/mqtt_server.key". Check keyfile.
Here is my configuration in conf.d/mymqtt.conf
# MQTT over TLS/SSL
listener 8883
cafile /etc/mosquitto/ca_certificates/mqtt_ca.crt
certfile /etc/mosquitto/certs/mqtt_server.crt
keyfile /etc/mosquitto/certs/mqtt_server.key
require_certificate true
tls_version tlsv1.2
user mosquitto
And these certificate and key files are present in proper location
And here is the content of default mosquitto.conf
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
I ran into the same issue once and it was because the key was password protected. I changed the file settings so that the key file was readable only by a specific set of users and removed the password.
For posterity:
You get this error if the key doesn't match the certificate also. So remember to check that:
openssl rsa -noout -in -key.pem -modulus | openssl md5
should match
openssl x509 -noout -in cert.pem -modulus | openssl md5
I spent hours trying to fix this until I realised I'd mixed up the keys.
This ruby code is supposed to connect to a secure channel:
connection = Net::HTTP.new "localhost", 8081
connection.use_ssl = true
connection.ssl_version = :TLSv1_2
# ...
connection.post path, data, h
I am having the following error:
usr/local/rvm/rubies/ruby-2.2.0/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Client does have support for TLSv1.2, it looks:
ruby -ropenssl -e 'puts OpenSSL::SSL::SSLContext::METHODS' | grep 1_2
TLSv1_2
TLSv1_2_server
TLSv1_2_client
Also the server has support to TLSv1.2
openssl s_client -connect localhost:8081 | grep Protocol
Protocol : TLSv1.2
Why is Net::HTTP trying to connect using state state=SSLv3?
I know there are lots of discussion regarding this error but sorry to say that I'm unable to find any working solution over there.
I'm developing a ecommerce site using ShareTribe.I'm trying to implement Paypal as payment gateway.So I'm using Activemerchant.
Everything works fine on development machine but when I deploy my rails app to production It throws
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)
I'm initializing my Activemerchant as
config.after_initialize do
ActiveMerchant::Billing::Base.mode = :test
paypal_options = {
login: "bla bla",
password: "bla bla",
signature: "bla bla",
appid: "APP-80W284485P519543T"
}
::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
end
Added HTTPS and Disabled SSLV3
After lots of googling I found that
SSLv3 was proven to be insecure with the POODLE vulnerability. You
should make sure that your system has the latest version of OpenSSL so
that you can use TLSv1.2.
So I disabled SSLV3 as shown below
openssl s_client -connect kickmarket.eu:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...........................................
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2038 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4D23F4A942AAD4264BE96EB5F1E62204269D882A64ACFBD2D139CD2F10A449A0
Session-ID-ctx:
Master-Key: 1E381DAA3BA90FE3609606716E7E9A2EB2E2F671E9F3C4005D8EBAE009103A7AB771FB2AC8B45F169F43CBD0AD352E06
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
..................................
Start Time: 1446132175
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
But after restarting nginx I got the same problem.Is there Any way to fix this issue.
Any suggestion will be appreciated.
This is most likely due to the upgrade to SHA256 certification. Please review the following documentation:
https://devblog.paypal.com/paypal-ssl-certificate-changes/
The primary cause for this is the rvm installed ruby does look into the wrong directory for certificates whereas the OSX-ruby will look into the correct one.
What you wanna do is NOT TO USE any of the precompiled rubies and rather have ruby compiled on your local machine, like so:
rvm install 2.2.0 --disable-binary
You can read detailed explanation https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
i am writing a ruby script to send email using 'mail' gem.
and my smtp settings on my local machine:
mailer_options:
address: smtp.gmail.com
port: 587
domain: gmail.com
user_name: example#gmail.com
password: example_password
authentication: :login
enable_starttls_auto: true
ssl: true
when i try to send the email with the above smtp settings i get the following exception:---
/opt/rbenv/versions/2.0.0-p247/lib/ruby/2.0.0/net/smtp.rb:585:in 'connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol (OpenSSL::SSL::SSLError)
i tried installing ssl certificate by command
openssl s_client -connect gmail.com:443
but it does not help, thanks for any comments and answer.
Port 587 starts out plain text, and then "upgrades" to ssl via starttls if you want smtp from the start to use ssl, then you need to use port 465.
so either of these should fix your issue.
Remove enable_starttls_auto and set the port to 465
or
Remove ssl: true and rely on starttls to upgrade your connection to ssl