I'm loading a Pyjks PrivateKeyEntry object into PEM and then trying to load the PEM-encoded string into a PKey object. As you might have guessed, I'm trying to export the PrivateKeyEntry along with its cert chain into a file. We have a UI that is able to import certs and p12 containers into Java keystores, and I'm trying to make them downloadable too.
pkey_pem = pkey_as_pem(keystore_entry)
load_privatekey(crypto.FILETYPE_PEM, pkey_pem)
However, the error I'm getting from OpenSSL.crypto library is useless to say the least:
OpenSSL.crypto.Error: [('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error'), ('rsa routines', 'old_rsa_priv_decode', 'RSA lib'), ('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error'), ('PEM routines', 'PEM_read_bio_PrivateKey', 'ASN1 lib')]
Pyjks also shows this being done the same way: https://github.com/kurtbrose/pyjks/blob/master/tools/readks.py
I'm able to export a certificate like this just fine.
EDIT: Also tried with load_privatekey(crypto.FILETYPE_ASN1, pkey_pem._pkey), which results in a similar cryptic error message:
{Error}[('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_template_noexp_d2i', 'nested asn1 error'), ('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error'), ('rsa routines', 'old_rsa_priv_decode', 'RSA lib'), ('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error')]
Found a bug (actually, "oversight" sounds better) in my own code which had already messed up the pkey during import into the JKS, which is why it failed in OpenSSL.
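The error chain above (PEM_read_bio_PrivateKey, then old_rsa_priv_decode, then asn1_check_tlen "wrong tag") is OpenSSL decoding the DER body under the ASN.1 template that the PEM label selects and finding a structure that does not fit. As an added example (not the asker's code and not pyjks), the helper below inspects the DER before armouring it and picks the label its structure calls for, so a PKCS#8 PrivateKeyInfo never ends up under an RSA PRIVATE KEY header or the other way round; the DER samples are constructed toy structures, not keys, and all names are mine.

```python
import base64
import textwrap

def _read_tlv(buf, pos):
    """Parse one DER tag/length/value starting at buf[pos].
    Returns (tag, value, position after the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("invalid DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def pem_label_for_private_key(der):
    """Return the PEM label matching the DER structure:
      PKCS#8 PrivateKeyInfo  SEQ { INT version, SEQ algorithm, ... } -> 'PRIVATE KEY'
      PKCS#1 RSAPrivateKey   SEQ { INT version, INT modulus, ... }   -> 'RSA PRIVATE KEY'
    Anything else raises ValueError (the 'wrong tag' situation)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE (tag 0x%02x)" % tag)
    tag, _, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("first element is not an INTEGER version")
    tag, _, _ = _read_tlv(body, pos)
    if tag == 0x30:
        return "PRIVATE KEY"
    if tag == 0x02:
        return "RSA PRIVATE KEY"
    raise ValueError("unrecognised private key structure (tag 0x%02x)" % tag)

def private_key_der_to_pem(der):
    """Wrap DER in PEM armour under the label the structure calls for."""
    label = pem_label_for_private_key(der)
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

# Constructed toy structures (not real keys): just the outer shapes of PKCS#1 and PKCS#8.
PKCS1_TOY = bytes.fromhex("3009 020100 020105 020103")
PKCS8_TOY = bytes.fromhex("3015 020100 300d 06092a864886f70d010101 0500 040100")

if __name__ == "__main__":
    print(private_key_der_to_pem(PKCS1_TOY))
    print(private_key_der_to_pem(PKCS8_TOY))
```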
Environment: Fabric 2.4.2 Ubuntu20.0.4 go19.5
I've just made a directory in the work directory of minifab and added my main.go, with go.mod and go.sum copied from another chaincode sample. Then I installed the code with the command "minifab ccup -n contract -l go -v 1.0"; finally, it reports these errors:
# Run the chaincode install script on cli container ***********
non-zero return code
Error: failed to normalize chaincode path: 'go list' failed with: can't load package: package simple:
main.go:13:1: illegal UTF-8 encoding
main.go:13:2: illegal UTF-8 encoding
main.go:13:5: illegal UTF-8 encoding
main.go:13:6: illegal UTF-8 encoding
main.go:13:7: illegal UTF-8 encoding
main.go:13:8: illegal UTF-8 encoding
main.go:13:9: illegal UTF-8 encoding
main.go:13:10: illegal UTF-8 encoding
main.go:13:11: illegal UTF-8 encoding
main.go:13:12: illegal UTF-8 encoding
main.go:16:25: illegal UTF-8 encoding
main.go:16:26: illegal UTF-8 encoding
main.go:16:27: illegal UTF-8 encoding
main.go:16:28: illegal UTF-8 encoding
main.go:16:29: illegal UTF-8 encoding
main.go:16:33: illegal UTF-8 encoding
main.go:16:34: illegal UTF-8 encoding: exit status 1
Error: failed to read chaincode package at 'contract_go_1.0.tar.gz': open contract_go_1.0.tar.gz: no such file or directory
# STATS *******************************************************
minifab: ok=31 failed=1
How can I exactly install my chaincode? What happened to it?
I have solved the problem.
Because I used WinSCP as the tool to copy main.go, go.mod and go.sum into the directory, the encoding of the code changed. As a result, Go could not compile it.
I just touched main.go in Xshell, linked to my server, and then I succeeded!
minifab: ok=107 failed=0
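The "illegal UTF-8 encoding" positions that 'go list' printed are byte offsets of bytes that are not valid UTF-8, typically a comment saved in a legacy code page by the transfer tool. The scanner below is an added example (not minifab's or the asker's code, written in Python rather than Go) that finds those bytes in a source file and reports them in the same line:column form before the package is built; the sample file is constructed and the function names are mine.

```python
def find_invalid_utf8(src: bytes) -> list:
    """Return (line, column) pairs, 1-based and byte-oriented like the Go
    toolchain's diagnostics, for every byte of src that is not part of a
    valid UTF-8 sequence."""
    hits = []
    pos = 0
    while True:
        try:
            src[pos:].decode("utf-8")
            break
        except UnicodeDecodeError as err:
            offset = pos + err.start          # first byte that could not be decoded
            line = src.count(b"\n", 0, offset) + 1
            column = offset - src.rfind(b"\n", 0, offset)   # rfind gives -1 on line 1
            hits.append((line, column))
            pos = offset + 1                  # resume right after the bad byte
    return hits

def report(path: str, src: bytes) -> list:
    """Format findings the way 'go list' printed them in the question."""
    return ["%s:%d:%d: illegal UTF-8 encoding" % (path, line, col)
            for line, col in find_invalid_utf8(src)]

# Constructed sample: the comment holds the GBK encoding of one Chinese
# character (bytes D6 D0), which is not valid UTF-8.
SAMPLE = (b"package main\n\nimport \"fmt\"\n\n"
          b"// \xd6\xd0 comment\nfunc main() { fmt.Println(\"hi\") }\n")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "main.go"
    data = open(path, "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(path, data):
        print(line)
```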
I am writing a simple SSL client for pentester lab bootcamp module 4. I enabled SSL for the virtualhost and enabled the module. The SSL client is written in Ruby and when running the script I get the following error:
Traceback (most recent call last):
6: from 4-http_ssl.rb:8:in <main>
5: from /usr/lib/ruby/2.5.0/net/http.rb:1458:in request
4: from /usr/lib/ruby/2.5.0/net/http.rb:909:in start
3: from /usr/lib/ruby/2.5.0/net/http.rb:920:in do_start
2: from /usr/lib/ruby/2.5.0/net/http.rb:985:in connect
1: from /usr/lib/ruby/2.5.0/net/protocol.rb:44:in ssl_socket_connect
/usr/lib/ruby/2.5.0/net/protocol.rb:44:in connect_nonblock: SSL_connect returned=1 errno=0
state=error: wrong version number (OpenSSL::SSL::SSLError)
Here is my script:
require "net/https"
require "uri"

http = Net::HTTP.new("vulnerable", 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE   # skips certificate verification
response = http.request(Net::HTTP::Get.new("/"))
puts response.code      # HTTP status code, e.g. "200"
puts response.message   # status text; Net::HTTPResponse has no #status method
puts response.body
Can someone throw me a line here? I've checked the example and the server files but can't find the error. This seems like it shouldn't be much trouble. Am I missing some configuration steps?
As pointed out by Steffen Ullrich, I tried to run
openssl> s_client
and got the following output:
Openssl> s_client -connect vulnerable:443
CONNECTED(00000003)
140093579711616:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
error in s_client
What steps should I follow? I understand the server is not accepting SSL connections because of missing CA certificates; how can I fix this? I know I can create a custom CA certificate for my SSL client. Any leads on this? Thanks in advance.
I'm trying to set up email for a Laravel project using SendGrid.
When following their documentation I get an error (https://sendgrid.com/docs/Integrate/Frameworks/laravel.html)
The .env looks like this
MAIL_DRIVER=smtp
MAIL_HOST=smtp.sendgrid.net
MAIL_PORT=587
MAIL_USERNAME=yea****
MAIL_PASSWORD=*********
MAIL_ENCRYPTION=tls
MAIL_FROM_NAME="John Smith"
MAIL_FROM_ADDRESS=from#example.com
The error I get looks like this:
ErrorException (E_WARNING)
stream_socket_enable_crypto(): Peer certificate CN=`****.****.***' did not match expected CN=`smtp.sendgrid.net'
/home/myusername/public_html/api/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php
public function startTLS()
{
// STREAM_CRYPTO_METHOD_TLS_CLIENT only allow tls1.0 connections (some php versions)
// To support modern tls we allow explicit tls1.0, tls1.1, tls1.2
// Ssl3 and older are not allowed because they are vulnerable
// #TODO make tls arguments configurable
return stream_socket_enable_crypto($this->stream, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);
}
Arguments
"stream_socket_enable_crypto(): Peer certificate CN=`****.****.***' did not match expected CN=`smtp.sendgrid.net'"
I fixed this error by using the code provided in this answer (https://stackoverflow.com/a/45315825).
I know this is bad practice, but I got another error.
Swift_TransportException
Failed to authenticate on SMTP server with username "yea****" using 2 possible authenticators. Authenticator LOGIN returned Swift_TransportException: Expected response code 235 but got code "535", with message "535 Incorrect authentication data " in /home/myusername/public_html/a[i/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/AbstractSmtpTransport.php:456 Stack trace: #0
/home/myusername/public_html/api/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/Esmtp/AuthHandler.php
$message = 'Failed to authenticate on SMTP server with username "'.$this->username.'" using '.$count.' possible authenticators.';
foreach ($errors as $error) {
$message .= ' Authenticator '.$error[0].' returned '.$error[1].'.';
}
throw new Swift_TransportException($message);
}
}
This looks like some kind of authentication error to me; I am using the same credentials I use to log in to the SendGrid dashboard.
Any ideas on how to fix these problems?
My solution for this case was to double-quote the username, password and port number.
Then I got another error, like this:
Connection to tcp://smtp.hostx.com:465 Timed Out
and I fixed it by changing MAIL_ENCRYPTION from tls to ssl:
MAIL_ENCRYPTION=ssl
I hope this helps someone else, as this post is quite old.
I have generated a certificate for apache with
openssl ca -config openssl.conf -extensions usr_cert -in reqs/httpd.req -out httpd.pem -startdate 170226000000Z -enddate 180226000000Z -noemailDN
This certificate is accepted by openssl, chrome, git etc. but not by firefox which rejects it with:
xxx uses an invalid security certificate.
The certificate will not be valid until 26.02.2017 01:00.
The current time is 26.02.2017 11:49. Error code: SEC_ERROR_INVALID_TIME
This seems to have something to do with the encoding of the notBefore and notAfter fields (https://bugzilla.mozilla.org/show_bug.cgi?id=1152515), but I've been unable to find any hints on how to fix this, apart from this really helpful one:
Re-generate the certificate with valid encodings for time fields
(https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates)
Any advice / hints appreciated!
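The "valid encodings for time fields" the MDN page refers to are the RFC 5280 (section 4.1.2.5) rules: validity dates through 2049 are UTCTime (YYMMDDHHMMSSZ), dates from 2050 on are GeneralizedTime (YYYYMMDDHHMMSSZ), always in UTC, with seconds and a trailing Z. As an added example (not OpenSSL's, Mozilla's or the asker's code), the functions below encode a date that way and check an existing DER notBefore/notAfter value against those rules; the sample values are constructed from the dates in the question and the function names are mine.

```python
from datetime import datetime, timezone

UTC_TIME, GENERALIZED_TIME = 0x17, 0x18   # ASN.1 universal tags

def encode_validity_time(dt: datetime) -> bytes:
    """DER-encode a validity time as RFC 5280 requires: UTCTime through
    2049, GeneralizedTime from 2050 on, UTC with seconds and 'Z'."""
    dt = dt.astimezone(timezone.utc)
    if dt.year < 2050:
        tag, text = UTC_TIME, dt.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = GENERALIZED_TIME, dt.strftime("%Y%m%d%H%M%SZ")
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body      # short-form length is enough here

def check_validity_time(der: bytes) -> list:
    """Return the RFC 5280 problems found in one DER-encoded notBefore or
    notAfter value; an empty list means it is compliant."""
    tag, length, body = der[0], der[1], der[2:]
    if length != len(body):
        return ["length byte %d does not match %d bytes of value" % (length, len(body))]
    text = body.decode("ascii", "replace")
    if tag == UTC_TIME:
        expected_len, digits = 13, text[:2]
    elif tag == GENERALIZED_TIME:
        expected_len, digits = 15, text[:4]
    else:
        return ["tag 0x%02x is neither UTCTime nor GeneralizedTime" % tag]
    problems = []
    if len(text) != expected_len or not text.endswith("Z") or not text[:-1].isdigit():
        problems.append("expected %d-char UTC time with seconds and 'Z', got %r"
                        % (expected_len, text))
        return problems
    year = int(digits)
    if tag == UTC_TIME:                        # RFC 5280 century rule for YY
        year += 1900 if year >= 50 else 2000
    elif year < 2050:
        problems.append("year %d must be encoded as UTCTime, not GeneralizedTime" % year)
    return problems

# Constructed samples: the question's notBefore as UTCTime (compliant), the same
# instant as GeneralizedTime (not allowed before 2050) and one without seconds.
GOOD_UTC = b"\x17\x0d170226000000Z"
BAD_GENERALIZED = b"\x18\x0f20170226000000Z"
BAD_NO_SECONDS = b"\x17\x0b1702260000Z"

if __name__ == "__main__":
    for sample in (GOOD_UTC, BAD_GENERALIZED, BAD_NO_SECONDS):
        print(sample, check_validity_time(sample) or "ok")
```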
I'm using ActiveResource to proxy a CRUD endpoint, but getting no cipher match errors when trying to connect. I have tried everything from explicitly setting the SSL version, to upgrading my local openssl client to setting the cipher list directly.
I wish I could provide more information, but I know the exception is raised here and that it throws a SSL_CTX_set_cipher_list: no cipher match error.
Do you know why I'm getting this error and how to fix it?
Here is the connection information from Chrome:
Your connection to domain.com is encrypted with 128-bit encryption.
The connection uses TLS 1.0.
The connection is encrypted using AES_128_CBC, with SHA1 for message authentication and RSA as the key exchange mechanism.
The server does not support the TLS renegotiation extension.
Update
I ran the following command in the terminal with OpenSSL to check the connection:
openssl s_client -showcerts -connect stage.example.com:13902
Here was the output:
CONNECTED(00000003)
140735228511072:error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message:s23_clnt.c:762:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Not exactly sure what that means. Chrome can parse the certificate just fine. Is this a bug with OpenSSL?
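Both s_client runs on this page failed within the first bytes the server sent back: "read 5 bytes ... wrong version number" in the Ruby client question above, and "read 7 bytes ... sslv3 alert unexpected message" here. OpenSSL reads 5 bytes as a TLS record header (content type, two version bytes, two length bytes); if the version bytes are not 3.x it reports "wrong version number", and a 7-byte read is a header plus a 2-byte alert (level, description). As an added example (not the questions' code and not OpenSSL's), the function below decodes such a first read offline; the byte samples are constructed to match what each run would have seen and the names are mine.

```python
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
# Subset of the alert descriptions from RFC 5246 section 7.2 that s_client
# reports as "sslv3 alert <name>".
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version",
                      80: "internal_error"}

def classify_server_bytes(data: bytes) -> str:
    """Diagnose the first bytes read from a socket on which a TLS
    ServerHello was expected, mirroring OpenSSL's record-header checks."""
    if len(data) < 5:
        return "short read (%d bytes): peer closed or sent no record" % len(data)
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if major != 0x03:                       # version bytes are not SSL3/TLS
        if data.startswith(b"HTTP/"):
            return "plaintext HTTP response: listener is not speaking TLS (wrong version number)"
        return "not a TLS record header %s (wrong version number)" % data[:5].hex()
    if ctype not in TLS_CONTENT_TYPES:
        return "unknown TLS record type 0x%02x" % ctype
    desc = "tls %s record, version 3.%d, length %d" % (TLS_CONTENT_TYPES[ctype], minor, length)
    if ctype == 0x15 and len(data) >= 7:   # alert: level byte, description byte
        level = {1: "warning", 2: "fatal"}.get(data[5], "level %d" % data[5])
        name = ALERT_DESCRIPTIONS.get(data[6], "alert %d" % data[6])
        desc += ": %s %s" % (level, name)
    return desc

# Constructed samples: a plain-HTTP listener answering a ClientHello, the
# 7-byte fatal "unexpected message" alert, and the start of a real ServerHello.
PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
ALERT_7_BYTES = bytes([0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x0a])
SERVER_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x5a, 0x02])

if __name__ == "__main__":
    for sample in (PLAIN_HTTP, ALERT_7_BYTES, SERVER_HELLO):
        print(classify_server_bytes(sample))
```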