How to solve Certificate Error in Fiddler - proxy

When I tried to connect to google.com I got this Certificate Error:
Session #3: The server (152.199.19.161) presented a certificate that did not validate, because it was issued to a different host.
SANs: *.vo.msecnd.net, *.adn.azureedge.net, *.ads2.msads.net, *.aspnetcdn.com, *.azurecomcdn.net, *.azureedge.net, *.azureedge-test.net, *.cdn.skype.com, *.cdn.skype.net, *.cmsresources.windowsphone.com, *.cmsresources.windowsphone-int.com, *.dev.skype.com, *.fms.azureedge.net, *.microsoft-sbs-domains.com, *.secure.skypeassets.com, *.secure.skypeassets.net, *.wac.azureedge.net, *.wpc.azureedge.net, *.ec.azureedge.net, *.wpc.ec.azureedge.net, *.wac.ec.azureedge.net, *.adn.ec.azureedge.net, *.fms.ec.azureedge.net, ajax.microsoft.com, cdnads.msads.net, cdn-resources.windowsphone.com, cdn-resources-beta.windowsphone.com, ecnads1.msn.com, iecvlist.microsoft.com, images-cms-pn.windowsphone-int.com, images-cms-tst.windowsphone-int.com, lumiahelptipscdn.microsoft.com, lumiahelptipscdnqa.microsoft.com, lumiahelptipsmscdn.microsoft.com, lumiahelptipsmscdnqa.microsoft.com, montage.msn.com, mscrl.microsoft.com, r20swj13mr.microsoft.com, *.streaming.mediaservices.windows.net, *.origin.mediaservices.windows.net, download.sysinternals.com, amp.azure.net, rt.ms-studiosmedia.com, gtm.ms-studiosmedia.com, *.aisvc.visualstudio.com, *.cdn.powerbi.com, dist.asp.net, embed.powerbi.com, msitembed.powerbi.com, dxtembed.powerbi.com, *.cdn.powerappscdn.net, downloads.subscriptionsint.tfsallin.net, download.my.visualstudio.com, cdn.vsassets.io, cdnppe.vsassets.io, stream.microsoft.com, datafactory.azure.com, *.cortanaanalytics.com, do.skype.com, software-download.office.microsoft.com, software-download.microsoft.com, prss.centralvalidation.com, *.gallerycdn.vsassets.io, *.gallerycdnppe.vsassets.io, global.asazure.windows.net, download.learningdownloadcenter.microsoft.com, www.videobreakdown.com, www.breakdown.me, *.gallerycdntest.vsassets.io, agavecdn.o365weve-dev.com, agavecdn.o365weve-ppe.com, agavecdn.o365weve.com, download.visualstudio.com, *.Applicationinsights.net, *.Applicationinsights.io, *.Applicationinsights.microsoft.com, *.sfbassets.com, *.sfbassets.net, download.mono-project.com, *.streaming.media-test.windows-int.net, *.origin.mediaservices.windows-int.net, *.mp.microsoft.com, download.visualstudio.microsoft.com, software-download.coem.microsoft.com, cdn.wallet.microsoft-ppe.com, cdn.wallet.microsoft.com, vi.microsoft.com, *.nuget.org, *.nugettest.org, cdn.botframework.com, *.streaming.media.azure.net, *.streaming.media.azure-test.net, natick.research.microsoft.com, quotecenter.microsoft.com, quotecenter-ppe.microsoft.com, cdn.cloudappsecurity.com, *.yammer.com, *.videoindexer.ai, *.api.videoindexer.ai
SUBJECT: CN=*.vo.msecnd.net
I don't know why, because I added the Trust Root Certificate.
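The error above is a name mismatch, not a trust problem: hostname verification compares the requested host against the certificate's Subject Alternative Names, and none of the names listed covers google.com, so installing a root certificate cannot make it pass. The check below is an added example, not code from the question or from Fiddler; it implements the RFC 6125 matching rules that browsers and proxies apply, run against a subset of the SANs quoted in the error.

```javascript
// Added example (not from the question): hostname verification against a
// certificate's Subject Alternative Names, following the RFC 6125 rules that
// browsers and Fiddler apply. Chain trust (the root certificate the asker
// installed) is a separate check: a trusted chain issued for the wrong name
// still fails here.

// A subset of the SAN list from the error message in the question.
const SANS_FROM_QUESTION = [
  '*.vo.msecnd.net', '*.azureedge.net', '*.wpc.ec.azureedge.net',
  'ajax.microsoft.com', 'download.visualstudio.com', '*.nuget.org',
];

// Match one DNS name against one SAN entry (case-insensitive, trailing dot ignored).
function sanMatches(san, hostname) {
  const name = hostname.toLowerCase().replace(/\.$/, '');
  const pattern = san.toLowerCase().replace(/\.$/, '');
  if (!pattern.startsWith('*.')) return pattern === name; // exact match only
  // Wildcard: '*' must be the whole leftmost label and matches exactly one
  // label, so *.azureedge.net covers cdn.azureedge.net but neither
  // a.b.azureedge.net nor azureedge.net itself.
  const suffix = pattern.slice(1); // e.g. '.azureedge.net'
  if (!name.endsWith(suffix)) return false;
  const leftmost = name.slice(0, name.length - suffix.length);
  return leftmost.length > 0 && !leftmost.includes('.');
}

// Returns the SAN entry that covers the host, or null when the certificate
// was "issued to a different host" (the condition Fiddler reported).
function findMatchingSan(sans, hostname) {
  for (const san of sans) {
    if (sanMatches(san, hostname)) return san;
  }
  return null;
}

console.log('google.com ->', findMatchingSan(SANS_FROM_QUESTION, 'google.com'));
console.log('cdn.azureedge.net ->', findMatchingSan(SANS_FROM_QUESTION, 'cdn.azureedge.net'));
```

Feeding the full SAN list from the error into `findMatchingSan` with `google.com` returns null for the same reason Fiddler rejected the certificate; the proxy was simply handed a CDN certificate for a host it did not cover.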

Related

Enabling SSL but still collection shard base_url showing http communication

I am new to SOLR 8.11.2 and trying to enable SSL and authentication, but when I follow the manual everything starts working except that communication between nodes and shards is still over HTTP.
https://127.0.0.1:8981/solr/admin/collections?action=CLUSTERSTATUS&indent=on
{
  "responseHeader": {"status": 0, "QTime": 4},
  "cluster": {
    "collections": {
      ".system": {
        "pullReplicas": "0",
        "replicationFactor": "2",
        "shards": {
          "shard1": {
            "range": "80000000-7fffffff",
            "state": "active",
            "replicas": {
              "core_node3": {
                "core": ".system_shard1_replica_n1",
                "base_url": "http://solr3:8984/solr",
                "node_name": "solr3:8984_solr",
                "state": "active",
                "type": "NRT",
                "force_set_state": "false",
                "leader": "true"},
              "core_node4": {
                "core": ".system_shard1_replica_n2",
                "base_url": "http://solr1:8984/solr",
                "node_name": "solr1:8984_solr",
                "state": "active",
                "type": "NRT",
                "force_set_state": "false"}}}},
        "router": {"name": "compositeId"},
        "maxShardsPerNode": "1",
        "autoAddReplicas": "false",
        "nrtReplicas": "2",
        "tlogReplicas": "0",
        "znodeVersion": 6,
        "configName": ".system"}},
    "properties": {"urlScheme": "https"},
    "live_nodes": ["solr2:8984_solr", "solr1:8984_solr", "solr3:8984_solr"]}}
My environment settings:
SOLR_SSL_ENABLED: 'true'
SOLR_SSL_KEY_STORE: /etc/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD: $SOLR_SECRET
SOLR_SSL_TRUST_STORE: /etc/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD: $SOLR_SECRET
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH: 'false'
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH: 'false'
# Define Key Store type if necessary
SOLR_SSL_KEY_STORE_TYPE: JKS
SOLR_SSL_TRUST_STORE_TYPE: JKS
SOLR_SSL_CHECK_PEER_NAME: 'false'
Am I missing anything?
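The posted CLUSTERSTATUS output contains the contradiction in one place: the cluster property urlScheme is https, while both replicas of the .system collection have a base_url registered with http. The check below is an added example, not part of the question or of Solr; it walks a CLUSTERSTATUS response and lists every replica whose registered scheme disagrees with the cluster's urlScheme, using the response from the question trimmed to the fields the check reads.

```javascript
// Added example (not from the question): scan a Solr CLUSTERSTATUS response
// and report every replica whose registered base_url does not use the scheme
// that the cluster property urlScheme announces. Nodes talk to each other via
// these registered URLs, so an http base_url under urlScheme=https is exactly
// the plaintext inter-node traffic the question observed.

// The response pasted in the question, trimmed to the fields read below.
const CLUSTER_STATUS = {
  cluster: {
    collections: {
      '.system': {
        shards: {
          shard1: {
            replicas: {
              core_node3: { base_url: 'http://solr3:8984/solr', node_name: 'solr3:8984_solr', leader: 'true' },
              core_node4: { base_url: 'http://solr1:8984/solr', node_name: 'solr1:8984_solr' },
            },
          },
        },
      },
    },
    properties: { urlScheme: 'https' },
    live_nodes: ['solr2:8984_solr', 'solr1:8984_solr', 'solr3:8984_solr'],
  },
};

// Returns one record per replica whose base_url scheme differs from urlScheme.
// Solr's default scheme when the property is absent is http.
function findSchemeMismatches(status) {
  const props = status.cluster.properties || {};
  const expected = props.urlScheme || 'http';
  const mismatches = [];
  for (const [collection, coll] of Object.entries(status.cluster.collections || {})) {
    for (const [shard, sh] of Object.entries(coll.shards || {})) {
      for (const [replica, rep] of Object.entries(sh.replicas || {})) {
        const scheme = new URL(rep.base_url).protocol.replace(/:$/, '');
        if (scheme !== expected) {
          mismatches.push({ collection, shard, replica, node: rep.node_name, base_url: rep.base_url, expected });
        }
      }
    }
  }
  return mismatches;
}

for (const m of findSchemeMismatches(CLUSTER_STATUS)) {
  console.log(`${m.collection}/${m.shard}/${m.replica} on ${m.node}: ${m.base_url} (cluster urlScheme is ${m.expected})`);
}
```

Run against the full response from the question, the two lines it prints are the two replicas still registered over http; a clean cluster prints nothing.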

AES GCM decrypt Firefox error only: "DOMException: The operation failed for an operation-specific reason", Chromium OK though

I followed former answers from Webcrypto AES-CBC Decrypt: Operation Error - The operation failed for an operation-specific reason and JavaScript AES encryption and decryption (Advanced Encryption Standard)
and used:
const iv = crypto.getRandomValues(new Uint8Array(16));
const key = await window.crypto.subtle.generateKey(
    {
        name: "AES-GCM",
        length: 256,
    },
    false,
    ["encrypt", "decrypt"]
);
to generate the key, and
const Uint8ArrayEncrypted = await window.crypto.subtle.encrypt(
    {name: "aes-gcm", iv: iv, tagLength: 128},
    key,
    Uint8ArrayVar);
to encrypt, and
const Uint8ArrayDecrypted = await window.crypto.subtle.decrypt(
    {name: "aes-gcm", iv: iv, tagLength: 128},
    key,
    Uint8ArrayEncrypted);
to decrypt.
On Chromium 83 (Ubuntu) and Firefox 88, I successfully generate the key and the iv and encrypt.
And on Chromium, it simply also decrypts without problem. Uint8ArrayDecrypted is a correct ArrayBuffer.
But FF throws the error "The operation failed for an operation-specific reason" and stops there. No Uint8ArrayDecrypted is returned.
I didn't use a tag, like in WebCrypto API: DOMException: The provided data is too small.
Reading https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt,
I don't see it using a tag.
Does Firefox need something else specific?
Why is the error message so "generic"? Which operation, or which specific reason?
With an error so generic, I don't know where to look.

Cannot connect to RabbitMq Broker using pkcs12 file

I posted a previous question last week here.
On the machine I was using, I was able to get this up and running correctly. Now, doing the setup on another machine, I've gotten past everything; however, when connecting to the RabbitMq broker using a .NET client application, it fails on the pkcs12 file, saying it's badly formatted.
I've regenerated this file a few times now, making sure I was using the client and server .pem files, respectively, still to no avail.
In the troubleshooting link here all tests pass completely.
Environment:
Erlang 19.1
RabbitMq 3.6.6
Windows Server 2012 R2
My RabbitMq config file:
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"C:\\rabbitcerts\\testca\\cacert.pem"},
                   {certfile,"C:\\rabbitcerts\\server\\cert.pem"},
                   {keyfile,"C:\\rabbitcerts\\server\\key.pem"},
                   {depth, 2},
                   {verify,verify_peer},
                   {fail_if_no_peer_cert,false}]}
  ]}
].
Running this command:
openssl s_client -connect mitvs-atm01:5671 -tls1 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
Results in success:
CONNECTED(00000130)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = mitvs-atm01, O = server
verify return:1
---
Certificate chain
0 s:/CN=mitvs-atm01/O=server
i:/CN=MyTestCA
1 s:/CN=MyTestCA
i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mitvs-atm01/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
Client Certificate Types: RSA sign
---
SSL handshake has read 1672 bytes and written 2269 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: BD57EFDA3213AA48076CDB95E4EB60A79224B604F3C491CD0BB3D15700A3AC50
Session-ID-ctx:
Master-Key: 08F6E2B22EC7EB1FCBAB99A730F6301732FA56CB83F4E9DB4546DC27591E271A
67C115510EBECFBFDA1BCFE47DF49627
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1485370174
Timeout : 7200 (sec)
Verify return code: 0 (ok)
After the successful connection, I created the keycert.p12 files in each of the client and server directories based on the appropriate .pem files.
My client code:
_busControl = Bus.Factory.CreateUsingRabbitMq(x =>
{
    var host = x.Host(new Uri(_rabbitHost), h =>
    {
        h.Username(UserName);
        h.Password(Password);
        h.UseSsl(s =>
        {
            s.ServerName = SslHostName;
            s.CertificatePath = @"client\keycert.p12";
            s.CertificatePassphrase = SslPassphrase;
            s.Protocol = SslProtocols.Tls;
        });
    });
    x.ReceiveEndpoint(host, _imageExamEndpoint,
        e => { e.Consumer<UploadImageExamRequestConsumer>(); });
    x.ReceiveEndpoint(host, _worklistEndpoint,
        e => { e.Consumer<WorklistRequestConsumer>(); });
});
This works fine on the other machine, but on the new machine that we set up, we get the following error:
RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted
--- End of inner exception stack trace ---
at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
--- End of inner exception stack trace ---
at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
at RabbitMQ.Client.ConnectionFactory.CreateConnection(IList`1 hostnames, String clientProvidedName)
at MassTransit.RabbitMqTransport.Integration.RabbitMqConnectionCache.SendUsingNewConnection(IPipe`1 connectionPipe, ConnectionScope scope, CancellationToken cancellationToken)
Connect failed: admin@mitvs-atm01:5671/
Comparing my working version and my non-working version, the only difference was my version of Erlang.
I upgraded my Windows Server 2012 R2 from Erlang 19.1 to Erlang 19.2, and it successfully started and listened securely.

Elasticsearch not running with search guard

ES v2.4.1
SG-SSL v2.4.1.16
SG v2.4.1.6
CentOS 7.2
I'm able to run Elasticsearch with Search-Guard-SSL. I generated the certs/keys via the example script from Search Guard. Here is the info on the kirk client cert that I generated:
> openssl x509 -noout -subject -in kirk-signed.pem -text
subject= /C=US/L=Raleigh/O=client/OU=client/CN=kirk
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=com, DC=example, O=Example Com Inc., OU=Example Com Inc. Signing CA, CN=Example Com Inc. Signing CA
Validity
Not Before: Oct 6 14:47:01 2016 GMT
Not After : Oct 6 14:47:01 2018 GMT
Subject: C=US, L=Raleigh, O=client, OU=client, CN=kirk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
If I understand correctly, I need to have the following lines in my elasticsearch.yml file, correct?
# Enable SSL via Search Guard SSL plugin
# Enable HTTPS
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: pw
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: pw
# Enable SSL between ES nodes
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: pw
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: pw
searchguard.ssl.transport.enforce_hostname_verification: false
# for Search Guard
searchguard.authcz.admin_dn:
- "cn=kirk, ou=client, o=client, l=Raleigh, c=US"
searchguard.cert.oid: '1.2.3.4.5.5'
But when I run sgadmin.sh, it just times out:
> /usr/share/elasticsearch/plugins/search-guard-2/tools/sgadmin.sh -cd /etc/elasticsearch/ -ks kirk-keystore.jks -ts truststore.jks -nhnv -kspass pw -tspass pw
Will connect to localhost:9300 ... done
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
ERR: Timed out while waiting for a green or yellow cluster state.
And I see this in elasticsearch.log:
[2016-10-06 15:17:41,354][DEBUG][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] Node started, try to initialize it. Wait for at least yellow cluster state....
[2016-10-06 15:17:41,523][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,667][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,698][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:41,728][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:17:42,099][DEBUG][com.floragunn.searchguard.configuration.SearchGuardIndexSearcherWrapperModule] FLS/DLS not enabled
[2016-10-06 15:18:11,746][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
[2016-10-06 15:18:44,747][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
[2016-10-06 15:19:17,749][WARN ][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Arize] index 'searchguard' not healthy yet, we try again ... (Reason: timeout)
What am I missing?

ruby IMAP STARTTLS means automatically disconnected?

I am trying to write a simple IMAP client, that connects to an IMAP server, which enforces STARTTLS.
When I execute the command STARTTLS, the server connection is dropped. The documentation for STARTTLS, on the other hand, is too thin to tell exactly what the problem is.
The anonymized commands:
1.9.2-p320-railsexpress :001 > require 'net/imap'
=> nil
1.9.2-p320-railsexpress :002 > imap = Net::IMAP.new('SOME_HOST', 143, false)
=> #<Net::IMAP:0x0000000ba43138 @mon_owner=nil, @mon_count=0, @mon_mutex=#<Mutex:0x0000000ba430e8>, @host="SOME_HOST", @port=143, @tag_prefix="RUBY", @tagno=0, @parser=#<Net::IMAP::ResponseParser:0x0000000ba42be8 @str="* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready.\r\n", @pos=110, @lex_state=:EXPR_BEG, @token=nil, @flag_symbols={}>, @sock=#<TCPSocket:fd 9>, @usessl=false, @responses={}, @tagged_responses={}, @response_handlers=[], @tagged_response_arrival=#<MonitorMixin::ConditionVariable:0x0000000ba42ad0 @monitor=#<Net::IMAP:0x0000000ba43138 ...>, @cond=#<ConditionVariable:0x0000000ba42aa8 @waiters=[], @waiters_mutex=#<Mutex:0x0000000ba42a58>>>, @continuation_request_arrival=#<MonitorMixin::ConditionVariable:0x0000000ba42a30 @monitor=#<Net::IMAP:0x0000000ba43138 ...>, @cond=#<ConditionVariable:0x0000000ba42a08 @waiters=[], @waiters_mutex=#<Mutex:0x0000000ba429b8>>>, @idle_done_cond=nil, @logout_command_tag=nil, @debug_output_bol=true, @exception=nil, @greeting=#<struct Net::IMAP::UntaggedResponse name="OK", data=#<struct Net::IMAP::ResponseText code=#<struct Net::IMAP::ResponseCode name="CAPABILITY", data="IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED">, text=" Dovecot ready.">, raw_data="* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready.\r\n">, @client_thread=#<Thread:0x007f416ed31420 run>, @receiver_thread=#<Thread:0x0000000ba41b58 run>>
1.9.2-p320-railsexpress :004 > imap.starttls
=> #<struct Net::IMAP::TaggedResponse tag="RUBY0001", name="OK", data=#<struct Net::IMAP::ResponseText code=nil, text="Begin TLS negotiation now.">, raw_data="RUBY0001 OK Begin TLS negotiation now.\r\n">
1.9.2-p320-railsexpress :006 > imap.disconnected?
=> true
I get the same behaviour in 2.0.0-p353-railsexpress.
Is this the correct behaviour, and if so, how do I correctly use Ruby with a STARTTLS IMAP server?
Thanks and regards!
Both client and server are working correctly up to the point where the client is supposed to start TLS negotiation. After that point the IMAP layer doesn't know what happens. You're going to have to enable TLS debug logging somewhere or sniff the network packets to make further progress.