My domain is: http://dev.www.triunfamos.com
I use Advanced Rest Client ( https://install.advancedrestclient.com/install ) and try to call to mentioned domain
It produced this output:
The requested URL can't be reached
The service might be temporarily down or it may have moved permanently to a new web address.
140278599439040:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO sslv3 alert handshake failure:../../vendor/node/deps/openssl/openssl/ssl/s23_clnt.c:802:
If I use this website: https://apitester.com/ to call to my URL it works fine
But with this one it fails too: https://client.restlet.com/ throwing the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
My web server is nginx 1.10.3 ubuntu 16 and certbot is 0.26.1
What is the problem which dont able to use Advanced Rest Client or any others? Thanks.
The problem can be solved by the official forum: https://community.letsencrypt.org/t/cannot-use-advanced-rest-client-with-letsencrypt-websites-because-throws-sslv3-alert-handshake-failure/88104
Resume:
ARC not use TLS 1.2 and for nginx 1.10.x the ssl_ecdh_curve sentence must be removed (if I use ARC) from nginx configuration.
For nginx 1.11 the ssl_ecdh_curve must set auto
In sites which has nginx 1.10 but is working ARC is due to are using cloudflare SSL
It is adviced to install TLS 1.3 for nginx 1.11
Related
as the title says I'm facing the error:
WebSocket connection failure. Due to security constraints in your web
browser, the reason for the failure is not available to this Neo4j
Driver…
My neo4j DB is running on a Ubuntu Linux machine:
Unbungu 20.04.04 LTS, Release 20.04
Neo4j Community Edition, Version 4.4.8
I can connect to the db via:
http://localhost:7474/browser/
but not under
https://localhost:7473/browser/ or bolt+s://localhost:7687
I already tried multiple "solutions" but none of them work.
Here is what I changed in my config.
dbms.default_listen_address=0.0.0.0
dbms.connectors.default_list_address=0.0.0.0
dbms.connector.bolt.enabled=true
dbms.connector.bolt.address=0.0.0.0:7687
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=0.0.0.0:7473
I also generated SSL certificates:
Bolt SSL configuration
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=certificates/bolt
dbms.ssl.policy.bolt.private_key=private.key
dbms.ssl.policy.bolt.public_certificate=public.crt
dbms.ssl.policy.bolt.client_auth=NONE
Https SSL configuration
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=certificates/https
dbms.ssl.policy.https.private_key=private.key
dbms.ssl.policy.https.public_certificate=public.crt
dbms.ssl.policy.https.client_auth=NONE
Any ideas?
*Edit: Typo
Good afternoon, dear community!
I ask for help from those who had the relevant experience.
I am making an API request to https://ssl.croinform.ru:450. For example, an authentication request: curl -k POST https://ssl.croinform.ru:450/api.test?Type=Login&Login=testUser&Password=testPassword but I get the error. The error text differs depending on the environment where I am running the curl command.
On windows I experiment in git bash (curl version 7.77.0) and Cygwin64 (curl version 7.78.0), get the same error: curl: (35) error: 14094410: SSL routines: ssl3_read_bytes: sslv3 alert handshake failure.
В CentOS7 (curl version 7.78.0): curl: (6) Could not resolve host: POST
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
The service provides certificates that need to be installed on your OS: cacer.p7b, ssl.croinform.cer. As recommended in the service documentation, on windows I installed them in Trusted Root Certification Authorities. There is no support recommendation for CentOS7, but I put the certificates at / etc / pki / ca-trust / source / anchors / and ran the update-ca-trust enable and update-ca-trust extract commands. These actions do not solve the problem.
Please tell me what I am doing wrong.
Thanks in advance!
your error shows the protocol to use is SSL version 3 and the handshake is failing to agree to use this protocol to communicate with SSL.
plus this may be unsupported now, the latest TLS versions are TLS 1.1 and 1.2
you could try a different protocol version for example,
curl --tlsv1.2
To use tls 1.2 but have a look at the documentation for other protocols also.
If this is a test you can allow insecure connections with the curl -k parameter
since update to 6.1 (not absolutly sure its since then), I am not able to connect to Update Center through our proxy, because the authentication will not be done by SonarQube! If I open the backend and go to Administration->System->Update Center I can see in the log file the following exception (very short version):
2016.12.15 11:54:11 ERROR web[][o.s.s.p.UpdateCenterClient] Fail to connect to update center
org.sonar.api.utils.SonarException: Fail to download: https://update.sonarsource.org/update-center.properties (HTTP proxy: MY-PROXY-IP:8080)
(...)
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 authenticationrequired"
It works some days ago! I tested the proxy configuration. On the same machine, Jenkins is using the same proxy settings without any problems!
In the file /opt/sonar/conf/sonar.properties I configured the following:
#--------------------------------------------------------------------------------------------------
# UPDATE CENTER
# Update Center requires an internet connection to request http://update.sonarsource.org
# It is enabled by default.
#sonar.updatecenter.activate=true
# HTTP proxy (default none)
http.proxyHost=MY-PROXY-IP
http.proxyPort=8080
# HTTPS proxy (defaults are values of http.proxyHost and http.proxyPort)
#https.proxyHost=
#https.proxyPort=
# NT domain name if NTLM proxy is used
#http.auth.ntlm.domain=
# SOCKS proxy (default none)
#socksProxyHost=
#socksProxyPort=
# Proxy authentication (used for HTTP, HTTPS and SOCKS proxies)
http.proxyUser=MY-PROXY-USER
http.proxyPassword=MY-PROXY-PASSWORD
For me it looks like the authentication will not be done. I am not able to look into the proxy server´s log file.
I had similar problem. In my case it caused by JDK scheduled change. Disable Basic authentication for HTTPS tunneling of 8u111 Update Release.
I can workaround to append a property in /opt/sonar/conf/sonar.properties as follows.
sonar.web.javaAdditionalOpts=-Djdk.http.auth.tunneling.disabledSchemes=""
Firefox v39 will no longer connect to my web application over HTTPS. I'm using Spring Boot with embedded Tomcat and I've made sure I'm using the latest version of Boot (v1.2.5). Firefox shows the following error message:
Secure Connection Failed
An error occurred during a connection to [website]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
I understand this is to protect against a known vulnerability called Logjam. A solution for Tomcat is provided at weakdh.org.
Spring Boot passes SSL configuration to Tomcat via application.properties and as such I have added server.ssl.ciphers to my application.properties as follows:
server.port=443
server.ssl.key-store=/home/ec2-user/boot.p12
server.ssl.key-store-password=...
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=...
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
After restarting boot, I notice the following in my log file:
WARN 2674 [main] --- o.a.t.util.net.jsse.JSSESocketFactory : None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ...
Additionally, connecting using Firefox fails with the following message:
Secure Connection Failed
The connection to [website] was interrupted while the page was loading.
And I see the following in my log file:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Unfortunately I'm no encryption expert. Can anyone suggest how to fix this? Do I need to recreate my HTTPS certificate?
The solution was to upgrade server Java on the server from 1.7 to 1.8.
sudo yum remove java-1.7.0-openjdk
sudo yum install java-1.8.0
After this was complete, no other configuration was necessary. Not even modyfing Tomcat as per the advice at weakdh.org.
When try to connect to update sites under help->Install New Software I get:
Unable to read repository at https://dl.google.com/eclipse/plugin/4.4/content.xml.
Unable to read repository at https://dl.google.com/eclipse/plugin/4.4/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have tried to import the certificate into the truststore as well as set it in the sts.ini file but to no avail.
Any help greatly appreciated!
I encountered a similar issue while trying to add templates to STS (3.6.2). The issue was my organization's usage of an SSL inspection tool that presents its certificate instead of the real one (GitHub.com).
The solution was to export the SSL inspection's certificate (using IE for example) and add it to the cacerts file. Use this article for the procedure.
Then update the sts.ini file and add the following lines:
-Djavax.net.ssl.trustStore=C:\Program Files\Java\jdk1.7.0_07\jre\lib\security\cacerts
-Djava.net.ssl.trustStorePassword=changeit
Finally - restart STS.