node 0.2.6 way:
var credentials = crypto.createCredentials({ "key": SSLKey, "cert": SSLCert, "ca": Ca, "password": SSLKeyPass })
var client = http.createClient(apiPort, host, true, credentials)
node 0.4 way:
var options = {
host: apiHost,
port: apiPort,
method: 'GET',
path: uri,
headers: {host: host},
key:SSLKey,
cert:SSLCert,
ca:Ca,
password:SSLKeyPass
}
var request = https.request(options, function (response) {
As you can see there is a password needed, I don't know where the password is supposed to go in node 0.4.
Where does SSLKeyPass go on node 0.4?
So even in the node 0.2.6 source code, the crypto.js module is not looking for a password property in the object you pass to createCredentials. Here's the createCredentials source from node 0.2.6. In version 0.4.8 there is still no mention of the word password in the crypto.js module. Did your 0.2.6 code really work?
As a general comment, use openssl to decrypt your private key, keep that secured on disk, and have your node code read that file. This seems to be the most commonly used option. The other options being A) have to manually type the passphrase to decrypt your private key whenever you launch your node server (pretty much nobody does this) or B) keep your cleartext passphrase on disk, which is not any different that just keeping the cleartext private key on disk, so AFAIK this is also a very uncommon solution to the problem of private key security.
You can decrypt your private key with the openssl command line like this:
openssl rsa -in your_encrypted_private.ekey -out your_private.key
openssl will prompt your for the passphrase interactively.
For the record, you can provide a passphrase when creating a Credentials object in Node.js. This section of Node.js documentation on the crypto module states that the passphrase option can be provided, for either the private key or PFX file. You do not have to keep your private key in clear text on disk somewhere for Node.
Related
Context
I have a keystore (keystore.jks) that is protected by a password.
I can get jmeter to use keys from that store by providing
-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword
with the appropriate values as long as the keys themselves are not password protected.
However, my particular keystore contains multiple keys that each require a password to retrieve them.
How I access the key in plain old Java:
String keyStorePath = "/keystore.jks";
char[] keyStorePassword = "keyStorePassword".toCharArray();
String keyAlias = "keyAlias";
char[] keyPassword= "keyPassword".toCharArray();
KeyStore keyStore = KeyStore.getInstance("JKS");
try (InputStream is = this.getClass().getResourceAsStream(keyStorePath )) {
keyStore.load(is, keyStorePassword);
}
PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword);
X509Certificate certificate = (X509Certificate) keyStore.getCertificate(keyAlias);
How would I retrieve and use such keys in JMeter?
That is the question.
JMeter's Keystore Configuration does not allow you to specify a key's password.
After looking around I concluded that this is currently (JMeter 5.0) not possible.
Get jmeter to use certificates from a key store by providing these properties at startup:
-Djavax.net.ssl.keyStore
-Djavax.net.ssl.keyStorePassword
The certificates inside the store should have the same password as the store, then they are picked up without problems when you use a Keystore Configuration specifying (a variable that holds) the certificate alias.
Convert key and value(.crt) file into single file and use it in Jmeter
Steps
Open command prompt
Go to the directory where key and values are placed
Run below commands
openssl pkcs12 -export -out jmeterkeystore.p12 -inkey your.private.key -in your.certificate
above command create a .p12 type file
4. Convert .p12 file to jks type, use below command
keytool -importkeystore -srckeystore jmeterkeystore.p12 -srcstoretype pkcs12 -
destkeystore MY_KEYSTORE.jks -deststoretype jks -deststorepass changeit
In jmeter bin folder, open system.properties file and set following properties
javax.net.ssl.keyStoreType=jks
javax.net.ssl.keyStore=C:/Dev/cer/<JKSfilname.jks>
javax.net.ssl.keyStorePassword=
Done you can now run your script
I am doing this:
cert_store = OpenSSL::X509::Store.new
cert_store.set_defaults_path
The documentation for this method is given in OpenSSL::X509::Store.
From where does the certificate store object read the certificates? I perused the source code for the definition of set_default_paths but was not able to find one.
One theory is that the default paths may be the same as the ones given by
$ openssl version -a
But that theory fails even when you try to verify signed certificates against the certificate chain at your system root_ca_path.
I would like to add HTTPS to my local domain, however we can't do this on localhost.
My website goes fine when I run with this Caddyfile
localhost:2020 {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
But I would like to name this website or at least enable HTTPS on it. According to Caddy, you can't do this on localhost, but what if I have a domain name ?
I have tried using my own local address with this Caddyfile
192.168.100.26 {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
All works fine but I still don't have HTTPS...
And when I try to add a random domain name for example
www.mycaddytest.com {
bind {$ADDRESS}
proxy / http://192.168.100.82:9000 {
transparent
}
}
I got the following error
Activating privacy features...2016/08/18 11:53:26 [www.mycaddytest.com] failed to get certificate: acme: Error 400 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up A for www.mycaddytest.com
Error Detail:
Validation for www.mycaddytest.com:80
Resolved to:
Used:
I know this error is dues to an unexisting domain name, but is there a way to deal with ?
Just getting HTTPS on localhost or ip address will be enough
Since Caddy 0.9 we can use the tls self_signed attribute.
Use this Caddyfile
localhost:2020 {
bind {$ADDRESS}
proxy / 192.168.100.82:9000
tls self_signed
}
And try https://localhost:2020
For caddy version 2.4.5, the accepted answer did not work me. What worked is shown below:
localhost:443 {
reverse_proxy 127.0.0.1:8080
tls internal
}
I know that answer is already accepted. But I had the same problem with Caddy v0.10.14 and it's a solution that helped me (but with real SSL certificate instead of self_signed):
Firstly, certificate & key pair must be in this directories: /etc/pki/tls/certs/ for certificate and /etc/pki/tls/private/ for key. So go to one of this directory with cd command
Then, create our own, self-signed certificate for HTTP2.0 testing with a single command, however. Just execute on your commandline to generate a SSL certificate + key pair:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout cert.key -out cert.crt
After that, move files to correct directories (see the first point)
Next, use this Caddyfile and try https://localhost:2020:
localhost:2020 {
bind {$ADDRESS}
root /var/www
gzip
tls your.address#example.com
tls /etc/pki/tls/certs/cert.crt /etc/pki/tls/private/cert.key
}
Also if you are running caddy in a docker container, you may need to import and trust the Root certificate.
docker ps
docker cp container_id:/config/caddy/pki/authorities/local/root.crt ~/Desktop
then the caddyfile, for laravel sail for example, could look something like this:
yourlocaldomain.dev{
tls internal
reverse_proxy laravel.test
}
more may be here https://gilbitron.me/blog/enabling-https-ssl-for-laravel-sail-using-caddy/
A lot of what I've seen around SO and blog posts is that
By default, Net::HTTP does not verify peer SSL certificates
To force Net::HTTP to verify peer, you need to to it too and supply a CA cert file containing trusted authorities
However, I've found that this is not completely necessary. On my Mac, I have the following code
http = Net::HTTP.new('www.google.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.start do
http.request_get('/') do |response|
puts response.body
end
end
This works. But what is Ruby using to verify the peer with? When I look at the output of http.ca_path and http.ca_file they are both blank.
I'm running this code in Ruby 1.9.3p374. Perhaps when Ruby was compiled on my Mac, it pulled in some default location of CA cert chains from openssl or something?
It looks like if no verify callback is set then OpenSSL library default callback is used. See line 217 in the openssl module verify callback wrapper (the ok argument is the result of the default callback).
On OS X, Apple has apparently customized the default callback in their OpenSSL library to hook in to the OS X Keychain facility. The root CA of Google's certificate is Equifax Secure Certificate Authority. If you change the trust setting in Keychain (e.g. using the Keychain Access utility) for this CA then your ruby test behaves accordingly.
I believe the answer to your question is that when peer certificate verification is required but not configured, the ruby shipped with OS X verifies using Keychain.
I'm using the "mavenDeployer" to use ssh/scp during "uploadArchives" task,
with the wagon ssh utilities.
Rather than code a password into the build.gradle, I'd like to rely on proper ssh setup. Specifically, I want to have the user specify their private key, and have that private key loaded in their environment (ssh-agent, ssh-add, etc). The maven repo has a shared userid,
and all real users have their .pub key properly added to the "authorized_keys" file
of shared userid.
Although maven/ant seem to have a "privateKey" attribute, and the Gradle DSL
accepts it, it doesn't seem to have any effect when I set it:
mavenDeployer {
configuration = pr.configurations.publishJars
String keyFile = System.properties["user.mavenKey"]
repository(url: "scp://maven.company.com/path/to/maven") {
logger.info("Using SSH key: ${keyFile}")
authentication(userName: "maven", privateKey: keyFile)
}
If I code in the actual password as per the example in gradle documentation,
it does work, so I know that things are working. Also, changing privateKey
to privatekey (all lower case) causes a property error, so I know the
property exists and is recognized at some level.
And I know the ssh key itself is working:
% ssh -i ~/.ssh/mavenKey maven#maven.company.com ls /
[ no errors, output trimmed ]
But when I run it, I get prompted for shared userid's password:
% gradle uploadArchives
[... stuff ...]
Using SSH key: /homes/klash/.ssh/mavenKey
Password for maven#evomaven.englab.juniper.net:
As you can see, it is NOT prompting for passphrase for the key.
Make sure that your private key doesn't require a pass phrase.
Can you access the remote from command line using ssh maven#evomaven.englab.juniper.net without being prompted for password?
If not use ssh-copy-id to send your public key to the server.