krb5kdc client name mismatch in FreeIPA, authentication by certificate

The situation is that I am creating a user certificate in FreeIPA using the standard certificate profiles. But every time I try to log in as a domain user with the certificate, I see the message "Client name mismatch". As I understand it, this message comes from Kerberos, but it is completely unclear what it does not like about my certificate.
At the same time, I can log in as that user and get a Kerberos ticket without any problem if I do not use the certificate.
This is what the command returns when I try to get a Kerberos ticket with the certificate:
KRB5_TRACE=/dev/stdout kinit -X X509_user_identity=FILE:/root/arantin.pem,/root/arantin.key arantin
[9541] 1649160627.927861: Getting initial credentials for arantin@FREE.IPA
[9541] 1649160627.928000: Sending request (167 bytes) to FREE.IPA
[9541] 1649160627.928150: Initiating TCP connection to stream 192.168.3.3:88
[9541] 1649160627.928265: Sending TCP request to stream 192.168.3.3:88
[9541] 1649160627.930303: Received answer (292 bytes) from stream 192.168.3.3:88
[9541] 1649160627.930330: Terminating TCP connection to stream 192.168.3.3:88
[9541] 1649160627.930421: Response was from master KDC
[9541] 1649160627.930477: Received error from KDC: -1765328359/Additional pre-authentication required
[9541] 1649160627.930505: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
[9541] 1649160627.930528: Selected etype info: etype aes256-cts, salt "9X\Clzp2xtK\fDk_", params ""
[9541] 1649160627.930547: Received cookie: MIT
[9541] 1649160627.930717: Preauth module pkinit (147) (info) returned: 0/Success
[9541] 1649160627.930893: PKINIT client computed kdc-req-body checksum 9/AC06024CC2069A9C1060B15A3403C8E8BD6447CC
[9541] 1649160627.930912: PKINIT client making DH request
[9541] 1649160628.173868: Preauth module pkinit (16) (real) returned: 0/Success
[9541] 1649160628.173901: Produced preauth for next request: 133, 16
[9541] 1649160628.173930: Sending request (2844 bytes) to FREE.IPA
[9541] 1649160628.174001: Initiating TCP connection to stream 192.168.3.3:88
[9541] 1649160628.174096: Sending TCP request to stream 192.168.3.3:88
[9541] 1649160628.176732: Received answer (161 bytes) from stream 192.168.3.3:88
[9541] 1649160628.176758: Terminating TCP connection to stream 192.168.3.3:88
[9541] 1649160628.176814: Response was from master KDC
[9541] 1649160628.176851: Received error from KDC: -1765328309/Client name mismatch
kinit: Client name mismatch while getting initial credentials
I need to understand how to configure certificate issuance profiles in FreeIPA so that they work and I receive a Kerberos ticket.

I'll answer myself. The problem was that the following lines had to be added to the KDC and krb5 configs (to the realms and libdefaults blocks, respectively):
pkinit_eku_checking = none
pkinit_allow_upn = true
You will also need to create a new profile. Instructions from FreeIPA:
https://www.freeipa.org/page/V4/Certificate_Profiles
Certificate example
profileId=KDCs_PKINIT_Certs
classId=caEnrollImpl
desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
visible=false
enable=true
enableBy=ipara
auth.instance_id=raCertAuth
name=IPA-RA Agent-Authenticated Server Certificate Enrollment
input.list=i1,i2
input.i1.class_id=certReqInputImpl
input.i2.class_id=submitterInfoInputImpl
output.list=o1
output.o1.class_id=certOutputImpl
policyset.list=serverCertSet
policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12,13
policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.serverCertSet.1.constraint.name=Subject Name Constraint
policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
policyset.serverCertSet.1.constraint.params.accept=true
policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
policyset.serverCertSet.1.default.name=Subject Name Default
policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$,O=FREE.IPA
policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
policyset.serverCertSet.2.constraint.name=Validity Constraint
policyset.serverCertSet.2.constraint.params.range=740
policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
policyset.serverCertSet.2.constraint.params.notAfterCheck=false
policyset.serverCertSet.2.default.class_id=validityDefaultImpl
policyset.serverCertSet.2.default.name=Validity Default
policyset.serverCertSet.2.default.params.range=731
policyset.serverCertSet.2.default.params.startTime=0
policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
policyset.serverCertSet.3.constraint.name=Key Constraint
policyset.serverCertSet.3.constraint.params.keyType=RSA
policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
policyset.serverCertSet.3.default.name=Key Default
policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
policyset.serverCertSet.4.constraint.name=No Constraint
policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
policyset.serverCertSet.4.default.name=Authority Key Identifier Default
policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
policyset.serverCertSet.5.constraint.name=No Constraint
policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
policyset.serverCertSet.5.default.name=AIA Extension Default
policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.free.ipa/ca/ocsp
policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
policyset.serverCertSet.6.default.name=Key Usage Default
policyset.serverCertSet.6.default.params.keyUsageCritical=true
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
policyset.serverCertSet.7.constraint.name=No Constraint
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.2.3.5,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
policyset.serverCertSet.8.constraint.name=No Constraint
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
policyset.serverCertSet.8.default.name=Signing Alg
policyset.serverCertSet.8.default.params.signingAlg=-
policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
policyset.serverCertSet.9.constraint.name=No Constraint
policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
policyset.serverCertSet.9.default.params.crlDistPointsNum=1
policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.free.ipa/ipa/crl/MasterCRL.bin
policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
policyset.serverCertSet.10.constraint.name=No Constraint
policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
policyset.serverCertSet.10.default.params.critical=false
policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
policyset.serverCertSet.11.constraint.name=No Constraint
policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
policyset.serverCertSet.11.default.name=User Supplied Extension Default
policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
policyset.serverCertSet.13.constraint.class_id=noConstraintImpl
policyset.serverCertSet.13.constraint.name=No Constraint
policyset.serverCertSet.13.default.class_id=subjectAltNameExtDefaultImpl
policyset.serverCertSet.13.default.name=Subject Alt Name Constraint
policyset.serverCertSet.13.default.params.subjAltNameExtCritical=false
policyset.serverCertSet.13.default.params.subjAltExtType_0=RFC822Name
policyset.serverCertSet.13.default.params.subjAltExtPattern_0=$request.req_subject_name.cn$@FREE.IPA
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_0=true
policyset.serverCertSet.13.default.params.subjAltExtType_1=OtherName
policyset.serverCertSet.13.default.params.subjAltExtPattern_1=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_subject_name.cn$@FREE.IPA
policyset.serverCertSet.13.default.params.subjAltExtGNEnable_1=true
policyset.serverCertSet.13.default.params.subjAltNameNumGNs=2
@FREE.IPA - replace it with your domain part
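An added check to go with the answer above; this is example code, not part of the original post or of FreeIPA/MIT krb5. Two things in the answer deserve a closer look. First, the KDC compares the client principal from the AS-REQ against the certificate's id-pkinit-san (1.3.6.1.5.2.2, a KRB5PrincipalName) or, only if pkinit_allow_upn is on, against the Microsoft UPN SAN (1.3.6.1.4.1.311.20.2.3); the profile above issues only the UPN form, which is why pkinit_allow_upn was needed. Second, its EKU list (serverAuth, id-pkinit-KPKdc 1.3.6.1.5.2.3.5, clientAuth) lacks id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4), which the KDC's default pkinit_eku_checking = kpClientAuth demands, which is why EKU checking had to be switched off. With it set to none, any certificate that chains to the KDC's pkinit_anchors and carries a matching SAN is usable for PKINIT whatever it was issued for, so issuing client certificates with the right EKU is the tighter fix. The script below generates a self-signed test certificate with both SAN forms and the KPClientAuth EKU using openssl (principal, realm, section and file names are made up for the demo), then decodes the SAN and EKU straight from the DER, which works even where openssl x509 -text prints otherName SANs as <unsupported>.

```sh
#!/bin/sh
# Added example, not code from the original post or from FreeIPA/MIT krb5.
# Builds a PKINIT client certificate shaped as the MIT krb5 pkinit docs
# describe, then decodes the fields the KDC compares before answering
# "Client name mismatch" or rejecting the EKU. Needs openssl(1).
# Principal, realm, section and file names below are made up for the demo.

PRINCIPAL="arantin"
REALM="FREE.IPA"

# openssl config for a certificate that passes the KDC's default checks:
#  - EKU id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4): required by the default
#    pkinit_eku_checking = kpClientAuth
#  - SAN id-pkinit-san (1.3.6.1.5.2.2): KRB5PrincipalName, always compared
#  - SAN Microsoft UPN (1.3.6.1.4.1.311.20.2.3): compared only with
#    pkinit_allow_upn = true on the KDC
write_pkinit_cfg() {            # $1 = path of the config file to write
    cat >"$1" <<EOF
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = $PRINCIPAL
O = $REALM
[pkinit_client]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.2.3.4
subjectAltName = @pkinit_san
[pkinit_san]
otherName.0 = 1.3.6.1.5.2.2;SEQUENCE:krb5_princ
otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:$PRINCIPAL@$REALM
[krb5_princ]
realm = EXP:0, GeneralString:$REALM
principal_name = EXP:1, SEQUENCE:krb5_princ_name
[krb5_princ_name]
name_type = EXP:0, INTEGER:1
name_string = EXP:1, SEQUENCE:krb5_princ_components
[krb5_princ_components]
princ1 = GeneralString:$PRINCIPAL
EOF
}

# Self-signed test certificate; a real one comes from the IPA CA, which the
# KDC must list in pkinit_anchors.
make_test_cert() {              # $1 = work dir; writes $1/client.pem and $1/client.key
    write_pkinit_cfg "$1/pkinit.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$1/pkinit.cnf" -extensions pkinit_client \
        -keyout "$1/client.key" -out "$1/client.pem" 2>/dev/null
}

# Byte offset of the OCTET STRING carrying a named extension, so asn1parse
# -strparse can decode its contents (skips the BOOLEAN of a critical ext).
extension_offset() {            # $1 = DER cert, $2 = extension name as asn1parse prints it
    openssl asn1parse -in "$1" -inform DER |
        awk -F: -v name="$2" 'index($0, name) {
            while ((getline) > 0) if ($0 ~ /OCTET STRING/) { sub(/^ */, "", $1); print $1; exit }
        }'
}

# Full decode of the SubjectAltName: the KRB5PrincipalName SEQUENCE (realm,
# name-type 1, name components as GeneralString hex dumps) and the UPN string.
san_dump() {                    # $1 = PEM cert
    der=$(mktemp) || return 1
    openssl x509 -in "$1" -outform DER -out "$der"
    openssl asn1parse -in "$der" -inform DER -dump \
        -strparse "$(extension_offset "$der" "X509v3 Subject Alternative Name")"
    rm -f "$der"
}

# Just the UPN, the value pkinit_allow_upn lets the KDC match against the
# client principal (user@REALM, treated as an enterprise name).
san_upn() {                     # $1 = PEM cert
    san_dump "$1" | awk '/prim: UTF8STRING/ { sub(/^[^:]*:[^:]*:[^:]*:/, ""); print; exit }'
}

# Version-independent EKU presence test: DER of OBJECT IDENTIFIER
# 1.3.6.1.5.2.3.4 is 06 07 2b 06 01 05 02 03 04. A profile listing only
# serverAuth, id-pkinit-KPKdc and clientAuth fails this check.
has_kpclientauth_eku() {        # $1 = PEM cert
    openssl x509 -in "$1" -outform DER | od -An -tx1 -v | tr -d ' \n' |
        grep -q 06072b060105020304
}

main() {
    work=$(mktemp -d)
    make_test_cert "$work"
    echo "UPN SAN : $(san_upn "$work/client.pem")"
    if has_kpclientauth_eku "$work/client.pem"; then
        echo "EKU     : id-pkinit-KPClientAuth present"
    else
        echo "EKU     : id-pkinit-KPClientAuth missing"
    fi
    san_dump "$work/client.pem"
    rm -rf "$work"
}
main
```

To check a certificate the IPA CA actually issued, run san_upn and has_kpclientauth_eku on that PEM and compare the UPN with the principal you pass to kinit; the KDC does the same comparison, and a missing or differently spelled name is what surfaces as "Client name mismatch".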

Related

KeyCloak fails to send email using SMTP with status 500

I have Keycloak running in a Kubernetes cluster. Authentication works but I need to set up e-mail to be able to send e-mails for verification and password reset.
I have SendGrid set up as an SMTP relay. These settings (host, port and API key) work when I send mail using the SendGrid Java client. However, when pressing Test connection in Keycloak I get:
[Error] Failed to load resource: the server responded with a status of 500 ()
[Debug] Remove message (services.js, line 14)
[Debug] Added message (services.js, line 15)
[Error] Can't find variable: error
https://<domain>/auth/resources/ong8v/admin/keycloak/js/controllers/realm.js:76 – "Possibly unhandled rejection: {}"
[Debug] Remove message (services.js, line 14)
There isn't much to go on here. I have an e-mail address set up for the currently logged-in user. I've also tried resetting the password in case the Test connection functionality was broken, but that didn't work either.
The Realm Settings used for e-mail are as follows:
host: smtp.sendgrid.net
port: 587
from: test@<domain>
Enable StartTLS: true
Username: "apikey"
Password: <api key>
Any idea what can be wrong? Or how to find out? For instance, maybe I can get a more meaningful error message somehow.
Edit:
I got the server logs.
Failed to send email: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: smtp.sendgrid.net, 587; timeout 10000;
nested exception is: java.net.SocketTimeoutException: connect timed out
Edit 2:
I've tried sending mail using Telnet using the exact same settings and that works. So apparently it's something with Keycloak or its underlying Java libraries that's causing issues sending e-mail.
Turns out that Keycloak works and that emails were blocked by the hosting provider.

How to force CoTURN long term credentials validation from WebRTC Flutter application?

I use this example of Flutter data channel to connect my Android app to my CoTURN server on my local network. The CoTURN logs show that the Android app connects successfully to the CoTURN server but doesn't show any username. I would like to make sure that no access is possible to my CoTURN server while not using long term credentials.
The version of my CoTURN server is 4.5.1.1-1.1 on Debian Linux stable (10 Buster). lt-cred-mech is already set in the CoTURN server configuration, while no-auth is not set (it is commented out). I am using verbose to check the logs. I have a user created in my MySQL database for long-term credentials. It is verified using this command on the secured port:
turnutils_uclient -p 5349 -u myuser -w mypassword 192.168.188.28
It leads to the following in the coturn logs:
1992: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.28:58256
1992: session 002000000000000002: realm <myrealm> user <>: incoming packet message processed, error 401: Unauthorized
1992: IPv4. Local relay addr: 192.168.188.28:64632
1992: IPv4. Local reserved relay addr: 192.168.188.28:64633
1992: session 002000000000000002: new, realm=<myrealm>, username=<myuser>, lifetime=777
1992: session 002000000000000002: realm <myrealm> user <myuser>: incoming packet ALLOCATE processed, success
1992: session 002000000000000002: refreshed, realm=<myrealm>, username=<myuser>, lifetime=777
1992: session 002000000000000002: realm <myrealm> user <myuser>: incoming packet REFRESH processed, success
...
2007: session 003000000000000003: delete: realm=<myrealm>, username=<myuser>
2007: session 003000000000000003: peer 0.0.0.0:3481 deleted
2008: session 001000000000000008: usage: realm=<myrealm>, username=<myuser>, rp=13, rb=1360, sp=8, sb=768
2008: session 001000000000000008: closed (2nd stage), user <myuser> realm <myrealm> origin <>, local 192.168.188.28:5349, remote 192.168.188.28:48266, reason: allocation timeout
2008: session 001000000000000008: delete: realm=<myrealm>, username=<myuser>
2008: session 001000000000000008: peer 0.0.0.0:3481 deleted
If I try the same command with an intentionally invalid user, I get the expected following results in the server logs:
2227: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.28:40431
2227: session 002000000000000003: realm <myrealm> user <>: incoming packet message processed, error 401: Unauthorized
2227: check_stun_auth: Cannot find credentials of user <myuserfaulty>
2227: session 002000000000000003: realm <myrealm> user <myuserfaulty>: incoming packet message processed, error 401: Unauthorized
2227: check_stun_auth: Cannot find credentials of user <myuserfaulty>
...
So, this means that the credentials are indeed checked by the CoTURN server.
However, when I add credentials to the Flutter app as follows, I get server logs that don't seem to show any user. Worse, if the user is intentionally faulty, it changes nothing. Here is the portion of code adapted:
...
Map<String, dynamic> configuration = {
"iceServers": [
{"url": "stun:192.168.188.28:5349"},
{"username": "myuserfaulty"},
{"credential": "mypassword"},
]
};
...
Note that I guessed the username and credential entries in the configuration from the following files:
https://github.com/cloudwebrtc/flutter-webrtc/blob/master/ios/Classes/FlutterWebRTCPlugin.m
https://github.com/cloudwebrtc/flutter-webrtc/blob/master/android/src/main/java/com/cloudwebrtc/webrtc/FlutterWebRTCPlugin.java
Here are the CoTURN logs while using intentionally wrong credentials from Flutter:
2945: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.31:58350
2945: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2955: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2965: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2975: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2985: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
2995: session 002000000000000004: realm <myrealm> user <>: incoming packet BINDING processed, success
3005: session 002000000000000004: usage: realm=<myrealm>, username=<>, rp=6, rb=120, sp=6, sb=528
3005: session 002000000000000004: closed (2nd stage), user <> realm <myrealm> origin <>, local 192.168.188.28:5349, remote 192.168.188.31:58350, reason: allocation watchdog determined stale session state
3005: handle_udp_packet: New UDP endpoint: local addr 192.168.188.28:5349, remote addr 192.168.188.31:58350
3005: session 002000000000000005: realm <myrealm> user <>: incoming packet BINDING processed, success
3015: session 002000000000000005: realm <myrealm> user <>: incoming packet BINDING processed, success
...
So, I have the following questions:
How can I make sure that my CoTURN server cannot be used without authorized long term credentials?
How come the Flutter app is not subject to the same credentials validation as the turnutils_uclient?
Did I guess correctly the way to specify the credentials in the Flutter app with the addition of the username and credential entries in the configuration?
With this configuration (lt-cred-mech), the TURN server cannot be used without authorized long term credentials. However, the STUN server never requires authentication.
The turnutils_uclient command requires authentication because it calls the TURN server. To make a STUN server test call, the turnutils_stunclient command can be used and no credentials can be given to it.
The format for long term authentication on TURN server in Flutter is described in a comment in this file:
https://github.com/cloudwebrtc/flutter-webrtc-demo/blob/master/lib/src/call_sample/signaling.dart
...
{
'url': 'turn:123.45.67.89:3478',
'username': 'change_to_real_user',
'credential': 'change_to_real_secret'
},
...
which shows that my attempts were wrong for two reasons:
The protocol must be set to turn instead of stun.
The configuration items must be in the same array.
After those corrections, I do get the username in the coturn server logs as shown below:
87055: session 000000000000000540: new, realm=<myrealm>, username=<myuser>, lifetime=600
87055: session 000000000000000540: realm <myrealm> user <myuser>: incoming packet ALLOCATE processed, success
87065: session 000000000000000540: realm <myrealm> user <myuser>: incoming packet BINDING processed, success
Note that the coturn server configuration can require authentication for the STUN binding request as well:
...
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
...
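An added check that is not part of the original post or of the coturn project: the outcome described in the answer hinges on three turnserver.conf directives, so this script reads the directive names out of a config (with # comments and blank lines ignored, so the commented-out #secure-stun from the question counts as unset) and reports whether anonymous TURN allocations or anonymous STUN Binding requests are still possible. The two sample configs are constructed for the demo; the directive names (lt-cred-mech, use-auth-secret, no-auth, secure-stun, realm) are the ones documented in coturn's own turnserver.conf.

```sh
#!/bin/sh
# Added example, not code from the original post or from the coturn project.
# Audits a turnserver.conf for the directives that decide whether anyone can
# use the server without long-term credentials: lt-cred-mech (or
# use-auth-secret) turns authentication on for TURN, no-auth turns it off,
# and secure-stun extends it to STUN Binding, which is anonymous by default.
# The two sample configs at the bottom are constructed for the demo.

# Directive names actually in effect: "#" comments, blank lines and "=value"
# parts dropped, so a commented-out "#secure-stun" counts as unset.
active_directives() {           # $1 = config file
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]=].*//' -e '/^$/d' "$1"
}

has_directive() {               # $1 = config file, $2 = directive name
    active_directives "$1" | grep -qx -- "$2"
}

# Prints one line per finding. Returns 0 only when both TURN allocations and
# STUN Binding requests require credentials.
audit_turnserver_conf() {       # $1 = config file
    cfg=$1
    status=0
    if has_directive "$cfg" no-auth; then
        echo "FAIL  no-auth is set: anonymous access (it is the opposite of lt-cred-mech)"
        status=1
    elif has_directive "$cfg" lt-cred-mech || has_directive "$cfg" use-auth-secret; then
        echo "OK    TURN ALLOCATE requires long-term credentials"
    else
        echo "FAIL  neither lt-cred-mech nor use-auth-secret: anonymous TURN allocations"
        status=1
    fi
    if has_directive "$cfg" secure-stun; then
        echo "OK    STUN Binding requires credentials (secure-stun)"
    else
        echo "WARN  STUN Binding is anonymous: add secure-stun to require credentials there too"
        status=1
    fi
    has_directive "$cfg" realm || echo "WARN  no realm set; long-term credentials are looked up per realm"
    return $status
}

# Constructed samples: the situation described in the question (lt-cred-mech
# on, no-auth and secure-stun commented out) and a hardened variant.
write_samples() {               # $1 = directory
    cat >"$1/as-asked.conf" <<'EOF'
listening-port=3478
tls-listening-port=5349
realm=myrealm
lt-cred-mech
#no-auth
# Require authentication of the STUN Binding request.
#secure-stun
verbose
EOF
    cat >"$1/hardened.conf" <<'EOF'
listening-port=3478
tls-listening-port=5349
realm=myrealm
lt-cred-mech
secure-stun
EOF
}

main() {
    d=$(mktemp -d)
    write_samples "$d"
    for name in as-asked hardened; do
        echo "== $name.conf"
        audit_turnserver_conf "$d/$name.conf" || echo "      => anonymous use still possible"
    done
    rm -rf "$d"
}
main
```

Run audit_turnserver_conf against /etc/turnserver.conf on the server itself; the as-asked sample reproduces the question's situation (TURN authenticated, STUN Binding anonymous) and the hardened one passes. Note that secure-stun also makes plain STUN discovery by unauthenticated WebRTC clients fail, so enable it only if every client has credentials.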

Fiddler doesn't work

Fiddler almost doesn't work for me. The problem seems to be only with HTTPS.
For example, to open https://google.com I need to wait around 40 seconds.
Screenshots (not reproduced here): immediately after the request, and after ~40 seconds.
Fiddler log:
18:02:46:3326 Fiddler Running...
18:02:46:3922 Windows 8+ AppContainer isolation feature detected.
18:03:09:5427 Assembly 'C:\Program Files (x86)\Fiddler2\CertMaker.dll' was not found. Using default Certificate Generator.
18:03:09:5467 /Fiddler.CertMaker> Using Fiddler.DefaultCertificateProvider+CertEnrollEngine for certificate generation; UseWildcards=False.
18:03:11:3745 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
18:03:11:3855 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
18:03:11:3895 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
18:03:11:3915 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
18:03:11:3945 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
18:03:20:2192 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6091.
18:03:20:3110 [Fiddler] No HTTP request was received from (chrome:10428) new client socket, port 6134.
18:03:20:3120 [Fiddler] No HTTP request was received from (chrome:10428) new client socket, port 6130.
18:03:28:8160 HTTPSLint> Warning: ClientHello record was 508 bytes long. Some servers have problems with ClientHello's greater than 255 bytes. github.com/ssllabs/research/wiki/Long-Handshake-Intolerance
18:03:30:2198 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6095.
18:03:30:2198 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6097.
18:03:30:2198 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6099.
18:03:30:2198 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6101.
18:03:50:2219 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6163.
18:03:50:2219 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6141.
18:03:50:2219 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6167.
18:04:10:2230 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6176.
18:04:10:2230 [Fiddler] No HTTPS request was received from (chrome:10428) new client socket, port 6179.
Many times in Chrome I see "Waiting for proxy tunnel..." and then the site shows "This webpage is not available (ERR_TIMED_OUT)".
In Edge I can't even open an HTTP site; for all sub-requests I see a blue up arrow, which means Fiddler is trying to load them (after ~40 seconds all those requests finish loading).
I tried resetting Internet Properties -> Advanced tab -> Restore advanced settings; it didn't help.
I also tried restarting my system, and I restarted Fiddler after every change I made.
Fiddler settings:
Certificates are generated by the CertEnroll engine. I tried changing it to MakeCert. A few times I reset all certificates, and I also removed certificates manually.
Browsers: Chrome/Firefox
Gateway info in fiddler: No upstream gateway proxy is configured.
Recently I made a clean installation of Windows 10.
I do not have any Antivirus.
Windows 10 Pro x64
Fiddler v4.6.2.0
I need Fiddler for my work. Please help me.
UPDATED:
This can be an issue with protocols. Currently in Fiddler I see the following:
fiddler.network.https> HTTPS handshake to www.bing.com (for #4) failed. System.IO.IOException Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. < An existing connection was forcibly closed by the remote host
and
fiddler.network.https> HTTPS handshake to www.google.com.ua (for #23) failed. System.ComponentModel.Win32Exception The client and server cannot communicate, because they do not possess a common algorithm
As I thought, the issue was with the protocols enabled in Internet Options in Windows and the Fiddler protocols.
I ticked Use SSL 3.0 and Use TLS 1.0 in Internet Properties (all the others should be unticked).
In the Fiddler protocols I typed: ;ssl3;tls1.0
And after these changes everything works perfectly.
Yes, use SSL 3.0 and TLS 1.0 in Internet Properties for it to work. Previously I made the same mistake, but now it's working fine. I also checked the same in Fiddler.

Fiddler 2 error: SecureClientPipeDirect failed: System.IO.IOException Unable to read data from the transport connection

I am trying to decrypt HTTPS traffic with Fiddler2, which has just been upgraded.
What is causing this error?
17:27:45:6821 !SecureClientPipeDirect failed: System.IO.IOException Unable to read data from the transport connection: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. < A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond on pipe to (CN=192.168.0.100, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com)
Thanks
The error message indicates that the client failed to complete the HTTPS handshake. What was the client? This message typically indicates that the client isn't configured to trust Fiddler's Root Certificate.
What, if any, other messages are shown on the Log tab?

Net::SFTP Hangs

I'm using Net::SFTP to transfer files. However, whenever I try to create a new object like so:
my $sftp = Net::SFTP->new('ip', user=>'user', password=>'pass');
it just hangs and does nothing. Does anyone know why this is? Am I doing something wrong? Thanks!
Update
Here is the debug output:
dev1.com: Reading configuration data /home/user/.ssh/config
dev1.com: Reading configuration data /etc/ssh_config
dev1.com: Connecting to 50.56.91.91, port 22.
dev1.com: Remote protocol version 2.0, remote software version OpenSSH_4.3
dev1.com: Net::SSH::Perl Version 1.34, protocol version 2.0.
dev1.com: No compat match: OpenSSH_4.3.
dev1.com: Connection established.
dev1.com: Sent key-exchange init (KEXINIT), wait response.
dev1.com: Algorithms, c->s: 3des-cbc hmac-sha1 none
dev1.com: Algorithms, s->c: 3des-cbc hmac-sha1 none
dev1.com: Entering Diffie-Hellman Group 1 key exchange.
dev1.com: Sent DH public key, waiting for reply.
dev1.com: Received host key, type 'ssh-dss'.
dev1.com: Host 'ip_here' is known and matches the host key.
dev1.com: Computing shared secret key.
dev1.com: Verifying server signature.
dev1.com: Waiting for NEWKEYS message.
dev1.com: Send NEWKEYS.
dev1.com: Enabling encryption/MAC/compression.
dev1.com: Sending request for user-authentication service.
dev1.com: Service accepted: ssh-userauth.
dev1.com: Trying empty user-authentication request.
dev1.com: Authentication methods that can continue: publickey,gssapi-with-mic,password.
dev1.com: Next method to try is publickey.
dev1.com: Trying pubkey authentication with key file '/home/user/.ssh/id_rsa2'
In addition to the user and password options, set debug => 1. You will get some diagnostic output that may tell you what the problem is.
Check whether your connection data is correct. Use simple code like that shown in Net::SFTP::Foreign.