Does anyone understand this error? I'm trying to install SSL pinning (previously asked). Why does this happen?
The PEM certificate already exists, but an error message like this appears:
tlsexception (tlsexception: failure trusting builtin roots (os error: bad_pkcs12_data(pkcs8_x509.c:614), errno = 0))
Related
I'm testing an internal website and on playback I'm seeing this error:
POST /Ex_ACO_EI/Details/2433:
'SSLError(MaxRetryError("HTTPSConnectionPool(host=\'examiner-stage.site.com\',
port=443): Max retries exceeded with url: /Ex_ACO_EI/Details/2433
(Caused by SSLError(SSLCertVerificationError(1, \'[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get
local issuer certificate (_ssl.c:1056)\')))"))'
I'm using PyCharm for my IDE.
Any ideas would be greatly appreciated.
A quick hack is always to disable SSL verification (in the Python requests lib, if you use the default HTTPLocust).
To fix it properly, you need to validate the server cert again. Maybe an intermediate certificate is missing? You can try
openssl s_client -connect yoursite:443
and see what is wrong with it.
I am kind of new to the Perl world, but my script fails when loaded via SFTP with the error below:
IN SUBROUTINE: CSRF TOKEN DECODED CONTENT:
error while setting up ssl connection (SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) at /home/rcc/perl5/lib/perl5/LWP/Protocol/https/connect/Socket.pm line 23.
Looping through csrf response array, param = [error while setting up ssl connection (SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) at /home/rcc/perl5/lib/perl5/LWP/Protocol/https/connect/Socket.pm line 23.
]
Under the assumption that it's because of TLS deprecation, we upgraded the SSL version, but it still doesn't work. Can someone help us understand how to fix the issue?
Or is there a newer version of Perl LWP that would fix the issue through an upgrade? Repacking the current package seems to be complex.
Thanks in advance.
The SSL handling is not done directly by LWP::Protocol::connect. Instead it uses IO::Socket::SSL which then uses Net::SSLeay which then uses the linked in OpenSSL library which is not necessarily the one used by the openssl binary. The general capability to use TLS 1.2 depends on the version of OpenSSL which should be at least 1.0.1.
To get the versions of the various parts, use the following code:
use strict;
use IO::Socket::SSL;
printf "IO::Socket::SSL %s\n", $IO::Socket::SSL::VERSION;
printf "Net::SSLeay %s\n", $Net::SSLeay::VERSION;
printf "OpenSSL compiled %x\n", Net::SSLeay::OPENSSL_VERSION_NUMBER();
printf "OpenSSL linked %x - %s\n", Net::SSLeay::SSLeay(),
Net::SSLeay::SSLeay_version(0);
... SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Note that a TLS handshake problem can have lots of different reasons and an unsupported TLS protocol version is just one of many. No shared ciphers is another common problem at this stage of the connection.
I am using this Dart Socket IO client library. I have set up a Socket.IO server with a self-signed certificate on port 443. When I try to connect, the error message is:
(OS Error:
CERTIFICATE_VERIFY_FAILED: self signed certificate(handshake.cc:352))
How do I get the client or Dart to ignore the error prompt from self-signed certificates?
I know that the NodeJS equivalent of socket.io allows it by setting the variable rejectUnauthorized to false. But it seems there is no such variable in Dart...
This is the code used in Dart to initialize and connect to the server:
IO.Socket socket = IO.io('https://localhost', {
'transports': ['websocket'],
'reconnectionAttempts': 1,
'rejectUnauthorized': false
});
I have Perl code that sends a SOAP request through SOAP::Lite like this:
eval
{
    # Call the remote function over HTTPS with basic-auth credentials in the URL
    $sresp = SOAP::Lite
        ->uri('http://machine/key')
        ->proxy('https://usr:pwd@website.com/addr/addr/remotescript.pl')
        ->remotescript_pl_function(@parms, $gmtime);
};
if ($@)
{
    # $@ holds the error raised inside the eval block
    print $@;
}
After the existing certificate for *.website.com was replaced, I am no longer getting valid responses; I am getting
500 Can\'t connect to website.com:443 at localscript.pl line 123.
If I enable
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
everything works. But I would like to verify the SSL hostname. How can I do that, or track down the problem? (I am a little lost in this proxying.)
I have C++ code with libcurl that goes along the same lines and works well. Entering https://website.com into a browser works fine. Entering http://machine (machine is on the local network) works.
edit 1:
Both perl -MIO::Socket::SSL=debug4 yourscript.pl and analyze-ssl.pl from p5-ssl-tools show error message 1416F086, which led me to the information that the SSL certificate has "Chain issues" that have to be fixed in the certificate installation.
edit 2:
After fixing the certificate, the error is gone! Perfect, solved!
Here is the solution mentioned in the comments by Corion and Steffen Ullrich:
Running either:
https://github.com/noxxi/p5-ssl-tools script analyze-ssl.pl
perl -MIO::Socket::SSL=debug4 yourscript.pl
displayed the same error: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed. This pointed me to: telegram bot SSL error: SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed} where I found that I too have "Chain issues Incomplete".
After fixing the certificate, the error is gone.
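The incomplete-chain condition behind both "unable to get local issuer certificate" in the Python question and the "Chain issues Incomplete" finding above can be reproduced offline. This is an added example, not code from any of the posters; the lab CA names and the host app.example.test are constructed, and the openssl command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: constructed lab PKI (root -> intermediate -> leaf); all names are made up.
set -eu

build_chain() {   # $1 = empty working directory
  local d="$1" n
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > "$d/leaf.ext"
  for n in root inter leaf; do   # one key and CSR per certificate
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
      -subj "/CN=lab-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Root is self-signed; the intermediate is signed by root, the leaf by the intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

verify_leaf() {   # $1 = directory, $2 = "with" or "without" the intermediate supplied
  local d="$1" out
  if [ "$2" = with ]; then   # -untrusted plays the role of certs sent by the server
    out=$(openssl verify -CAfile "$d/root.pem" -untrusted "$d/inter.pem" \
      "$d/leaf.pem" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo "ok" ;;
    *"unable to get local issuer certificate"*) echo "incomplete-chain" ;;
    *) echo "other: $out" ;;
  esac
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
build_chain "$lab"
echo "client trusts root, server sends leaf only:         $(verify_leaf "$lab" without)"
echo "client trusts root, server sends leaf+intermediate: $(verify_leaf "$lab" with)"
```

The client's trust store is identical in both runs; only the certificates presented alongside the leaf differ, which is why the fix belongs in the server's certificate installation rather than in the client. Against a real host, `openssl s_client -connect yoursite:443 -showcerts` lists the certificates the server actually sends.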
When running the method:
CFReadStreamSetProperty(theReadStream, kCFStreamPropertySSLSettings, (CFDictionaryRef)tlsPacket->tlsSettings);
to secure the connection of a CFReadStream, my iPhone client returns the error:
Error Domain=kCFStreamErrorDomainSSL Code=-9824 "Operation could not be completed. (kCFStreamErrorDomainSSL error -9824.)"
and the server sends the error:
ERROR [STDERR] javax.net.ssl.SSLHandshakeException: no cipher suites in common
Is there any way to allow CFReadStream to use additional ciphers during the handshake process?
For anyone else who runs into this problem:
It turns out that the problem was on the server side. If you run into this issue yourself I would urge you to check that the handshake on the server side is working properly.