I'm testing an internal website and on playback I'm seeing this error:
POST /Ex_ACO_EI/Details/2433:
'SSLError(MaxRetryError("HTTPSConnectionPool(host=\'examiner-stage.site.com\',
port=443): Max retries exceeded with url: /Ex_ACO_EI/Details/24 33
(Caused by SSLError(SSLCertVerificationError(1, \'[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get
local issuer certificate (_ssl.c:1056)\')))"))'
I'm using PyCharm for my IDE.
Any ideas would be greatly appreciated.
A quick hack is always disable SSL verification ( on python requests lib if you use the default HTTPLocust).
To fix it properly, you need to validate that server cert again . May be intermediate certificate is missing ? You can try
openssl s_client -connect yoursite:443
And see what wrong with it.
Related
I am kind of new to perl world but my script fails when loaded via SFTP with below error ,
IN SUBROUTINE: CSRF TOKEN DECODED CONTENT:
error while setting up ssl connection (SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) at /home/rcc/perl5/lib/perl5/LWP/Protocol/https/connect/Socket.pm line 23.
Looping through csrf response array, param = [error while setting up ssl connection (SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) at /home/rcc/perl5/lib/perl5/LWP/Protocol/https/connect/Socket.pm line 23.
]
Under the assumption its because of TLS depreciation , we upgraded SSL version but still doesn't work, can someone help us understand how to fix the issue ?
Or is there a latest version of perl LWP which by upgrade can fix the issue ? repacking the current package seems to be complex.
Thanks in advance.
The SSL handling is not done directly by LWP::Protocol::connect. Instead it uses IO::Socket::SSL which then uses Net::SSLeay which then uses the linked in OpenSSL library which is not necessarily the one used by the openssl binary. The general capability to use TLS 1.2 depends on the version of OpenSSL which should be at least 1.0.1.
To get the versions of the various parts use the following code
use strict;
use IO::Socket::SSL;
printf "IO::Socket::SSL %s\n", $IO::Socket::SSL::VERSION;
printf "Net::SSLeay %s\n", $Net::SSLeay::VERSION;
printf "OpenSSL compiled %x\n", Net::SSLeay::OPENSSL_VERSION_NUMBER();
printf "OpenSSL linked %x - %s\n", Net::SSLeay::SSLeay(),
Net::SSLeay::SSLeay_version(0);
... SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Note that a TLS handshake problem can have lots of different reasons and an unsupported TLS protocol version is just one of many. No shared ciphers is another common problem at this stage of the connection.
I have a perl code that sends SOAP request through SOAP::Lite like this:
eval
{
$sresp = SOAP::Lite
->uri('http://machine/key')
->proxy('https://usr:pwd#website.com/addr/addr/remotescript.pl')
->remotescript_pl_function(#parms, $gmtime);
};
if ($#)
{
print $#;
}
After existing certificate for *.website.com has been replaced I am not getting valid responses anymore, I am getting
500 Can\'t connect to website.com:443 at localscript.pl line 123.
If I enable
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
everything works. But I would like to verify the SSL hostname, how can I do that, or track down the problem? (I am a little lost in this proxying).
I have c++ code with libcurl that goes along the same lines and works well. Entering https://website.com into browser works fine. Entering http://machine (machine is on local network) works.
edit 1:
Both perl -MIO::Socket::SSL=debug4 yourscript.pl and analyze-ssl.pl from p5-ssl-tools show error message 1416F086 which lead me to information that SSL certificate has "Chain issues" that have to be fixed in certificate installation.
edit 2:
After fix of the certificate is the error gone! Perfect, solved!
Here is solution mentioned in comments by Corion and Steffen Ullrich:
Running either:
https://github.com/noxxi/p5-ssl-tools script analyze-ssl.pl
perl -MIO::Socket::SSL=debug4 yourscript.pl
displayed same error: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed. This pointed me to: telegram bot SSL error: SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed} where I found that I too have "Chain issues Incomplete".
After fixing certificate the error is gone.
i`m trying to connect mongodb to php application from compose to local,but get this error.
but i can remote using mongo chef
No suitable servers found (serverSelectionTryOnce set): [TLS handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed calling ismaster
I think you have 3 options to solve this problem.
1. Disable SSL on your server
Find mongod.conf, if you're using linux, then normally it should locate at /etc/mongod.conf, use # to comment these lines under net. Finally, you need to restart mongodb for making change works.
net:
ssl:
mode: requireSSL
PEMKeyFile: ./mongodb.pem
...
2. Use the option called weak_cert_validation on your client
This is not a safety solution, but this is definitely one of the simplest one.
For example, if the mongoDB server has enable SSL but without (or did't) offering CA certificate(means self-signed certificate), then set weak_cert_validation as true in the client side, a example for C client:
mongoc_ssl_opt_t ssl_opts = {0};
ssl_opts.weak_cert_validation = true;
mongoc_client_set_ssl_opts(client, &ssl_opts);
3. Follow configure-ssl to create a certificate and get it signed for your program.
Here some provider: https://en.wikipedia.org/wiki/Certificate_authority#Providers
I do not use a proxy.
Here is my code:
use JIRA::Client::Automated;
my $jira = JIRA::Client::Automated->new(https://myserver.com, "user", "password");
And the error response is:
Unable to GET /jira/rest/api/latest/issue/DCS-51191: 500 Can't connect
to myserver.com:443 Can't connect to myserver.com:443
Bad file descriptor at
C:/Users/Fred/applis_portables/Strawberry_Perl/perl/vendor/lib/LWP/Protocol/http.pm
line 47.
at createPage2.pl line 16.
Thank you for your help.
It seems that there is a self signed certificate on JIRA server. To bypass, I added following code:
my $jira_ua = $jira->ua();
$jira_ua->ssl_opts( verify_hostname => 0 );
The error doesn't look like a JIRA::Client::Automated error. It's generated by LWP::UserAgent and usually means exactly what is shown.
Do you have a self signed certificate on your server?
Did you try to open that URL in in your browser? https://myserver.com:443 (exactly as you provide it to the module).
Try using curl from your webserver:
curl -vvv https://myserver.com/jira/rest/api/latest/issue/DCS-51191
Maybe it's just a missing www. prefix in your server URL?
I am creating an NSURLMutableRequest and setting HTTP methods and content-types and such. All was working fine until my last compile. I now get this in the Console, but the app doesn't crash:
CODE:
Internal error.
Exception from other package:
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
and then the program continues. Code can be posted if you need it. The URL I am contacting is:
https://apps.quickbooks.com/j/AppGateway
This is VERISIGN not some Joe Blow make-your-own SSL cert.
Thanks guys!
Should have researched. QBOE XML processor is down.