answerstu

ssl - How to create a self-signed certificate with OpenSSL

I'm adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps:

openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 1001
cat key.pem >> cert.pem

This works, but I get some errors with, for example, Google Chrome: "This is probably not the site you are looking for! The site's security certificate is not trusted!" Am I missing something? Is this the correct way to build a self-signed certificate? ...
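As an added example, not part of the original question or of any answer on the page: a single `openssl req -x509` invocation that produces the private key and a self-signed certificate with a subjectAltName, followed by the local checks worth running before the certificate goes onto the device (key and certificate share a modulus, the certificate verifies against itself as trust anchor, the SAN is present). The hostname `device.local` and the address `192.168.1.10` are placeholders, and OpenSSL 1.1.1 or newer is assumed. Two facts the checks reflect: any self-signed certificate is reported as untrusted by a browser until it (or a CA that signed it) is imported into the browser's or OS trust store, and Chrome ignores the Common Name and requires the hostname in a subjectAltName.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Generates a self-signed server certificate with a SAN and checks it locally
# with the openssl CLI. Assumptions: "device.local" / 192.168.1.10 stand in for
# the real device name and address; OpenSSL 1.1.1 or newer is installed.

# make_self_signed DIR
# Writes DIR/key.pem (unencrypted RSA-2048 key) and DIR/cert.pem
# (self-signed, valid 1001 days as in the original post, with a SAN).
make_self_signed() {
  dir="$1"
  mkdir -p "$dir"
  # Request config: prompt=no takes the DN from [dn]; x509_extensions lists the
  # extensions copied into the self-signed certificate. keyUsage is left out on
  # purpose: the cert is its own trust anchor, and OpenSSL's verifier can refuse
  # a self-signed anchor whose keyUsage lacks keyCertSign.
  cat > "$dir/req.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server

[dn]
CN = device.local

[v3_server]
subjectAltName   = DNS:device.local, IP:192.168.1.10
extendedKeyUsage = serverAuth
EOF
  # One step instead of req -> rsa -> x509 -req: -x509 makes req emit a
  # self-signed certificate directly; -nodes leaves the key unencrypted so the
  # device's HTTPS server can start without a passphrase.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1001 \
    -config "$dir/req.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  chmod 600 "$dir/key.pem"
}

# check_self_signed DIR
# Returns 0 when the key matches the cert, the cert verifies against itself and
# the SAN is present; 1, 2 or 3 identifies the failing check.
check_self_signed() {
  dir="$1"
  # 1. Private key and certificate carry the same RSA modulus.
  cert_mod=$(openssl x509 -in "$dir/cert.pem" -noout -modulus)
  key_mod=$(openssl rsa -in "$dir/key.pem" -noout -modulus 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
  # 2. The cert validates when it is itself the trust anchor, which is the
  #    check a browser performs once the cert has been imported as trusted.
  openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 2
  # 3. A SAN with the device name is present (Chrome ignores the CN).
  openssl x509 -in "$dir/cert.pem" -noout -text | grep -q 'DNS:device.local' || return 3
  return 0
}

# Stand-alone usage: sh selfsigned.sh ./out
if [ -n "${1:-}" ]; then
  make_self_signed "$1" && check_self_signed "$1" && echo "cert.pem and key.pem written to $1"
fi
```

The browser warning disappears only when the client trusts the certificate: import `cert.pem` into the client's trust store, or sign a CSR with a private CA you control and distribute that CA certificate instead. Do not ship one self-signed key on every unit of the device; anyone who extracts it from one unit can impersonate all of them.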

openssl - How to verify the certificate for the ongoing ssl session

I am using SSL to create a secure connection and using a certificate that is certified by the CA. After establishing the SSL session, I want to check the validity of the certificate and, if it is not valid, I need to break all the ongoing sessions. How can I track the ongoing SSL sessions to check how many sessions are established using this certificate? Is there any API to track the active SSL sessions? Shall I use SSL_CTX_remove_session() to terminate the SSL session, or is there any specific API for terminating the SSL session in OpenSSL? If resumpt...

SSL session tickets vs session ids

To improve SSL handshake performance for non-persistent (short) connections there are two separate, widely known features:

- TLS session IDs
- TLS session tickets

In the case of very many short connection sessions, which mechanism is preferable in terms of performance overhead and should be used? I know the server needs to cache session IDs, and also that session tickets are easily shareable in the case of load balancing, but let's assume there is a single server listening on a single port (no load balancing) and it receives very many SHORT incoming TLS connection sessions. So wh...

http.sys and winhttp.dll have SSL/TLS "session resumption" and "false start"?

I have an application written in Delphi which uses winhttp.dll on the client side; on the server side it uses mORMot (an SOA/ORM client-server library that uses http.sys for web server functionality). The next step will also be a web client written in JS. So every normal connection with ~100 ms latency will be > 350 ms with an SSL/TLS handshake included. I read that through "session resumption" and "false start" (by reusing the certificate and pushing data faster) latency can be something like < 200 ms, which is a very big gain for me. So my question i...

ssl - How to enable session resumption on Netty Client side

Reading an article about the cost of the SSL handshake, I saw the possibility of having session tickets and session resumption to avoid paying the cost of re-establishing the session. In my architecture, I use Netty on the client side and Tomcat on the server side. Googling, I saw several guides to enable it on nginx and other server implementations, but for the Netty implementation on the client side I couldn't find anything. At this point, I was wondering whether it is directly managed by SSLEngine for me on the client side, and I have to do nothing, or t...

ssl - Kubernetes NGINX Ingress TLS issue

I deployed a k8s cluster in the cloud (VMware vSphere): 3 masters and 1 worker node. Then I installed nginx-ingress with Helm:

helm install stable/nginx-ingress

Deployed a few pods of a simple http-svc. Changed the nginx-controller service type from LoadBalancer to NodePort and added externalIPs (the IP addresses of my master nodes), so it looks like:

NAME                          TYPE      CLUSTER-IP     EXTERNAL-IP               PORT(S)   AGE
ing-nginx-ingress-controller  NodePort  10.233.15.202  172.16.40.21,172...

cloudfoundry - --skip-ssl-validation option not working with uaac in cloud foundry

I have created an instance of the uaac service in Cloud Foundry and have associated it with one of my applications. Now, when I try to target my CLI at the uaac instance, I get the following error:

$ uaac target <uaac URL>
failed to access <uaac URL>: Invalid SSL Cert for <uaac URL>/login. Use '--skip-ssl-validation' to continue with an insecure target

I have added the option as per the message:

$ uaac target <uaac URL> --skip-ssl-validation

But again I get the same error: failed to access <uaac URL>: Invalid SSL Cert f...

ssl - sshing in aws load balancer and configuring it for subdomain routing?

We want to use the Amazon Elastic Beanstalk service for deployment on EC2 boxes. We want to deploy our Ruby on Rails application in such a way that we can do subdomain-based routing to different Rails apps. And we want to use a single SSL certificate for our load balancer and configure the load balancer in such a way that subdomain-based routing takes place. HAProxy does this work well, but when we try to use the Amazon Elastic Beanstalk service for our deployment, AWS creates a load balancer but doesn't associate it with any key pair. So we a...

ssl - Certbot automatic renewal vulnerabilities

I have certbot, including automatic renewal, in use in several installations with clients. Now I have been reading here:

https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188

here:

https://community.letsencrypt.org/t/solution-client-with-the-currently-selected-authenticator-does-not-support-any-combination-of-challenges-that-will-satisfy-the-ca/49983

and here:

https://github.com/certbot/certbot/issues/5405

as well as here:

https://community.letsencrypt.org/t/important-what-you-need-to-know-about-t...

ssl - Certificate Based Authentication Using Camel Jetty

I have an issue where I have to pass a client certificate for authentication purposes. My code:

<camel:sslContextParameters id="sslContextParameters">
    <camel:keyManagers keyPassword="indigo">
        <camel:keyStore resource="/home/sahil/Demo/new.jks" password="changeit"/>
    </camel:keyManagers>
    <camel:trustManagers>
        <camel:keyStore resource="/home/sahil/Demo/123.jks" password="changeit"/>
    </camel:trustManagers>
    <camel:serverParameters clientAuthentication="WANT" />
    <...

swisscomdev - ssl certificate was not renewed

My Swisscom Cloud Foundry service is not available anymore because the SSL certificate was not automatically renewed. I cannot even turn off the certificate; it says that a running process of type "RENEW" exists. How can I renew the certificate? Why is this not done automatically? ...

SSL Connection on Solace MQTT Throwing Unknown Protocol error

I am using Solace VMR for an MQTT publish/subscribe service. I am using the Paho library for publishing and subscribing. I need an SSL connection with Solace for this purpose. I configured the server and CA certificates. Using SolAdmin, I can see that the SSL service is enabled on port 8883. So when I try to connect to Solace MQTT to publish the data, it throws me an error:

2016-09-09T16:54:50+0000 solace event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (unknown protocol); connection to XXX.XX.XX.XXX:8883 ...