ActiveMQ TLS hostname verification - Java

In ActiveMQ 5.15.6 they enabled TLS hostname verification, and I see my application failing after the upgrade.
In their documentation they mention they have fixed the server-side TLS validation by making the default False. Is there any way I can make TLS hostname verification FALSE at the client side as well?

Yes, you can disable TLS hostname verification at the client side as well. Use something like this:
ssl://hostname:61616?socket.verifyHostName=false
or
ssl://hostname:61616?verifyHostName=false

Do we need Certificate for Kafka SASL_SSL?

I am confused about SASL_SSL. Do we need an SSL certificate configured for the Kafka producer application? Or is it just the username and password? What is the difference between SASL_SSL and SASL_PLAINTEXT? I am sending messages from a plain Java application to a topic.
SASL_SSL uses TLS encryption like SSL, so you will need to create a certificate, and with SASL_SSL you need to specify an authentication method.
This page should help you: https://developer.confluent.io/learn-kafka/security/authentication-ssl-and-sasl-ssl/
SASL_PLAINTEXT doesn't use TLS encryption (SASL_PLAIN does, and this uses username/password authentication).
It really all depends on your security requirements. SASL_SSL is mainly used when integrating with an existing authentication server, but this increases your vulnerability to attacks.

WireMock is not running in HTTPS mode

Here's my code:
wireMockServer = new WireMockServer(wireMockConfig().httpsPort(8443).keystorePath("/Users/me/keystore.jks").keystorePassword("password"));
wireMockServer.start();
The problem is that when I'm trying to connect I'm getting:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
It seems that WireMock operates in HTTP mode rather than in HTTPS mode.
Why?
WireMock is running in HTTPS mode when you specify .httpsPort(8443). But the problem is, the library you are using to make the HTTPS call is not trusting the SSL certificates.
There are multiple ways to do it. However, you should make sure that you do this only in the testing environment and not in production.
Here are a few resources to disable the SSL check:
https://stackoverflow.com/a/21257694/3892213
https://stackoverflow.com/a/2703233/3892213

For an SSL connection, when is hostname verification actually done?

For an SSL connection, when is hostname verification actually done?
Some application servers provide an option to disable hostname verification; for example, in WebLogic it can be disabled at the server level with
-Dweblogic.security.SSL.ignoreHostnameVerify
We can disable it programmatically, as discussed here, by having a custom verifier which implements javax.net.ssl.HostnameVerifier.
Is there a generic way to disable hostname verification at the server level?
It isn't. Hostname verification is part of HTTPS, not SSL.

SSL offloading with load balancer

I have configured an application where the load balancer does SSL offloading: all requests come to https://application.com and it internally redirects to Apache on port 80. I have SAML configured with Shibboleth in Apache, and it expects its destination URL to be https. As Apache always gets the request on port 80, it is creating a problem: it complains that the expected destination is https://application.com but it got http://application.com. Is there a way in Apache to give the server name as https? I tried using the canonical name but no luck.
I set the following in my configuration:
ServerName https://application.com
UseCanonicalName On
Please let me know if there is any other way to set this.
Why don't you set up an SSL vhost for Shibboleth and use it? You can go for self-signed certificates for your SSL connection between the web server and the LB.

Question on ssl handshake and behavior in java

I am using HTTPS to connect to an HTTPS server.
Specifically, I am using Apache HttpClient and I configure the SSL context to use my keystore and truststore.
The HTTPS server I am using is IIS7 and is configured to require client authentication.
I think I have set it up properly.
Anyway, if I configure the HttpClient's SSL context with a keystore (i.e. with client certificates) valid for IIS, then there is no problem connecting.
Now my problem is the following:
If I do not configure the SSL context with any client certificate to send to IIS, there is no connection with the server. What makes me think, though, is the fact that I was expecting to see some Java exception in the code as a result of a handshake failure alert.
Monitoring what is happening with Wireshark, I could not see a certificate request from IIS to my application, but I noticed that after ServerHelloDone everything was encrypted.
I did not expect that. I think the handshake is usually in cleartext.
I used the private key to decrypt the traces and I saw a certificate request from IIS, but only after many starts and openings of new connections.
My app sends back as a response a certificate of length 0 and IIS replies with a TLSv1 Finished.
After that the packets stop (i.e. it seems that the communication ends).
I was expecting a handshake alert.
My question is: is this how it is supposed to work, or at least how IIS works?
Or if I do not see the alert, is something wrong with my use case?
Thanks
It sounds like IIS is only requiring client certificates for certain URLs (i.e., for example.com/foo, but not example.com/bar).
In the initial handshake, it does not know which URL you are requesting, so it does not require a certificate. When it sees that you are requesting a restricted resource (/foo), it then rehandshakes, requiring a certificate.
However, I would still expect a handshake_failure to occur.
As I was saying in an answer to this question, as far as I remember, IIS uses renegotiation to get the client certificate. You should be able to change this behaviour using netsh and clientcertnegotiate=enable (depending on the version of IIS you're using).
You might also be interested in this similar question.
Failing to supply a certificate in response to a CertificateRequest isn't an SSL protocol error, so there is no handshake_error. 'Requiring' instead of just 'needing' client certificates is added in by SSL libraries, and all they can do if you don't send one is just close the connection.
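As an added illustration of the last answer (this is not code from the question or any of the answers), a small Python parser over constructed plaintext TLS records shows why the Wireshark trace looks the way it does: a CertificateRequest followed by a client Certificate message whose certificate_list is empty is a well-formed exchange, so a server that insists on a client certificate simply closes the connection and no Alert record appears, unlike the constructed handshake_failure alert used for contrast. Record and handshake layouts follow RFC 2246/5246; the byte strings are constructed samples, not a capture.

```python
import struct

HANDSHAKE, ALERT = 0x16, 0x15
HS_NAMES = {11: "Certificate", 13: "CertificateRequest", 14: "ServerHelloDone", 20: "Finished"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate"}

def hs_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake message: 1-byte type, 3-byte length, body (RFC 5246 7.4)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def record(content_type: int, fragment: bytes, version=(3, 1)) -> bytes:
    """TLS record: content type, 2-byte version, 2-byte length, fragment (RFC 5246 6.2)."""
    return bytes([content_type, *version]) + struct.pack("!H", len(fragment)) + fragment

def parse_records(data: bytes) -> list:
    """Describe every handshake and alert message in a plaintext TLS record stream."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        ctype, _maj, _min, length = struct.unpack("!BBBH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + length]
        if len(frag) < length:
            raise ValueError("truncated TLS record")
        pos += 5 + length
        if ctype == ALERT and len(frag) == 2:
            out.append({"type": "Alert", "level": "fatal" if frag[0] == 2 else "warning",
                        "description": ALERT_DESC.get(frag[1], str(frag[1]))})
        elif ctype == HANDSHAKE:
            i = 0
            while i + 4 <= len(frag):  # one record may carry several handshake messages
                mtype, mlen = frag[i], int.from_bytes(frag[i + 1:i + 4], "big")
                body = frag[i + 4:i + 4 + mlen]
                i += 4 + mlen
                msg = {"type": HS_NAMES.get(mtype, f"handshake_{mtype}")}
                if mtype == 11:  # Certificate: 3-byte certificate_list length comes first
                    msg["certificate_list_len"] = int.from_bytes(body[:3], "big")
                    msg["empty"] = msg["certificate_list_len"] == 0
                out.append(msg)
        else:
            out.append({"type": f"content_type_{ctype}"})
    return out

# Constructed plaintext records (not a capture) modelled on the exchange in the question.
# Server flight: CertificateRequest (rsa_sign, no CA names) and ServerHelloDone in one record.
SERVER_FLIGHT = record(HANDSHAKE, hs_msg(13, b"\x01\x01\x00\x00") + hs_msg(14, b""))
# Client reply: Certificate carrying an empty certificate_list, i.e. "a certificate of length 0".
CLIENT_EMPTY_CERT = record(HANDSHAKE, hs_msg(11, b"\x00\x00\x00"))
# For contrast: the fatal handshake_failure alert the asker expected but never saw.
FATAL_ALERT = record(ALERT, b"\x02\x28")
```

Running parse_records over SERVER_FLIGHT + CLIENT_EMPTY_CERT yields CertificateRequest, ServerHelloDone and an empty Certificate with no Alert entry, which is exactly the point of the answer: the empty certificate is legal, and the server's only recourse is to drop the connection.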
