How do I configure PositiveSSL on embedded yaws? - erlang

I bought a PositiveSSL certificate from ComodoSSL. These are the files I received from them:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - domain_com.crt
How do I replace the files in the following embedded yaws configuration with these?
{ssl,[{keyfile, "/home/user/Develop/yaws-2.0.2/etc/yaws/yaws-key.pem"},
{certfile, "/home/user/Develop/yaws-2.0.2/etc/yaws/yaws-cert.pem"},
{depth,0},{dhfile,"/home/yser/Develop/yaws-2.0.2/etc/yaws/dhparams.pem"}]},

I have solved this problem by combining the following files into one filename.crt:
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - domain_com.crt
Then I added the key signature I used to request the ssl certificate into a file.key file.
So the result is something like this:
{port, 443}
{ssl,[{keyfile, "/home/file.key"},
{certfile, "/home/filename.crt"},
{depth,0}]}
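A check for the combined file, as an added example that is not part of the answer above. It assembles the chain from the Comodo files in the order that Erlang's ssl application (and OpenSSL) reads a certfile, server certificate first, then verifies the chain against the root and confirms that file.key really belongs to that first certificate before yaws is restarted. The input file names are the ones from the question; chain.pem is an assumed output name.

```shell
#!/bin/sh
# Added example, not from the answer above: build the chain file yaws' certfile
# points at and check it before restarting the server. The input file names are
# the ones Comodo shipped (see the question); chain.pem is an assumed output name.

# build_chain OUT LEAF [INTERMEDIATE ...]
# Erlang's ssl application, like OpenSSL, presents the FIRST certificate in
# certfile as the server's own certificate, so the leaf must come first and the
# intermediates follow it in signing order. The root need not be in the file:
# a client that does not already trust it gains nothing from receiving it.
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    # keep only the certificate blocks; drop "Bag Attributes" or other text
    # that an export tool may have written around them
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$out"
  done
}

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_chain CHAIN KEY ROOT: succeed only if
#   1. the first certificate in CHAIN chains up to ROOT through the others, and
#   2. KEY is the private key matching that first certificate.
check_chain() {
  chain=$1; key=$2; root=$3
  tmp=$(mktemp -d) || return 1
  # `openssl x509` reads only the first block: the certificate yaws will serve
  openssl x509 -in "$chain" -out "$tmp/leaf.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
  # the chain file itself is the pool of untrusted intermediates for path building
  if ! openssl verify -CAfile "$root" -untrusted "$chain" "$tmp/leaf.pem" 2>/dev/null \
       | grep -q ': OK$'; then
    rm -rf "$tmp"; return 1
  fi
  # compare the SubjectPublicKeyInfo of the certificate with that of the private key
  cert_pub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  rm -rf "$tmp"
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# With the files from the question:
#   build_chain chain.pem domain_com.crt \
#       COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
#   check_chain chain.pem file.key AddTrustExternalCARoot.crt && echo "chain OK"
# then use {certfile, "/home/chain.pem"} and {keyfile, "/home/file.key"}.
```

If the OTP release under yaws builds the outgoing chain only from its CA database rather than from the trailing certificates in certfile, also point cacertfile in the ssl block at a file holding the two intermediates; the checks above apply unchanged.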

Related

Azure Key Vault - Certificate generation

I am using the following script to generate a new ROOT CA that will be used to generate sub-ca's and client certificates.
New-SelfSignedCertificate -CertStoreLocation "cert:\CurrentUser\My" -Subject "CN=$certificateCleanName" -KeySpec Signature -KeyUsage CertSign -TextExtension @("2.5.29.19 ={critical} {text}ca=1")
This works perfectly, but I would prefer to generate them in the Key Vault directly (via PowerShell).
I know you can generate a self signed certificate in the key vault directly with this command:
$manualPolicy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=something.com" -ValidityInMonths 24 -IssuerName Self -RenewAtNumberOfDaysBeforeExpiry 100
$certificate = Add-AzureKeyVaultCertificate -VaultName $vaultName -Name $certificateName -CertificatePolicy $manualPolicy
However, with the command above, I am not able to generate the exact same certificate properties as with the first command that I used to generate the certificate locally.
Any idea how I can specify the following arguments to create the certificate with the exact same settings directly in the KeyVault?
-KeyUsage CertSign -TextExtension @("2.5.29.19 ={critical} {text}ca=1")

IBM Mobile First - Http request failed: javax.net.ssl.SSLHandshakeException

I am trying to consume an OData service using SAP Netweaver Gateway Adapters, but I am facing an issue like the one below:
Runtime: Http request failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Here is my worklight.properties
########## MobileFirst SSL keystore
#############################################
#SSL certificate keystore location.
ssl.keystore.path=conf/default.keystore
#SSL certificate keystore type (jks or PKCS12)
ssl.keystore.type=jks
#SSL certificate keystore password.
ssl.keystore.password=<keystorepassword>
Here is my adapter.xml
<connectivity>
<connectionPolicy xsi:type="nwgateway:NWGatewayHTTPConnectionPolicyType">
<protocol>https</protocol>
<domain>mydomain</domain>
<port>myport</port>
<connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
<socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
<serviceRootUrl>/sap/opu/odata/SAP/ZBIN_POC_SRV/</serviceRootUrl>
<authentication>
<basic/>
<serverIdentity>
<client>001</client>
<username>username</username>
<password>password</password>
</serverIdentity>
</authentication>
<!-- Following properties used by adapter's key manager for choosing specific certificate from key store-->
<sslCertificateAlias></sslCertificateAlias>
<sslCertificatePassword></sslCertificatePassword>
<maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
</connectionPolicy>
</connectivity>
<procedure name="retrieveTravelAgency"/>
And also I imported default.keystore here, PFA
Here is the link I am following.
Can anyone help me out on this? Thanks in advance.
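"PKIX path building failed" means the Java runtime could not connect the certificate the gateway presented to any trust anchor in the keystore named in worklight.properties. The diagnostic a practitioner runs for it, as an added example that is not part of the question: capture what the gateway actually sends, look at who issued it, and import that issuing CA into conf/default.keystore. Host, port and password are the placeholders from adapter.xml and worklight.properties; the alias sapgateway is an assumption.

```shell
#!/bin/sh
# Added example (not part of the question): find out which CA signed the
# gateway's certificate and add that CA to the keystore named in
# worklight.properties, which is what "PKIX path building failed" asks for.
# Host, port and password are the placeholders from adapter.xml and
# worklight.properties; the alias "sapgateway" is an assumption.

# split_chain IN OUTDIR: split the PEM blocks that `openssl s_client -showcerts`
# prints (server certificate first, then whatever the server sent as its chain)
# into OUTDIR/cert1.pem, OUTDIR/cert2.pem, ... and print how many were found.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inblock = 1 }
    inblock { print > out }
    /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# fetch_chain HOST PORT OUTDIR: handshake with the gateway and save what it sent.
# -servername sends SNI, so a name-based virtual host returns the right
# certificate; the wrong certificate for the name also ends in a PKIX failure.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null \
    > "$3/s_client.txt" 2>/dev/null
  split_chain "$3/s_client.txt" "$3"
}

# issuer_of CERT: print the issuer DN, i.e. which CA you still need to trust.
# If fetch_chain found only one certificate, the gateway sends no chain at all
# and the CA certificate has to come from the SAP team.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# import_ca KEYSTORE PASSWORD ALIAS CERT: add CERT as a trusted entry to the
# keystore. Import the CA certificate (the last one the server sent, or the
# root obtained out of band), not the leaf: the leaf changes at renewal.
import_ca() {
  keytool -importcert -noprompt -trustcacerts \
    -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# has_alias KEYSTORE PASSWORD ALIAS: confirm the entry landed in the store
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Typical run against the adapter's target:
#   d=$(mktemp -d); n=$(fetch_chain mydomain myport "$d")
#   issuer_of "$d/cert$n.pem"
#   import_ca conf/default.keystore '<keystorepassword>' sapgateway "$d/cert$n.pem"
#   has_alias conf/default.keystore '<keystorepassword>' sapgateway && echo imported
```

Restart the server after the import so the adapter reloads the keystore; if the error persists, compare the certificate's subject alternative names with the value in `<domain>`, since a name mismatch produces the same exception class.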

Handoff and Universal Links failed on iOS 9

I am setting up my apple-app-site-association file following this tutorial:
Handoff works on iOS 8 but handoff does not work on iOS 9.
I set up a free hosting site and uploaded the apple-app-site-association file to the root of the website: universallink.net46.net
1. I created a JSON file and named it handoff.json:
{
"activitycontinuation":
{
"apps": ["XXXXXXXXXX.com.home.handoff"]
},
"applinks":
{
"apps":[],
"details":
{
"XXXXXXXXXX.com.home.handoff":
{
"paths":["*"]
}
}
}
}
The XXXXXXXXXX here is the team ID of the Distribution provisioning profile.
I used the Keychain Access app to export an iPhone Distribution certificate to a Certificates.p12 file.
I signed the JSON file with these commands:
Create a certificate in the openssl command.
openssl pkcs12 -in Certificates.p12 -clcerts -nokeys -out output_crt.pem
Create a secret key.
openssl pkcs12 -in Certificates.p12 -nocerts -nodes -out output_key.pem
Create an intermediate certificate.
openssl pkcs12 -in Certificates.p12 -cacerts -nokeys -out sample.ca-bundle
Sign the handoff.json file with the following command.
cat handoff.json | openssl smime -sign -inkey output_key.pem -signer output_crt.pem -certfile sample.ca-bundle -noattr -nodetach -outform DER> apple-app-site-association
I uploaded the signed file "apple-app-site-association" onto the root of website universallink
I configured the entitlement:
<dict>
<key>com.apple.developer.associated-domains</key>
<array>
<string>activitycontinuation:www.universallink.net46.net</string>
<string>activitycontinuation:universallink.net46.net</string>
<string>applinks:www.universallink.net46.net</string>
<string>applinks:universallink.net46.net</string>
</array>
</dict>
I implemented the function application:continueActivity... and returned YES.
I installed the app on the iOS 9 beta 4 device and also installed the Certificates.p12 at step 3 into the device.
I sent myself a message with the link to the universallink website.
I expected my app would be launched, but actually it was Safari.
I don't know if I did something wrong.
You are signing it wrong. You need a
certificate and key for an identity issued by a certificate authority trusted by iOS
See apples official documentation here: https://developer.apple.com/library/prerelease/ios/documentation/UserExperience/Conceptual/Handoff/AdoptingHandoff/AdoptingHandoff.html#//apple_ref/doc/uid/TP40014338-CH2-SW10
I think this:
"details":
{
"XXXXXXXXXX.com.home.handoff":
{
"paths":["*"]
}
}
Should be this:
"details": [{
"appID": "XXXXXXXXXX.com.home.handoff",
"paths": ["*"]
}]
I was trying to make it work by using a local server (an OTA HTTPS Python server) with a self-created SSL certificate, and it didn't work. I could track the communications and listen to the channel, but in the different tests I tried, the JSON file was never asked for, so there is the problem: the SSL certificate.
Go to https://support.apple.com/en-gb/HT205205, as "not all the root certificates" are supported by Apple (most of them are, though).

Getting an error while Connecting to APNS server

source: www.raywenderlich.com/32960/apple-push-notification-services-in-ios-6-tutorial-part-1
Terminal Command:
Initiums-iMac:Desktop initium$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem
Terminal Response:
CONNECTED(00000003) depth=1 /C=US/O=Entrust,
Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009
Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
3122:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s3_pkt.c:1106:SSL
alert number 40
3122:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:/SourceCache/OpenSSL098/OpenSSL098-47.2/src/ssl/s23_lib.c:182:
Following the tutorial www.raywenderlich.com/32960, I think I faced the same issue... almost.
Anyways, I think it was because I had goofed up with the .p12 file specifically.
Did you export the correct private key from inside "Keychain Access > Keys"?
This part comes under "Generating the Certificate Signing Request (CSR)" where you have to export the private key as a p12 file.
Delete all the unnecessary certificates and keys, start from scratch and closely follow the tutorial.

MQTT:SSL routines:SSL3_GET_RECORD:wrong version number

I am trying to use SSL with MQTT and get the following error:
1379677998: Client connection from 127.0.0.1 failed: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.
1379678058: OpenSSL Error: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
1379678058: Socket read error on client (null), disconnecting.
My conf file has settings as below:
port 8883
cafile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/test-root-ca.crt (also tried all-ca.crt here)
certfile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/server.crt
keyfile /home/administrator/Downloads/mosquitto-1.2.1_dilip/test/ssl/server.key
tls_version tlsv1
require_certificate true (tried commenting this too)
and I run 08-ssl-connect-cert-auth.test from the test folder. Code snippet included below:
mosquitto_tls_opts_set(mosq, 1, "tlsv1", NULL);
mosquitto_tls_set(mosq, "../ssl/test-root-ca.crt", "../ssl/certs", "../ssl/client.crt", "../ssl/client.key", NULL);
mosquitto_connect_callback_set(mosq, on_connect);
mosquitto_disconnect_callback_set(mosq, on_disconnect);
rc = mosquitto_connect(mosq, "localhost", 8883, 60);
Environment info:
Python 2.7.3
OpenSSL 1.0.1 14 Mar 2012
Description: Ubuntu 12.04.2 LTS
Release: 12.0
mosquitto-1.2.1/mosquitto-1.2
Please let me know what could be going wrong here. I also tried generating certificates using gen.sh.
Thanks in advance.
-Dilip
On a general note - you should be generating your own certificates, don't use the ones provided by mosquitto for testing, or use the gen.sh script without modifying it for your own details.
To use the certificates provided, you should be using all-ca.crt in the broker. It contains the example root CA and intermediary CA certificates. The client only requires the root CA for verification purposes.
You are using a full path to the certificates in the broker configuration, but relative paths in the client. Are you sure that they are both correct?
Have you tried running the tests unmodified with make test? This would tell you if there is a problem with your openssl installation for example.
