I'm getting below error while trying to connect twitter streaming API using IBM WAS 6.1 for public stream.
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.n.a(n.java:28)
..............
Caused by: com.ibm.jsse2.util.h: No trusted certificate found
at com.ibm.jsse2.util.g.a(g.java:24)
Below setting is used to connect public streaming API
ConfigurationBuilder cb = new ConfigurationBuilder();
cb.setDebugEnabled(true)
.setOAuthConsumerKey("kAhViQqgEGR0cdx7VCtKQ")
.setOAuthConsumerSecret("5S3FodQaLv79v8hflczXuCR1btyafRcp3UVRccOYg")
.setOAuthAccessToken("1444743066-dIsA9jRZYw3fRfO5oysYv9A3VNkqUafT7iYkhV6")
.setOAuthAccessTokenSecret("xuoqLYYGE71Qe56XKYJCnh4s1u5bSoyO4RJRmOjHH4")
.setPrettyDebugEnabled(true)
.setDebugEnabled(true)
.setUserStreamRepliesAllEnabled(true)
It looks like you're connecting to the Twitter server via SSL (https), and you haven't added its SSL certificate to your WebSphere Trust Store.
See Certificate Management and the links around it.
To me, the easiest approach is to select the "Cell Default Trust Store" and use the "Retrieve from Port" feature to import the remote server's certificate.
Related
I'm trying to access a certain API and I have been provided with a smart card which contains the certificate that I'm supposed to use to establish a SSL connection with the said API. I'm trying to do this through a Delphi appliction.
The following is the info of the certificate:
The certificate used to establish a secure connection is stored on a
smart card and it can be accessed from the PKI Applet using PKSC#11
API. The certificate is loaded in the slot / token structure on the
PKI Applet. After the certificate is extracted from the smart card (in
DER format) it can be used as a standard X.509 certificate for TLS/SSL
and HTTPS protocols.
I'm able to extract the certificate (via pkcs11CertificateStorage tool from SecureBlackbox) but I'm hvaing trouble using it for a SSL connection with Delphi.
Here's a simplified version of what I'm doing to attach the certificate to the request (using ipWorks REST component):
var
CertStorage: TsbxCertificateStorage;
ipwREST1: TipwREST;
// ...
CertStorage.Open('pkcs11://user:' + Pin + '#/' + StorageFilename + '?slot=0'+ RO);
ipwREST1.SSLCertEncodedB := CertStorage.Certificates[0].Bytes;
ipwREST1.Get('https://...');
The error that I get from the REST component:
273: Could not acquire security credentials: error 0x8009030E
Which led me to the error explanation by the component developer:
When using a certificate for client authentication, ensure the certificate's private keys are accessible. The certificate in the Windows certificate store must contain the corresponding private keys, and be marked as exportable.
and I'm not sure how to interpret this.
I've tried saving the certificate in a file, using openSSL to convert to PEM and attaching it in other ways but with no success.
I feel like I'm missing something in my approach. Any help would be appreciated, thanks.
My app fetches resources from AWS bucket (accessed thru a cloudfront).
Some of the users fails to fetch the data due to
NSURLErrorDomain Code=-1200 "An SSL error has occurred and a secure connection to the server cannot be made."
As we use AWS service I assume that the SSL certificate is fine, the fact that it happens to a small (but not small enough) portion of the users should say that the SSL certificate is OK.
Any other post I saw about this issue suggested to add a flag to App Transport Security Settings in info.plist file that will allow unsecured connection. This is not something I can (or want) to do.
Thanks for the help :)
This might happen if you're using a VPN.
But will also happen if you're using a proxy tool like Charles Proxy but haven't installed/trusted the Charles Proxy certificate.
It also happened to me when I was on a public wifi network. It seemed that some how the public wifi was doing some sort of a MITM to maybe add some ads. I didn't face the same problem when I was using LTE or a non-public wifi
I found this solution from the Apple Developer Forums which does not involve modifying the App Transport Security Settings:
And you shouldn’t need an ATS exception in your scenario. The
approach I recommend is as follows:
Set up a custom certificate authority (CA) within your organisation (many organisations already have this).
Have it issue a certificate for your private server.
Use MDM to install your organisation CA’s root certificate on your devices.
When we are connecting to AWS IoT using wss protocol on ios version 12.1.1, we were able to connect to IoT successfully, but immediately we could see onError event being triggered from IoT and then the connection gets closed. It tries to reconnect again but without any luck. The error we are getting from IoT is "{IsTrusted : true}".
We are not using any certificates, just using a profile access key and secret key.
The same build is able to connect properly on ios 12.0.1, 12.1
IOS version:12.1.1(Not working version)
AWS IOT SDK:2.0.0
iOS 12.1.1 introduced Apple's new Certificate Transparency policy. From Apple's release notes:
iOS 12.1.1 requires that publicly-trusted Transport Layer Security (TLS) server authentication certificates issued after October 15, 2018 meet the Certificate Transparency policy to be evaluated as trusted on Apple platforms.
This policy is becoming a widespread standard which Google already enforces in its Chrome browser. Amazon knew this was coming and, in response to these new policies, released updates to their MQTT backend (AWS IoT) to include appropriate certification on a new endpoint. See https://aws.amazon.com/blogs/iot/aws-iot-core-ats-endpoints/:
You must explicitly request an Amazon Trust Services endpoint for each region in your account. Any existing customer endpoint you have is most likely a VeriSign endpoint. If your endpoint has “-ats” at the end of the first subdomain, then it is an Amazon Trust Services endpoint. For example, ‘asdfasdf-ats.iot.us-east-2.amazonaws.com’ is an ATS endpoint.
In short, for my iOS App, we were using our AWS provided MQTT endpoint asdfasdf.iot.us-east-2.amazonaws.com (just an example), without the -ats. I updated the endpoint to asdfasdf-ats.iot.us-east-2.amazonaws.com and we were able to accomplish our SSL handshake.
I hope this helps with your issue! Good Luck!
I have an asp.net mvc web app that has been running in production for about 4 years. Suddenly since about a week ago, I am getting this error being returned for all calls to 3rd-party secure API's:
System.Net.WebException: The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
This is for calls to SendGrid for sending emails, calls to Azure Blob Storage for uploading of documents, calls to Connect.io for logging.
I have managed to resolve the Azure Blob Storage problem temporarily by changing the connection string to use http instead of https.
Clearly something has broken on my app server, and I have no idea where to start looking.
Please help.
Edit:
Turns out I was using a sample library provided by one of my (lesser-used) 3rd party API's, and this library had an override of
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors)
which had it's own logic about what constitutes a valid certificate!!! AARGH!
This part become key information for your problem:
I am getting this error being returned for all calls to 3rd-party
secure API's
According to MSDN blog:
This error message is caused because the process is not being able to
validate the Server Certificate supplied by the Server during an HTTPS
(SSL) request. The very first troubleshooting step should be to see
if the server supplied certificate and every certificate in the chain
is trouble free.
Because it seems that one or more third party certificates are rejected, you may configure Trusted Roots part of your certificate trust lists to include all required third party CA as part of chain to work with secure APIs from trusted sources, including reissued certificates if any.
Further details: https://technet.microsoft.com/en-us/library/dn265983.aspx
NB (Optional):
As temporary measure, you can implement this certificate validation handler in WebRole.cs until all related third-party certificates has reissued (remember this setting will trust all issued certificates, hence it's not recommended for long term usage):
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
Additional reference: http://robertgreiner.com/2013/03/could-not-establish-trust-relationship-for-the-ssl-tls-secure-channel/
Similar thing happened in our system. Our problem was TLS version. The SSL offload appliance was configured to accept only TLS 1.2. One week ago this configuration accepted all TLS versions 1.0 to 1.2.
We had to reconfigure .NET's SecurityProtocol settings like:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12;
You can use this site to test which TLS version you are using: https://www.ssllabs.com/ssltest/index.html
Try to get some information about the certificate of the servers and see if you need to install any specific certs.
The server(s) may had a cert signed by a 3rd party CA which you hadn't trusted yet. The solution is to add that CA to the Trusted Root CA list.
I want to do Client/Server communication with HTTP/HTTPS encapsulation.
The HTTPS mode is used just for encryption data, i don't need authentification.
For HTTPS connection, I created and installed certificat on server side. Is it possible to connect to server even if client has no certificat? (I think Yes but....)
PS: I developed client on Windows, Android and iOS
Thanks
Yes if the cert is signed by a recognized CA (Certificate Authority), no if self-signed.
If you look in the Keychain under System Roots you will find over 200 CAs.