Jetty 9 - Enable OCSP Stapling for domain-validated certificate
I'm having some issues in enabling OCSP stapling in Jetty 9 and I really hope that someone can help me here...hopefully!
For my tests I purchased an SSL certificate from PositiveSSL (Comodo), which gave me a valid/trusted certificate. The domain in this example is "dev.mydomain.com", and it will simply point to my local ip (127.0.0.1).
I then transformed the provided certificate into the Java keystore format.
# Convert certificate to pkcs12
openssl pkcs12 -export -out dev.mydomain.com.pkcs12 -inkey dev.mydomain.com.key -in dev_mydomain_com.crt
# Create java keystore
keytool -importkeystore -srckeystore dev.mydomain.com.pkcs12 -srcstoretype pkcs12 -destkeystore dev.mydomain.com.keystore -deststoretype JKS
This is the simplified Java code I used for creating the Jetty server, activate the certificate, listen on the 443 port (https), and in theory activate OCSP:
Server _server = new Server(); // org.eclipse.jetty.server.Server
HttpConfiguration httpsConfig = new HttpConfiguration();
HttpConnectionFactory http1 = new HttpConnectionFactory(httpsConfig);
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("dev.mydomain.com.keystore");
sslContextFactory.setKeyStorePassword("mypass");
sslContextFactory.setKeyManagerPassword("mypass");
// sslContextFactory.setValidateCerts(true); // tested
sslContextFactory.setEnableOCSP(true);
SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, http1.getProtocol());
// SSL Connector
ServerConnector sslConnector = new ServerConnector(_server, ssl, http1);
sslConnector.setHost("127.0.0.1");
sslConnector.setPort(443);
_server.addConnector(sslConnector);
_server.start();
_server.join();
On Java VM startup I'm also enabling these system properties:
Security.setProperty("ocsp.enable", "true");
System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
After several tries, I tried also importing the certificate chain into the keystore, but it didn't make any difference on the outcome.
keytool -import -trustcacerts -alias ca -file COMODORSAAddTrustCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias dv -file COMODORSADomainValidationSecureServerCA.crt -keystore dev.mydomain.com.keystore
keytool -import -trustcacerts -alias te -file AddTrustExternalCARoot.crt -keystore dev.mydomain.com.keystore
To test whether OCSP was correctly enabled I used a tool called sslyze, but whatever I tried to do the response for OCSP was always negative:
OCSP Stapling - NOT SUPPORTED - Server did not send back an OCSP response
Here is the full output of sslyze:
C:\Tools\sslyze-1_4_1>sslyze --certinfo dev.mydomain.com:443
AVAILABLE PLUGINS
-----------------
OpenSslCipherSuitesPlugin
RobotPlugin
CertificateInfoPlugin
FallbackScsvPlugin
SessionRenegotiationPlugin
HeartbleedPlugin
CompressionPlugin
OpenSslCcsInjectionPlugin
SessionResumptionPlugin
HttpHeadersPlugin
CHECKING HOST(S) AVAILABILITY
-----------------------------
dev.mydomain.com:443 => 127.0.0.1
SCAN RESULTS FOR DEV.MYDOMAIN.COM:443 - 127.0.0.1
------------------------------------------------
* Certificate Information:
Content
SHA1 Fingerprint: 7c398c59bac3a231efc9823c6958a7bc711bfc0e
Common Name: dev.mydomain.com
Issuer: COMODO RSA Domain Validation Secure Server CA
Serial Number: 103185809289011988533713848804380317148
Not Before: 2018-04-18 00:00:00
Not After: 2019-04-18 23:59:59
Signature Algorithm: sha256
Public Key Algorithm: RSA
Key Size: 2048
Exponent: 65537 (0x10001)
DNS Subject Alternative Names: ['dev.mydomain.com', 'www.dev.mydomain.com']
Trust
Hostname Validation: OK - Certificate matches dev.mydomain.com
Android CA Store (8.1.0_r9): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
iOS CA Store (11): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
macOS CA Store (High Sierra): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Mozilla CA Store (2018-01-14): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Windows CA Store (2018-02-09): FAILED - Certificate is NOT Trusted: unable to get local issuer certificate
Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate
Received Chain: dev.mydomain.com
Verified Chain: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Contains Anchor: ERROR - Could not build verified chain (certificate untrusted?)
Received Chain Order: OK - Order is valid
Verified Chain contains SHA1: ERROR - Could not build verified chain (certificate untrusted?)
Extensions
OCSP Must-Staple: NOT SUPPORTED - Extension not found
Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more
OCSP Stapling
NOT SUPPORTED - Server did not send back an OCSP response
SCAN COMPLETED IN 0.78 S
------------------------
Sorry for the long post, but I tried to provide as much details as possible!
Thank you! Yuvi
See also questions close to this topic
-
Java screen how to make the input line always be below
My problem is: When i scan for user input in this method
public static void listenForCommand() { @SuppressWarnings("resource") final Scanner s = new Scanner(System.in); System.out.print(">"); final String line = s.nextLine(); String[] args = new String[line.split(" ").length-1]; for (int i = 1; i < line.split(" ").length; i++) args[i-1] = line.split(" ")[i]; commandEntered(line.split(" ")[0], args); }then there is "> " but if something gets printed or logged then it looks like this https://imgur.com/a/M5TE51b (i cant use Image format because it says: "You need at least 10 reputation to post images." and i dont have 10 repuation.)
So how do i fix this? Are there some apis or libraries for this? I want that it looks like spigot or bukkit.
My Command Listener Class: When the console gets input, it will split the first word in to the command and everything else are the args. Then it asks for every registered command in the main if there is a command registered with entered commandname.
package at.gebes.utils.command; import java.util.Scanner; import at.gebes.bot.Bot; public final class CommandListener { public static String[] commandNames = new String[1000]; public static String[] commandDescriptions = new String[1000]; private static CommandExecutor[] CommandClasses = new CommandExecutor[1000]; public static int counter = -1; public static void registerCommand(final String CommandName, final String CommandDescription, final CommandExecutor CommandClass) { counter++; commandNames[counter] = (CommandName); commandDescriptions[counter] = (CommandDescription); CommandClasses[counter] = CommandClass; } public static void listenForCommand() { @SuppressWarnings("resource") final Scanner s = new Scanner(System.in); System.out.print(">\n"); final String line = s.nextLine(); //final String line = System.console().readLine(); String[] args = new String[line.split(" ").length-1]; for (int i = 1; i < line.split(" ").length; i++) args[i-1] = line.split(" ")[i]; commandEntered(line.split(" ")[0], args); } public static void commandEntered(final String cmd, final String[] args) { if (counter < 0) { return; } boolean commandExists = false; try { for (int i = 0; i <= counter; i++) { if (commandNames[i].equalsIgnoreCase(cmd)) { CommandClasses[i].onCommand(commandNames[i], args); commandExists = true; break; } } } catch (final NullPointerException e) { e.printStackTrace(); } if (!commandExists) { Bot.getLogger().info("Unknown Command. Try \"help\" for a list of commands."); } }}
-
Trying to switch scene inside a controller and it returns InvocationTargetException
Caused by: java.lang.NullPointerException: Location is required. at javafx.fxml.FXMLLoader.loadImpl(FXMLLoader.java:3207) at javafx.fxml.FXMLLoader.loadImpl(FXMLLoader.java:3175) at javafx.fxml.FXMLLoader.loadImpl(FXMLLoader.java:3148) at javafx.fxml.FXMLLoader.loadImpl(FXMLLoader.java:3124) at javafx.fxml.FXMLLoader.loadImpl(FXMLLoader.java:3104) at javafx.fxml.FXMLLoader.load(FXMLLoader.java:3097) at cypher.choose.ChooseController.encrypt(ChooseController.java:30) ... 58 moreI get this error from the code in the controller:
@FXML public void encrypt(ActionEvent event) throws IOException{ Stage primaryStage = (Stage)((Node)event.getSource()).getScene().getWindow(); Parent encrypt = FXMLLoader.load(getClass().getResource("cypher/encrypt/encrypt.fxml")); Scene encryptScene = new Scene(encrypt,800,500); primaryStage.setScene(encryptScene); }This is the layout of my package:
I'm sure similar questions have been asked but I've been looking for a while and couldn'y find the answer
-
Why would a class be able to cast an unrelated class with only a runtime error but not a compiler error
Here's my code:
public class A { int size = 100; public int getSize() { return size; } interface D { } class B implements D { } class C { int size = 999; public int getSize() { return size; } } public void test() { D d = new B(); System.out.println(((C) d).getSize()); } public static void main(String[] args) { A a = new A(); a.test(); } }The code compiles without any compiler error. Why wouldn't it have a compiler error. Class C does not have any relationship with the reference type class D and the actual class type B. How did it pass the compiler check for type casting?
-
Apache2 can't use SSL after upgrade (Solved)
After a global upgrade (apt-get upgrade) Apache2 won't work with SSL anymore.
Ubuntu 16
Apache version : 2.4.37
OpenSSL version : OpenSSL 1.1.1-pre7 (beta) 29 May 2018
LD_LIBRARY_PATH=/usr/local/lib
When I try to start the service I get the following error :
Dec 12 18:43:59 labo apachectl[1677]: apache2: Syntax error on line 146 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/ssl.load: Cannot load /usr/lib/apache2/modules/mod_ssl.so into server: /usr/lib/apache2/modules/mod_ssl.so: symbol SSL_CTX_set_post_handshake_auth, version OPENSSL_1_1_1 not defined in file libssl.so.1.1 with link time reference
If I disable ssl from apache2 I can successfully start the service.
I tried to reinstall apache2 & openssl, it doesn't get any better.
Google can't help.
Any idea ?
Found the problem :
The OpenSSL version I was using was the wrong one. I compiled OpenSSL1.1.1-pre7 several months ago to fit some security requirements. Apparently the upgrade didn't update OpenSSL to the good version (OpenSSL 1.1.1 11 Sep 2018).
the following steps made the correction :
~# sudo a2dismod ssl ~# sudo apt-get purge openssl ~/openssl-1.1.1-pre7# make uninstall //Uninstall the version I build ~# sudo apt-get install openssl ~# sudo a2enmod ssl -
Create ssl certificate for java website running on Tomcat server
I have recently signed up on Cloudflare.com for ssl connection. But I don’t have any idea how to install ssl certificate on my java website running on Tomcat server. So can anyone please show me step by step how to activate ssl on my java website.
-
How can I confirm a handshake was completed with SSL Sockets in Java?
Here's some pseudocode
Client: boolean sent = false; byte[] message = new String("test").getBytes(); send() { sent = sslSocket.sendMessage(message); if (sent) sslSocket.close(); }I'm writing tests that should be fairly quick. Once the
Clientsuccessfully sends a message, it should close immediately. In my tests, theClientreturnssent == true, so the socket closes. However, theServeris throwing areceived close_notify during handshakeexception. This exception does not happen when I useThread.sleep(200)right before closing theClient.Our sockets are our own abstractions and wrappers for Java's sockets. From this post, I have to assume that the Server has not completed the handshake, but the
Clienthas? Why else wouldsentreturntrue? I can't confirm that the message actually HAS been received by theServer, however, because the exception is thrown immediately. I only haveClientsentboolean to rely on.So my question is how can I confirm the handshake was completed?
Thank you for the help, and sorry for any ambiguity! I can clear any confusions!
-
CryptQueryObject systematically falls
I try to integrate root certificate installation within my programm installer. I have to create an object from certificate and then add it to the store.
const std::string cert = R"cert( -----BEGIN CERTIFICATE----- /***/ -----END CERTIFICATE----- )cert"; PCCERT_CONTEXT pCertCtx = NULL; CRYPT_INTEGER_BLOB blob; blob.pbData = (BYTE*)cert.c_str(); bool result = CryptQueryObject(CERT_QUERY_OBJECT_BLOB, &blob, CERT_QUERY_CONTENT_FLAG_CERT, CERT_QUERY_FORMAT_FLAG_BASE64_ENCODED, 0, NULL, NULL, NULL, NULL, NULL, (const void**)&pCertCtx); if (!result) { DWORD errorMessageID = ::GetLastError(); LPSTR messageBuffer = nullptr; size_t size = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, errorMessageID, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPSTR)&messageBuffer, 0, NULL); std::string message(messageBuffer, size); //Free the buffer. LocalFree(messageBuffer); return ERROR_INSTALL_FAILURE; }I make my own dll with this custom action and add this to WiX.
<Binary Id="pathFixer" SourceFile="$(var.product.inputFilesDir)\path-fixer.dll" /> <Binary Id="additionalActions" SourceFile="$(var.product.inputFilesDir)\additional-actions.dll" /> <CustomAction Id="SetNativeMessageHostPath" BinaryKey="pathFixer" DllEntry="SetNativeMessageHostPath" Execute="deferred" Impersonate="no"/> <CustomAction Id="SetInstallDir" Property="SetNativeMessageHostPath" Value="[INSTALLDIR]" Execute="immediate" /> <CustomAction Id="installRootCert" BinaryKey="additionalActions" DllEntry="installRootCert" Execute="deferred" Impersonate="no"/> <CustomAction Id="ResetOldVersionFound" Property="OTHER_VERSION_FOUND" Value="" Execute="immediate" /> <CustomAction Id="GetPerUserOldVersionFound" Property="USER_OTHER_VERSION_FOUND" Value="[OTHER_VERSION_FOUND]" Execute="immediate" /> <CustomAction Id="GetPerMachineOldVersionFound" Property="MACHINE_OTHER_VERSION_FOUND" Value="[OTHER_VERSION_FOUND]" Execute="immediate" /> <CustomAction Id="SetPerUserOldVersionToRemove" Property="OTHER_VERSION_FOUND" Value="[USER_OTHER_VERSION_FOUND]" Execute="immediate" /> <CustomAction Id="SetPerMachineOldVersionToRemove" Property="OTHER_VERSION_FOUND" Value="[MACHINE_OTHER_VERSION_FOUND]" Execute="immediate" /> <InstallExecuteSequence> <Custom Action="SetPerUserOldVersionToRemove" Before="RemoveExistingProducts">MSIINSTALLPERUSER=1</Custom> <Custom Action="SetPerMachineOldVersionToRemove" Before="RemoveExistingProducts">MSIINSTALLPERUSER=""</Custom> <Custom Action="SetInstallDir" After="InstallInitialize"/> <RemoveExistingProducts After="InstallInitialize" /> <InstallExecute After="RemoveExistingProducts" /> </InstallExecuteSequence> <Media Id="1" Cabinet="$(var.project.name).cab" EmbedCab="yes" CompressionLevel="high" /> <CustomAction Id="SetPerUserFolder" Directory="APPLICATIONFOLDER" Value="[AppDataFolder]" Execute="immediate" /> <CustomAction Id="SetPerMachineFolder" Directory="APPLICATIONFOLDER" Value="[ProgramFilesFolder]" Execute="immediate" /> <InstallExecuteSequence> <Custom Action="SetPerUserFolder" After="CostFinalize">NOT Installed AND MSIINSTALLPERUSER=1</Custom> <Custom Action="SetPerMachineFolder" After="SetPerUserFolder">NOT Installed AND MSIINSTALLPERUSER=""</Custom> <Custom Action="SetNativeMessageHostPath" After="PublishProduct">NOT REMOVE</Custom> <Custom Action="installRootCert" After="PublishProduct">NOT REMOVE</Custom> </InstallExecuteSequence>Debuging says directly that due installing functions is executed. But with some magic operations like join MessageBox, Debuging, i take from
CryptQueryObjecttrueandfalseperiodcly, but not systematicly.GetLastErrorsaysParameter is incorrect. Why could this happen? -
Api Certificate Authentication is used
I am working with an external api that use a certificate authentication.
And i want to test the request with Postman
So here is what i did :
1) I put the url on postman
2) I put the method POST (because it's a post method) + the json content
Ok so step 1) and 2) are the steps that i often do so i don't think that the problem is here
3) The api use the certificate authentification so i put the parameters to settings->Certificates
For the api security i have a pfx file. With this file i did that tutorial and i extract the crt file and key file that i put to postman and after this the request time out ...
This is my first time using this security so i don't know if i have to do it like this ... here is the tutorial that help me
-
How to validate self signed certificate of a server
I am trying to validate self sign certificate issued by local Root CA. My application also has the same Root CA. I am using a proxy service to reach server. The basic role of the proxy service is simple redirecting the request to server. Below is the code I am trying to use it
package main import ( "net/http" "crypto/tls" "log" "crypto/x509" "flag" ) const localCertFile = `-----BEGIN CERTIFICATE----- MIIDwzCCAqugAwIBAgIJAI6nmnGw6bGbMA0GCSqGSIb3DQEBCwUAMIGgMQswCQYD VQQGEwJVUzETMBEGA1UECAwKTmV3IEplcnNleTEWMBQGA1UEBwwNQmFza2luZyBS aWRnZTESMBAGA1UECgwJQXZheWEgSW5jMQwwCgYDVQQLDANHQ1MxIDAeBgNVBAMM F2Nsb3VkLXRydXN0Y2EuYXZheWEuY29tMSAwHgYJKoZIhvcNAQkBFhFzdXBwb3J0 QGF2YXlhLmNvbTAeFw0xODA1MjUxMDE2MjNaFw0yODA1MjIxMDE2MjNaMIGgMQsw CQYDVQQGEwJVUzETMBEGA1UECAwKTmV3IEplcnNleTEWMBQGA1UEBwwNQmFza2lu ZyBSaWRnZTESMBAGA1UECgwJQXZheWEgSW5jMQwwCgYDVQQLDANHQ1MxIDAeBgNV BAMMF2Nsb3VkLXRydXN0Y2EuYXZheWEuY29tMSAwHgYJKoZIhvcNAQkBFhFzdXBw b3J0QGF2YXlhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKJp sdLWk3S9MefVajUSaEZf4pjo58Z6t3vqvxNaJ1oDBDRuBJZzHv4Grs7SfQFnzRRH ivZTa6vNHJCaDMds5qztf6BhpyEwwdQdtCCQgiaAIV1HuLA1dnR4iAT2jUH4Pvxt /BDj60j2YDFfV5j6Fh20lH5sKpkVEftPZ8PClEhqJ286h+U3i96WnTR54FIu6DKU 4RQjp3Cu2an/824HjNSLy5Tgr5N3RrosOJ4cZga9663p0DuIfpkQUvf+uPPafKUO Ct90QwFpEDrX7jYB1VIy9by4OI/UvZjijCJ4Q/5Xl+SKZLD1gs5/QXSccOSyayEk 7/941MbGqwKjZXcszC8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAihQiDedCG3un V0TWmo9e4gHkoMfMgeKOEtNLiIFejZjMILyiY9/bv/vemp27WR1tbKz/Mo/zcJbU oxDyHrEszp4ZYAwK2vFRT1T2r3rIGgUf4XyPSu8fEYLnPeCdm3BFpCrC4jIsaxJ3 BJYvmFUSCLw1IjcgCrBp4lpMRKySjCPpZiisldDBKrJrulNwx7g1I1CYxLn2jkIu b/uL0SOJPDMriS3UZ0eqByBJTZ57rkVAeW6VUbwXxIBXQX1aC2PIT2n1svywHgY2 HlK5YUaCPPL3C1MiL2Qn9ZIQwcW/eY758polgOQIo6iys9MkG7sdYlpP61V5tZud 6FqDS2taqA== -----END CERTIFICATE-----` func main() { insecure := flag.Bool("insecure-ssl", false, "Accept/Ignore all server SSL certificates") flag.Parse() rootCA, _ := x509.SystemCertPool() if rootCA == nil { rootCA = x509.NewCertPool() } /*cert, err := ioutil.ReadFile(localCertFile) if err != nil { log.Fatalf("Failed to append %q to RootCAs: %v", localCertFile, err) }*/ if ok := rootCA.AppendCertsFromPEM([]byte(localCertFile)); !ok { log.Println("No certs appended, using system certs only") } config := &tls.Config{ InsecureSkipVerify: *insecure, RootCAs: rootCA, //ServerName: "trust.170918167.comsubjectKeyIdentifier = hash", } tr := &http.Transport{TLSClientConfig: config} client := &http.Client{Transport: tr} req, _ := http.NewRequest(http.MethodGet, "https://cmm-register.default.svc.cluster.local:7070/MediaManager/ws/sysconfig", nil) resp, err := client.Do(req) if err != nil { log.Fatal(err) } log.Println(resp) //Error when ServerName is diabled //Get https://service:7070/sysconfig: x509: certificate is valid for trust.170918167.comsubjectKeyIdentifier = hash, not service //When ServerName is set //Get https://service:7070/sysconfig: x509: certificate signed by unknown authority (possibly //because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "cloud-trustca.test.com") }So how to fix this issue as I need to validate the server certificate using the same CA. When I try to use openssl to verify the server certificate it get validated properly using the same root ca.
Currently I am using Go v1.9.
-
Waiting in a Jetty thread
In my
Spring Bootweb app I make two calls to a legacy system. When the first call returns I need to wait some time before making the second call.I don't want to
sleepin my thread, but to return it to the pool until some time has passed and I can make the second call.So the question is: How could I implement this?
-
jax-rs web service giving 404 when using embedded jetty
This has been bugging me for the past 2 days now.My problem is that i have developed a jax-rs web service using embedded jetty and this works completely fine as a standalone project.The problem arises when i try to call the main method that starts the jetty server via reflection from another code. I have cross checked that there are no class-loader issues (apparently as no error is being thrown) but the path at which i access my web service returns 404,no errors are thrown.I can see from the logs that the server is starting just fine but the rest endpoint is not being hit or resolved or whatever is the reason for 404.Also note that the dependent jars for that project as well as the class containing the main method are being loaded via a url classloader created from the urls of the source files and jars. Desperately need help
Code that starts jetty server
public void startJettyServer() {
try { /* code to enable logging in jetty */ StdErrLog logger = new StdErrLog(); logger.setLevel(1); Log.setLog(logger); ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS); context.setContextPath("/"); /* * code to enable startup listeners StartupListener sup=new * StartupListener(); context.addEventListener(sup); */ Server jettyServer = new Server(8080); jettyServer.setHandler(context); ServletHolder jerseyServlet = context.addServlet(org.glassfish.jersey.servlet.ServletContainer.class, "/*"); jerseyServlet.setInitOrder(0); //jerseyServlet.setInitParameter("jersey.config.server.provider.classnames", //org.demonking.JettyServiceApp.class.getCanonicalName()); jerseyServlet.setInitParameter("jersey.config.server.provider.packages", "org.demonking"); System.out.println("i am here"); jettyServer.start(); // jettyServer.join(); // jettyServer.stop(); } catch (Exception e) { e.printStackTrace(); } finally { // jettyServer.destroy(); } }code that calls this method
public static void main(String[] args) throws ClassNotFoundException { // TODO Auto-generated method stub try { AppServer appServer = new AppServer(); appServer.startJettyServer(); System.out.println("exiting main"); } catch (Exception ex) { System.out.println("in exception in app class"); ex.printStackTrace(); } }Code that calls the main method via reflection
List<URL> urlsR = new ArrayList<URL>(); //location of source files File file = new File("C:\\Users\\DemonKing\\Documents\\eclipseprojects\\JettyDemo\\bin\\"); // convert the file to URL format URL url = file.toURI().toURL(); urlsR.add(url); //location of dependent jars File file2 = new File("F:\\JettyJarsComplete"); for (File child : file2.listFiles()) { File resFile = new File(file2 + "\\" + child.getName()); System.out.println(resFile); URL url2 = resFile.toURI().toURL(); urlsR.add(url2); } URL[] urls = urlsR.toArray(new URL[urlsR.size()]); // load this folder into Class loader ClassLoader cl = new URLClassLoader(urls); Class<?> cls = cl.loadClass("org.demonking.App"); Method m = cls.getDeclaredMethod("main", String[].class); m.invoke(null, (Object) null); -
LDAP err32 on Jetty JAAS setting with Openldap
I try to LDAP JAAS configuraion with openldap. I got err32 which is not found object error.
5c10ab9e conn=1033 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" method=128 5c10ab9e conn=1033 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0 5c10ab9e conn=1033 op=0 RESULT tag=97 err=0 text= 5c10ab9e conn=1033 op=1 SRCH base="ou=group,dc=example,dc=org" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(member=uid=joe,ou=people,dc=example,dc=org))" 5c10ab9e conn=1033 op=1 SRCH attr=cn 5c10ab9e conn=1033 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=Please help me to make this correct.
Here is my setting
login.conf
xyz { org.eclipse.jetty.jaas.spi.LdapLoginModule required debug="true" contextFactory="com.sun.jndi.ldap.LdapCtxFactory" hostname="localhost" port="389" bindDn="cn=admin,dc=example,dc=org" bindPassword="admin" authenticationMethod="simple" forceBindingLogin="true" userBaseDn="ou=people,dc=example,dc=org" userRdnAttribute="uid" userIdAttribute="uid" userPasswordAttribute="userPassword" userObjectClass="person" roleBaseDn="ou=group,dc=example,dc=org" roleNameAttribute="cn" roleMemberAttribute="member" roleObjectClass="groupOfNames"; };user and group ldif file
# People, example.org dn: ou=people,dc=example,dc=org ou: people objectClass: organizationalUnit # Groups, example.org dn: ou=group,dc=example,dc=org ou: group objectClass: organizationalUnit dn: uid=joe,ou=people,dc=example,dc=org objectClass: person objectClass: inetOrgPerson uid: joe cn: Joe Doe sn: Doe givenName: Joe userPassword: joe description: This is an example user dn: uid=tom,ou=people,dc=example,dc=org objectClass: person objectClass: inetOrgPerson uid: tom cn: Tom Cruise sn: Tom givenName: Cruise userPassword: tom description: This is an example user dn: cn=c3admin,ou=group,dc=example,dc=org objectClass: groupOfNames cn: c3admin member: uid=joe,ou=people,dc=example,dc=org dn: cn=c3viewer,ou=group,dc=example,dc=org objectClass: groupOfNames cn: c3viewer member: uid=tom,ou=people,dc=example,dc=organd running openldap on docker.
docker run -p 389:389 -p 689:689 --name my-openldap-container --detach osixia/openldap:1.2.2this docker create basic setting and has admin (DN: cn=admin,dc=example,dc=org)
When I try to login with user id joe, password joe, I got err 32 error.
This is openldap log.
5c10ab9e conn=1032 fd=13 ACCEPT from IP=172.17.0.1:36146 (IP=0.0.0.0:389) 5c10ab9e conn=1032 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128 5c10ab9e conn=1032 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0 5c10ab9e conn=1032 op=0 RESULT tag=97 err=0 text= 5c10ab9e conn=1032 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=3 filter="(&(objectClass=person)(uid=joe))" 5c10ab9e conn=1032 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= 5c10ab9e conn=1033 fd=14 ACCEPT from IP=172.17.0.1:36150 (IP=0.0.0.0:389) 5c10ab9e conn=1033 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" method=128 5c10ab9e conn=1033 op=0 BIND dn="uid=joe,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0 5c10ab9e conn=1033 op=0 RESULT tag=97 err=0 text= 5c10ab9e conn=1033 op=1 SRCH base="ou=group,dc=example,dc=org" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(member=uid=joe,ou=people,dc=example,dc=org))" 5c10ab9e conn=1033 op=1 SRCH attr=cn 5c10ab9e conn=1033 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=this is jetty server error.
javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'ou=group,dc=example,dc=org' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3179) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2891) at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1846) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1786) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:418) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:396) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:378) at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:286) at org.eclipse.jetty.jaas.spi.LdapLoginModule.getUserRolesByDn(LdapLoginModule.java:358) 2018-12-12 01:33:02.313:WARN:oejj.JAASLoginService:qtp1359044626-13: javax.security.auth.login.LoginException: Error obtaining user info. at org.eclipse.jetty.jaas.spi.LdapLoginModule.login(LdapLoginModule.java:472) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)ldap.conf file has only tls configuration like below.
# TLS certificates (needed for GnuTLS) TLS_CACERT /container/service/slapd/assets/certs/ca.crt TLS_REQCERT demand -
Certificate Revocation List check Failed in IE - Is there a fix in server side?
There is a security alert for my website in Internet Explorer- "Revocation Information for the security certificate for the site is not available...". There are no such errors in Chrome or Firefox. On doing a bit of research, I was able to find out that Chrome/Firefox are using OCSP for checking if the certificate is revoked or not. Also, there is a alternative OCSP stapling that I could configure in my web server.
My Questions are,
- Why Internet explorer is failing the Certificate Revocation Status check process while the other browsers are succeeding?
- Is there a fix that we could do in the server to fix this problem in server side for Internet explorer without OCSP feature ?
- Is this a real vulnerability?
Thanks, Haleem.
-
Check for TLS certificate revocation in open jdk
Check for TLS certificate revocation using CRL and OCSP are enabled by default in open jdk?
-
OCSP Verifier to check a given certificate
I´m trying to implement an OCSP verifier to check if a given Certificate is still valid or already revoked. I have the following code
public class ValidateCertUseOCSP { /* * Filename that contains the root CA cert of the OCSP server's cert. */ private static final String ROOT_CA_CERT = "C:\\Users\\Computer\\Desktop\\DigiCertSHA2SecureServerCA_cert_out.pem"; /* * Filename that contains the OCSP server's cert. */ private static final String OCSP_SERVER_CERT = "C:\\Users\\Computer\\Desktop\\gearbest_cert_out.pem"; /** * Checks the revocation status of a public key certificate using OCSP. * * Usage: java ValidateCert <cert-file> [<OCSP-server>] * <cert-file> is the filename of the certificate to be checked. * The certificate must be in PEM format. * <OCSP-server> is the URL of the OCSP server to use. * If not supplied then the certificate must identify an OCSP * server by means of its AuthorityInfoAccess extension. * If supplied then it overrides any URL which may be present * in the certificate's AuthorityInfoAccess extension. * * Example: java \ * -Dhttp.proxyHost=proxy.example.net \ * -Dhttp.proxyPort=8080 \ * ValidateCert \ * mycert.pem \ * http://ocsp.openvalidation.org:80 * @param args */ public static void main(String[] args) { try { CertPath cp = null; Vector<X509Certificate> certs = new Vector<X509Certificate>(); URI ocspServer = null; if (args.length == 0 || args.length > 2) { System.out.println( "Usage: java ValidateCert <cert-file> [<OCSP-server>]"); System.exit(-1); } // load the cert to be checked certs.add(getCertFromFile(args[0])); // handle location of OCSP server if (args.length == 2) { ocspServer = new URI(args[1]); System.out.println("Using the OCSP server at: " + args[1]); System.out.println("to check the revocation status of: " + certs.elementAt(0)); System.out.println(); } else { System.out.println("Using the OCSP server specified in the " + "cert to check the revocation status of: " + certs.elementAt(0)); System.out.println(); } // init cert path CertificateFactory cf = CertificateFactory.getInstance("X509"); cp = (CertPath)cf.generateCertPath(certs); // load the root CA cert for the OCSP server cert X509Certificate rootCACert = getCertFromFile(ROOT_CA_CERT); // init trusted certs TrustAnchor ta = new TrustAnchor(rootCACert, null); Set trustedCertsSet = new HashSet(); trustedCertsSet.add(ta); // init cert store Set certSet = new HashSet(); X509Certificate ocspCert = getCertFromFile(OCSP_SERVER_CERT); certSet.add(ocspCert); CertStoreParameters storeParams = new CollectionCertStoreParameters(certSet); CertStore store = CertStore.getInstance("Collection", storeParams); // init PKIX parameters PKIXParameters params = null; params = new PKIXParameters(trustedCertsSet); params.addCertStore(store); // enable OCSP Security.setProperty("ocsp.enable", "true"); if (ocspServer != null) { Security.setProperty("ocsp.responderURL", args[1]); Security.setProperty("ocsp.responderCertSubjectName", ocspCert.getSubjectX500Principal().getName()); } // perform validation CertPathValidator cpv = CertPathValidator.getInstance("PKIX"); PKIXCertPathValidatorResult cpv_result = (PKIXCertPathValidatorResult) cpv.validate(cp, params); X509Certificate trustedCert = (X509Certificate) cpv_result.getTrustAnchor().getTrustedCert(); if (trustedCert == null) { System.out.println("Trsuted Cert = NULL"); } else { System.out.println("Trusted CA DN = " + trustedCert.getSubjectDN()); } } catch (CertPathValidatorException e) { e.printStackTrace(); System.exit(1); } catch(Exception e) { e.printStackTrace(); System.exit(-1); } System.out.println("CERTIFICATE VALIDATION SUCCEEDED"); System.exit(0); } /* * Read a certificate from the specified filepath. */ private static X509Certificate getCertFromFile(String path) { X509Certificate cert = null; try { File certFile = new File(path); if (!certFile.canRead()) throw new IOException(" File " + certFile.toString() + " is unreadable"); FileInputStream fis = new FileInputStream(path); CertificateFactory cf = CertificateFactory.getInstance("X509"); cert = (X509Certificate)cf.generateCertificate(fis); } catch(Exception e) { System.out.println("Can't construct X509 Certificate. " + e.getMessage()); } return cert; }}
and when I run it it gives me the first error message:
run:
Usage: java ValidateCert <cert-file> [<OCSP-server>] C:\Users\Computer\AppData\Local\NetBeans\Cache\8.2\executor-snippets\run.xml:53: Java returned: -1 BUILD FAILED (total time: 1 second)