Apache SSL: Server Cert Does Not Include ID Which Matches Server Name

Answer : Okay, I noticed that this post is viewed quite often recently, and so it seems that a lot of people are facing the same issue that I did. If so, then this might help you.

I followed a simple step-by-step tutorial to create an SSL certificate for my webserver. Like so many tutorials out there, the outcome of the tutorial I followed was a self-signed certificate using OpenSSL. Yep, self-signed, that was the problem. The browser could not trust the server due to its certificate, which is signed by itself. Well, I wouldn't either... A certificate has to be signed by an external trustworthy certificate authority (CA). So I stumbled upon Let's Encrypt, which does all the work for you and is even easier to set up, and the best is: it is absolutely free.

Installation
1) Delete your old ssl cert files which you have created by using OpenSSL
2) Open backports to get the certbot client on Debian. You should know that this will open a hole for unfinished software!...

"Client Network Socket Disconnected Before Secure TLS Connection Was Established", Node 10

Answer : In case someone else faces this same problem, a possible solution (if you are using Windows OS) is to follow the process below:
Press the Windows Key
Search for Internet Options
Click on "Internet Options"
Click on "Connection"
Go to LAN Settings
Uncheck "Use Proxy Server for LAN ...."
It should work, but the permanent solution is to make sure you turn all software that might be automatically setting up proxy for you.

Android Java.security.cert.CertPathValidatorException: Trust Anchor For Certification Path Not Found

Answer : I am answering this to give an idea about the scenario and solution as per the Android developer site, for others' benefit. I have solved this using a custom trust manager. The problem was with the server certificate: it misses the intermediate certificate authority. However, with the first flow the certificate path is completed somehow and the result was successful certificate path validation. There is a solution for this on the Android developer site. It suggests using a custom trust manager that trusts this server certificate, or it suggests that the server include the intermediate CA in the server chain.

Custom trust manager. Source: https://developer.android.com/training/articles/security-ssl.html#UnknownCa

// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = new BufferedInputStream...

Capture Only Ssl Handshake With Tcpdump

Answer : I don't know what exactly you are calling handshake, but I propose this command that will probably capture more than 95% of what you can want:

tcpdump -ni eth0 "tcp port 443 and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)"

Now what does it do:
eth0 : is my network interface, change it if you need
tcp port 443 : I suppose this is the port your server is listening on, change it if you need
tcp[((tcp[12] & 0xf0) >> 2)] = 0x16 : a bit more tricky, let's detail this below

tcp[12] means capturing the 13th byte of the TCP packet, corresponding to the first half being the offset, the second half being reserved. The offset, once multiplied by 4, gives the byte count of the TCP header, meaning ((tcp[12] & 0xf0) >> 2) provides the size of the TCP header. The first byte of a TLS packet defines the content type. The value 22 (0x16 in hexadecimal) has been defined as being "Handshake" content. As a consequence, tcp[((tcp[12] ...

Associate A Private Key With The X509Certificate2 Class In .net

Answer : You can save yourself the hassle of copy-pasting all that code and store the private key next to the certificate in a pfx / pkcs#12 file:

openssl pkcs12 -export -in my.cer -inkey my.key -out mycert.pfx

You'll have to supply a password, which you have to pass to the constructor of X509Certificate2 :

X509Certificate2 cert = new X509Certificate2("mycert.pfx","password");

For everyone else with the same problem, I found a neat little piece of code that lets you do exactly that: http://www.codeproject.com/Articles/162194/Certificates-to-DB-and-Back

byte[] certBuffer = Helpers.GetBytesFromPEM(publicCert, PemStringType.Certificate);
byte[] keyBuffer = Helpers.GetBytesFromPEM(privateKey, PemStringType.RsaPrivateKey);
X509Certificate2 certificate = new X509Certificate2(certBuffer, password);
RSACryptoServiceProvider prov = Crypto.DecodeRsaPrivateKey(keyBuffer);
certificate.PrivateKey = prov;

EDIT: The code for the Helper method (which ot...

Cannot Start XAMPP On Ubuntu 11.10

Answer : This is a peculiar error you will get if you run XAMPP in Linux. Assumption: XAMPP is unzipped in the /opt/ folder. If you get the error "XAMPP: Another web server daemon with SSL is already running" when you run ./lampp start, simply follow the steps below to get rid of this error:
1) Open the file /opt/lampp/etc/httpd.conf . Search for Listen 80 and change it to some other port (e.g. Listen 2145 ) (Line No. 40).
2) Open the file /opt/lampp/etc/extra/httpd-ssl.conf . Search for Listen 443 and change it to some other port (e.g. Listen 16443 ) (Line No. 39).
3) Open the file /opt/lampp/lampp . Search for the port testport 80 and replace it with testport 2145 . Also change testport 443 to testport 16443 . (Happens to be Line No. 197, 214)
4) Now go and run /opt/lampp/lampp start . It should work now.
Note: Line numbers may be different.

I have a similar problem and found the issue was caused by another service already running on port 443 (SSL). Check running l...

Change Keystore Password From No Password To A Non Blank Password

Answer : If you're trying to do stuff with the Java default system keystore ( cacerts ), then the default password is changeit . You can list keys without needing the password (even if it prompts you), so don't take that as an indication that it is blank. (Incidentally, who in the history of Java has ever changed the default keystore password? They should have left it blank.)

Add -storepass to the keytool arguments:

keytool -storepasswd -storepass '' -keystore mykeystore.jks

But also notice that the -list command does not always require a password. I could execute the following command in both cases, without a password or with a valid password:

$JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

Apache's Deprecated SSLCertificateChainFile Directive (AH02559)

Answer : Given that you're using this in your Apache config:

SSLCertificateFile /etc/apache2/cert/ssl.crt
SSLCertificateKeyFile /etc/apache2/cert/ssl.key

The /etc/apache2/cert/ssl.crt file should contain:
the certificate of e.g. yourdomain.com
the certificate of the first intermediate CA, signed by the root CA (e.g. StartCom Class 1 Primary Intermediate Server CA)
the certificate of the second intermediate CA, signed by the first intermediate CA (if there is a second intermediate CA in your certificate chain)

You need to put all intermediate CAs' certificates in the crt file. Depending on the certificate chain of your certificate, there will be a varying number of CAs involved. You don't even need to add the root CA, as it has to be in the trust store of any clients, otherwise clients will get an error page; also, if you add it to your chain, it will just be additional overhead for establishing SSL connections, as it has to be transferred for every new SSL session. Actually most client...

AWS: Custom SSL Certificate Option Is Disabled In CloudFront, But I Created A SSL Certificate Using AWS Certificate Manager

Answer : Certificates that will be used with an Application Load Balancer (ELB/2.0) need to be created in ACM in the same region as the balancer. Certificates that will be used with CloudFront always need to be created in us-east-1.

"To use an ACM Certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM Certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution." – http://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html

The reason for this is that CloudFront doesn't follow the regional boundary model in AWS. CloudFront edge locations are all over the globe, but are configured and managed out of us-east-1 -- think of it as CloudFront's home region. Once a distribution reaches the Deployed state, it is not operationally dependent on us-east-1, but during provisioning, everything originates from that ...

Certificate Issue: SSL Page Brings Up "You Need To Set A Lock Screen Pin Or Password Before You Can Use Credential Storage" On Android

Answer : This same thing happened to me when I was installing my certificate on my Android tablet. Yes, you need to set a lock or pin code (but this can be removed after installing the certificate).
Just copy the .pfx file to your Android phone
On your phone Settings, look for Security
Under credential storage (this option might vary depending on your phone settings), there should be an option to install certificates
Restart your phone
Hope this helps.

This isn't the most secure solution - but it got the job done for me. I had to edit the SSL properties through IIS to ignore client certificates. IIS Setting Change

It's not an Android/Chrome issue. The problem was from the fact that the server was requesting a certificate from the client. For Apache, add/change the following parameter in your conf or in your sites definition:

SSLVerifyClient none