I'm trying to set up ldap with Python. When I run ./manage.py syncldap I get:
SERVER_DOWN: {'info': 'TLS: hostname does not match CN in peer certificate',
'desc': "Can't contact LDAP server"}
Other people working on the same codebase on their local machines don't seem to be having any problem. Any thoughts?
Check the CN from Subject of server cert
openssl x509 -noout -text -in imsva_cert.pem | grep Subject
Subject: C=en, ST=xx, O=yy, OU=zz, CN=test.com
The "hostname" in the error is to say the host name in your command to access LDAP server, so please just use host test.com, e.g.
ldapsearch -H "ldaps://test.com:636" ...
Also don't forget add test.com in your DNS server to make sure ldapsearch can get the A record for host test.com. Specify the info in /etc/hosts is a easy way.
Your other folk, using the same codebase on their local machines, are they talking to the same LDAP server? The SSL certificate used to enable LDAP over SSL/TLS will have a name embedded in it. (Not editable, you would need to reissue a new cert with a new CN)
The message is saying the Hostname of the server is not the same as the hostname in the certificate (This is why Wildcard certs are so darn useful. No need for a new cert for every box, just use the wildcard and keep the domain the same).
I would examine the certificate, in whatever keystore it is held in, on the server side, and look at the hostname to see the differences..
Related
first i create a ca-cert key pair with
openssl req -new -x509 -keyout private_key.pem -out public_cert.pem -days 365 -nodes
Generating a RSA private key
..+++++
.................................+++++
writing new private key to 'private_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:35.222.65.55 <----------------------- this ip should be server ip very important
Email Address []:
now i run a server with python code
# libraries needed:
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl , socket
# address set
server_ip = '0.0.0.0'
server_port = 3389
# configuring HTTP -> HTTPS
httpd = HTTPServer((server_ip, server_port), SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='./public_cert.pem',keyfile='./private_key.pem', server_side=True)
httpd.serve_forever()
now this server can be connected for both secure ca-cert case and ingore-ca-cert server connections when using SSL case
that is
curl --cacert public_cert.pem --cert-type PEM https://35.222.65.55:3389
and
curl -k https://35.222.65.55:3389
will work
how to detect if the request is ingnore-ca-cert or not from server side ?
how to not allow insecure connection from server side ?
The server side has no control over the certificate validation done at the client side. The server has no knowledge if the client has verified the certificate or not. Nothing in the exchanged data indicates if the client is doing a curl -k or a curl without this option. Thus it is not possible to stop clients with broken or disabled validation from connecting to the server.
I'm learning the fabric to automatically connect the ec2 instance which is already created. I set a ssh_config in the ssh folder
Home myhostname
Hostname 52.62.207.113
User ubuntu
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
PasswordAuthentication no
IdentityFile ~/.ssh/mykey-pem
And I wrote a python file to test
from fabric import Connection
c = Connection('52.62.207.113')
result = c.run('uname -s')
The terminal response
paramiko.ssh_exception.SSHException: No authentication methods available.
I'm not sure what happens. I try to manually
ssh -i mykey.pem ubuntu#52.62.207.113
It is successfully connecting the EC2 instance
Home myhostname
Hostname 52.62.207.113
...
c = Connection('52.62.207.113')
I'm not a fabric user, but I guess you're expecting fabric to make use of the entry from your ssh_config file here? I can see two likely problems:
You have Home myhostname. The correct keyword here is Host, not Home:
Host myhostname
Hostname 52.62.207.113
If you want fabric to use the Host section for myhostname, you probably have to tell it to connect to myhostname:
c = Connection('myhostname')
You're telling it to connect to an IP address, and it probably wouldn't relate that to the host section
The actual error that you're getting, "No authentication methods available", is probably because fabric didn't apply the Host section from ssh_config, and it doesn't know of any key files that it should use for the session.
I think you missed PreferredAuthentications options.
And you typed your key file name incorrectly.
Change the config file as shown below and try connecting again.
Home myhostname
Hostname 52.62.207.113
User ubuntu
PreferredAuthentications publickey
IdentityFile ~/.ssh/mykey.pem
I've created a Flask API connecting to an RDS Aurora database using the Postgres engine. The endpoints work fine, and I can connect to them using Postman and cURL. When I try to connect via a unittest script, however, I receive the following error:
fe_sendauth: no password supplied
I'm not sure why it would only occur when tests are being run, does anyone have any insight?
try:
export POSTGRES_USER=" your pc username"
export POSTGRES_PW="your pc password"
It worked in my case.
I had a similar issue,to solve it i had to edit
sudo vi /var/lib/pgsql/data/pg_hba.conf
in METHOD column from MD5 to trust
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
Im trying to open a simple webpage with python using Urlib2 in a TAILS system but I am unable to make it work, with error 111, connection refused. So that is obviously because TAILS refuses all non-Tor traffic,and the solution should be opening a proxy with:
proxy = urlib2.ProxyHandler({protocol:"127.0.0.1:{}".format(PORT)})
opener = urlib2.build_opener(proxy)
opener.open("https://jojeji")
I tried lots of protocols and ports, asumming that this choice is the only problem I have. Tails has a configuration file in etc/ferm/ferm.conf. In the output part it says:
# White-list access to Tor's SOCKSPort's
daddr 127.0.0.1 proto tcp syn dport 9050 {
mod owner uid-owner _apt ACCEPT;
mod owner uid-owner proxy ACCEPT;
mod owner uid-owner nobody ACCEPT;
}
daddr 127.0.0.1 proto tcp syn mod multiport
destination-ports (9050 9061 9062 9150) {
mod owner uid-owner $amnesia_uid ACCEPT;
}
There are white lists also for:
access to onionshare
access to Monkeysphere
access to CUPS
access to the accesibility daemon
access to system DNS and TOr's DNS PORT
access to Tor's TransPort
access to Tor control port filtrer
access to Tor ControlPort
So wich values should a TAILS user pass to the urlib2 proxy and, is there any better way to acces the internet trough urlib2?
Tails/Tor implements SOCKS5 proxy, not HTTP proxy. AFAIK, this is not directly supported by urlib2. You need to use the SocksiPy module as shown in this answer.
The socks proxy is 127.0.0.1 and the port is 9050.
Your other option is to use pycurl or even command-line curl (with --socks5-hostname=127.0.0.1:9050)
I'm writing some software that is supposed to acquire information from SSL-secured web page. Below there's piece of code I use to connect to server.
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket (
s,
ca_certs = '/home/stilz/Desktop/Certyfikaty/GLOWNE_CA.cer',
cert_reqs = ssl.CERT_REQUIRED,
ssl_version = ssl.PROTOCOL_SSLv3,
)
ssl_sock.connect ((HOST, PORT))
However, this doesn't work. It throws exception with message "Handshake alert failed". I captured some TCP packets that come out of my script and also corresponding packets from Internet Explorer and figured out that my script doesn't send certificate at all (server returns something like "Fatal: no certificate supplied") while IE sends it normally. As far as I know file ca.cer is x509 certificate (beginning with "-----BEGIN CERTIFICATE-----").
Please help me and tell what I'm doing wrong. If I've supplied to few information, please let me know.
Regards
First of all, you need to determine if you need to authenticate yourself on the server (certificate is sent to the server only in this case) or you need to validate server's authenticity (in which case the certificate is not sent to the server).
Now about issues in your code:
Case 1: you don't need to authenticate on the server. In this case you don't need to specify your certificate and nothing is sent to the server.
Case 2: you need to authenticate yourself on the server. In that case you need to provide your certificate and your private key file in keyfile and certfile parameters. Only then your certificate is sent to the server (and the private key is used in the handshake).
I guess that your have case 1 in fact. So first of all you need to check if the server provides a valid certificate by connecting to it with a web browser and inspecting site's certificate chain. It can happen that the site sends its certificate but omits intermediate CA certificates.
In any case I'd like to remind about the discussion about certificates in Python docs which I suggest you re-read.
If the server requests (and requires) a certificate to be sent by the client, you need to supply ssl.wrap_socket with the path to your certificate (certfile) and its matching private key (keyfile). The ca_certs parameter is only used for the client to verify the server's certificate against known CA certificates, it has nothing to do with sending a client-certificate.
You may need to export your client-certificate and private key from IE (and then convert them to PEM format).