How can I decode an SSL certificate using Python?

Python’s standard library, even in the latest version, does not include anything that can decode X.509 certificates. However, the add-on cryptography package does support this. Quoting an example from the documentation:

    >>> from cryptography import x509
    >>> from cryptography.hazmat.backends import default_backend
    >>> cert = x509.load_pem_x509_certificate(pem_data, default_backend())
    >>> cert.serial_number
    2

Another add-on package that might be …

SSL error unsafe legacy renegotiation disabled

WARNING: When enabling Legacy Unsafe Renegotiation, SSL connections will be vulnerable to the Man-in-the-Middle prefix attack as described in CVE-2009-3555. With the help of https://bugs.launchpad.net/bugs/1963834 and https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1856428 Beware that editing your system’s openssl.conf is not recommended, because you might lose your changes once openssl is updated. Create a custom openssl.cnf file in any directory with …

How can I set SignalR in Android Studio to ignore SSL issues for development

If just for development, I think you can refer the following code (available in SO):

    public class HttpsTrustManager implements X509TrustManager {
        private static TrustManager[] trustManagers;
        private static final X509Certificate[] _AcceptedIssuers = new X509Certificate[] {};

        @Override
        public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
                throws java.security.cert.CertificateException {}

        @Override
        public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
                throws java.security.cert.CertificateException …

What is the reason of kSecTrustResultRecoverableTrustFailure?

It may be a server certificate problem… Check here, I solved my kSecTrustResultRecoverableTrustFailure problem by adding subjectAltName = DNS:example.com into the openssl config file, specifically in server key generation… If you are not using openssl to generate it, I’m sorry but I can help you. Anyway, if you want to use openssl, here is a good tutorial …

Enabling SSL on tomcat using pem file

While most answers concentrate on versions 7.0 and 8.0 of Tomcat that were supported at the time of the question, since version 8.5.2 (May 2016) it is possible to use PEM files directly without conversion to a PKCS12 file. You can either: put the PEM encoded private key and all certificates in the order from …

TLS 1.2 + Java 1.6 + BouncyCastle

If you look at RFC 4492 5.2, you’ll see that the server CAN send the “ec_point_formats” extension, but is only supposed to do so “when negotiating an ECC cipher suite”. If you want TLSClient to just ignore the extra extension instead of raising an exception, I suggest overriding TlsClient.allowUnexpectedServerExtension(…) to allow ec_point_formats in the same …

SSLHandshakeException: Received fatal alert: handshake_failure when setting ciphers on tomcat 7 server

Well, I got this issue solved. It appears that creating a self-signed certificate using keytool without providing the -keyalg parameter makes the key-pair algorithm default to DSA. None of my cipher suites included the DSA algorithm. In that case, although the client and the server had an intersection between their cipher suites, neither was suitable for the key …