ssl,https,haproxy,opensslRelated issues-Collection of common programming errors

11 years ago
admin
17 minutes

  • chris
    apache-2.2 ssl openssl
    I am trying to install an SSL certificate, and I get the following errors:AH02241: Init: Unable to read server certificate from file /path/my.crt SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509) AH02312: Fatal error initialising mod_ssl, exiting.Here’s the process I followed:I generated my private key with:openssl genrsa -out my.key 2048I created the CSR with:

  • Jim D
    ssl curl
    Starting today (or within the last few days) I’ve hit an SSL error when trying to connect to github.com (e.g. to clone a repository).This is a legacy server running Red Hat 4.1.2-33.Here’s what it looks like when I try to connect:$ curl https://www.github.com –verbose * About to connect() to www.github.com port 443 (#0) * Trying 192.30.252.130… connected * Connected to www.github.com (192.30.252.130) port 443 (#0) * CAfile: /etc/pki/tls/certs/ca-bundle.crtCApath: none * NSS error -12286 *

  • David Tinker
    ssl openssl gentoo rabbitmq erlang
    I am trying to get RabbitMQ working with SSL on a couple of Gentoo servers. I get the following error in /var/log/rabbitmq/rabbit@…log when I try to connect to the management console using https:SSL: certify: ssl_connection.erl:1641:Fatal error: bad certificateI followed the instructions here: http://www.rabbitmq.com/ssl.htmlThe annoying thing is that I have 2 cloned servers and it is working on one and not the other. As far as I can tell the machines are configured identically. I wrote a scri

  • Chris Dunaway
    ssl windows certificates .net
    I have written an application (in C#) to communicate with one of our customers via a web service. Our customer requires us to use bi-directional SSL. The customer has sent us their certificate (in the form of a .p7b file). The client certificate was provided to me in the form of a .cer file.I’ve installed the certificates and in the program I use the HttpWebRequest class and add the client certificate to the ClientCertificates collection.When I run the program I get an exception:System.Net.We

  • D.W.
    cryptography ssl
    The CRIME attack taught us that using compression can endanger confidentiality. In particular, it is dangerous to concatenate attacker-supplied data with sensitive secret data and then compress and encrypt the concatenation; any time we see that occurring, at any layer of the system stack, we should be suspicious of the potential for CRIME-like attacks.Now the CRIME attack, at least as it has been publicly described so far, is an attack on TLS compression. Background: TLS includes a built-in c

  • Kalai
    encryption ssl openssl
    I am getting SSL: alert [“write”]: fatal : bad record mac from the OPENSSL logs during the handshake and Client is not sending the Application data and its creating the handshake again and again.What could be the issue please anybody help me in this?

  • Thomas Pornin
    cryptography ssl iis
    In SSL if the handshake is not succesful, does it always end with a handshake alert? Or are there other ways to finish the SSL connection (acceptable by standard). I am asking this, because in an HTTPS server configured to require client authentication, if the client does not send a certificate, I see (via network packets) a TLS Finished message from server to client; I was expecting an alert.

  • D.W.
    protocol-design ssl man-in-the-middle
    A recent blog post from Ivan Ristic (expert extraordinaire on all things SSL) says:all major browsers are susceptible to protocol downgrade attacks; an active MITM can simulate failure conditions and force all browsers to back off from attempting to negotiate TLS 1.2, making them fall back all the way down to SSL 3. At that point, the predictable IV design is again a problem. Until the protocol downgrade weakness is fixed, newer protocols are going to be useful only against passive attackers, bu

  • WATTO Studios
    java ssl
    I am trying to send push notification to iPhone using Java-pns but I am getting the following error…javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failureThis is my code…String token=”95076d2846e8979b46efd1884206a590d99d0f3f6139d947635ac4186cdc5942″;String host = “gateway.sandbox.push.apple.com”; int port = 2195; String payload = “{\”aps\”:{\”alert\”:\”Message from Java o_O\”}}”;NotificationTest.verifyKeystore(“res/myFile.p12”, “password”, false); KeyStore keyStore = Ke

  • highflyer
    java sockets ssl x509certificate truststore
    I am trying to setup a SSL Socket connection (and am doing the following on the client)I generate a Certificte Signing Request to obtain a signed client certificate Now I have a private key (used during the CSR), a signed client certificate and root certificate (obtained out of band). I add the private key and signed client certificate to a cert chain and add that to the key manager. and the root cert to the trust manager. But I get a bad certificate error.I am pretty sure I am using the right c

  • i0n
    https git leopard certificate-authority ppc
    I have a git repository with submodules on github, when I try and set up the submodules locally by doing:git submodule init git submodule updateI get this error:error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed while accessing https://github.com/wincent/Command-T.git/info/refsfatal: HTTP request failed Clone of ‘https://github.com/wincent/Command-T.git’ into submodule path ‘dotfiles/vim/bundle

  • Felipe Micaroni Lalli
    connection timeout https github
    I have exactly the same problem as described here: http://stackoverflow.com/questions/12849986/connection-timeout-when-accessing-githubSo I’ll just copy & paste:I have some weird problems. When I try to log in my Githubaccount, I get a “net::ERR_EMPTY_RESPONSE” error.I tried with Chrome, Firefox and Opera. In Firefox, if a clean thecache and offline data, it works for a while. Then I can log in, but Istill can’t create a Github repository, even if I clear the cacheagain.My friend, in the sam

  • Android-Droid
    android https connection
    I’m working on an application which is downloading data from a web server.It seems to download data without any problems in the beginning, but a few days ago I start receiving this kind of exceptions : javax.net.ssl.SSLException: Read error: ssl=0x7a6588: I/O error during system call, Connection reset by peer and I’m not sure what cause that problem and how can I fix that. Here is the whole LogCat message :12-12 11:43:27.950: W/System.err(22010): javax.net.ssl.SSLException: Read error: ssl=0x7a6

  • dongshengcn
    java https connection httpclient
    I am using apache HttpClient. While debugging something, I found I am getting error when I execute the same HTTPS HEAD request for the second time using the same connection (connection kept alive). The host is https://dongshengcn.iriscouch.com. I am not sure where is wrong, is the server? is it a HttpClient bug? I tend to think this is a HttpClient bug somewhere. Anyways, I am wondering if someone can point me to the right direction. Here is the code and logging info:import org.apache.http.Http

  • DreamsNeverDie
    java android web-services ssl https
    I am calling https webservice and its works fine before, but now when i am trying to call it its give me following errors.Log Errors :12-23 06:28:11.969: W/System.err(3014): javax.net.ssl.SSLException: SSL handshake aborted: ssl=0x1cc160: I/O error during system call, Connection reset by peer 12-23 06:28:11.979: W/System.err(3014): at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method) 12-23 06:28:11.979: W/System.err(3014): at org.apache.harmony.xnet.provi

  • Nabil
    java security ssl https websphere
    I have a web application that call a SOAP Web service secured via SSL .(https://zzzzzzzzzzzz/xxxxx). The server send two certificates (Root and Leaf) so i import the two certificate using the property : com.ibm.websphere.ssl.retrieveLeafCert .To enable ssl validation on websphere i just add the certificates Into websphere : SSL certificate and key management -> key stores and certificate -> NodeDefaultTrustStore -> Signer cerificates -> Retrieve from port : host : hostname port : 443 alias :

  • VinC
    android json https http-post
    I am trying to connect via HttpPost and send a username and password to a website and then receive a string from that website. I have tried various methods that have worked for me in the past but now when I send the username and password identifiers the app times out for as long as 4 minutes and then spits out the following exception:07-16 16:32:32.897: W/System.err(632): Unable to connect to the server07-16 16:32:32.907: W/System.err(632): org.apache.http.conn.HttpHostConnectException: Connecti

  • Samy Ateia
    java ssl https
    I’m building an application that periodically checks some rss feeds for new content. Some of these feeds are only reachable via https and some have self signed or somehow broken certificates. I want to be able to check them never the less.Edit: Please note that security is not an issue in this application the goal is to access the content with minimal effort. So don’t down-vote just because you read to many “ignoring ssl should never be used in production posts”.I’m using this code to circumvent

  • RedFilter
    svn https hudson jenkins pkcs#12
    There is a problem with the usage of SVN + PKCS12 + HTTPS. When I want to add an SVN repository to a Jenkins Template, I get an error. It seems that the SVN Client does not support this way of authentication. First I checked on a Debian workstation, with Jenkins 1.467, whether this would work and it did. I used the same certificate for this. Second, I tried the same and other versions of Jenkins on my server without any result. Now the question: I this a bug in Jenkins, or am I totally doing som

  • michas
    django internet-explorer firefox https applet
    We have developed an analytics application that use a special Java applet (developed by IBM) to view some data. It’s a Django application that runs on Apache. Everything worked fine until we moved to SSL. The behavior is very strange and we are confused and a little bit worried how to make the applet work on HTTPS. Ok, I have read many threads about security updates that were introduced in JRE 7u51 (Java JRE plugins) but I think that this is not the reason of our problems. My current environment

  • th3morg
    proxy load-balancing c3p0 haproxy
    In order to increase performance of my Java/Spring web app deployed in Tomcat 7, I am trying to use MySQL read replicas for queries that I’ve annotated as read-only okay. I have been using c3p0 for connection pooling prior to setting up an haxproxy server that will load balance requests to the read replicas and it works fine. I know that these two things kind of work against each other because each are trying to pool connections, however if I don’t use connection pooling at the application layer

  • Zach L
    java ssl haproxy sslsocketfactory
    I get connection failures that appear randomly when connecting to an HAProxy server using SSL. I have confirmed that these failures happen on JDK versions 1.7.0_21 and 1.7.0_25 but not with 1.7.0_04 or with 1.6.0_38.The exception is Exception in thread “main” javax.net.ssl.SSLPeerUnverifiedException: peer not authenticatedat sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397)at SSLTest2.main(SSLTest2.java:52)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)a

  • coneybeare
    apache-2.2 logging log-files haproxy
    I am trying to clean out some of the log clutter from my machines and am starting by removing requests that are generated from the server themselves. I have cache warmers running around the clock and I don’t want these polluting the logs.I was able to get apache to stop logging local requests by adding a dontlog for the local IP:SetEnvIf Remote_Addr “RE\.DA\.CT\.ED” dontlog CustomLog “|logger -p local3.info -t http” combined env=!dontlogand now I am looking for something similar to put in a conf

  • Chris
    haproxy
    I am having some issues with HAProxy configuration. I have been playing around with it to try and make it more resilient to high server loads and Denial of Service. However, I felt it was working fine until suddenly I was victim of a (D)DoS attack – Haproxy was reporting the backend as down even though I could still access it fine via the direct port.Could somebody please check my HAProxy config and see if there is somewhere I am messing up or why I would be experiencing this.. I just can’t seem

  • Anand Soni
    amazon-ec2 load-balancing haproxy rabbitmq
    I wanted to use HAProxy for my web app for load balancing purpose. I am trying to add a new rabbitmq node dynamically in HAProxy server using command : haproxy -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid). I am doing tcp connection mode with leastconn balance algorithm in load balancing. What is expected is when there is 3 connection in one rabbitmq, I add a new rabbit server in HAProxy server. so the next connection would pass to 2nd rabbitmq server which is not happening in my case.

  • nbevans
    haproxy
    Is it possible for HAproxy to reload its configuration at runtime, without dropping existing connections?I’ve looked high and low in the documentation for some mention of this but have been unsuccessful. Does anybody know off hand?Thanks.

  • Anony-Mousse
    load-balancing haproxy
    We are using HAPROXY to cluster two app servers. Currently, for test purpose, the 2 servers are virtual servers.We are observing lot of Concurrency warnings being logged in the server logs as below[CacheListener] Possible concurrency problem: Replicated version id 273 is less than or equal to in-memory version for  session tDC2DAPeZ8ChQ74l1cHgig__What I found, when I did a search in google, is that many such instances could lead to load balancer crashing.I think the issue logged here : https://

  • guojinpeng
    connection statistics reset haproxy was
    I’m using haproxy for load balance, it works very happily.I setup a statistics page, this page return “the connection was reset” while I refresh it sometimes.listen status 0.0.0.0:8080stats enablestats refresh 5sstats uri /admin Is this a bug or there’s some configurition problem?thanks!

  • user1075894
    haproxy stunnel pound
    I’m looking at introducing a loadbalancer to my existing site infrastructure to help with traffic growth and provide a level of failure protection.The site I am running uses SSL certificates for the login section and I will need to continue with this functionality. The backend servers will need to be aware of the originating IP address so I can’t use the TCP loadbalancing function and will need the SSL terminated on the loadbalancer so I can insert aX-Forwarded-ForHeader. I have seen a couple of

  • Andrew Smith
    iptables haproxy ddos linux-kernel rate-limiting
    Please do not reply with “this is not possible”, as it’s waste of time. I am developing cloud appliance and I have a valid reason to protect this layer against DDoS, and there are few companies doing the same, so please dont tell me that I dont have the point, as many companies looking to buy this solution and I dont see the problem with implementing it using stock LinuxMy Linux kernel is crashing with oops on 10.000 connections due to lack of resources like CPU and RAM. I was wondering how to l

  • mindsurfer
    apache-2.2 ssl-certificate openssl
    I use self-signed certificates with no issue but today I have tried to create a SSL certificate for commercial use. But apache doesn’t start and gives the following error:Notice: I have confirmed that crt file is valid as CSR decoder loads the content as well.*AH02241: Init: Unable to read server certificate from file XXXX/XXXX/XXXX.csr SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nest

  • chris
    apache-2.2 ssl openssl
    I am trying to install an SSL certificate, and I get the following errors:AH02241: Init: Unable to read server certificate from file /path/my.crt SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=X509) AH02312: Fatal error initialising mod_ssl, exiting.Here’s the process I followed:I generated my private key with:openssl genrsa -out my.key 2048I created the CSR with:

  • David Tinker
    ssl openssl gentoo rabbitmq erlang
    I am trying to get RabbitMQ working with SSL on a couple of Gentoo servers. I get the following error in /var/log/rabbitmq/rabbit@…log when I try to connect to the management console using https:SSL: certify: ssl_connection.erl:1641:Fatal error: bad certificateI followed the instructions here: http://www.rabbitmq.com/ssl.htmlThe annoying thing is that I have 2 cloned servers and it is working on one and not the other. As far as I can tell the machines are configured identically. I wrote a scri

  • bahamat
    email openssl cyrus
    We have recently launched a site and a few days ago the mail.log file started to grow incredibly quickly (2gb per day). I’ve just had a look at log file and the lines below below are repeated thousands of time:Jul 3 17:00:23 ubuntu cyrus/imaps[6138]: Fatal error: imaps: required OpenSSL options not present Jul 3 17:00:23 ubuntu cyrus/master[9410]: process 6138 exited, status 75 Jul 3 17:00:23 ubuntu cyrus/master[9410]: service imaps pid 6138 in READY state: terminated abnormally Jul 3 17:00:

  • Kalai
    encryption ssl openssl
    I am getting SSL: alert [“write”]: fatal : bad record mac from the OPENSSL logs during the handshake and Client is not sending the Application data and its creating the handshake again and again.What could be the issue please anybody help me in this?

  • Charan
    android android-ndk openssl
    I successfully compiled openssl using android ndk build and .so files are built successfully.I am trying to ‘include’ built .so files in an android project.Getting an error in below line:#include “openssl/evp.h”fatal error: openssl/evp.h: No such file or directory compilation terminated. make: * [obj/local/armeabi/objs/iedemo/anotherdemo.o] Error 1However, I am include stdio.h and string.h files.I am explore /usr/include/openssl directory, I am able find all openssl related .h files here. And, s

  • ubaltaci
    12.04 bind apparmor openssl
    when I try to start bind9; simply fail because of chroot & openssl/etc/init.d/bind9 startlog messages;Feb 17 08:26:27 ISTVS2024 named[2440]: initializing DST: openssl failure Feb 17 08:26:27 ISTVS2024 named[2440]: exiting (due to fatal error) Feb 17 08:26:27 ISTVS2024 kernel: [ 92.091098] type=1400 audit(1361082387.173:14): apparmor=”DENIED” operation=”file_mmap” parent=2439 profile=”/usr/sbin/named” name=”/var/named/run-root/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so” pid=2

  • Phil
    openssl
    So, I downloaded cowpatty from their site[1] and I am trying to compile it. However, there is an error that prevents the make-process.root@phil-laptop:/home/phil/wifite-2.0r85/cowpatty-4.6# make cc -pipe -Wall -DOPENSSL -O2 -g3 -ggdb -c -o md5.o md5.c md5.c:20:25: fatal error: openssl/md5.h: No such file or directory#include <openssl/md5.h>^ compilation terminated. make: *** [md5.o] Error 1OpenSSL is installed on this system. Any advice?Thanks![1] http://wirelessdefence.org/Contents/coW

  • Mitch
    gnome-terminal openssl
    recently i tried to install bully, but no matter which version i used, the same error occurred:andy@anti:~/Arbeitsfläche/bully-1.0-22/src$ make cc -I`pwd` -I`pwd`/utils/ -I`pwd`/tls/ -I`pwd`/wps/ -I`pwd`/crypto/ -I`pwd`/common/ -o bully bully.c -lpcap -lssl -lcrypto In file included from bully.c:63:0: crypto/crypto_openssl.c:16:30: Schwerwiegender Fehler: openssl/opensslv.h: Datei oder Verzeichnis nicht gefunden Kompilierung beendet. make: *** [bully] Fehler 1 andy@anti:~/Arbeitsfläche/bully-1.0

  • Vardan Gupta
    ssl jboss openssl jboss7.x
    JBAS015537: Activating WebServices Extension 12:29:34,069 INFO [org.jboss.ws.common.management.AbstractServerConfig] (MSC service thread 1-4) JBoss Web Services – Stack CXF Server 4.0.2.GA 12:29:34,323 ERROR [org.apache.coyote.http11.Http11AprProtocol] (MSC service thread 1-4) Error initializing endpoint: java.lang.Exception: Unable to load certificate key /mnt/jboss/kjockeystore (error:0906D06C:PEM routines:PEM_read_bio:no start line)at org.apache.tomcat.jni.SSLContext.setCertificate(Native Me

Web site is in building