Accept server’s self-signed ssl certificate in Java client

You have basically two options here: add the self-signed certificate to your JVM truststore or configure your client to Option 1 Export the certificate from your browser and import it in your JVM truststore (to establish a chain of trust): <JAVA_HOME>\bin\keytool -import -v -trustcacerts -alias server-alias -file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit Option … Read more

file_get_contents(): SSL operation failed with code 1, Failed to enable crypto

This was an enormously helpful link to find: http://php.net/manual/en/migration56.openssl.php An official document describing the changes made to OpenSSL in PHP 5.6. From here I learned of one more parameter I should have set to false: "verify_peer_name"=>false Note: This has very significant security implications. Disabling verification potentially permits a MITM attacker to use an invalid … Read more

Java HTTPS client certificate authentication

Finally managed to solve all the issues, so I’ll answer my own question. These are the settings/files I’ve used to manage to get my particular problem(s) solved; The client’s keystore is a PKCS#12 format file containing The client’s public certificate (in this instance signed by a self-signed CA) The client’s private key To generate it … Read more

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

* Uses proxy env variable http_proxy == ‘https://proxy.in.tum.de:8080’ ^^^^^ The https:// is wrong, it should be http://. The proxy itself should be accessed by HTTP and not HTTPS even though the target URL is HTTPS. The proxy will nevertheless properly handle HTTPS connection and keep the end-to-end encryption. See HTTP CONNECT method for details how … Read more

bundle install fails with SSL certificate verification error

Update Now that I’ve karma wh..err mined enough from this answer everyone should know that this should have been fixed. re: via Ownatik again bundle install fails with SSL certificate verification error gem update --system My answer is still correct and left below for reference if that ends up not working for you. Honestly the … Read more

Unable to find valid certification path to requested target – error even after cert imported

Unfortunately – it could be many things – and lots of app servers and other java ‘wrappers’ are prone to play with properties and their ‘own’ take on keychains and what not. So it may be looking at something totally different. Short of truss-ing – I’d try: java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore … to see if that … Read more

How to import an existing X.509 certificate and private key in Java keystore to use in SSL?

I used the following two steps which I found in the comments/posts linked in the other answers: Step one: Convert the x.509 cert and key to a pkcs12 file openssl pkcs12 -export -in server.crt -inkey server.key \ -out server.p12 -name [some-alias] \ -CAfile ca.crt -caname root Note: Make sure you put a password on the … Read more

SSL Error When installing rubygems, Unable to pull data from ‘https://rubygems.org/

For RVM & OSX users Make sure you use latest rvm: rvm get stable Then you can do two things: Update certificates: rvm osx-ssl-certs update all Update rubygems: rvm rubygems latest For non RVM users Find path for certificate: cert_file=$(ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE') Generate certificate: security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file" security find-certificate … Read more

ssl_error_rx_record_too_long and Apache SSL [closed]

The link mentioned by Subimage was right on the money for me. It suggested changing the virtual host tag, ie, from <VirtualHost myserver.example.com:443> to <VirtualHost _default_:443> Error code: ssl_error_rx_record_too_long This usually means the implementation of SSL on your server is not correct. The error is usually caused by a server side problem which the server … Read more
