top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

TLS issue after system upgrade [CLOSED]

0 votes
407 views

I've just upgraded my server (Slackware64-14.0) and installed freeDiameter-1.1.6 and now I can't run this app. The error "The certificate hasn't got a known issuer" received.

Cerificate is generated by provided with sources make_certs.sh script.

Logfile:
root@rad1a:/usr/local/src/freeDiameter-1.1.6/build# freeDiameterd libfdproto initialized.
libgnutls '3.0.23' initialized.
TLS: Local certificate chain '/usr/local/etc/freeDiameter/mycert' is invalid :
 - The certificate hasn't got a known issuer.
ERROR: in '__v__ = (fd_conf_parse())': Invalid argument
ERROR: in '__v__ = (fd_core_parseconf(conffile))': Invalid argument

Is there any simple solution for this?

closed with the note: None
posted Jun 6, 2013 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

0 votes

OMG,
I just discovered that config file format has changed...After editing TLS problem disappears.

Sorry for the false alarm.

answer Jun 6, 2013 by anonymous
Similar Questions
+1 vote

I've been off the list for a bit, getting ducks in a row here and everything.

I noticed a number of posts about SSL & TLS security settings lately and I wanted to point out that maintaining your SSL configurations is an on-going processes.

New exploits are discovered and released quite often, and often the fault lies with a cipher and not necessarily an overall SSL/TLS protocol.

So using a cipher list like "all except RC4" is probably not sufficient anymore. And what is secure may depend completely on the SSL/TLS software you use, be it OpenSSL or Java's built in SSL libraries.

For example, with OpenSSL, you should be using 1.0.1t or higher, and even then only TLS1.2 with a handful of ciphers. I'm not sure what the recommended options for java's libraries are at the moment. A really good, free tool is Qualys' SSL Labs server test tool located at: https://www.ssllabs.com/ssltest/ Run that against your implementation and follow its recommendations.

Of course, at the end of the day, it will be up to you and your firm to decide what risks you are willing to take with your SSL communications and whether or not you need to support insecure browsers, i.e. browsers that cannot negotiate up to the most secure protocol and ciphers.

+1 vote

Is the PEM-based certificate configuration available for both JSSE-based and APR-based connectors in Tomcat 9 at this point? The documentation says e.g. the "certificateFile" attribute is for "OpenSSL Only", and when I try to launch Tomcat using the NIO connector and a PEM-based certificate file, Tomcat says that the keystore is corrupted (even though no keystore was actually specified).

+2 votes

I'm trying to set TLS protocol with the next parameter into the ssl.conf file:

 SSLProtocol all -SSLv2 -SSLv3 

but then my web application fails. I only can see next error in log file

[info] SSL library error 1 in handshake (server my.server:443, client xx.xx.xx.xx)
[info] SSL Library Error: 336027900 error:140760FC:SSL routines:func(118):reason(252)
[info] Connection to child 4 closed with abortive shutdown(server my.server:443, client xx.xx.xx.xx) 

I can`t see as well, into the customlog file, a "GET" that I can see when all protocols are enabled (no forcing TLS):

10.5.137.162 - - [03/Feb/2015:09:30:47 0100] "GET /application/resources/css/template_v6.0.xsl HTTP/1.0" 200 28323  

Any help will be appreciated

+2 votes

Currently my Apache server supports SSLV2, V3, TLSV1. My client requirement is to enable TLSV1.1 or above on the webserver.

Current Version of Apache: Apache V2.2.16 When I tried to Add SSLProtocol All TLSv1.1 TLSv1.2. Server has thrown the error saying Illegal Protocol.

Please do let me know the steps for enabling TLSV1.1 or above.

...