
I am trying to understand what is going wrong here. Due to reasons I don't understand, my company's software requires two ports to connect using NTLM. Initially it connects on 443, then redirects to 4244 for authentication, then is returned to 443 afterwards. The same certificate is bound on the server to both ports.

My first HTTPS GET works fine; however, the second complains about the certificate. I believe this is due to the redirect back. If I set the domain for set_auth to 4244, it fails on the redirect back; if I set it to 443 (i.e. leave the port off), then it fails to authenticate.

require 'httpclient'   # gem install httpclient
require 'openssl'
require 'pp'

client = HTTPClient.new()
# Trust the product's private CA and present our client certificate for mutual TLS.
client.ssl_config.set_trust_ca('./SenseStandalone/root.pem')
client.ssl_config.set_client_cert_file(cert, key)
...
@base_uri = "https://SenseStandalone"
https_url = @base_uri+path #+'?xrfkey='+@xrf
# Verify the server certificate chain and hostname (the default; VERIFY_NONE would skip both).
client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_PEER
# set_auth scopes the credentials to this URI; https://SenseStandalone:4244 does not match it.
client.set_auth(@base_uri, 'login', 'password')
t = client.get(https_url, query, extheader, :follow_redirect => true)
pp t
# Follow the redirect to the authentication port by hand.
redirect = t.http_header.request_uri.to_s
puts redirect
client.set_auth('https://SenseStandalone:4244', 'login', 'password')
r = client.get(redirect, nil, extheader, :follow_redirect => true)
pp r.status_code, r.body

What I really need is to be able to set the domain to the whole server. Setting it to nil causes it to fail altogether.

Of course I can fix this with:

client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE

But I'd rather not do that if I have a choice.

As an aside, any idea why I need to do the first redirect manually? The second one redirects on its own.

The actual error, to be specific, is: C:/dev/Ruby22-x64/lib/ruby/2.2.0/openssl/ssl.rb:240:in `post_connection_check': hostname "sensestandalone" does not match the server certificate (OpenSSL::SSL::SSLError)

The certificate is the same for both ports:

C:\Windows\system32>netsh http show sslcert

SSL Certificate bindings:

IP:port                      : 0.0.0.0:4244
Certificate Hash             : 7b2969cf62af93fc0ebca19b597a370a32be89b7
Application ID               : {cebd7eb4-e9bb-4377-85be-d961248daa80}
Certificate Store Name       : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

IP:port                      : 0.0.0.0:443
Certificate Hash             : 7b2969cf62af93fc0ebca19b597a370a32be89b7
Application ID               : {3af37b68-4503-431e-b020-9e85fe225814}
Certificate Store Name       : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

SSL Certificate (443):

C:\openssl\bin>openssl s_client -connect sensestandalone:443 -tls1 -servername sensestandalone | openssl x509 -text -noout
Loading 'screen' into random state - done
depth=0 CN = SenseStandalone
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = SenseStandalone
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:cd:81:4e:f8:8c:28:ed:f5:1d:0c:67:ae:5c:45
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=SenseStandalone-CA
        Validity
            Not Before: Jan  2 04:19:53 2017 GMT
            Not After : Jan  9 04:19:53 2027 GMT
        Subject: CN=SenseStandalone
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:8b:23:c4:f9:6c:d2:19:90:db:9c:51:2a:14:5e:
                    88:c5:24:cf:e9:3a:67:82:7a:8f:db:9b:ad:39:99:
                    9c:4c:1c:c4:11:ae:6a:96:20:24:e1:e2:19:c3:9e:
                    53:ba:52:45:4d:93:79:80:8b:c3:d9:3f:e7:7e:88:
                    65:16:b7:e5:84:8e:7c:1d:1e:e4:b4:df:29:8b:b4:
                    1e:6b:c2:c0:b8:83:78:16:de:4d:65:80:b0:b5:c6:
                    53:86:05:63:b3:2b:52:a0:20:8a:35:b0:fc:5d:25:
                    e8:77:32:b3:8c:28:b3:53:39:d1:4e:7b:df:0b:ee:
                    4c:51:bd:bf:01:f2:99:4b:59:31:c2:8e:04:a3:15:
                    0e:2c:34:da:e7:66:11:1d:77:85:80:28:d2:6b:05:
                    97:28:c0:97:a3:e4:8e:28:a7:d0:24:d5:69:da:e2:
                    2c:b1:5f:ee:5b:28:4e:44:04:c2:45:32:26:d7:8f:
                    19:56:95:e1:2a:ac:72:e1:57:ef:85:7e:53:dc:09:
                    44:22:4e:02:d6:20:69:02:c0:6a:49:23:76:5e:6d:
                    4f:e1:c6:9c:1b:a2:75:9d:b2:f7:65:89:cf:89:10:
                    37:c3:57:b0:a8:77:aa:c4:15:a8:7c:00:e6:75:c9:
                    06:7d:76:9e:cb:51:e9:ae:4e:e9:f8:57:ee:e2:e4:
                    de:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                17:90:47:3E:66:51:DA:14:1A:A5:85:77:D2:36:66:61:E4:3A:08:FF
            X509v3 Authority Key Identifier:
                keyid:C9:D1:A4:38:7F:FA:6F:9A:05:DD:CC:8A:D9:7B:4C:12:98:38:86:AE

            1.3.6.1.5.5.7.13.3:
                ..Service
            1.3.6.1.5.5.7.13.1:
vgu,...e...q......Y.*r...GiG!./aL..+..O......>..w.9...M`f..,....T..w`...i^.b..&...!C.... ]..{h9.W...W3...F(...(=.)..Z....x..F..2
            1.3.6.1.5.5.7.13.2:
...SJ....S.8/....................(P*R.............5]..........?..b..l..=\.O......L.W.x.,.......|.. .,....t2aK..z)..s=..3,......x
    Signature Algorithm: sha256WithRSAEncryption
         27:2d:1d:c1:43:00:77:ec:76:a9:f1:f8:c3:73:26:58:e8:7d:
         fc:61:3b:cf:91:dd:cf:b7:6c:66:ac:5d:c7:bb:08:10:85:2a:
         4a:be:b8:d2:df:c3:02:ff:02:f9:9d:89:e7:6c:6c:82:d9:99:
         9a:47:2a:65:01:c8:d2:ad:f4:c8:e1:a4:12:72:3a:c6:11:d6:
         90:b2:4e:2a:42:a5:d6:53:69:1b:57:ee:2c:02:b6:a1:8a:a5:
         bb:6d:23:04:46:69:74:fa:c7:f3:70:d4:a7:d0:8b:ca:cd:ff:
         65:5e:e3:44:20:be:28:58:08:5b:5f:9d:f0:07:1b:b9:ee:ca:
         7e:33:99:49:2e:57:b8:5e:dd:82:e4:7e:85:33:e7:3d:27:7c:
         d5:a9:b0:24:22:6b:17:3e:34:91:c6:a0:22:b7:3c:85:6c:64:
         ed:d2:72:a7:ac:a7:5d:04:b5:fa:4a:48:49:bc:31:0f:48:38:
         20:84:4e:a3:fe:f2:2c:bc:89:ee:0d:2f:4d:3f:87:29:9f:f7:
         c6:3d:97:a3:12:28:a0:92:5a:64:7f:45:de:18:b3:c3:91:5f:
         eb:85:9a:99:e9:e2:f5:cc:a6:47:65:5f:be:d6:dd:50:88:38:
         5c:17:88:16:25:07:20:e2:cd:13:ca:69:14:97:73:ad:d9:cd:
         52:3b:0b:e4

SSL Certificate (4244):

C:\openssl\bin>openssl s_client -connect sensestandalone:4244 -tls1 -servername sensestandalone | openssl x509 -text -noout
depth=0 CN = SenseStandalone
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = SenseStandalone
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:cd:81:4e:f8:8c:28:ed:f5:1d:0c:67:ae:5c:45
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=SenseStandalone-CA
        Validity
            Not Before: Jan  2 04:19:53 2017 GMT
            Not After : Jan  9 04:19:53 2027 GMT
        Subject: CN=SenseStandalone
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:8b:23:c4:f9:6c:d2:19:90:db:9c:51:2a:14:5e:
                    88:c5:24:cf:e9:3a:67:82:7a:8f:db:9b:ad:39:99:
                    9c:4c:1c:c4:11:ae:6a:96:20:24:e1:e2:19:c3:9e:
                    53:ba:52:45:4d:93:79:80:8b:c3:d9:3f:e7:7e:88:
                    65:16:b7:e5:84:8e:7c:1d:1e:e4:b4:df:29:8b:b4:
                    1e:6b:c2:c0:b8:83:78:16:de:4d:65:80:b0:b5:c6:
                    53:86:05:63:b3:2b:52:a0:20:8a:35:b0:fc:5d:25:
                    e8:77:32:b3:8c:28:b3:53:39:d1:4e:7b:df:0b:ee:
                    4c:51:bd:bf:01:f2:99:4b:59:31:c2:8e:04:a3:15:
                    0e:2c:34:da:e7:66:11:1d:77:85:80:28:d2:6b:05:
                    97:28:c0:97:a3:e4:8e:28:a7:d0:24:d5:69:da:e2:
                    2c:b1:5f:ee:5b:28:4e:44:04:c2:45:32:26:d7:8f:
                    19:56:95:e1:2a:ac:72:e1:57:ef:85:7e:53:dc:09:
                    44:22:4e:02:d6:20:69:02:c0:6a:49:23:76:5e:6d:
                    4f:e1:c6:9c:1b:a2:75:9d:b2:f7:65:89:cf:89:10:
                    37:c3:57:b0:a8:77:aa:c4:15:a8:7c:00:e6:75:c9:
                    06:7d:76:9e:cb:51:e9:ae:4e:e9:f8:57:ee:e2:e4:
                    de:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                17:90:47:3E:66:51:DA:14:1A:A5:85:77:D2:36:66:61:E4:3A:08:FF
            X509v3 Authority Key Identifier:
                keyid:C9:D1:A4:38:7F:FA:6F:9A:05:DD:CC:8A:D9:7B:4C:12:98:38:86:AE

            1.3.6.1.5.5.7.13.3:
                ..Service
            1.3.6.1.5.5.7.13.1:
vgu,...e...q......Y.*r...GiG!./aL..+..O......>..w.9...M`f..,....T..w`...i^.b..&...!C.... ]..{h9.W...W3...F(...(=.)..Z....x..F..2
            1.3.6.1.5.5.7.13.2:
...SJ....S.8/....................(P*R.............5]..........?..b..l..=\.O......L.W.x.,.......|.. .,....t2aK..z)..s=..3,......x
    Signature Algorithm: sha256WithRSAEncryption
         27:2d:1d:c1:43:00:77:ec:76:a9:f1:f8:c3:73:26:58:e8:7d:
         fc:61:3b:cf:91:dd:cf:b7:6c:66:ac:5d:c7:bb:08:10:85:2a:
         4a:be:b8:d2:df:c3:02:ff:02:f9:9d:89:e7:6c:6c:82:d9:99:
         9a:47:2a:65:01:c8:d2:ad:f4:c8:e1:a4:12:72:3a:c6:11:d6:
         90:b2:4e:2a:42:a5:d6:53:69:1b:57:ee:2c:02:b6:a1:8a:a5:
         bb:6d:23:04:46:69:74:fa:c7:f3:70:d4:a7:d0:8b:ca:cd:ff:
         65:5e:e3:44:20:be:28:58:08:5b:5f:9d:f0:07:1b:b9:ee:ca:
         7e:33:99:49:2e:57:b8:5e:dd:82:e4:7e:85:33:e7:3d:27:7c:
         d5:a9:b0:24:22:6b:17:3e:34:91:c6:a0:22:b7:3c:85:6c:64:
         ed:d2:72:a7:ac:a7:5d:04:b5:fa:4a:48:49:bc:31:0f:48:38:
         20:84:4e:a3:fe:f2:2c:bc:89:ee:0d:2f:4d:3f:87:29:9f:f7:
         c6:3d:97:a3:12:28:a0:92:5a:64:7f:45:de:18:b3:c3:91:5f:
         eb:85:9a:99:e9:e2:f5:cc:a6:47:65:5f:be:d6:dd:50:88:38:
         5c:17:88:16:25:07:20:e2:cd:13:ca:69:14:97:73:ad:d9:cd:
         52:3b:0b:e4

The command seemed to hang at the end both times.

    In the web security model, an [***origin***](https://en.wikipedia.org/wiki/Same-origin_policy) is a {protocol, host, port} triplet. As far as web components are concerned, `https://SenseStandalone` and `https://SenseStandalone:4244` are different origins and are in different security contexts. That may explain your redirect problem. – jww Jan 26 '17 at 05:33
  • Added the actual error and bindings above. There are no alternate names for the certificate. I can test against a FQDN next week if you think it might make a difference. – Leigh K Jan 26 '17 at 09:30
  • NB: The only name it has is 'sensestandalone'. – Leigh K Jan 26 '17 at 09:35
  • I've got a feeling you are going to need these next: [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639). – jww Jan 26 '17 at 09:44
  • So our software creates the certs, not me. It's part of our company's product. – Leigh K Jan 26 '17 at 10:59
  • I've never seen a certificate like that, but I'm not going to say it's malformed because a Private PKI can do whatever it wants. It would be really nice to see the hostname in the *Subject Alternate Name (SAN)* because it would avoid a lot of "what if" questions. Does your company supply custom Ruby software to work with the certs (like a Gem)? – jww Jan 26 '17 at 11:20
  • I'm going to spitball something, so take it with a grain of salt (and keep in mind the SAN comment). You make the request using `sensestandalone`, but the X.509 cert has *`CN=SenseStandalone`*. According to [RFC 6125, Section 6.4.1](https://tools.ietf.org/html/rfc6125#section-6.4.1): *"If the DNS domain name ... is a "traditional domain name", then matching ... is performed by comparing the set of domain name labels using a case-insensitive ASCII comparison, as clarified by [DNS-CASE]"*. [DNS-CASE] is just lowercase. Can you breakpoint in `ssl.rb` and see what is going on in there? – jww Jan 26 '17 at 11:27
  • Or maybe, can you get new certificates issued for testing purposes with `CN=sensestandalone` (i.e., the name in lowercase)? The other thing I would like to see is a Subject Alternate Name (SAN) added to each cert. You might consider filing a bug because it's missing. In PKIX it's ***nearly*** required, but a Private PKI can do whatever it wants. Now, the problem is, Ruby uses PKIX rules, not Private PKI rules. Also see [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639). It gives you the rules and cites the standards. – jww Jan 26 '17 at 11:34
  • My company doesn't do anything with Ruby generally - I may be the first to try. If you can provide me a reference to SAN being required, I can log a bug with them. The software generates its own self-signed certs, so I can reinstall it and change the name to lower-case (and/or FQDN). – Leigh K Jan 26 '17 at 19:32

1 Answer


So I managed to get a different certificate. I set both the FQDN and hostname as SANs in lowercase.
One of these has fixed my issue. I am not sure which. I would appreciate a reference to the requirement for Subject Alternate Names, as the developers I spoke to at my company see this as just a suggestion.

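The answer leaves open which of the two changes mattered, and jww's comments raise both the RFC 6125 case rule and the missing SAN. The following is an added example, not code from the question, the answer or the product: it calls `OpenSSL::SSL.verify_certificate_identity`, the check that `post_connection_check` runs and that raised the error in the question, against two constructed self-signed certificates, one shaped like the original (`CN=SenseStandalone`, no SAN) and one shaped like the replacement (lowercase hostname and FQDN as DNS SANs). The FQDN `sensestandalone.example.com`, the one-hour validity and the 2048-bit key are assumptions. Two behaviours of Ruby's openssl library show up directly: a name with no dots is compared with a plain `==`, so the case-insensitive matching jww cited applies only to multi-label names here, and once a SAN is present the CN is not consulted at all.

```ruby
require "openssl"

# One key for every constructed certificate; key generation is the slow part.
KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate with the given CN and optional DNS SANs.
# Constructed test data, not the certificate from the question.
def make_cert(cn, dns_sans: [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = cert.subject
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600 # assumed validity window
  unless dns_sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san_value = dns_sans.map { |n| "DNS:#{n}" }.join(",")
    cert.add_extension(ef.create_extension("subjectAltName", san_value, false))
  end
  cert.sign(KEY, OpenSSL::Digest.new("SHA256"))
end

# The same identity check SSLSocket#post_connection_check performs after the
# handshake: SANs first, CN only when the certificate carries no SAN.
def name_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# SHA-1 over the DER encoding, the value netsh lists as "Certificate Hash".
def thumbprint(cert)
  OpenSSL::Digest.new("SHA1").hexdigest(cert.to_der)
end

# Shaped like the certificate in the question: mixed-case CN, no SAN.
CERT_CN_ONLY = make_cert("SenseStandalone")

# Shaped like the replacement: lowercase hostname and FQDN as SANs.
# The domain example.com is assumed; the question never states the FQDN.
CERT_WITH_SAN = make_cert("SenseStandalone",
                          dns_sans: ["sensestandalone", "sensestandalone.example.com"])

if __FILE__ == $0
  names = ["SenseStandalone", "sensestandalone",
           "SenseStandalone.Example.COM", "other.example.com"]
  { "CN only" => CERT_CN_ONLY, "with SAN" => CERT_WITH_SAN }.each do |label, cert|
    puts "#{label} (thumbprint #{thumbprint(cert)})"
    names.each { |n| puts "  #{n.ljust(28)} #{name_matches?(cert, n)}" }
  end
end
```

With the CN-only certificate, `SenseStandalone` matches and `sensestandalone` does not, which is the exact failure in the question: the client connected by the lowercase name and the single-label CN was compared case-sensitively. With the SAN certificate the lowercase single-label name matches, the mixed-case form no longer does (the CN is ignored once a SAN exists), and the FQDN matches in any case because multi-label names are lowercased before comparison. `thumbprint` gives the same value as the netsh `Certificate Hash` column, so it can be used on the certificate the client actually receives on 443 and 4244 to confirm the bindings shown above are what is served.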