Part 3: Cryptography; SSL/TLS Encryption.
Common SSL ERRORS.
1. Expired Certificate
Publicly trusted certificates are issued for at most about a year (398 days), and many CAs now issue them for only 90 days. If the certificate is not renewed before its notAfter date, clients refuse the connection with an expired-certificate error. The same error also shows up when the certificate is fine but the client's clock is wrong, so check the system time (NTP) before reissuing anything.
Resolve the error by generating a new private key and .csr, having the CA issue a new .crt with a fresh validity period, and installing it. Automate the renewal so the certificate never lapses again.
2. Bad Cert Domain / Invalid Common Name (Name Mismatch)
A certificate issued for abc.target.com must be served by the host that clients reach as abc.target.com.
Serving a certificate issued for def.target.com on abc.target.com shows a name-mismatch error in the browser (Firefox reports it as SSL_ERROR_BAD_CERT_DOMAIN) and a "bad cert domain" / "hostname mismatch" error on the client side, for example in curl or in HTTP client logs.
Modern browsers ignore the Common Name entirely and match the hostname only against the Subject Alternative Name (SAN) extension, so a certificate with the right CN but a missing or wrong SAN still fails.
Resolve the error by making sure the SAN (and, for very old clients, the CN) contains every hostname the service is reached by. Both are fixed when the CSR is created and signed, so a wrong name means a new CSR and a re-issue; there is no way to patch the name into an existing certificate.
3. Missing certificate chain
From Part One [https://medium.com/@vivian.kfrost/ssl-tls-encryption-99f41d0e6372]: a server certificate is validated as a chain. The leaf (server) certificate is signed by an intermediate CA, which is in turn signed, possibly through further intermediates, by a root CA that the client already trusts. The client accepts the leaf only if it can walk that chain back to a root in its own trust store, so the server must send the leaf plus every intermediate (CAs usually ship these as ca-bundle.crt). The root itself does not need to be sent, since the client already has it. When the issuer cannot be found, Apache logs something like:
[ssl:error] [pid 32312] [client : ] AH02039: Certificate
Verification: Error (2): unable to get issuer certificate
Resolve the error by:
- Checking what the server actually sends with openssl s_client -showcerts -connect [host]:[port]; if only one certificate is printed, the intermediate is missing.
- Downloading the intermediate certificate(s) from the CA (they are delivered with the issued certificate, or published in the CA's repository) and concatenating them after the leaf into one bundle, in order: leaf, then the intermediate that signed it, then any higher intermediate. Do not try to "generate" a root; roots are only ever obtained from the CA and only belong in trust stores.
- Pointing the server at the bundle: on Apache 2.4.8 and newer, SSLCertificateFile may contain the whole chain (older releases put the intermediates in SSLCertificateChainFile); on nginx, ssl_certificate takes the concatenated file.
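Added here as a worked example (this is not code from the original article): a throwaway root -> intermediate -> leaf chain built with openssl, used to reproduce offline the checks behind errors 1 to 3: the expiry warning, the name mismatch, and the "unable to get issuer certificate" failure when the intermediate is not sent. It assumes openssl 1.1.1 or newer on PATH; the hostnames abc.target.com and def.target.com come from the article, while the key type, lifetimes and file names are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a throwaway
# root -> intermediate -> leaf chain and reproduces the checks behind
# errors 1 (expiry), 2 (name mismatch) and 3 (missing chain).
# Assumes openssl 1.1.1+ on PATH. Hostnames are the article's; key type,
# lifetimes and file names are assumptions for this demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# openssl req with a fresh EC key, no passphrase, no interactive prompts.
req() { openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes "$@" >/dev/null 2>&1; }

# Sign a CSR with a CA: sign <csr> <ca.crt> <ca.key> <days> <extfile> <out.crt>
sign() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days "$4" -extfile "$5" -out "$6" >/dev/null 2>&1
}

make_pki() {
    # Extensions that make a certificate a CA (used for root and intermediate).
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
    # Root CA: self-signed. In real life it lives in the client's trust
    # store and is never served by the web server.
    req -keyout root.key -out root.csr -subj "/CN=Demo Root"
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt >/dev/null 2>&1
    # Intermediate CA, signed by the root.
    req -keyout int.key -out int.csr -subj "/CN=Demo Intermediate"
    sign int.csr root.crt root.key 1825 ca.ext int.crt
    # 90-day leaf whose SAN lists abc.target.com only (clients match the SAN, not the CN).
    req -keyout leaf.key -out leaf.csr -subj "/CN=abc.target.com"
    printf 'subjectAltName=DNS:abc.target.com\n' > leaf.ext
    sign leaf.csr int.crt int.key 90 leaf.ext leaf.crt
    # What the server should actually serve: leaf first, then the intermediate.
    cat leaf.crt int.crt > fullchain.crt
}

# Error 1: exit 0 if $1 is still valid in $2 days, 1 if it expires before then.
check_expiry() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# Errors 2 and 3: verify leaf $1 against root.crt as a client would.
# $2 = the extra (untrusted) chain file the "server" sends, "" for leaf only;
# $3 = the hostname the client connected to, "" to skip the name check.
verify_leaf() {
    leaf=$1; chain=${2:-}; host=${3:-}
    set -- -CAfile root.crt
    [ -n "$chain" ] && set -- "$@" -untrusted "$chain"
    [ -n "$host" ]  && set -- "$@" -verify_hostname "$host"
    openssl verify "$@" "$leaf" >/dev/null 2>&1
}

make_pki
check_expiry leaf.crt 30  && echo "expiry: still valid in 30 days"
check_expiry leaf.crt 120 || echo "expiry: expires within 120 days, schedule renewal"
verify_leaf leaf.crt ""      || echo "chain: leaf alone -> unable to get issuer certificate"
verify_leaf leaf.crt fullchain.crt && echo "chain: leaf + intermediate -> OK"
verify_leaf leaf.crt fullchain.crt abc.target.com && echo "name: abc.target.com matches the SAN"
verify_leaf leaf.crt fullchain.crt def.target.com || echo "name: def.target.com -> hostname mismatch"
```

Against a live host, replace the file-based checks with openssl s_client -showcerts -connect [host]:[port] -servername [host] and feed the printed certificates to the same openssl verify and openssl x509 -checkend commands; the failure texts are identical to the ones produced here.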
4. SSL and TLS mismatch or interchange
SSLv2 and SSLv3 are obsolete and disabled on any properly configured server, which accepts only TLS (today TLS 1.2 and 1.3). When a client insists on SSL, or on a TLS version the server has disabled, the handshake never completes: the server simply closes the connection and the client reports a generic failure rather than a clear version error. A common one:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to
[host]:[port]
The certificate is not the problem here. An X.509 certificate is independent of the protocol version; the same certificate serves TLS 1.2 and TLS 1.3 alike, and CAs do not issue "SSL" or "TLS" certificates. Resolve the error by checking the protocol configuration on both sides and making sure they share a TLS version, for example ssl_protocols TLSv1.2 TLSv1.3; on nginx or SSLProtocol -all +TLSv1.2 +TLSv1.3 on Apache, then confirming with openssl s_client -connect [host]:[port] -tls1_2 (or -tls1_3). Old clients that cannot speak TLS 1.2 need upgrading; do not re-enable SSLv3 or TLS 1.0 on the server to accommodate them.
5. Secure Connection Failed
Secure Connection Failed An error occurred during a connection to
[host]:[port] . SSL received a record that exceeded the maximum
permissible length. (Error code: ssl_error_rx_record_too_long)
This error means the client sent a TLS ClientHello and got back something that is not TLS at all, usually a plaintext HTTP response; the "record" it complains about is that HTTP reply being parsed as a TLS record. The usual reasons:
- The port is not listening at all, or it is served by a plain HTTP virtual host (no SSLEngine on in Apache, no ssl parameter on the listen directive in nginx).
- The same port is defined more than once, for example as a plain Listen 443 virtual host in httpd.conf and again in ssl.conf, so the non-TLS definition answers.
- The client is using https:// against a port that only speaks plain HTTP (for example https://[host]:80).
To resolve the error:
- Ensure the port is listening, with Listen 443 in the Apache configuration and SSLEngine on in the virtual host that serves it.
- Keep a single definition of the port; if it appears in both httpd.conf and ssl.conf, remove the plain one, preferably from httpd.conf.
- On nginx use listen [PORT_NUMBER] ssl; (the ssl parameter is what makes that port speak TLS), and reload the service after the change.
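The nginx side of this, shown as an added illustration (not a configuration taken from the article): the misconfigured server block that produces ssl_error_rx_record_too_long next to the corrected one. The hostname is the article's; the certificate paths are placeholders, and only one of the two blocks would exist in a real configuration.

```nginx
# WRONG: port 443 is open, but without the "ssl" parameter nginx answers
# the browser's TLS ClientHello with a plaintext HTTP response, and the
# browser reports ssl_error_rx_record_too_long. The ssl_certificate
# directives are silently ignored on a non-TLS listener.
server {
    listen 443;
    server_name abc.target.com;
    ssl_certificate     /etc/ssl/abc.target.com/fullchain.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/abc.target.com/abc.target.com.key;
}

# RIGHT: "ssl" on the listen line makes that port speak TLS. The
# certificate file is the leaf followed by the intermediate(s), which
# also avoids error 3 (missing chain), and only TLS 1.2/1.3 is offered.
server {
    listen 443 ssl;
    server_name abc.target.com;
    ssl_certificate     /etc/ssl/abc.target.com/fullchain.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/abc.target.com/abc.target.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

Run nginx -t after editing and reload; a second plain listen 443 in another file would still win for that port, so grep the whole configuration for the port number, not just the file you edited.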
Java based errors;
1. Keystore Password Errors
A Java application reads the keystore password and the key alias from its configuration file or from a vault. When it opens an SSL connection it uses the password to open the keystore and the alias to pick the private key and certificate it will present. Note that JKS and PKCS12 keystores have two passwords, one for the store and one for each key entry (the key password defaults to the store password); the stack trace below is thrown when the key password is wrong, so a store that opens fine can still fail on getKey:
Exception in thread "main" java.security.UnrecoverableKeyException: Cannot recover key at sun.security.provider.KeyProtector.recover(KeyProtector.java:311) at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121) at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38) at java.security.KeyStore.getKey(KeyStore.java:763)
To resolve the error, change the password in the application configuration to match the one the keystore was created with. Alternatively, change the keystore password to match the configuration:
keytool -storepasswd -new new_storepass -keystore keystore.jks
If the key entry has its own password, change that as well with keytool -keypasswd for the configured alias, since -storepasswd does not touch key entries.
2. SSL Hostname Verification
When a Java client connects to a server it verifies, after the handshake, that the hostname it connected to appears in the server certificate's Subject Alternative Name (or, for certificates without a SAN, the Common Name). The check is against the exact name used in the URL, so connecting by IP address or by a short hostname to a certificate issued for the fully qualified name fails even though the certificate is otherwise valid. The message
timeout occurred while performing ssl socket operation
is a transport timeout rather than the verification failure itself; when hostname verification fails, Java typically throws a java.security.cert.CertificateException along the lines of "No name matching [host] found" (or "No subject alternative names matching IP address ..." for IP connections).
To resolve this, connect using a hostname that is in the certificate's SAN, or reissue the certificate with the missing name added. Importing the certificate into a truststore does not fix a name mismatch, and disabling hostname verification in code (a custom HostnameVerifier that always returns true) removes the protection against man-in-the-middle attacks and should not be used outside a throwaway test.
3. Certificate Chain error
A Java application has a truststore (by default the JRE's cacerts, or the file named in -Djavax.net.ssl.trustStore) containing the CA certificates it trusts. During the SSL handshake it checks that the server's certificate chains to one of those entries. If the chain cannot be built, because the CA is not in the truststore or because the server does not send its intermediate (error 3 above), the connection fails with
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
or with a javax.net.ssl.SSLHandshakeException wrapping "unable to find valid certification path to requested target".
To resolve the error, first confirm with openssl s_client -showcerts that the server sends its full chain; if it does, import the CA certificate (the root, or the intermediate if only that issuer should be trusted) into the truststore the application actually uses:
keytool -importcert -trustcacerts -alias abc22 -file abc.target.comCA.crt -keystore myTruststore
Import the CA certificate rather than the leaf, so that trust survives the next renewal, and restart the application, since the truststore is read at startup.
For more resources see:
https://www.sslshopper.com/article-most-common-openssl-commands.html