Problem with SSL3 certificate #2

Open
brezular opened this issue Nov 10, 2016 · 4 comments

@brezular

Hi,
I've tried to use your plugin with IPS 6.0. I was able to download the certificate with the command below (I have to use the keyword -ssl3):

echo | openssl s_client -connect 192.168.120.5:443 -ssl3 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

I'm getting the error message in /var/log/logstash/logstash.log.

{:timestamp=>"2016-11-10T08:51:27.465000+0100", :message=>"Cannot read URL or send the error as an event! Check your configuration for host url,user,password.", :request=>{"truststore_password"=>"MyPasswords", "auth"=>{:user=>"admin", :pass=>"cisco"}, "method"=>"get", "url"=>"https://192.168.13.20/cgi-bin/sdee-server?action=open&evIdsAlert&force=yes"}, :exception=>"SSL peer shut down incorrectly", :exception_backtrace=>nil, :level=>:error}

Here is my certificate:
cert1.pem.txt

@rootik
Owner

rootik commented Nov 10, 2016

Hello,
For some unknown reason, the full output of the openssl command is in your .pem file, not just a certificate. Perhaps there is a problem with the sed command.
Try to put this stripped certificate version in your certificate store. Rename it to cert.pem first.
cert_new.pem.txt

@brezular
Author

Hi,
My mistake: I previously attached the whole output of the openssl command to let you know what my certificate looks like. I tried the plugin with a correct certificate, but I still get "SSL peer shut down incorrectly".
I guess the issue is somehow connected with using an SSL3 certificate.

@rootik
Owner

rootik commented Nov 10, 2016

Ok. What is your Java version? java -version

@rootik
Owner

rootik commented Nov 10, 2016

As we know

SSLv3 is disabled by default
Starting with JDK 6u91 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. See the java.security.Security property jdk.tls.disabledAlgorithms in <JRE_HOME>/lib/security/java.security file.

If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.

It should be noted that SSLv3 is obsolete and should no longer be used.

Enabling SSLv3 for various Java versions explained here
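
An added example, not part of the thread or the plugin's code: a shell check that reads the jdk.tls.disabledAlgorithms property quoted above from a java.security file and reports whether SSLv3 is still on the disabled list. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether SSLv3 is still listed in jdk.tls.disabledAlgorithms.

# Print the effective value of jdk.tls.disabledAlgorithms from a java.security file.
disabled_algorithms() {
    awk '
        !cont && /^[ \t]*#/ { next }              # comment line
        !cont {
            if ($0 !~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/) next
            value = ""                             # a later definition replaces an earlier one
            sub(/^[^=]*=/, "")                     # drop "key="
        }
        {
            cont = ($0 ~ /\\$/)                    # trailing backslash continues the value
            sub(/\\$/, ""); sub(/^[ \t]+/, "")     # join the continuation line
            value = value $0
        }
        END { print value }
    ' "$1"
}

# Exit 0 if SSLv3 is an entry of the property, 1 otherwise (compared case-insensitively).
sslv3_disabled() {
    disabled_algorithms "$1" | awk -F, '
        { for (i = 1; i <= NF; i++) {
              gsub(/^[ \t]+|[ \t]+$/, "", $i)
              if (tolower($i) == "sslv3") found = 1 } }
        END { exit !found }'
}

# Constructed sample files (not copied from any real JRE).
write_samples() {
    printf '%s\n' '# constructed sample: SSLv3 on the disabled list' \
        'jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \' \
        '    EC keySize < 224' > "$1/default.security"
    printf '%s\n' '# constructed sample: SSLv3 removed from the list' \
        'jdk.tls.disabledAlgorithms=RC4, DH keySize < 768' > "$1/weakened.security"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.security; do
    if sslv3_disabled "$f"; then echo "$(basename "$f"): SSLv3 disabled"
    else echo "$(basename "$f"): SSLv3 ENABLED, review this JVM"; fi
done
rm -rf "$tmp"
```

To audit a real host, call `sslv3_disabled` on `<JRE_HOME>/lib/security/java.security` of the JVM that runs Logstash.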
