Run test on remote Server: enableCrypto operation on CakeSocket #1246
Comments
When troubleshooting don't assume anything. ;-) Check your CakePHP version with:
When this is ok (running 2.8.x) check what MISP is actually sending to your proxy using tcpdump and/or wireshark.
Assuming it's fixed.
Nope, still an issue:
Enabled debug I found the stacktrace:
The system has no issue to pull data from a well known misp instance.
@Rafiot can you re-open that issue please?
thx @RichieB2B as you asked:
Is that maybe an issue with ssl certs that are issued by an internal CA? The MISP version both servers are running:
Those version numbers look ok. The error message you are getting suggests CakePHP fails to set up the ssl tunnel correctly. The CakePHP error handling is not very good and the error message not descriptive enough to determine the cause. Check with tcpdump/wireshark what MISP is actually sending to your proxy and how the proxy responds.
fwiw I am still trying to find the root cause.
Did you check with tcpdump what MISP is actually sending to your proxy?
Ok found the reason. Checked the TCPDUMP and I get Unknown CA. The CA is however added to the trusted CAs of the OS (and verified with wget). So the solution was to add the CRT of the CA as pem to Server certificate and it worked. (Btw I discovered another issue, as it would be handy to get feedback from the UI if the server certificate does not have the right file extension (*.pem): it will simply do nothing. This is somehow not really intuitive, but I will create a new issue for that.) Anyway, I would have expected that if I set "self signed" the complete check is disabled and it would trust whatever cert is provided from System B.
Another thing I observed is that it looks like the server SSL cert does not work; it is always the signing CA that needs to be imported (tested with two instances). That is a little odd, but not in our hands I guess, but maybe we can increase the visibility for people that are trying to add a server to tell WHY a connection failed, e.g. the CakePHP error message.
Basically for servers with a full chain - signing CA, (intermediary,) server cert - you need to create a merged pem file and it should work fine. I know of some communities that use their own full signing chain that is signed by their own root CA that is not a "known" root CA by the Mozilla CA store. For them it works fine with the full chain exported as a single merged pem.
Adding the full chain (including intermediate CAs) is not actually needed. You need to add the top CA, the server needs to provide the intermediate CAs. Adding the intermediate CAs in the file will not fix the issue of the server only sending the server certificate and not the intermediate CAs.
So we just had a chat session on gitter: if you have a root CA, a sub CA and the server cert, and it is missing the root CA (CakePHP is ignoring the OS CA), it will fail to use the cert.
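The trust-file cases discussed in the comments above, reproduced offline as an added example (not part of the original thread, and not MISP or CakePHP code). It builds a constructed root CA, sub CA and server certificate with the openssl CLI and uses `openssl verify` as a stand-in for a TLS client that trusts only the uploaded PEM; the function names `make_chain`, `trust_ok`, `report` and `demo` and all certificate names are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration, not MISP or CakePHP code. All certificates are constructed:
# a throwaway root CA -> sub CA -> server certificate, written under directory $1.
make_chain() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Sub CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rmisp.example" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -set_serial 3 -days 2 -out "$d/srv.pem" 2>/dev/null
}

# trust_ok CAFILE LEAF [SENT_INTERMEDIATES]
# Exit status 0 if LEAF chains to a root found in CAFILE. The constructed CA is in
# no OS store, so only CAFILE counts, like the client described in the thread.
# SENT_INTERMEDIATES models the intermediates the server sends in its handshake.
trust_ok() {
  local cafile="$1" leaf="$2" sent="${3:-}"
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$cafile" -untrusted "$sent" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
  fi
}

report() { if trust_ok "$@"; then echo OK; else echo FAIL; fi; }

demo() {
  local d
  d="$(mktemp -d)" || return 1
  make_chain "$d" || { echo "openssl could not build the test chain"; return 1; }
  echo "trust file = server cert only:            $(report "$d/srv.pem" "$d/srv.pem")"
  echo "trust file = sub CA only (root missing):  $(report "$d/sub.pem" "$d/srv.pem" "$d/sub.pem")"
  echo "trust file = root CA, server sends leaf:  $(report "$d/root.pem" "$d/srv.pem")"
  echo "trust file = root CA, server sends chain: $(report "$d/root.pem" "$d/srv.pem" "$d/sub.pem")"
  rm -rf "$d"
}
demo
```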
(*.pem) MISP#1246
I am recently seeing exactly the same issue with one sync partner. First some details about the install:
In my case curl/browsing also works for the remote partner, only MISP does not work.
Trying to set up connection to a new server.
I have two MISP instances that verified the issue.
MISP1 is productive and already connected to a remote MISP (so connection with proxy works)
MISP2 is a VM (the test VM) with updated OS and latest version Currently installed version..... v2.4.47
RMISP (the remote MISP) is Currently installed version..... v2.4.26
Added the RMISP as remote connection, added the auth key, uploaded the pem file.
Now running a test it gives:
Doing a curl
```
curl -k https://RMISP/events/xml/download.json
-->
{"name":"Authentication failed. Please make sure you pass the API key of an API enabled user along in the Authorization header.","message":"Authentication failed. Please make sure you pass the API key of an API enabled user along in the Authorization header.","url":"\/events\/xml\/download.json"}
```
I saw #740
But I updated MISP according to the update guide already, so I assume my cakephp is up2date as well.
I see that traffic is going to my proxy, but no data is on the receiver site. However if I browse the MISP instance, it works and curl also pops up in RMISP logs.
Don't use Proxy authentication.
Any ideas how to fix that?
Work environment
Expected behavior
Actual behavior
"
Error: Connection test failed. Reason: "Unable to perform enableCrypto operation on CakeSocket"
"
Steps to reproduce the behavior
Logs, screenshots, configuration dump, ...