xipki | Highly scalable and high-performance open source PKI | TLS library
kandi X-RAY | xipki Summary
kandi X-RAY | xipki Summary
XiPKI (eXtensible sImple Public Key Infrastructure) is a highly scalable and high-performance open source PKI (CA and OCSP responder).
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- Executes a remote management action
- Update the cache store
- Create a new ocsp store based on the configuration
- Initialize ocsp
- Handles a POST request
- Update the cache store
- Create a new ocsp store based on the configuration
- Initialize ocsp
- Retrieves the extensions for a given certificate
- Checks that the SubFields are valid
- Checks if the field is valid
- Initialize the directory
- This method retrieves information about a protocol
- Checks that the public key is a public key
- Returns the OCSP status information from the issuer certificate store
- Returns CertStatus information from OCSP store
- Returns an EJB certificate status information
- Create a new instance of an object
- Create a new object for signing
- Private int ;
- Refreshes the contents of a key
- Initialize the XC CC statements
- Handles POST request
- Returns the CRL for the given CA
- Initialize the extra log files
- Handle a GET request
- Convert a CA configuration file to a zip stream
- Checks the specified certificate
- From interface Responder
xipki Key Features
xipki Examples and Code Snippets
def gather_ops_or_named_saveables(self):
"""Looks up or creates SaveableObjects which don't have cached ops.
Returns:
A tuple of (
existing_restore_ops: list,
named_saveables: dict,
python_positions: list,
def put(self, key, vals, indices=None, name=None):
"""Create an op that stores the (key, vals) pair in the staging area.
Incomplete puts are possible, preferably using a dictionary for vals
as the appropriate dtypes and shapes can be inf
def as_default(self):
try:
if not self._used_once:
# If an outer eager VariableStore was explicitly created and set by
# the first time this template store was used (even if not at
# constructor time) then pick up th
Community Discussions
Trending Discussions on TLS
QUESTION
I am currently trying to connect to an AWS REST API which requires at least TLS v1.2. The documentation stats that clients must also support cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE).
When sending a GET
request using the HttpClient
, the connection simply times out. I have set the TLS version explicitely to TLSv1.2
like this:
ANSWER
Answered 2022-Mar-30 at 12:52We finally found the reason for this. Windows did not have the required cypher suites enabled. We have used IISCrypto to enable the corresponding cypher suites and all is ok now.
It looks like it's possible to force .NET to TLS 1.2, even though it was not enabled on the server itself.
QUESTION
We have an on premise server (Windows Server 2012 R2) with an Azure Pipelines agent running on it. Today (31st Jan 2022) this agent could not longer connect to our Azure DevOps organisation.
Judging by the log files, I assume this is because it is trying to connect with an older TLS version, which as of today is no longer available - https://devblogs.microsoft.com/devops/azure-devops-services-to-require-tls-1-2/
So I followed the instructions on how to make sure TLS 1.2 was enabled, and confirmed my settings in the registry editor and by running the PowerShell script suggested here - https://docs.microsoft.com/en-us/security/engineering/solving-tls1-problem#update-windows-powershell-scripts-or-related-registry-settings
All seems ok, yet it still fails to connect with the same issue. The machine has been restarted as well. If I try the URL it is requesting in the in built Internet Explorer browser, it fails, but with Chrome it succeeds, so it must still be trying to connect with TLS 1.2, but I don't know why. I've tried reinstalling the agent (with the latest build) as well but it fails on the same error. Any suggestions?
...ANSWER
Answered 2022-Jan-31 at 23:27Enabling below Cyphers with IISCrypto on the server helped us fix the issue
Cipher Suites
TLS 1.2 (suites in server-preferred order) TLS
- _DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256 TLS
- DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128
This from Vijay's solution
QUESTION
I am using a company-hosted (Bitbucket) git repository that is accessible via HTTPS. Accessing it (e.g. git fetch
) worked using macOS 11 (Big Sur), but broke after an update to macOS 12 Monterey.
*
After the update of macOS to 12 Monterey my previous git setup broke. Now I am getting the following error message:
...ANSWER
Answered 2021-Nov-02 at 07:12Unfortunately I can't provide you with a fix, but I've found a workaround for that exact same problem (company-hosted bitbucket resulting in exact same error).
I also don't know exactly why the problem occurs, but my best guess would be that the libressl library shipped with Monterey has some sort of problem with specific (?TLSv1.3) certs. This guess is because the brew-installed openssl v1.1 and v3 don't throw that error when executed with /opt/homebrew/opt/openssl/bin/openssl s_client -connect ...:443
To get around that error, I've built git from source built against different openssl and curl implementations:
- install
autoconf
,openssl
andcurl
with brew (I think you can select the openssl lib you like, i.e. v1.1 or v3, I chose v3) - clone git version you like, i.e.
git clone --branch v2.33.1 https://github.com/git/git.git
cd git
make configure
(that is why autoconf is needed)- execute
LDFLAGS="-L/opt/homebrew/opt/openssl@3/lib -L/opt/homebrew/opt/curl/lib" CPPFLAGS="-I/opt/homebrew/opt/openssl@3/include -I/opt/homebrew/opt/curl/include" ./configure --prefix=$HOME/git
(here LDFLAGS and CPPFLAGS include the libs git will be built against, the right flags are emitted by brew on install success of curl and openssl; --prefix is the install directory of git, defaults to/usr/local
but can be changed) make install
- ensure to add the install directory's subfolder
/bin
to the front of your$PATH
to "override" the default git shipped by Monterey - restart terminal
- check that
git version
shows the new version
This should help for now, but as I already said, this is only a workaround, hopefully Apple fixes their libressl fork ASAP.
QUESTION
I am getting this warning from github on my npm project build process... I tried searching on the internet and also read the blog link posted by github - but I could not find the solution to it anywhere. Am I missing something ?
Warning seen
...npm notice Beginning October 4, 2021, all connections to the npm registry - including for package installation - must use TLS 1.2 or higher. You are currently using plaintext http to connect. Please visit the GitHub blog for more information: https://github.blog/2021-08-23-npm-registry-deprecating-tls-1-0-tls-1-1/
ANSWER
Answered 2021-Sep-10 at 15:18Besides updating your version of node to an active or current LTS you want to ensure your NPM registry is set to an HTTPS endpoint:
QUESTION
This worked fine for me be building under Java 8. Now under Java 17.01 I get this when I do mvn deploy.
mvn install works fine. I tried 3.6.3 and 3.8.4 and updated (I think) all my plugins to the newest versions.
Any ideas?
...ANSWER
Answered 2022-Feb-11 at 22:39Update: Version 1.6.9 has been released and should fix this issue! 🎉
This is actually a known bug, which is now open for quite a while: OSSRH-66257. There are two known workarounds:
1. Open ModulesAs a workaround, use --add-opens
to give the library causing the problem access to the required classes:
QUESTION
I am following this guide.
Ingress requests are getting logged. Egress traffic control is working as expected, except I am unable to log egress HTTP requests. What is missing?
...ANSWER
Answered 2022-Feb-07 at 17:14AFAIK istio collects only ingress HTTP logs by default.
In the istio documentation there is an old article (from 2018) describing how to enable egress traffic HTTP logs.
Please keep in mind that some of the information may be outdated, however I believe this is the part that you are missing.
QUESTION
Recently the 3rd party email service provider I was using made a change. They disabled support for TLS 1.0 and TLS 1.1.
I provide support for an ancient system that still uses php 5.3 and phpmailer 5.2.
My tests indicates that TLS 1.2 is enabled.
But, the PHPMailer code cannot connect to the email server after the disabling of TLS 1.0 and 1.1
Also, note that I am not a full time php expert.
Is there a way to make PHPMailer 5.2 use tls 1.2?
...ANSWER
Answered 2021-Nov-07 at 14:47It's not up to PHPMailer, its up to the version of PHP that you're using to run it, so the solution is to update your PHP version. The major changes relating to TLS were largely in PHP 5.6, so upgrading to that would be a good intermediate point if you're really stuck with this legacy version.
QUESTION
When compiling any typescript program that just imports mongodb
, i get 12 errors like:
ANSWER
Answered 2022-Jan-06 at 15:48I'm unable to reproduce your problem in my local environment, so I think it is a problem probably related to some other package in your project.
As suggested on this issue, you should try deleting your package-lock.json
and generating it again with npm.
QUESTION
My question: when building a minimal JRE, how can one make sure that no required module is missing?
To illustrate the question, here is an example where I want to build a minimal JRE for my project. Let's assume for this example that logback is my only dependency.
I run the following command to see what modules are required:
...ANSWER
Answered 2022-Jan-16 at 19:31The JAR you're using there has "no module descriptor" (see first line of output) and thus can't tell you what modules it depends on, so you have to find out yourself. The canonical tool for that is jdeps
but it may not be enough.
I wrote a jdeps tutorial that gets you started, but the interesting bit is this section. The gist is this command:
QUESTION
Ever since I've upgraded my Mac
to Monteray
, I've been having issues with Vagrant
.
Initially, I use to see a vBoxManage
error on terminal
when running vagrant up
. I posted a question on this on SO previously, see here for details.
Today, I uninstalled VirtualBox
again (removed VirtualBox VMs
folder and moved application to trash) and reinstalled VirtualBox 6.1.3
for OS X hosts` (link here).
I then ran vagrant up
on terminal
and it successfully compiled:
After seeing the famous green teddy, I tried going to vvv.test
but, the page doesn't load. I've tried accessing URLs of sites that have been provisioned
before, but they too do not load.
I've also ran vagrant up --debug
, and nothing concerning was seen.
My Vagrant
version is 2.2.19
Unsure what steps to take next?
Edit:
Steps taken:
- Have ran
vagrant up --provision
to provision sites inconfig.yml
file (config.yml
file can be seen below) - Have tried to access
website-dev.test
, page doesn't load - Have tried to access
vvv.test
, page doesn't load - Have ran
vagrant reload --provision
and repeated steps 2 and 3, but same results - Have ran
vagrant halt
andvagrant up
and repeated steps 2 and 3, but same results
I don't believe there's an issue in my config.yml
file, as before Monteray
update, everything was working fine (and I've made no changes to my yml
file since). But, to cover all scenario's, here is my config.yml
file:
ANSWER
Answered 2021-Dec-15 at 18:33Thanks to guidance from @Tinxuanna, I've managed to solve the issue (finally!).
For anyone else having similar issues, here's what I did:
- Access the
/etc/hosts
folder - Find file called
hosts
and open it in a text editor. - Remove the IP addresses related to
vagrant
(I kept a backup of the original file just in case) - After saving
hosts
file the IP addresses removed, I ranvagrant up --provision
- I then ran
vagrant up
- Then accessed
vvv.test
- You're done!
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install xipki
Get a copy of project code git clone https://github.com/xipki/xipki
Build the project In folder xipki mvn clean install -DskipTests Then you will find the following binaries: DB Tool: assembles/xipki-dbtool/target/xipki-dbtool-<version>.zip CA: assembles/xipki-ca/target/xipki-ca-<version>.zip OCSP: assembles/xipki-ocsp/target/xipki-ocsp-<version>.zip CLI (Command Line Interface): assembles/xipki-cli/target/xipki-cli-<version>.tar.gz ((or xipki-cli-<version>-jdk8.tar.gz for JDK 8))
Unpack the binary xipki-dbtool-<version>.zip.
If you use database other than PostgreSQL, MariaDB and MySQL, you need to get the JDBC driver and copy it to the directory lib/jdbc.
Unpack the binary xipki-ca-<version>.zip and install CA as described in the unpacked README file.
Note that CA and OCSP can be installed in the same servlet container.
Unpack the binary xipki-ocsp-<version>.zip and install OCSP responder as described in the unpacked README file.
Unpack the binary xipki-cli-<version>.tar.gz (or xipki-cli-<version>-jdk8.tar.gz for JDK 8)
Adapt the CMP client configuration xipki/cmpclient/cmpclient.json
If you get "java.lang.ClassNotFoundException: <jdbc class>", please copy the missing JDBC driver jar to the directory lib/ext.
HSM devices of Thales, e.g. nCipher, can use Thales preload to manage the PKCS#11 sessions. In this case, the cli should be started as follows. Setup CA (choose p11 if the key is saved in PKCS#11 device, p12 in PKCS#12 device. Verify the installation, execute the command in CLI: ca-info myca1.
Start the servlet container HSM devices of Thales, e.g. nCipher, can use Thales preload to manage the PKCS#11 sessions. In this case, the servlet container should be started as follows
Setup CA in CLI (If error like "Identity or Certificate with label=mylabel already exists" occurs, you need to comment the line which generate the key (e.g. dsa-p11 ec-p11, rsa-p11, sm2-p12) or delete the existing key using command delete-key-p11). Start CLI. bin/karaf HSM devices of Thales, e.g. nCipher, can use Thales preload to manage the PKCS#11 sessions. In this case, the cli should be started as follows preload bin/karaf Setup CA (choose p11 if the key is saved in PKCS#11 device, p12 in PKCS#12 device. In case of using new keys and certificates, in CLI: source xipki/ca-setup/cacert-none/setup-*-*.script where * is place holder. In case of using existing keys and certificates, in CLI: source xipki/ca-setup/cacert-present/setup-*-*.script where * is place holder. If you wish to generate the siging key and certificate for the OCSP responder, in CLI: source xipki/ca-setup/setup-ocsp-*.script. If you wish to add the SCEP support, in CLI: source xipki/ca-setup/setup-scep.script. Verify the installation, execute the command in CLI: ca-info myca1
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page