CER | Homework of CER | Machine Learning library

I think creating RestTemplate with new keyword will not send the certificate to the server. Instead, you should wrap the SSL certificate in the Rest template. Please try this:

After setting the devbotsxyz/xcode-notarize@v1 field verbose:true, I observed that Apple returns a link to a JSON explaining why the package is INVALID for notarization.

In this JSON, it was informed that all the files composing my PKG (there are many as I couldn't use --onefile with Pyinstaller in my context) were invalid because they weren't signed and timestamped.

After some researches, I found this post on the Apple Developer Forum and understood that PKG files need to be sign INSIDE OUT: First, you sign each file generated by Pyinstaller, then sign the PKG gathering all those files.

To do so, you can't use the productsign command (as it only work for .pkg, .zip and .dmg) but codesign.

However, codesign doesn't use a Developer Id Installer certificate, but a Developer Id Application certificate, so I had to add this new certificate to the workflow as well.

Note that as my PKG would be composed of hundreds of files, I also needed a bash script to use codesign to sign each one of them.

My final workflow looks like this:

To solve this issue in GCP’s GKE, sometimes replacing cacerts files helps to solve it, but following these steps is the correct way to do it:

a) Use a Service Account. In order to have more reference about the GCP’s Service Accounts, take a look into this Official Documentation.

b) Add storage-rw scope to the cluster’s scopes when creating the cluster. As this documentation indicates, you can do it with the command:

Please, be aware that the cipher suites described in your debug output doesn't show the cipher suite that was actually used by openssl, ECDHE-RSA-AES256-GCM-SHA384. In fact, they don't include any cipher suite that requires AES 256. It may not be of relevance, but it may be a symptom of any misconfiguration, and can explain why the handshake is failing. As indicated in the Oracle documentation when describing Java 8 supported cipher suites:

Cipher suites that use AES_256 require installation of the JCE Unlimited Strength Jurisdiction Policy Files.

As a consequence, please, be sure you installed and properly configured the JCE Unlimited Strength Jurisdiction Policy Files.

As indicated by @dave_thompson_085 in his excellent comment, only Oracle Java 8 below 8u161 requires adding the unlimited policy, as stated in Appendix C of the aforementioned Oracle documentation.

The JCE Unlimited Strength Jurisdiction Policy Files are bundled into the JDK since JDK 8u151, but the unlimited policy was not defined as the default one since JDK 8u161.

In JDK 8u151 or 8u152, as stated in one of the previous cited links, and explained as well by @dave_thompson_085 - thank you very much again, in order to make the unlimited version of the JCE the one that should be used, you need to define the system property crypto.policy. From the docs:

This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy Security property. If the new Security property (crypto.policy) is set in the java.security file, or has been set dynamically by using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'. See the notes in the java.security file shipping with this release for more information.

The issue is not present in OpenJDK.

As an alternative solution, as suggested in this related SO question, probably using an alternate provider like BouncyCastle could be of help as well.

C# does not support a low level verifying process, in particular no decryption with the public key is possible. However, this is supported by Bouncy Castle:

Try this with a single call to Get-ChildItem and have it look for files. Then in the Where-Objectclause, you filter on the DirectoryName to exclude the folders you don't want in the output.

Also, you can simplify your regex and use it case-insensitively.

Try:

This might be somewhat opinionated and also depends on your project somewhat, but I think the main risk is how people will actually use those. Some of them will use it for production for sure, because it is easier, or they don't understand keypairs and just want it to work and so on.

Any project should be secure by default, for everybody involved, including endusers and developers as well if your project is something like a library or component. Secure by default in this case would mean not providing an actual keypair, because that would potentially be a backdoor in case of at least some of its uses - even though it was not meant to be used like that.

Another thing to consider is the reputation of your project. If you include a key and users misuse it on the internet, it will be easy to find and potentially exploit vulnerable instances of your project with tools like Shodan. Nobody will care the developers did it wrong - it will be your project that's found vulnerable.

A better way to consider would be to provide something like an init script that would generate a key and a certificate for that specific instance. It could still be easy for the user and developer, and also secure for everybody. In case of a linux package, this could even be done by the installer script with most packaging solutions so it would be fully transparent for the user.

Im not familiar with this library, however you can find all result-codes here: result-codes

5012 means:

DIAMETER_UNABLE_TO_COMPLY 5012 This error is returned when a request is rejected for unspecified reasons.

There are 2 options to your situation:

1. There is some problem with your CER, so the Diameter node you are trying to reach is sending you back CEA with result-code 5012.
2. The open source library you are trying to use do not let you send the CER and gives you a message with 5012 as a response to your CER.

To solve the issue:

1. If your CER went to the network take a capture using wireshark/tcpdump and make sure you received CEA. You can look at your CER and check what is wrong with it (you can also send it here). Maybe your CER is not according to RFC 3588/6733?
2. If the library do not let you send the CER look at the library log and see if you can spot any error. If you do see an error you can consult the guy who wrote the library.

When the MobileFirst server creates the request to reach adapter B, the default behaviour is to frame the request, based on the URL of the currently executing request. That is, it uses the request originally used to reach adapter A, to frame the request to reach the target adapter B.

It works well in case 1, where the webserver is accessed using a "http://.." URL. In case 2, where MFP1 has to make an outbound call to the webserver using the "https://.." URL, it needs to first complete a SSL Handshake with the webserver. In case the MFP1 JVM lacks the certificates of the webserver, it fails to establish SSL Handshake and can lead to the error you saw.

In your case, there are two approaches you can take:

1. Choose to keep the adapter A to adapter B call internal to MFP1. This prevents the outbound "https://" call and you will not see the problem. Additionally, this helps in keeping the travel time shorter and also prevent a new connection on the webserver. To enable this setting, use the JNDI property mfp.adapter.invocation.url. For instance, if you set the value of this property to "http://localhost:9080/mfp", adapter B will be invoked as "http://localhost:9080/mfp/api/adapters/adapterB". The call stays local. More details on this property here.
2. If you wish to retain the request to adapter B go through the webserver using the secure endpoint, then you should ensure the webserver's root certificates are made available to the MFP1 JVM's trust store so that SSL handshake can be established successfully.