When making a web-service request to the management server, an HTTPS connection is created.
Typically, administrators keep the Gaia portal certificate and do not replace it with a "real" certificate from a trusted certificate authority.
Keeping Gaia's certificate means that:
* Browsers are expected to warn you before entering the Gaia portal.
* Some tools and programming languages will not allow you to connect to the management server via web-services, because they report that the server's certificate is not trusted.
There are a few options:
* Replace Gaia's portal certificate with a trusted certificate - see sk97648.
* Bypass the SSL certificate checks - this is strongly not recommended, as it leaves you vulnerable to a man-in-the-middle attack.
* Verify the server's identity by checking the certificate's fingerprint (also known as the certificate's thumbprint).
Here are code snippets that verify the server's fingerprint using C# and Python:
Using C#
using System.Net;

// Expected SHA1 fingerprint of the management server's certificate, as reported by
// "api fingerprint" on the server: upper-case hex, no colons (placeholder value here).
string expected_fingerprint = "<SHA1 FINGERPRINT FROM 'api fingerprint', WITHOUT COLONS>";

// Note: this callback is process-wide; every HTTPS connection made by the process
// will be validated against this pinned fingerprint.
ServicePointManager.ServerCertificateValidationCallback = delegate(object obj, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors errors)
{
    // validate fingerprint hash; chain and policy errors are deliberately ignored
    // because the pinned fingerprint is the trust anchor here.
    // GetCertHashString() returns the SHA1 thumbprint as upper-case hex without colons.
    if (certificate != null && certificate.GetCertHashString() == expected_fingerprint)
    {
        return true;
    }
    return false;
};
Using Python
import hashlib
import httplib  # Python 2 standard library (http.client in Python 3)
import ssl


class HTTPSConnection(httplib.HTTPSConnection):
    """
    Class for handling the HTTPS Connection
    """
    def __init__(self, host, port=None, fingerprint=None, **kwargs):
        httplib.HTTPSConnection.__init__(self, host, port, **kwargs)
        # expected SHA1 fingerprint of the server certificate, as reported by
        # "api fingerprint" on the management server (colons are optional)
        self.fingerprint = fingerprint

    def connect(self):
        httplib.HTTPConnection.connect(self)
        # CERT_NONE: the chain is not validated against a CA store, so the
        # fingerprint comparison below is the only thing authenticating the server
        self.sock = ssl.wrap_socket(
            self.sock, self.key_file, self.cert_file,
            cert_reqs=ssl.CERT_NONE)
        if getattr(self, 'fingerprint', None) is not None:
            digest = self.fingerprint
            alg = "SHA1"
            # hash the DER-encoded peer certificate
            fingerprint = hashlib.new(
                alg, self.sock.getpeercert(True)).hexdigest().upper()
            if fingerprint != digest.replace(':', '').upper():
                self.sock.close()
                raise Exception('fingerprint mismatch: %s' % fingerprint)

    def get_fingerprint_hash(self):
        # returns the server's SHA1 fingerprint without verifying it; useful
        # for displaying the value, never for establishing trust in the server
        httplib.HTTPConnection.connect(self)
        self.sock = ssl.wrap_socket(
            self.sock, self.key_file, self.cert_file,
            cert_reqs=ssl.CERT_NONE)
        fingerprint = hashlib.new(
            "SHA1", self.sock.getpeercert(True)).hexdigest()
        return fingerprint.upper()
To get the server's fingerprint in a secure way, run "api fingerprint" on the management server itself, rather than reading it from the TLS connection you are trying to verify.
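The same fingerprint check for Python 3, as an added example that is not part of the original page or Check Point's own code. It mirrors the httplib snippet above on top of http.client and an explicit SSLContext, normalizes the pinned value (colons and case are accepted, as "api fingerprint" prints them), compares in constant time, and closes the socket on a mismatch so no request is ever sent to an unverified server. The host name and the fingerprint string in the main block are placeholders, and the DER bytes used in comments are constructed, not a real certificate.

```python
# Added example (not Check Point's code): certificate pinning by fingerprint
# for Python 3, mirroring the httplib-based snippet above.
import hashlib
import hmac
import http.client
import ssl


def normalize_fingerprint(fingerprint):
    """Accept 'AB:CD:..', 'ab cd ..' or 'ABCD..' and return upper-case hex."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def compute_fingerprint(der_cert, alg="sha1"):
    """Hash the DER-encoded certificate; 'api fingerprint' reports SHA1."""
    return hashlib.new(alg, der_cert).hexdigest().upper()


def fingerprint_matches(der_cert, expected, alg="sha1"):
    """Constant-time comparison of the peer certificate against the pinned value."""
    return hmac.compare_digest(compute_fingerprint(der_cert, alg),
                               normalize_fingerprint(expected))


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPS connection that trusts the server only if its certificate
    fingerprint equals the pinned one (no CA chain validation is used)."""

    def __init__(self, host, port=None, fingerprint=None, alg="sha1", **kwargs):
        if fingerprint is None:
            raise ValueError("a pinned fingerprint is required")
        # No CA store is consulted, so hostname and chain checks are disabled;
        # connect() replaces them with the fingerprint comparison.
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        super().__init__(host, port, context=context, **kwargs)
        self.fingerprint = fingerprint
        self.alg = alg

    def connect(self):
        super().connect()
        # binary_form=True returns the DER certificate even with CERT_NONE
        der_cert = self.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(der_cert, self.fingerprint, self.alg):
            self.close()  # never send a request to an unverified server
            raise ssl.SSLCertVerificationError(
                "fingerprint mismatch: got %s"
                % compute_fingerprint(der_cert, self.alg))


if __name__ == "__main__":
    # Hypothetical management server; replace the placeholder with the value
    # printed by "api fingerprint" on that server.
    conn = PinnedHTTPSConnection("mgmt.example.internal", 443,
                                 fingerprint="<value from 'api fingerprint'>")
    conn.connect()
    print("pinned TLS connection established")
```

Because the pinned fingerprint is the only trust anchor, the expected value must come from the management server out of band (the "api fingerprint" command), and the pin has to be updated whenever the Gaia portal certificate is regenerated or replaced, otherwise every connection fails closed.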