MySQL SSL Gives Warnings about big name Certificate Authorities

I have been able to set up my MySQL to use Let's Encrypt certificates with the steps below; unfortunately it is issuing warnings about official CA certs being self-signed (like those from DigiCert, Comodo, etc.), so I wonder if there's something missing from the configuration. Anyway, here's my SSL configuration:

[mysqld]
require_secure_transport = on
mysqlx = 0
ssl_capath  = /etc/ssl/certs
ssl_ca      = /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
ssl_cert    = /etc/mysql/cert.pem
ssl_key     = /etc/mysql/privkey.pem
ssl_cipher  = DHE-RSA-AES256-GCM-SHA384
tls_version = TLSv1.2

the problem

Everything in the ssl_capath comes up as a warning in the startup log (I'm running tail -f /var/log/mysql/error.log):

YYYY-MM-DDTHH:mm:ss.SSSSSZ 0 [Warning] [MY-010068] [Server] CA certificate /etc/ssl/certs/SwissSign_Gold_CA_-_G2.pem is self signed.
YYYY-MM-DDTHH:mm:ss.SSSSSZ 0 [Warning] [MY-010068] [Server] CA certificate /etc/ssl/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem is self signed.
...


The ssl_ca file is from doing wget -O /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem

The ssl_cert is the cert.pem file from my LE live subfolder, and the ssl_key is LE's privkey.pem from the same place. I've also restricted the cipher and TLS version, but that's probably not it.

To verify that everything is indeed working correctly, I have added the following to my client configuration (locally, not on that server):

[mysql]
ssl_capath = /etc/ssl/certs

and this is the session output:

user@localhost:~$ mysql --ssl-mode=VERIFY_IDENTITY -h mydomain.mytld -u remote -p -e "show variables like '%ssl%'; show session status like '%cipher%';"
+-------------------------------------+-------------------------------------------------+
| Variable_name                       | Value                                           |
+-------------------------------------+-------------------------------------------------+
| admin_ssl_ca                        |                                                 |
| admin_ssl_capath                    |                                                 |
| admin_ssl_cert                      |                                                 |
| admin_ssl_cipher                    |                                                 |
| admin_ssl_crl                       |                                                 |
| admin_ssl_crlpath                   |                                                 |
| admin_ssl_key                       |                                                 |
| have_openssl                        | YES                                             |
| have_ssl                            | YES                                             |
| performance_schema_show_processlist | OFF                                             |
| ssl_ca                              | /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem |
| ssl_capath                          | /etc/ssl/certs                                  |
| ssl_cert                            | /etc/mysql/cert.pem                             |
| ssl_cipher                          | DHE-RSA-AES256-GCM-SHA384                       |
| ssl_crl                             |                                                 |
| ssl_crlpath                         |                                                 |
| ssl_fips_mode                       | OFF                                             |
| ssl_key                             | /etc/mysql/privkey.pem                          |
+-------------------------------------+-------------------------------------------------+
+--------------------------+------------------------------------------------------------------------------------------------------+
| Variable_name            | Value                                                                                                |
+--------------------------+------------------------------------------------------------------------------------------------------+
| Current_tls_cipher       | DHE-RSA-AES256-GCM-SHA384                                                                            |
| Current_tls_ciphersuites |                                                                                                      |
| Ssl_cipher               | DHE-RSA-AES256-GCM-SHA384                                                                            |
| Ssl_cipher_list          | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384 |
+--------------------------+------------------------------------------------------------------------------------------------------+
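Every root CA in a system trust directory is self-signed by construction (its issuer Name equals its subject Name), and that is precisely the property MY-010068 reports once per file when ssl_capath covers the whole directory rather than just the chain the server needs. The script below is an added example, not code from the post: it performs that same check over PEM files with a minimal DER walk, and fake_cert builds a constructed, unsigned certificate skeleton (not a real certificate) purely to exercise it.

```python
import base64, os, re
# Added example, not from the post: decide whether a CA file is self-signed the way MySQL's
# MY-010068 check does, i.e. whether the X.509 issuer Name equals the subject Name byte for
# byte. Every root CA has that property, so a whole trust directory yields one warning per root.

def der_read(buf, pos):
    """Read one DER TLV at pos and return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_write(tag, content):
    """Encode one short-form DER TLV; only used to build the constructed demo certificate."""
    return bytes([tag, len(content)]) + content

def cert_names(der):
    """Walk Certificate -> tbsCertificate and return the (issuer, subject) Name DER contents."""
    _, cert, _ = der_read(der, 0)
    _, tbs, _ = der_read(cert, 0)
    tag, _, pos = der_read(tbs, 0)                      # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0                     # v1 certificate: serialNumber comes first
    for _ in range(2):                                  # skip serialNumber, signature AlgorithmIdentifier
        _, _, pos = der_read(tbs, pos)
    _, issuer, pos = der_read(tbs, pos)
    _, _, pos = der_read(tbs, pos)                      # skip validity
    _, subject, _ = der_read(tbs, pos)
    return issuer, subject

def is_self_signed(cert):
    """cert is PEM text or DER bytes; True when the issuer Name equals the subject Name."""
    if isinstance(cert, str):
        body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", cert, re.S).group(1)
        cert = base64.b64decode("".join(body.split()))
    issuer, subject = cert_names(cert)
    return issuer == subject

def scan_capath(capath):
    return {f: is_self_signed(open(os.path.join(capath, f)).read())  # each True is one MY-010068
            for f in sorted(os.listdir(capath)) if f.endswith(".pem")}

def fake_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton as PEM, for the demo only (not a real cert)."""
    name = lambda cn: der_write(0x30, der_write(0x31, der_write(0x30,
        der_write(0x06, b"\x55\x04\x03") + der_write(0x13, cn.encode()))))  # one RDN: CN=<cn>
    alg = der_write(0x30, der_write(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    tbs = der_write(0x30, der_write(0xA0, der_write(0x02, b"\x02")) + der_write(0x02, b"\x01")
                    + alg + name(issuer_cn) + der_write(0x30, b"") + name(subject_cn))
    der = der_write(0x30, tbs + alg + der_write(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

Running scan_capath("/etc/ssl/certs") on the server reproduces the warning list; the fix the warnings point at is to keep ssl_capath off the full system directory and point ssl_ca at just the chain the server certificate needs.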

Best Free Web Hosting With Free SSL Certificate

Think what if you got premium paid cPanel web hosting free for a lifetime, isn't it a great idea for your needs? Yes, Raisinghost is now offering the best free web hosting with a free SSL certificate. We have a perfectly balanced free web hosting plan with the best features, like 250MB space and bandwidth. Also, our free hosting plan will have cPanel as the control panel, included with the single click script installer, free SSL, Let's Encrypt SSL, SEO tools, site builder and much more.

We also allow our free hosting clients the freedom of easy service: let's say a beginner has signed up for the free plan, has gained a lot of good knowledge and then wishes to upgrade; we will allow him to upgrade the current plan by spending a few bucks, and resources will be increased once the upgrade finishes. Our aim is to offer the free service for a lifetime if the client keeps their sites within our limits, and the free SSL certificate makes sites complete and compatible with the best SEO results.

Along with this plan we have a range of paid HDD and SSD web hosting plans, and clients can buy the best speed hosting by spending a small amount, as our services are cheap and affordable. We offer free migration and a 30-day money back guarantee with every shared/reseller web hosting plan, and it's completely unconditional.

Features offered with Best Free Web Hosting With Free SSL Certificate :

– Max SSD Web Space
– Max Website Traffic
– DDOS Protection
– 99.9 % Uptime Guarantee
– Single Click Script Installer
– Activation Involved Few Variation
– cpanel as control panel
– seo tools
– max email accounts
– max ftp accounts
– max subdomains
– max mysql databases
– backup availability

Thank you.

Connecting to SQL Server from SSMA (the certificate chain was issued by an authority that is not trusted!)

I am trying to use SQL Server Migration Assistant for the first time from my home PC. I have SQL Server in one Docker container and Oracle in another. I can connect to Oracle from SSMA, however when trying to connect to SQL Server I see this error:


I have read plenty of questions on here that explain how to resolve the problem if it is seen when connecting from SQL Studio Manager e.g. this one: The certificate chain was issued by an authority that is not trusted. I have no problem connecting from SQL Studio Manager – just SSMA. How can I connect to SQL server from SSMA?

I have tried unticking ‘Encrypt connection’ on the SSMA SQL Server login window and I see the same error.

Blazing Fast SSD Reseller | $5 Per Month | Free SSL Certificate!

As a hosting customer, you understand the importance of a fast-loading web page for your site or business. Page load speeds impact everything from search engine rankings to conversion rates to bounce rates. Think of the last time you waited for a slow-loading page to load on the net. The truth is, you didn't wait for the page to load. You moved on to the next site to purchase or get your information from if the results did not meet your expectations. Your customers want fast hosting just as much as you do, and we are sure that our blazing-fast SSD reseller hosting program is suitable for your requirements.

The main factor is the SSD drives on our servers, which help websites load faster than regular drives. Also, our reseller hosting services are completely white-labeled and have some amazing key features like max SSD space, free auto SSL, free Let's Encrypt SSL, SEO tools, free migration service, WHM panel, 30 days money-back guarantee, unlimited space quota feature, fast customer support and live chat support. These features make our blazing-fast SSD reseller more reliable and in demand than others, so try it once and experience the difference.

More Features and Info about Blazing Fast SSD Reseller:
– Maximum SSD space
– 30 Days Money Back Guarantee
– Free Migration Service
– Free SSL Certificate
– Single Click Script Installer
– Free Domain Name With Annual Billing Cycle
– Lets Encrypt SSL
– Sitepad Website Builder
– WHM Panel
– White Labelled Service
– cPanel as control panel
– Live Chat And Ticket Support
– Cloudlinux Support
– Maximum PHP memory
– Unlimited Databases
– Built-In Anti-virus
– 99.9% Uptime Guarantee
– Multiple PHP Versions
– Latest Stable Php versions

SSD Reseller Plans –

Startup SSD Reseller: $5/Month
– 22GB Web Space
– 10 Cpanel accounts
– White Labelled Services
– 30 Days Money Back Guarantee
– Free Migration Service.

Pro SSD Reseller: $8/Month
– 55GB Web Space
– 25 Cpanel accounts
– White Labelled Services
– 30 Days Money Back Guarantee
– Free Migration Service.

Premium SSD Reseller: $12/Month
– 75GB Web Space
– 40 Cpanel accounts
– White Labelled Services
– 30 Days Money Back Guarantee
– Free Migration Service.

Elite SSD Reseller : $14/Month
– 150GB Web Space
– 60 cpanel accounts
– White Labelled Services
– 30 Days Money Back Guarantee
– Free Migration Service.

Order Now: …osting.php

Thank you.

Redirecting domains on https without creating a certificate for them?

I own, say, 100 domains. I want to add redirect for each of them to a new domain. And not only to a domain, but a custom query string. For instance

domain1.example/url1      -> domain11.example/url2
domain2.example/url1/url4 -> domain15.example/fdsafds/url33/url555
# and so on......., 100 domains with 100+ URLs each

All the original URLs and the new ones are known beforehand. And there’re hundreds of URLs for each domain.

Requirement: there has to be an intermediate "domain-redirector" via which the domains will be redirected, and that’ll do all the job:

domain1.example/url1      -> my_redirector.example/url1      -> domain11.example/url2
domain2.example/url1/url4 -> my_redirector.example/url1/url4 -> domain15.example/fdsafds/url33/url555
# and so on.......

This way I'd create an A record for each of the domains pointing to my_redirector.example. And at my_redirector.example I'd be able to extract a) the original query string from the URL and b) the original domain.

Note that it needs to work with both http and https.

Question 1: will original domain and URL or query path be accessible at my_redirector.example?

Question 2: will I have to create a SSL certificate for each of the original domains domain1-domain100 at my_redirector.example, in order to be able to redirect https requests?

P.S. I'm a developer, therefore I'm capable of writing a custom utility to facilitate redirects at my_redirector.example.
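Both pieces of information the post asks about reach the redirector in every request: the original domain arrives in the Host header (and, for https, in the TLS SNI extension), and the original path and query string arrive in the request line. The Python below is an added example, not the poster's utility: resolve_redirect, wsgi_app, handle and the REDIRECTS table are names and sample data I constructed in the post's own notation, and the wsgi_app comment states the certificate consequence for https.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Added example, not from the post: the lookup a redirector such as my_redirector.example
# performs. The original domain arrives in the Host header (and, for https, in the TLS
# SNI), the original path and query in the request line, so both are available here.
# REDIRECTS is constructed sample data in the post's own notation.
REDIRECTS = {
    ("domain1.example", "/url1"): "https://domain11.example/url2",
    ("domain2.example", "/url1/url4"): "https://domain15.example/fdsafds/url33/url555",
}

def resolve_redirect(host, path, query=""):
    """Return (status, location) for one request, or None when no rule matches.
    The host is normalised (port stripped, lower-cased) and the query string carried over."""
    host = host.split(":", 1)[0].lower().rstrip(".")
    target = REDIRECTS.get((host, path))
    if target is None:
        return None
    if query:
        sep = "&" if urlsplit(target).query else "?"
        target += sep + urlencode(parse_qsl(query, keep_blank_values=True))
    return 301, target

def wsgi_app(environ, start_response):
    """Minimal WSGI redirector (run it with wsgiref.simple_server to try it locally).
    For https the TLS handshake with the ORIGINAL hostname completes before any
    redirect can be sent, so this listener must present a certificate valid for
    every redirected domain (one certificate with many SANs, or per-name
    certificates selected by SNI); a redirect cannot avoid that requirement."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    hit = resolve_redirect(host, environ.get("PATH_INFO", "/"), environ.get("QUERY_STRING", ""))
    if hit is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"no redirect rule for this host and path\n"]
    start_response("301 Moved Permanently", [("Location", hit[1]), ("Content-Length", "0")])
    return [b""]

def handle(environ):
    """Run wsgi_app on one WSGI environ and return (status, headers dict) for inspection."""
    out = {}
    wsgi_app(environ, lambda status, headers: out.update(status=status, headers=dict(headers)))
    return out["status"], out["headers"]
```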

Certificate Signed Using Weak Hashing Algorithm impact on a workstation

I did a vulnerability scan on some of our company workstations. These are workstations used by employees (dev, HR, accounting, etc.) to do their job. One of the common results I found is "SSL/TLS Certificate Signed Using Weak Hashing Algorithm". Based on the vulnerability description, "An attacker can exploit this to generate another certificate with the same digital signature, allowing an attacker to masquerade as the affected service," I'm thinking this is more of a server-side issue.

My question is, what could be the impact of this in an ordinary workstation?
What can an attacker/pentester do to the workstation with this vulnerability?

JWK with X.509 Certificate – is self signed okay?

I’m working with a client that, in order to use their OAuth 2.0 web API, requires me to provide them with a JWK that contains an embedded X.509 certificate. Then, when I’m requesting information from the API, they say I need to pass a "signed (with private keys) JWT Bearer token" on each request.

I've never worked with JWKs before, so I was looking over the official JWK documentation, but it's very dense and doesn't really talk about how these are used in real-life applications.

I found this site / command line tool that can generate JWKs in different formats, and it generates the JWK with an X.509 certificate that is self-signed. I'm wondering, in this case, is it okay to use a self-signed cert to talk to this API? I understand that with web browsers you absolutely need a cert from a trusted CA because the client and web server are essentially strangers, but this cert isn't being used publicly for a website; it's just being used between my application and this OAuth API, and both parties already trust each other.

So really my question is: would generating a JWK with a self-signed X.509 certificate be sufficient, and then using the private key of the certificate to sign JWT Bearer tokens when actually using the API?

Does sslstrip have to do something with Bettercap’s certificate?

I am trying to perform a MITM attack using bettercap against a website that doesn’t have the HSTS security policy implemented at all.

When I try the following command: bettercap -T AddressIpoftheTarget -X --proxy --https-proxy, it works fine. Bettercap succeeds in injecting its own self-signed certificate into the web browser. The browser shows the "Not Secure" warning and lets me accept the invalid certificate by proceeding to the website in an insecure way.

When I try this command: bettercap -T AddressIpoftheTarget -X --https-proxy, it doesn't work. I don't understand why the --proxy is needed. Is it because it enables sslstrip? How does sslstrip contribute to all of this in this scenario?

What are the security implications of adding an Intermediate Certificate into the Trusted Root Store in Windows?

I have 2 certificates (one root and one intermediate).

In Windows, the root certificate is in the Trusted Root store (for the current user). The other, intermediate certificate (signed by the root CA) is to be found (also under the current user) in the Intermediate CA store.

I am using SSL verification in one of my client applications (Kafka Confluent) and realized the client only enumerates certificates in the root store. Therefore the SSL handshake fails (the intermediate CA is needed).

One solution is to import that certificate into the Trusted Root Certificate Authorities. With that solution, SSL verification at client works. However, is there any concern in doing so?

From a security point of view, does it make a difference whether the intermediate CA exists in the Root store vs. the Intermediate store on Windows?

UPDATE: If more context is needed as to what exactly I am facing, you can check the issue here.