


pkgadd using https URL (problems with keystore?)

   Hello.
   I'm running solaris 10 (11/06) x64.   I'm testing out some of the
new (to me) functionality of pkgadd.  Namely the ability to supply a
URL as the pkg name to install.

   I am able to perform a pkgadd when using http but cannot get https
to work.    The following command works just fine to pull the defined
pkg down over http and install it.

pkgadd  -d http://testhost.domain.net/repo/subversion-1.4.2-sol10-x86

  Using https I get this error.
pkgadd  -d https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86
pkgadd: ERROR: Failure occurred with http(s) negotiation: <'Peername'
doesn't match 'host' or no matching entry>
pkgadd: ERROR: unable to download package datastream from
<https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86>.
Segmentation Fault (core dumped)

   I have not been able to understand the supporting documentation
regarding the pkgadd keystore.   I tried installing the CA cert that we
use (in house CA) into the pkgadd keystore

pkgadm addcert -t /tmp/qra-base.cer

  Now I can do a pkgadm listcert and see the root authority cert I just
added which defaults
to installing in the file /var/sadm/security/truststore

   ls -al /var/sadm/security/truststore
-rw-------   1 root     root        1112 Jan 18 19:35
/var/sadm/security/truststore


   Then I tried running pkgadd with the keystore definition but the
error I get is exactly the same.
This is how I added in the keystore path

pkgadd -k /var/sadm/security/truststore -d \
 https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86

    My security policy does not allow http traffic on our production
network and I'd really like to be able to update my pkg management
utilities to leverage this new functionality in pkgadd.
   Any documents, tips, pointers, suggestions welcome!
   TIA!

0
1/19/2007 4:39:27 AM
comp.unix.solaris

weathercoach@gmail.com wrote:
>    Hello.
>    I'm running solaris 10 (11/06) x64.   I'm testing out some of the
> new (to me) functionality of pkgadd.  Namely the ability to supply a
> URL as the pkg name to install.
> 
>    I am able to perform a pkgadd when using http but cannot get https
> to work.    The following command works just fine to pull the defined
> pkg down over http and install it.
> 
> pkgadd  -d http://testhost.domain.net/repo/subversion-1.4.2-sol10-x86
> 
>   Using https I get this error.
> pkgadd  -d https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86
> pkgadd: ERROR: Failure occurred with http(s) negotiation: <'Peername'
> doesn't match 'host' or no matching entry>
> pkgadd: ERROR: unable to download package datastream from
> <https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86>.
> Segmentation Fault (core dumped)
> 
Can you see https://testhost.domain.net with a browser?

-- 
Ian Collins.
0
Ian
1/19/2007 4:47:58 AM
  Ian I sure can.
  I should have elaborated on this point.  I can use a browser or wget
to download the package via https.
  Thanks for the suggestion!

On Jan 18, 8:47 pm, Ian Collins <ian-n...@hotmail.com> wrote:
> weatherco...@gmail.com wrote:
> >    Hello.
> >    I'm running solaris 10 (11/06) x64.   I'm testing out some of the
> > new (to me) functionality of pkgadd.  Namely the ability to supply a
> > URL as the pkg name to install.
>
> >    I am able to perform a pkgadd when using http but cannot get https
> > to work.    The following command works just fine to pull the defined
> > pkg down over http and install it.
>
> > pkgadd  -d http://testhost.domain.net/repo/subversion-1.4.2-sol10-x86
>
> >   Using https I get this error.
> > pkgadd  -d https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86
> > pkgadd: ERROR: Failure occurred with http(s) negotiation: <'Peername'
> > doesn't match 'host' or no matching entry>
> > pkgadd: ERROR: unable to download package datastream from
> > <https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86>.
> > Segmentation Fault (core dumped)
>
> Can you see https://testhost.domain.net with a browser?
> 
> --
> Ian Collins.

0
weathercoach
1/19/2007 5:10:19 AM
  So I had been adding the root CA which signed the cert on the
host I was trying to install the pkg from, but I should have been adding
the web server certificate itself.
   So I grabbed the raw cert from the https server and copied it to my
client box where I ran the following keystore command

pkgadm addcert -ty /tmp/testhost.crt

  Also I was accessing the web server by its fully qualified domain
name but the name in the certificate
is just the node portion so I had to alter my pkgadd request to this

pkgadd -d  https://testhost/repo/subversion-1.4.2-sol10-x86

  You don't need to specify the path to the keystore on the command line
as long as it's in a default location because pkgadd will look in these
paths by default (according to truss)

open("/var/sadm/security", O_RDONLY|O_NONBLOCK) = 3
open("/var/sadm/security/truststore.new", O_RDWR|O_NONBLOCK) Err#2 ENOENT
open("/var/sadm/security/certstore.new", O_RDWR|O_NONBLOCK) Err#2 ENOENT
open("/var/sadm/security/keystore.new", O_RDWR|O_NONBLOCK) Err#2 ENOENT
open("/var/sadm/security/truststore", O_RDONLY|O_NONBLOCK) = 3
open("/var/sadm/security/truststore", O_RDONLY|O_NONBLOCK) = 4


  Hopefully this will guide future pkgadd travelers to safer waters!
It would be great if you could specify in the pkgadd admin file if you
wanted this level of security or not.   Now you have to push out the
web server cert to all the clients first or can this be automated
through the openssl toolkit or something?

   W.

On Jan 18, 9:10 pm, "weatherco...@gmail.com" <weatherco...@gmail.com>
wrote:
>   Ian I sure can.
>   I should have elaborated on this point.  I can use a browser or wget
> to download the package via https.
>   Thanks for the suggestion!
>
> On Jan 18, 8:47 pm, Ian Collins <ian-n...@hotmail.com> wrote:
>
> > weatherco...@gmail.com wrote:
> > >    Hello.
> > >    I'm running solaris 10 (11/06) x64.   I'm testing out some of the
> > > new (to me) functionality of pkgadd.  Namely the ability to supply a
> > > URL as the pkg name to install.
>
> > >    I am able to perform a pkgadd when using http but cannot get https
> > > to work.    The following command works just fine to pull the defined
> > > pkg down over http and install it.
>
> > > > pkgadd  -d http://testhost.domain.net/repo/subversion-1.4.2-sol10-x86
>
> > > >   Using https I get this error.
> > > > pkgadd  -d https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86
> > > > pkgadd: ERROR: Failure occurred with http(s) negotiation: <'Peername'
> > > > doesn't match 'host' or no matching entry>
> > > > pkgadd: ERROR: unable to download package datastream from
> > > > <https://testhost.domain.net/repo/subversion-1.4.2-sol10-x86>.
> > > > Segmentation Fault (core dumped)
>
> > > Can you see https://testhost.domain.net with a browser?
> 
> > --
> > Ian Collins.

0
weathercoach
1/19/2007 5:25:29 AM
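
The name check that the last post arrives at, and the certificate fetch it asks about, sketched as an added example that is not part of the original thread. It assumes an openssl binary on the client, port 443, and that only the certificate's CN is compared with the URL host (wildcards and subjectAltName are not handled); all function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-check a pkgadd https URL against a server certificate
# before importing it with "pkgadm addcert -ty". Hypothetical helper names.

# Host part of an http(s) URL: strip scheme, path, userinfo and port.
# (IPv6 literals are not handled.)
url_host() {
    h=${1#*://}
    h=${h%%/*}
    h=${h##*@}
    h=${h%%:*}
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# CN from a subject line as printed by
#   openssl x509 -noout -subject -nameopt RFC2253
# e.g. "subject=CN=testhost,O=Example,C=US" (escaped commas not handled).
subject_cn() {
    s=${1#subject=}
    printf '%s\n' "$s" | tr ',' '\n' |
        sed -n 's/^ *[Cc][Nn]=//p' | head -1 | tr 'A-Z' 'a-z'
}

# Exit status 0 if the URL host equals the certificate CN, 1 otherwise.
peername_matches() {    # $1 = URL, $2 = subject line
    [ "$(url_host "$1")" = "$(subject_cn "$2")" ]
}

# Save the leaf certificate the server presents as PEM (needs network).
fetch_cert() {          # $1 = host, $2 = output file
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# Compare URL and certificate, and print the fingerprint so it can be
# checked out of band before the certificate is trusted.
precheck() {            # $1 = URL, $2 = PEM file
    subj=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253) || return 2
    if peername_matches "$1" "$subj"; then
        openssl x509 -in "$2" -noout -fingerprint -sha1
        echo "names match; after verifying the fingerprint: pkgadm addcert -ty $2"
    else
        echo "mismatch: URL host '$(url_host "$1")'," \
             "cert CN '$(subject_cn "$subj")'" >&2
        return 1
    fi
}

# Typical use (not run here):
#   fetch_cert testhost /tmp/testhost.crt
#   precheck https://testhost/repo/subversion-1.4.2-sol10-x86 /tmp/testhost.crt
```

With the thread's values, the fully qualified URL is reported as a mismatch against a certificate whose CN is `testhost`, while the short-name URL passes.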