Hi all, I have a noob question:
I just installed ntopNG, but every time I get this error:
This site can’t provide a secure connection
10.10.0.254 sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
- installed HAproxy and ACME package, but removed them
- changed the HTTPS port to 5555
The installation output mentioned this and I don’t remember changing anything the last time I installed it:
Message from redis-7.4.1:
--
To setup "redis" you need to edit the configuration file:
/usr/local/etc/redis.conf
To run redis from startup, add redis_enable="YES"
in your /etc/rc.conf.
Can anybody point me in the right direction?
[SOLVED:]
Under Server Options in the settings, I had IPv6 checked, but the server has only an IPv4 address. Unchecked it and I got the login page.
I had some changes since the last time I installed ntopNG:
If you use openssh s_client and probe the server, what does it return?
This appears to possibly be getting a cert but refusing to use it?
This is the output on windows cli:
WIN>openssl s_client -connect x.x.x.x:3000
Connecting to x.x.x.x
CONNECTED(000001A4)
80460000:error:0A0000C6:SSL routines:tls_get_more_records:packet length too long:ssl\record\methods\tls_common.c:663:
80460000:error:0A000139:SSL routines::record layer failure:ssl\record\rec_layer_s3.c:693:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 309 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
This is kind of Chinese for me, can you walk me through it?
Ow! Got it working, disabled ‘Server IPv6’. Had it checked, dunno why. Got a login page.
Going to read up on ‘openssl’. First time I heard about it. Thank you for the reply!
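Added example, not part of the thread or any poster's code: the s_client output above reports "read 5 bytes" followed by a record layer failure, and 5 bytes is the size of a TLS record header, so the client rejected the first header the server sent. This Python snippet parses such a header and flags replies that are not valid TLS; the function name and the sample byte strings are constructed for illustration and were not captured from the poster's server.

```python
import struct

# TLS record header: 1-byte content type, 2-byte version, 2-byte length.
HEADER_LEN = 5
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Upper bound on a record's length field: 2^14 bytes of plaintext plus
# 2048 bytes of expansion (the TLS 1.2 ciphertext limit, RFC 5246 6.2.3).
MAX_RECORD_LEN = 2**14 + 2048


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first bytes a server sent as a TLS record header."""
    if len(data) < HEADER_LEN:
        return {"tls": False, "reason": "short read (%d bytes)" % len(data)}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:HEADER_LEN])
    result = {"content_type": ctype, "version": (major, minor), "length": length}
    if ctype not in CONTENT_TYPES:
        reason = "unknown content type"
    elif major != 3:
        reason = "version major is not 3"
    elif length > MAX_RECORD_LEN:
        reason = "record length exceeds maximum"
    else:
        return {**result, "tls": True, "reason": CONTENT_TYPES[ctype]}
    # Five printable characters usually mean a plaintext protocol answered.
    if all(32 <= b < 127 for b in data[:HEADER_LEN]):
        reason += "; bytes are printable ASCII, likely a plaintext service"
    return {**result, "tls": False, "reason": reason}


# Constructed samples (assumptions for illustration only).
SAMPLES = {
    "tls_server_hello": bytes.fromhex("160303007a"),
    "tls_alert": bytes.fromhex("1503030002"),
    "plain_http": b"HTTP/1.1 400 Bad Request\r\n",
    "oversized": bytes.fromhex("160303ffff"),
    "short": b"\x16\x03",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_first_bytes(raw))
```

When the first bytes fail this check, the listener on that port is not completing a TLS handshake, so the place to look is the service's own bind and TLS settings rather than the certificate.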
Glad to hear. openssl is the Swiss army knife for creating, converting, testing, etc., all things SSL.
But that one little s_client command is gold.
Example, when you have things that use certificate negotiation you do not associate as such because it is not a web server.
Like I scanned that system’s IP, it has RDP open, but I am not sure what the computer name is…
It is a definite good thing to have in your toolkit for those times when you just need it.
error@unknown:~$ openssl s_client -connect 192.168.0.101:3389
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = A1-Sheep-01
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = A1-Sheep-01
verify return:1
---
Certificate chain
0 s:CN = A1-Sheep-01
i:CN = A1-Sheep-01
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 8 17:10:42 2025 GMT; NotAfter: Jul 10 17:10:42 2025 GMT
---
BTW, if you do not have openssl handy, nmap can do similar.
error@unknown:~$ nmap -p 3389 --script ssl-cert 192.168.0.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-07 12:34 CDT
Nmap scan report for 192.168.0.101
Host is up (0.021s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| ssl-cert: Subject: commonName=A1-Sheep-01
| Issuer: commonName=A1-Sheep-01
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-08T17:10:42
| Not valid after: 2025-07-10T17:10:42
| MD5: 4587:c275:2b68:11b8:0517:6402:9f73:3306
|_SHA-1: 8f50:d800:d3af:b3f6:4f9d:55c4:7693:3dbd:f2c4:6be3
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds