William1
Hello Everyone,
I have in my website a (Marketwatch) streaming prices, but when I started using HTTPS the (MarketWatch) stopped and there are no streaming prices.
I think the (LightStreamer) needs some changes, or something else.
Please I need your help to enable the HTTPS in (LightStreamer 5.1.1).
Best Regards
Giuseppe Corti
Hi William1,
In order to enable https in your Lightstreamer server you have to configure one (or more) <https_server> section in the lightstreamer_conf.xml configuration file.
Please go through the inline comment of the section (https://lightstreamer.com/repo/distros/Lightstreamer_Allegro-Presto-Vivace_5_1_2_Colosseo_20140722.zip%23/Lightstreamer/conf/lightstreamer_conf.xml) for detailed instructions.
Please also take a look at this documentation (https://lightstreamer.com/docs/ls-server/latest/SSL%20Certificates.pdf) with instructions on how to get and deploy a working TLS certificate in your Lightstreamer server.
Also make sure that the license you are using is compatible with the TLS/SSL feature.
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much for your informative and valuable reply.
Kindly, I have attached to you my "lightstreamer_conf.xml", please is it compatible with the TLS/SSL feature?
Could you please help me to make some edits in this file to make it work with SSL?
Please, I would like the https port to be: 8443
Thank you so much in advance.
Giuseppe Corti
Hi William1,
As I said in my previous mail, you need to copy the <https_server> section from here (https://lightstreamer.com/repo/distros/Lightstreamer_Allegro-Presto-Vivace_5_1_2_Colosseo_20140722.zip%23/Lightstreamer/conf/lightstreamer_conf.xml) in your lightstreamer_conf.xml file, just below the <http_server> section.
Then you need to uncomment the section itself, and the following parameters:
<port>8443</port>
this is the port the server will accept https requests;
<keystore>
<keystore_file>myserver.keystore</keystore_file>
<keystore_password>mypassword</keystore_password>
</keystore>
This is the keystore containing the TLS certificate of your domain, please refer to this documentation (https://lightstreamer.com/docs/ls-server/latest/SSL%20Certificates.pdf) for detailed instructions in order to create your keystore and then copy it under /conf folder.
All other parameters of the section are optional and you can decide how to set them, especially pay attention to <remove_cipher_suites>.
However, please consider that version 5.1.1 is very old, and there have been many updates up to now, also regarding the https management.
So my advice is to schedule an upgrade to a newer version at your earliest convenience.
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much for your explanation and valuable reply.
I did everything as you said very well, but I got this error in Lightstreamer.log
21-Oct-21 17:30:20,585|ERROR|ghtstreamerLogger.connections.ssl|L HANDSHAKE POOLED THREAD 1|Handshake error on Lightstreamer HTTPS Server: no cipher suites in common on 51.223.4.198:57642.
Please help me to solve the error.
Thank you so much in advance.
Giuseppe Corti
Hi William1,
The error message about ssl/tls means that you have configured your Lightstreamer server with a security policy which may be too restrictive for some clients.
This generally happens when your server-side configuration only enables the latest and strongest protocols and cipher suites, disabling all the weaker and deprecated ones, while some clients that try a connection only support the older ones.
The available protocols and cipher suites are reported in the log at server startup, so you can verify if your configuration lacks any important cipher suite.
Note also that the set of protocols and cipher suites allowed depends on the configuration of the <https_server> but also on your Java installation.
In the server log you should also find other messages that better specify the type of request that was rejected. If needed, you could also set the LightstreamerLogger.connections.ssl category to DEBUG; it should give us more information. But please be aware that it is quite verbose.
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much for your valuable reply.
- Kindly, as you mentioned, in "lightstreamer_log_conf.xml" I set the LightstreamerLogger.connections.ssl category to DEBUG, and I got more detailed information in the logs. I have attached the log files for you: "Lightstreamer.log" and "LS.out".
- Kindly, help me to configure my Lightstreamer server with a lower security policy and remove the restrictions for some clients to make Lightstreamer work.
Thank you so much in advance.
Giuseppe Corti
Hi William1,
Unfortunately the additional log didn't give us enough information to figure out what is going on with the TLS/SSL handshake.
At this point, the log that could be useful is the Java SSL debug logging, to dissect the details of the TLS handshake algorithm, which is not in the competence of Lightstreamer.
You could launch a Lightstreamer server after adding the -Djavax.net.debug=ssl:handshake:verbose parameter to the java call (editing the LS.bat file in the bin folder).
The log of the outcome of TLS handshake will be printed in the Server console log.
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much for your valuable reply.
Please help me,
1- How could I view the "Java SSL debug logging"?
2- How could I view the "Server console log" to check the log of the outcome of TLS handshake?
My VPS Specs:
Windows server 2016
jdk1.8.0_201
Thank you so much in advance.
Giuseppe Corti
Hi William1,
1. Once the javax.net.debug log is activated, the debug output is printed in the standard output defined for the application, which should be the console.
2. From the factory launch script the console log is redirected to %LS_HOME%\logs\LS.out
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much for your nice reply.
Is the correct way to add the parameter to "LS.bat" anywhere in the file, just like this?
"-Djavax.net.debug=ssl:handshake:verbose"
Thank you so much in advance.
Giuseppe Corti
Hi William1,
No, the -Djavax.net.debug=ssl:handshake:verbose option must be added to the JAVA_OPTS parameter.
Referring to the factory LS.bat of version 5 just append to the line
set JAVA_OPTS=-server
that will become
set JAVA_OPTS=-server -Djavax.net.debug=ssl:handshake:verbose
I'm sorry I didn't provide more detailed instructions in previous posts.
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much for your nice reply and clear information.
I have added the parameter in the "LS.bat" file, and I have attached to you the logs from "LS.out" after launching a Lightstreamer server.
I appreciate you for your nice help.
Thank you so much in advance.
Giuseppe Corti
Hi William1,
The ssl debug output does not report any handshake operation, but only the initialization phase where the root certificates are loaded and the cipher suites set.
Could you collect the log only after having performed a connection test with the client?
Furthermore, please could you comment out this configuration in the lightstreamer_conf.xml file:
<!-- <remove_cipher_suites>_DHE_</remove_cipher_suites> -->
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much, I appreciate your kind help..
- I have commented out "<!-- <remove_cipher_suites>_DHE_</remove_cipher_suites> -->" from the lightstreamer_conf.xml file.
- I have collected the log after having performed a connection with the client and I have attached the "LS.out" for you.
I appreciate you for your nice help.
Thank you so much in advance.
Giuseppe Corti
Hi William1,
From the log it seems that among all the cipher suites available on the server side there is none supported also by the client.
So it is no Lightstreamer configuration that precludes the success of the handshake operation.
Maybe your Java 8 installation has a problem; could you please upgrade to the latest Java 8 build number?
Hope that helps.
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much for your kind help..
Kindly, I have just upgraded Java 8 to the latest build number "8u311".
Please, I have attached to you the "LS.out" after upgrading and performing a connection with the client.
I appreciate you for your nice help.
Thank you so much in advance.
Giuseppe Corti
Hi William1,
Unfortunately the result has not changed, but actually the log shows differences from the previous test which seem to indicate the problem in the certificate.
Indeed, the error is due to the authentication scheme that should depend on the type of algorithm used for the generation of the certificate key.
Can you recover the type of algorithm used in that phase?
Anyway, you could verify your certificate using this tool:
https://www.ssllabs.com/ssltest/
You have to indicate the url of your Lightstreamer server and in the results you should see all the connection tests from various types of clients.
Regards,
Giuseppe
William1
Dear Mr. Giuseppe,
Thank you so much for your nice reply and clarification.
How could I recover the type of algorithm?
If you mean via keytool:
Could you please help me with the correct command to convert my "certificate.crt" to "mykeystore.jks" with RSA via keytool.
then to insert it in Lightstreamer server.
I appreciate you for your nice help.
Thank you so much in advance.
Giuseppe Corti
Hi William1,
Yes, if you started the process of generation of the certificate from the key pair creation, the algorithm is specified in the keytool command; referring to the instructions from our documentation (https://lightstreamer.com/docs/ls-server/latest/SSL%20Certificates.pdf):
keytool -genkeypair -alias LS -keystore myserver.keystore -keypass mypassword -storepass mypassword -storetype JKS -keyalg "RSA" -keysize 2048 -validity 365 -dname "CN=push.mycompany.com, O=MYCOMPANY INC., L=MyCity, ST=MyState, C=MyCountry" -ext SAN=dns:push.mycompany.com
But if you have converted an already existing certificate, obviously the algorithm is derived from the existing cert.
Please also remember to test your server url with ssllabs, as already suggested in my previous post, so you can get detailed information about your certificate.
Regards,
Giuseppe
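Added example (not part of the original thread and not Lightstreamer or JSSE code): a simplified model of the two causes of "no cipher suites in common" discussed above, namely suites removed by <remove_cipher_suites> and suites that cannot be used because their authentication scheme does not match the key algorithm in the keystore. The suite lists are constructed sample data, and treating each <remove_cipher_suites> value as a regular expression searched in the suite name is an assumption.

```python
import re

# Constructed sample data: real JSSE suite names, illustrative selection.
SERVER_ENABLED = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
CLIENT_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
AUTH_TO_KEY = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA"}

def required_key(suite):
    """Key algorithm the server's private key must have (TLS 1.2 and older)."""
    m = re.match(r"TLS_(?:(ECDHE|DHE|ECDH)_)?(RSA|ECDSA|DSS)_WITH_", suite)
    if m is None:
        return None            # TLS 1.3 style name: no key type in the name
    if m.group(1) == "ECDH":
        return "EC"            # static ECDH needs an EC key in the certificate
    return AUTH_TO_KEY[m.group(2)]

def negotiate(enabled, remove_patterns, key_algs, client_offered):
    """Return (suites the server can really use, suite chosen or None)."""
    # Assumption: each <remove_cipher_suites> value is searched as a regex.
    kept = [s for s in enabled
            if not any(re.search(p, s) for p in remove_patterns)]
    # A suite is skipped when the keystore holds no private key of its type.
    usable = [s for s in kept
              if required_key(s) is None or required_key(s) in key_algs]
    chosen = next((s for s in client_offered if s in usable), None)
    return usable, chosen

def explain(chosen):
    return chosen or "no cipher suites in common"

if __name__ == "__main__":
    cases = {
        "RSA key, _DHE_ removed": (["_DHE_"], {"RSA"}),
        "DSA key, nothing removed": ([], {"DSA"}),
        "no private key entry": ([], set()),   # certificates only, no key
    }
    for label, (patterns, keys) in cases.items():
        usable, chosen = negotiate(SERVER_ENABLED, patterns, keys, CLIENT_OFFERED)
        print(f"{label}: usable={len(usable)} -> {explain(chosen)}")
```

Note that the pattern _DHE_ leaves the ECDHE suites in place, since their names contain "_ECDHE_" and not "_DHE_".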