
Trusting the Nexpose web server certificate for TLS connections

Gavin Schneider edited this page Feb 14, 2017 · 2 revisions

Overview

With the release of nexpose-client 5.3.0, the Nexpose::Connection class supports loading a PEM-formatted certificate to validate the TLS connection to the Nexpose web server. If none is provided, TLS validation is disabled (an insecure configuration), which is consistent with the behaviour of previous versions of the Nexpose gem.

Note that the common name (CN) on the certificate must match the IP address or hostname used to connect to the Nexpose web server. Using the wrong name will result in a connection failure.

Getting the certificate

Using your web browser

TODO

Using openssl

TODO

Using Ruby

Using Ruby's socket and openssl libraries, connect to the Nexpose web server and capture the certificate in PEM format:

require 'socket'
require 'openssl'

host = 'nexpose.fqdn.tld'
port = 3780

# Get the cert from the host and hold it as a string. Verification is deliberately
# off for this first fetch (there is nothing to verify against yet), so confirm the
# certificate's fingerprint with the console administrator before trusting it.
socket = TCPSocket.open(host, port)
ssl_context = OpenSSL::SSL::SSLContext.new
# Do not force :TLSv1 (TLS 1.0, deprecated); let OpenSSL negotiate the newest
# protocol version both sides support.
ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
ssl_socket.hostname = host # send SNI so a multi-name server returns the right cert
ssl_socket.sync_close = true
ssl_socket.connect

cert = ssl_socket.peer_cert # already an OpenSSL::X509::Certificate
ssl_socket.close
trust_cert = cert.to_pem

Optionally, the certificate can be stored to a file for convenient re-use later:

# Write a file named cert.pem in the current working directory
::File.open('cert.pem', 'wb') { |file| file.write(trust_cert) }

Using the certificate to connect to Nexpose

If you have saved the certificate to a file, you can load it first:

# Read the file named cert.pem from the current working directory
trust_cert = ::File.read('cert.pem')

Whether you read it from a file or already have the certificate in a variable, pass it to the Nexpose::Connection constructor:

require 'nexpose'

# host and port are the values used above; user and pass hold the console credentials.
# Use the loaded cert string to create a "trusted" connection: with trust_cert set,
# the gem verifies the server certificate instead of skipping validation.
puts "Connecting to Nexpose instance at #{host}:#{port} with username #{user}..."
nsc = Nexpose::Connection.new(host, user, pass, port, nil, nil, trust_cert)
nsc.login
# do some work
nsc.logout

In this example we are passing nil for the silo_id and token parameters since they are unused on a default Nexpose console.
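As an added example (not part of this page or of the nexpose-client gem), the checks worth running between the capture step and the connection step above: confirm the captured PEM actually names the host string that will be passed to Nexpose::Connection, record its SHA-256 fingerprint for out-of-band confirmation, and build the verifying SSLContext that a trusted connection uses in place of the VERIFY_NONE bootstrap fetch. The self-signed certificate, the host name and the IP address are constructed test data.

```ruby
require 'openssl'

# Constructed test data: a self-signed cert standing in for the PEM captured from
# the console (cn and sans are the names the console is expected to be reached by).
def self_signed_pem(cn, sans)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 86_400
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension('subjectAltName', sans.join(',')))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# SHA-256 fingerprint in the colon-separated form browsers display, so the captured
# PEM can be confirmed out-of-band before it is written to cert.pem.
def fingerprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest::SHA256.hexdigest(der).upcase.scan(/../).join(':')
end

# Same identity check a verifying TLS client applies: SAN entries first, CN only
# when the cert has no SAN. Run it with the exact host string Nexpose::Connection
# will receive, so a name mismatch is caught here rather than as a failed login.
def cert_matches_host?(pem, host)
  OpenSSL::SSL.verify_certificate_identity(OpenSSL::X509::Certificate.new(pem), host)
end

# Context that trusts exactly this one PEM and requires a hostname match: the
# verifying posture of a trusted connection, versus the VERIFY_NONE bootstrap fetch.
def pinned_context(pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(pem))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = store
  ctx
end
```

Checking `cert_matches_host?(trust_cert, host)` right after the capture step catches the CN/SAN mismatch described in the overview before any login is attempted.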