Cannot enroll client to server

44 views
Skip to first unread message

mariano kabakian

unread,
May 10, 2021, 9:43:41 AM5/10/21
to velociraptor-discuss

hi Velocigurus!

I'm not able to enrol my client to server. I have aVM running velociratpro server and I can access to web mgmt without any problem. The thing is I cannot enrol my pc to the server.
This is the log
INFO] 2021-05-10T10:31:38-03:00 Ring Buffer: Creation {"filename":"C:\\Program Files\\Velociraptor\\Tools/Velociraptor_Buffer.bin","max_size":1073741874}
[INFO] 2021-05-10T10:31:38-03:00 Starting HTTPCommunicator: HTTP Connector to [https://192.168.232.15/velociraptor/]
[INFO] 2021-05-10T10:31:38-03:00 While getting https://192.168.232.15/velociraptor/: Get "https://192.168.232.15/velociraptor/server.pem": x509: certificate is valid for securityonion, not VelociraptorServer
[INFO] 2021-05-10T10:31:38-03:00 Waiting for a reachable server: 1m28s
[INFO] 2021-05-10T10:31:38-03:00 Compiled all artifacts.
[INFO] 2021-05-10T10:33:06-03:00 While getting https://192.168.232.15/velociraptor/
 
Any idea or help is welcome
Thanks

Mike Cohen

unread,
May 10, 2021, 9:55:29 AM5/10/21
to mariano kabakian, velociraptor-discuss
How did you generate the certificate? It looks like your server's certificate is created for the wrong name (securityonion).  Did you use the wizard with `velociraptor config generate -i`? Did you select the self signed option? Do you have another SSL server in front of the Velociraptor server?

When Velociraptor is configured in self signed mode, it expects the server to present a self signed cert with the SAN of "VelociraptorServer" which is exactly signed by the Velociraptor CA. This is a way of pinning the server cert. You can not present a different certificate or MITM proxy the connection or the client will not trust it.

Thanks
Mike

Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
M  ‭+61 470 238 491‬ 
mi...@velocidex.com 


--
You received this message because you are subscribed to the Google Groups "velociraptor-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to velociraptor-dis...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/velociraptor-discuss/394222c3-b085-4275-94f1-a4018bc2eacan%40googlegroups.com.

mariano kabakian

unread,
May 10, 2021, 10:14:54 AM5/10/21
to velociraptor-discuss
Hi Mike
Velociraptor is running into securityOnion server behind a nginx.the CA is the one that securityonion server generates. What shoud I do? generate a new cert?

Mike Cohen

unread,
May 10, 2021, 11:14:54 AM5/10/21
to mariano kabakian, velociraptor-discuss
Velociraptor clients support two modes of communication:
1. Self signed SSL means the certificate is generated by Velociraptor's internal CA and this is pinned so the clients will refuse to talk to anyone else
2. Non self signed mode requires the certificate to be issued by a proper public CA which chains through the SSL root store to the global root CAs. 

Those are the only safe modes of deploying SSL - specifically it is not supported to have a non-velociraptor self signed SSL certificate because the clients can not verify it. If you are trying to serve the Velociraptor clients through a self signed SSL proxy this is not going to work because the clients can not guarantee that the SSL communication is not being intercepted.

You can serve the Velociraptor SSL connections on a separate port (i.e. not go through the security onion server).

Technically you can switch SSL off completely but this is not a recommended setting because then you rely on Velociraptor's built in encryption for transport encryption.

Here is more information about encryption and communications

Thanks
Mike



Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
M  ‭+61 470 238 491‬ 
mi...@velocidex.com 

Wes Lambert

unread,
May 10, 2021, 11:18:28 AM5/10/21
to Mike Cohen, mariano kabakian, velociraptor-discuss
Reply all
Reply to author
Forward
0 new messages