HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.


Tomcat 6 TLS1.2 enabled but still using SSL2 when opening an HTTP connection

Greetings, newbie here, so I might need help formatting the question properly.

I have an application running under Tomcat 6 that needs to run TLSv1.2.
I have installed the Java Runtime Environment 6.0.181, which supports TLSv1.2.
I have configured the server.xml file to use TLSv1.2 for connections to clients, and Wireshark shows TLSv1.2 connections to the client when they are loading pages. But one of the pages makes an API call by opening an HttpURLConnection, which also needs to use TLSv1.2, and I am unable to make that work. Wireshark shows that outgoing API call as SSLv2, and the Tomcat log shows a "Connection reset" error.

This is the server.xml connector that comes so close.

<Connector port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLVerifyClient="optional" sslEnabledProtocols="TLSv1.2"/>

Here is the HttpURLConnection code that needs to use TLSv1.2 to work:

// Stray spaces inside the quoted URL removed; they would have made the URL invalid
String url = "https://www.tlsv12testsite/";

String agent = "Mozilla/4.0";
String type = "application/x-www-form-urlencoded";

I am just wondering what this change in July 2018 is in the World Wide Web. Are sites insistent on being on secure servers, using HSTS and OCSP stapling?
I heard there was a change coming into effect in June or July this year, but I can't find any information on it. Is it strictly based on SEO techniques, for example?

Thanks for your help
How do I know which certificates are being used on my Exchange server?

The IT company that installed the certificates is not reachable anymore, and I know that they had to use some certificates, then dropped them and re-installed a new one, since I am managing 5 domains under my Exchange box.
How do I know from this screenshot which is still used and which is not, so that I know which one to renew and when?
We have a production and staging website, both running on IIS. The production website is running on HTTP, and on staging we recently installed an SSL certificate to test HTTPS. All was working fine until we hit a roadblock with one of the functions giving error 500 for type xhr.

It is an event registration form which upon submitting gives the error.
Hi all - calling all Draytek experts,

I am trying to configure a Draytek Router with an SSL certificate for SSL VPN, Wifi Radius authentication and remote access. I can generate a CSR on a different machine, have it signed by a CA, import it back to the same machine and then export it including the key, to then import to the Draytek as a PFX, no problem.

All appears to be working fine.

However, when testing the SSL security of the site/certificate at SSL Labs it says the chain is broken (most of the rest of the report is fine). Is this something I can prevent by a different approach? Am I doing something obviously wrong?

I have avoided generating the CSR from the Draytek, as, and correct me if I am wrong, the import into the client machines for Wifi Auth required the full Pfx. This approach did not work, but the former above does i.e. I can transport the Key file in the Pfx.

So does anyone have a better idea / route to achieve the best solution to what should be fairly simple, or should I not even worry about the broken chain analysis when the SSL is working on browsers, SSL VPN and Wifi RADIUS?

Many, many thanks in advance to anyone that might be able to point me in the correct direction.

Can anyone tell me what entries I should give in godaddy DNS for site

Issue: is loading from the CloudFront origin with SSL; however, is loading directly from the server without SSL. Looks like a synchronization problem between CloudFront and the origin.

There should be only 1 site and only 1 origin. Everything should redirect to it only.

CloudFront distribution with custom wildcard ACM certificate installed. Server IP address in the A record. CloudFront domain name in the CNAME record.
I had this problem with Google Chrome before, but now I have it with Firefox as well:

I'm running Ubuntu 17.10 on my laptop, with apache2. This is a development machine, so I have numerous PHP sites defined as virtual hosts. This used to work perfectly on both Chrome and Firefox. But a couple of weeks (?) ago Chrome refused service, and now Firefox thinks it has to protect me from my own code. I don't know if the problem is caused by a recent update of Chrome or Firefox, or if this is caused by an Apache update.

Now I can't access any of these virtual hosts anymore. I get some crap message about "Your connection is not secure" and some stuff about HSTS.
The thing is: I don't use HTTPS for these sites, and I don't want to use it. All I'm developing are intranet applications NOT even accessible outside our company network, so I don't need HTTPS, and I couldn't even get certificates if I tried since there is no "official" domain name linked to these sites (they're all .lan or .dev names).

I wasted a full day on this crap and nothing seems to work. How do I disable HSTS completely on my locally installed apache2 on MY OWN laptop? These sites on my laptop are development versions not accessible outside my laptop, so I don't need this.
Disabling HSTS for any .dev website would also be a solution.

Or alternatively does anyone know of a recent step by step "how to"  on using self-signed certificates that does work? I've tried several today but none of them seem to work…
Hi, I just found out that one of our cloud service vendors is dropping LDAP support very soon and rightfully so.

So, they are requesting we use LDAP with TLS or LDAP with SSL.

I am researching these options and LDAP with SSL (aka LDAPS) seems to be the better choice.

However, couldn't I use ADFS instead?

Just wondering.

Thanks in advance.
Hi All,

We have an issue with our remote devices not talking to the SCCM cloud management gateway. A device that is on the internet will not connect to the gateway. The LocationServices.log will return entries like WINHTTP_SECURE_FAILURE. When the device starts up a VPN connection with the company network, it connects properly to the on-premises SCCM MP. Oddly enough, when disconnecting the VPN, the device switches over to the cloud gateway without any problem and stays connected. After a reboot, for instance, the same story starts all over again.
Could there be an issue with the SSL certificate on the cloud gateway? I believe it has been configured correctly. Below is included an excerpt of the locationservices.log. Any help would be very much appreciated!!

]LOG]!><time="08:26:06.909-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="event.cpp:840">
<![LOG[Failed to send request to /CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT at host ABCDEFG.CLOUDAPP.NET, error 0x2f8f]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[[CCMHTTP] ERROR: URL=https://ABCDEFG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" …
Hi, I am configuring an ADFS 4.0 server with an additional WAP proxy server to allow SSO with things such as Facebook Workplace and Egress Switch.

We have our primary domain, which is, and a load of additional UPN suffixes which users can be configured with, for example, and

The FQDN of the ADFS box will be

Do we need to have a multi-domain SAN certificate configured to allow external 3rd-party applications such as Office 365 or Facebook Workplace to be able to authenticate users with usernames that contain one of the other UPN suffixes, or do we simply need a single-domain certificate for



My system admin configured the SSL certificate (wildcard), but when I am going through the ADFS configuration, I don't see any SSL certificate in the drop-down below. There is an Import button next to the drop-down, but I can't find the .cer file.

ADFS Configuration Wizard
This organization's certificate has been revoked.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
We recommend that you close this webpage and do not continue to this website.  
Click here to close this webpage.
I have an existing installation of Dell NetExtender on my home computer and need to know how to change the DNS setting.

dns settings
Hi guys,

I am having a problem with my WordPress install not being able to load assets.

It seems like it's a problem with the SSL certificate I have installed? I have a Let's Encrypt SSL certificate, and it says that it's blocking the content for some reason.

Please see the screenshots below of the console errors. Any help would be highly appreciated.


I've supported SSL certs and configured servers for years, so no newb here.

Had an interesting issue on CentOS 7.
Let's call my SSL domain, and we'll say the IP is set up in the virtual host directive (Apache 2.4.6 / OpenSSL 1.0.2k-fips).
And the server hosting it is linux.domain.local, a CentOS 7.4.1708 box.

Cert is installed, and answering to, everything is good.

Here's where the issue rears its ugly head:
For some local software, Ansible + Jenkins, we have to make a hosts file entry back to the machine's own IP, so in my /etc/hosts file I placed:

When I restart apache / openssl, I then get a domain mismatch warning in a browser when visiting the site. If I go to, it gives the mismatch , and when viewing the cert via the browser (view cert), it says the servername is actually linux.domain.local.

If I comment out the /etc/hosts file entry and restart Apache, SSL works as expected.

When the entry is in /etc/hosts, it appears to grab the rDNS name of the machine rather than serving up what I have specified in the <VirtualHost> directive.
To pre-answer: yes, the ServerName directive is, and the virtual host is set up specifically with the IP:port (

Never seen this on any other Linux / RPM-based flavor. One workaround seems to be setting the rDNS, but I don't want to rely on that for our production server(s).
I'd rather know WHY CentOS 7 …
Looking for a cost-effective appliance-based VPN solution (preferably clientless) for small business.

We have a number of small clients for whom we have been using the Netgear FVS-336s with a lot of success, but they are no longer supporting it.
Some users remain on for as much as 8-10 hours per day.

If you have, for example, an image with max-age=31536000, when using HTTPS what is the best thing to do:

Cache-Control: public, max-age=31536000


Cache-Control: private, max-age=31536000


Cache-Control: max-age=31536000


Which one and why?

I also did some research of my own, but I'm not sure yet what the answer has to be. I think this is true:

By default web browsers should cache content over HTTPS the same as over HTTP, unless explicitly told otherwise via the HTTP Headers received.

This is about the cache of the browser. For shared caches I think this is true:

If the request is authenticated or secure (i.e., HTTPS), it won’t be cached by shared caches.

Google is saying here, see:

If the response is marked as "public", then it can be cached, even if it has HTTP authentication associated with it, and even when the response status code isn't normally cacheable. Most of the time, "public" isn't necessary, because explicit caching information (like "max-age") indicates that the response is cacheable anyway.

That's what Google is saying, but I also checked what they are doing. See:

cache-control:private, max-age=31536000


cache-control:public, max-age=31536000


When I use the Microsoft Connectivity Analyzer for Skype for Business connectivity, I get an error when it is attempting to obtain the SSL certificate from the remote server. Please see attached.
We have an installation with one
TFS 2015 for building a web application.
The deployment is on a separate web server.
Now we have the problem that TFS can't deploy because the certificate of the web server has expired.
We never deployed a certificate and we don't know who the authority for the certificate is.
As a workaround we are now using HTTP for deploying the application.

We are in a hybrid environment with Office 365. Recently we had an issue with migrating a mailbox to Office 365. When I logged on to our on-prem Exchange 2010 server, the management console showed some expired certs. I have two servers set up under server config. See attached screenshots. I used the management console to generate a new cert request for the off365 server. I used the console to complete the cert install, but where do I install the intermediate cert? I see a couple of certs are self-signed; how do I renew those? Email is working, as are migrations, but I can't ping the off365 server from the outside.
OFF365EXCH2010
I received the following warning about RDP:

The following certificates were part of the certificate chain sent by
the remote host, but contain hashes that are considered to be weak.
|-Subject             : CN=PBVA01
|-Signature Algorithm : SHA-1 With RSA Encryption

I want to confirm the signature algorithm used by RDP, so where can I check the certificate and the signature algorithm of RDP? Thanks.
Hi Experts,

This is a weird issue. I have been developing a small PHP app on my dev server (IIS7) with the Google Calendar API, then launched it on my live server (IIS8). At that time, the connection to the API worked from both servers, which was a month back.

While the connection from my live server continues to work, on my dev server I get
PHP Fatal error:  Uncaught GuzzleHttp\Ring\Exception\RingException: Error creating resource: [message] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[file] C:\inetpub\wwwroot\CRM_COR\utilities\google_calendar\vendor\guzzlehttp\ringphp\src\Client\StreamHandler.php
[line] 406
[message] fopen(): Failed to enable crypto
[file] C:\inetpub\wwwroot\CRM_COR\utilities\google_calendar\vendor\guzzlehttp\ringphp\src\Client\StreamHandler.php
[line] 406
[message] fopen( failed to open stream: operation failed
[file] C:\inetpub\wwwroot\CRM_COR\utilities\google_calendar\vendor\guzzlehttp\ringphp\src\Client\StreamHandler.php
[line] 406
[message] Undefined variable: http_response_header
[file] C:\inetpub\wwwroot\CRM_COR\utilities\google_calendar\vendor\guzzlehttp\ringphp\src\Client\StreamHandler.php
[line] 407 in C:\inetpub\wwwroot\CRM_COR\utilities\google_calendar\vendor\guzzlehttp\ringph in 


Please provide me with the steps necessary to create & purchase a .PFX certificate file for Microsoft Azure Active Directory Connect.

How can this certificate request be created and what type of certificate needs to be purchased from a public certification company such as Go Daddy?

I would prefer to use Go Daddy to purchase this certificate from and need the exact steps on how to complete this entire process.

Clicking on the Learn about SSL certificates and PFX files link takes you to the SSL Certificate Requirements section of this webpage (click the Link to visit this page).

Running the following curl command:

I am faced with an error to do with the SSL certificate:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[#### ~]$ curl --tlsv1.2
curl: option --tlsv1.2: is unknown
curl: try 'curl --help' for more information
[#### ~]$ curl --tlsv1
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA)
I have recently configured RPC over HTTP with NTLM auth in our staging env with Exchange 2013 (Enterprise) and AD 2012 R2, by setting MapiHttpEnable $false at the Exchange org level, to have it match our production.

From an internal env (within the datacenter network, the same network as the Exchange servers, using a virtual desktop) Outlook profiles are able to be created successfully, and Outlook connects using RPC over HTTP with NTLM.

However, when connecting to the env on a physical machine through VPN to the staging env, and creating an Outlook profile using Autodiscover, with Outlook 2013 and Outlook 2016, the following message displays: 'an encrypted connection to your mail server is not available, click next to attempt an unencrypted connection'. Tried this on multiple machines, same issue.

When I click Next, it fails. Autodiscover is set up correctly, because before, when MAPI over HTTPS was enabled on the Exchange servers, Outlook was fine on a physical machine connected via VPN. Outlook was able to successfully make a connection via Autodiscover. However, now it is not. In between we have a load balancer and a firewall.

Please assist in troubleshooting this issue.
Thanks in advance.