SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

Share tech news, updates, or what's on your mind.

Sign up to Post

I am looking for some discussion and feedback on best practices for managing a firewall with HTTPS Inspection/URL and Application Filtering and dealing with a consistent issue with CDN's resources somehow not being successfully pulled down and resulting in a page not loading. This could be due to any of the blades of the firewall affecting the ability for it to load including the inspection, a particular CDN not already being white listed or an ASK for verification of use policy not showing because its being pulled down as a .js resource.

In a nutshell, i want to hear how other firewall admins are managing the constant need to allow CDN's resources to sites for user bases with no real streamline way to proactively plan for it or even sometimes resolve it in a reasonable about of time.

For example - I am experiencing an issue where a user can not access a certification site. The site is pulling down resources from Cloudflaressl, cloudfront and facebook. The domains addresses are very specific and i dont think bypassing https inspection, if thats the issue for these domains is a good call. What do you do short of turning the firewall off? : )

Thanks in advance.
0
Cloud Class® Course: Certified Penetration Testing
LVL 12
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Attempting to setup Microsoft Direct access, but it does not see my wildcard SSL cert from godaddy. It will allow me to use a self signed cert, but we would rather use our wildcard cert that matches our domain. I've read setup guides that say a wildcard can be used. Any ideas as to why its not showing up?
0
Hi Everyone

These events are on my exchange server 2010 with windows server 2012 standard. How can i resolve this? The following KB has been installed already KB2975331. Thanking you in advance for your assistance

I have already gone through
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/schannel-error-id-36874-and-36888/ae41effc-1b0a-4d55-be23-24835cd7a32e
https://blogs.technet.microsoft.com/silvana/2014/03/14/schannel-errors-on-scom-agent/
https://www.microsoft.com/en-us/download/details.aspx?id=44053
https://support.microsoft.com/en-us/help/2975331/august-2014-update-rollup-for-windows-rt-windows-8-and-windows-server

  I am getting  event id 36888 "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205."

event id 36874 "An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

event id 36874"An TLS 1.1 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."
0
I am attempting to recover a Token from an HTTPS server.
There is a  correctly installed Certificaton my PC that when used via a web page returns a Token

Code is in VBA  WinhttpRequest

When the code is run it returns an error  on the send line

Error 800700b7
"Cannot create file when that file already exists."
The same error is returned regardless of the contents of the strSource xml file.

I cannot understand what file it is trying to create.

<Code>
Dim HttpReq1 As WinHttpRequest
   
  Set HttpReq1 = New WinHttpRequest
 
  HttpReq1.Open "GET", "https://secure.authentxxxxx.com/Authenticator/Token.asmx", False
  HttpReq1.setRequestHeader "Content-Type", "application/soap+xml; charset=UTF-8" '
 
  HttpReq1.SetClientCertificate "CURRENT_USER\My\AurtxxxUAT01"
  HttpReq1.setRequestHeader "Content-Type", "text/xml; charset=UTF-8"
  HttpReq1.setRequestHeader "SOAPAction", "http://www.uk.experian.com/WASP/STS"
  HttpReq1.send strSource   'strSource is an XML string with SOAP headers etc.

<Code end>
0
Hello,
is there any way to redirect a user for a login page in main internet getaway and check if the user have a certificate on his pc then redirect him to the requested site ?
thanks.
0
I have Dedicated server on Hetzner. Server is located in Germany.

Server has 256GB RAM 6 CPUs (12 Threads)... In coclusion, it is quite good one. I have CENTOS 7.5. EA4.

Problem is with SSL. Every day for about 2 hours we have 40 requests in one second and at that moment finishing requests takes about 20 seconds sometimes.

While Non SSL takes 0.5 and lower mostly.

There is some exapmle page

http://viber.ge/index.php


After few second you will see responce time and it varies a lot.

From 13:00 to 15:30 (UTC+4) SSL requests take the msot time.

Even if u open this link with SSL and without u might see the difference.

I have WHM available and I've noticed ModSecurity and wonder if it might be the problem.

I have already applied most of the setting provided here but they are not much about SSL.

Could anyone point out where should I look to resolve this issue?
0
Hi All,

We have a wireless network that is secured by SSL. However, we’re having many domain member laptops unable to connect to the wireless network due to an unknown SSL certificate that is appearing on all domain machines, including domain servers.

The certificate presents itself published to an alpha numeric-ID, by another alpha numeric ID.  There is no additional information that indicates the certificates purpose or origin.

I have uploaded a screenshot of the local computer personal cert. store.

Rogue_Certificate.png
We have checked Group Policy and confirmed that the certificate is not being deployed using policy. Instead, it appears to be installed automatically on all domain member computers and servers.

If the certificate is removed, it appears again after the computer/server is restarted.



We believe it might be related to ADFS or Azure ADsync although we haven’t been able to locate those roles on any servers. We’ve seen a similar certificate on other client sites that use those services.

Does any one know a way in which we might be able to remove this certificate from being published / installed on the domain computer members?
0
How to upgrade TLS 1.01 to TLS 1.1 in window 2008 server?
0
I'm trying to configure Pound Reverse Proxy with a HTTPS connection to a Webserver in the backend. Unfortunately it does not work. If I use unencrypted HTTP, it works. Syslog says:
Jun  8 11:11:39 transfer pound: BIO_do_handshake with XXX.XXX.XXX.XXX:443 failed: error:00000000:lib(0):func(0):reason(0)
openssl s_client -connect example.com:443 says "CONNECTION OK".

The used config part of Pound:

 ListenHTTPS
        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"
        Address YYY.YYY.YYY.YYY
        Port    443
        Cert    "/etc/ssl/pound/server.pem"

        ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
        xHTTP           1

        Service
                BackEnd
                        Address XXX.XXX.XXX.XXX
                        Port    443
                        HTTPS
                End
        End

I've been surfing the net for several hours with no solution, so I thought "maybe experts exchange can help"?


****** edit #1 a few hours later ******

I sniffed the traffic between the reverse proxy and the https-backend-server. I added a screen capture. It seems that the web server just does not answer, then pound runs into a timeout and closes the connection, but I'm not an expert. I've tried to put pound in front of several web servers, with the same effect. I assume that they dislike something in the "handshake-request-packet", but I have no clue what, because I get no …
0
When Using WinHTTP with setClientCertificate I cannot locate the certificate to use in Windows 10 using Access 2016 VBA.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa384055(v=vs.85).aspx  provides an example

// Select a client certificate.
HttpReq.SetClientCertificate(
            "LOCAL_MACHINE\\Personal\\My Middle-Tier Certificate");


If I go into mmc I can see the certificate with the "Issued to" and "serial No".  Searching the registry finds neither of those values.

The Certificate is installed correctly as I am able to access the https website manually clicking the certificate when requested.
0
WEBINAR: 10 Easy Ways to Lose a Password
LVL 1
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

I'm trying to download Magento v.1 when i reached to download phase this error appeared to me about the SSL certificate.

CONNECT ERROR: SSL certificate problem: unable to get local issuer certificate
How can i fix this ??
0
I have a user that visited our site from a Samsung Phone browser.  I have also verified using a browser test the same experience where our site comes back as unsafe even though we have a valid SSL cert that works on every other browser tested.

the site is http://faithfamilyshiloh.org

can you give me some direction on how to find any necessary chain certificates I might add to fix the experience from Samsung phones?
0
Go Daddy UCC SAN CERT "You entered an invalid subject alt name. You must use a fully-qualified subject alt name."
There are no .local names:

X autodiscover.DOMAIN.com
X autodiscover.DOMAIN.corp
X DOMAIN.com
X mail.DOMAIN.corp
X mail2.DOMAIN.com
X mail2.DOMAIN.corp
X exhcangeservername.DOMAIN.corp

Wants me to "Add Subject Alternative Name (SAN)"   ?
0
Hi all,
PKI Certificate issue. 2-tier PKI. I need to add O and OU info to Sub CA certificate (because of Firefox). For sure I can create custom request to to put O, OU, DNS and other info but I need to renew CA certificate. But how can I add that info? certutil perhaps?
0
Hello - I have SharePoint 2016 installed and have setup all. I am able to access our site from my APPSERVER1 via port 80. I have recently obtained a SSL cert and followed the instructions on assigning and binding to my APPSEVER1 SP Site.

Site Bindings settings
Authentication settings
Application Pool Settings
SSL Settings
I have imported cert successfully into SharePoint Trust Relationship and I have also configured Alternate Access Mappings.

AAM: Internal URL http://APPSERVER1                          Zone: Default                        Public URL for Zone: http://APPSERVER1

I added this...https://sharepoint.server.org                  Zone: Intranet                      Public URL for Zone: https://sharepoint.server.org 

Now the Web Application set is setup for URL: APPSERVER1 on Port 80 so not sure if this is my issue.

I can access the website https://sharepoint.server.org, however I have to put in my credentials for every piece of webpart to come up. If I navigate to another sub-site I have to enter my credentials all over. Another thing is I get a Pad lock on URL, however it states that parts of the web content is not secure upon me putting in my credentials.

I appreciate your help.
0
Hi Experts,

I am looking for a two-way authentication procedure in the attempt to protect one of our public facing website.

I would like to implement some type of two way authentication to add an additional layer of protect.


I am thing of the end users getting an email notification or some type of verification method.

Any thought or recommendations?

Thank you
0
I am using a VCL WEBSockets component from IPWorks to write a WebSocket server application.
I am initially using the Demo server application source code that was provided with the product (a trial version).
The code compiles with C++ Builder XE10.2 and runs. At run-time  you have to supply a TCP port number upon which the server will be listening.
There is also the option at run-time to select or de-select the use of SSL. When SSL is selected the demo program displays the key that it is using as follows which includes an RSA public key:

Issuer: CN=Token Signing Public Key
Subject: CN=d96a8295f11e5dfd
Version: V3
Serial Number: f1c56f5305f258ed5ac99ee94dea627efc92481a
Signature Algorithm: DATA_STRUCTURE
Effective Date: 20-Dec-2016 02:15:23
Expiration Date: 27-Dec-2016 02:15:23
Public Key Algorithm: RSA_RSA
Public Key Length: 1024
Public Key: -----BEGIN RSA PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGBHHSwSweChfdD/EqXR2QkBs5
vB4iRs1oWEmjLlE9DwY37oT0o3Wa2OpXOp+KOgxxq8f0yJ0+qTDWYPd3fVLx1nO4
vRiRX4R6yDPl4JwhdOE0jCK7CTWgNNj/EVEBP2d1putJDdsc2rINRytUf9Z5OpBc
nTfQ+hlSwkasoKWQfwIDAQAB
-----END RSA PUBLIC KEY-----

Where and how do I register this public key on the Windows 10 Professional PC from which a connection with the server will be made?

I know very little about technicalities of SSL or TLS.
0
Hi,
My client has wildcard certificate(comodo)on multiple servers. Mostly AFAIK IIS 8 and cisco asa.
I need to renew wildcard comodo cert on multiple servers.
Do I need to create cert request on IIS but not with renew option?
https://weblog.west-wind.com/posts/2014/May/08/IIS-SSL-Certificate-Renewal-Pain


Do I need to mark old cert and than create cert request

or do I need mark IIS server and than create cert request option?

https://www.youtube.com/watch?v=ji0-HgB4wek
So,to sumarize.Create cert request on one server,import cert and  then export(pfx) and move it and import to another IIS server?
When I create cert request does this information(organizational unit,organization…)must match with old cert and if so how can I find those information on old cert?IT engineer who has purchase cert last year doesnt work here anymore.

0
Please provide me steps to configure ssl in obiee 12c with restart sequences and any change in any file to be made. I implemented using self signed certificate by keytool. Stored those keystores at some path and mentioned those details at adminserver and biserver using console keystores and ssl tabs.i also modified nodemanager.properties as described in google.i shutdown and started biserver.but I had to force shut down adminserver.after that I could not bring up weblogic and hence obiee server.
Any help would be appreciated.
Regards,Kapil Porwal
0
Cloud Class® Course: SQL Server Core 2016
LVL 12
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

Hi Experts,

I want to run this file in openssl.
Can you help me please ?

Where to enter what ?

cat > csr_details.txt <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=New York
L=Rochester
O=End Point
OU=Testing Domain
emailAddress=your-administrative-address@your-awesome-existing-domain.com
CN = www.your-new-domain.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = your-new-domain.com
DNS.2 = www.your-new-domain.com
EOF

# Let’s call openssl now by piping the newly created file in
openssl req -new -sha256 -nodes -out \*.your-new-domain.com.csr -newkey rsa:2048 -keyout \*.your-new-domain.com.key -config <( cat csr_details.txt )

Open in new window

0
We have a Windows Server 2016 ADCS server and I am recently trying to get it to generate certificates that work with Chrome extra. But no matter what I do when creating the CSR and adding the SAN names to the CSR, they do not appear in the certificate. It

Chrome gives this error:

You connection is not private
Attackers might be trying to steal your information from xxx
NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is nagios.hud.ac.uk; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.

What do I need to do on the ADCS server to ensure SAN names are properly added to certificates?
0
We have an own PKI.
I have created a new certificate for some web services.
I just want to get rid of the cert warnings when I open the site.

When I open the site with IE all is fine and no warnings.
But with CHROME I still have this warnings.

Do you know what I can do ?
0
Looking for any assistance in updating or installing a wildcard SSL in Artifactory v 4.15
Our wildcard SSL needs to be updated before the current cert expires.
0
I am following the directions to retrieve my CSR key for my site certificate from a Linux box form the site below. After following the instructions, nothing happens and I do not get a private key. As you can see from the screenshot, I follow the instructions but it goes back to the root prompt.  

What am I doing wrong? Where does Linux store the key?

https://medium.com/@sslsecurity/how-to-generate-csr-certificate-signing-request-in-linux-ee4d9bc52837
Capture.PNG
0
CENTOS 6.5 Server running Apache 2.2.15

We are running a Secure Site on this server and thus have a SSL cert from GoDaddy. The Cert from Godaddy is current but recently the Server-Cert expired.

Followed the instructions here to generate a new Server-Cert
https://serverfault.com/questions/578069/ssl-library-error-8181-certificate-has-expired

Then here to generate a new CSR
https://tecadmin.net/simple-steps-to-generate-csr-on-centos/#
 

Then we went and Re-Keyed our SSL cert with Godaddy, plugged in the new cert details and restarted HTTPD.

When I run : nmap -sT xxxxx.xxxxxxx.com
Get this
Host is up (0.00044s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
3306/tcp  open  mysql
8443/tcp  open  https-alt
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds

It appears that it is not listening on 443. If I add a "Listen 443" directive to the HTTPD Conf though it resolves to the Centos Apache default screen versus the site root.

In the SSL_ERROR Log I am seeing the following
[Tue May 22 15:09:11 2018] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue May 22 15:09:11 2018] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue May 22 15:09:42 2018] [warn] RSA server certificate is a CA certificate
0

SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.