# SSL / HTTPS


HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

We have a small Java program that connects to an Oracle (11.2.0.4 Windows) DB. There is a .jks file that has the certs in it (4096 key size). When we try to connect we get:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA

If I make changes to the entries below in the java.security file in Java:

jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms

and remove the MD5 and MD5withRSA parameters, it works. From what I've read this is supposed to be an issue in JRE 7.4 and above, but it is only supposed to happen when the key length is 1024 or less. Not sure why it's happening with a 4096 key length cert.

---

We have a requirement where we need to build a WCF service which can make outbound calls (as a client) to backend services which require 2-way SSL (mutual authentication).

We have been trying this with no luck. It works with 1-way SSL (WCF as client), but when we set the backend services to require 2-way SSL, the handshake fails at the point where WCF is supposed to send its certificate to the backend service, but it doesn't.

Anyone have experience doing this? Any clues as to what the problem could be will be much appreciated.

Best Regards
Charles

---
Hi

My website is set up to run over http or https; I assumed everything was working until recently.

On my Mac in Safari and Firefox the following two URLs work fine:
http://www.petenetlive.com
or
https://www.petenetlive.com

HOWEVER in IE it does not load the CSS and bleats about mixed content. Now I can view the source and see that the CSS is being loaded from http URLs, so that's probably causing the problem (why Firefox and Safari work, I don't know).

I've tried various WordPress plugins that claim to fix SSL problems; none of them worked. I've set the site in WordPress to use the https URL, and I've also set this in the wp-config file.

HOW DO I FIX THIS?

Note: I'm running NGINX and don't have a .htaccess file.

Pete

---
I have a 2012 R2 IIS 8.5 server that is running a web site for the application Kaseya. I am trying to lock it down so deprecated ciphers are disabled, and I would like to reorder them in a more secure fashion. I have attempted to make the changes to the schannel key in the registry (didn't work). I have used Nartac IIS Crypto and I have run PowerShell scripts to try to recreate all my keys. I also used group policy to decide the cipher order. Nothing has worked. No matter if I have every cipher or even protocol disabled, they still show that they are in use. I am scanning the server using the Qualys SSL scan. Has anyone ever run into this issue? I have had no problem doing this on other application web servers in my organization, but this one seems as if the protocol and cipher settings are hard coded somewhere other than the registry. Any ideas would be greatly appreciated. I'm wondering if the web application is forcing it somehow and my registry settings have no effect. I just have never seen this happen, nor can I find any reference on the internet. Just so everyone is aware, I have restarted after making the reg changes. Unfortunately, the same protocols and ciphers are always enabled.

---
I'm trying to configure SSL (https) for Tomcat 8 and have done the steps below, but it's still not working.

1) Created the keystore file using

keytool -genkey -alias myservername -keyalg RSA

2) Generated the CSR as below

keytool -certreq -alias myservername -file C:\tomcat_ssl\local_machine\test.csr -keystore C:\tomcat_ssl\local_machine\test.keystore

3) Then we generated the certificate and imported the chain certificate and the certificate as below

keytool -import -alias root -keystore C:\tomcat_ssl\local_machine\test.keystore -trustcacerts -file C:\tomcat_ssl\local_machine\srv_chain.cer

keytool -import -alias myservername -keystore C:\tomcat_ssl\local_machine\test.keystore -file C:\tomcat_ssl\local_machine\srv_main.cer

4) Finally made the changes in the Tomcat server.xml as below

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\tomcat_ssl\local_machine\test.keystore" keystorePass="123" keystoreAlias="myservername"/>

Restarted Tomcat and it's not working, showing the screen below.

In the Tomcat logs it's not showing any errors, and I have also tried other options like keeping a cipher tag in the connector, enabling TLS 1, 2, 3, changing the https port, etc., to no avail.

Also I have tested the https port 443 and it shows as listening when I run netstat. Any idea why this is not working?
---
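For both the Java MD5withRSA question earlier on this page and the Tomcat keystore steps just above, an added check (not code from either poster): it opens a JKS and prints, per alias, the entry type, the chain length, and each certificate's signature algorithm and RSA key size. The MD5 entry in jdk.certpath.disabledAlgorithms rejects any certificate in the path whose signature algorithm is MD5withRSA, independently of the "RSA keySize < 1024" rule, so a 4096-bit leaf still fails when an intermediate is MD5-signed; for Tomcat, the same listing shows whether the alias named in server.xml is a PrivateKeyEntry whose chain contains the imported CA certificate. The class name and the path/password arguments are my own choices.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Enumeration;

/**
 * Lists every alias in a JKS keystore: entry type, chain length, and for each
 * certificate in the chain its signature algorithm and RSA key size.
 * Usage: java JksInspector <keystore.jks> <password>   (both are assumed inputs)
 */
public class JksInspector {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java JksInspector <keystore.jks> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Tomcat's server alias must be a PrivateKeyEntry; CA certs imported
            // with -trustcacerts appear as trustedCertEntry and carry no chain.
            boolean keyEntry = ks.isKeyEntry(alias);
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) {
                Certificate single = ks.getCertificate(alias);
                chain = single == null ? new Certificate[0] : new Certificate[] { single };
            }
            System.out.printf("%s: %s, chain length %d%n",
                    alias, keyEntry ? "PrivateKeyEntry" : "trustedCertEntry", chain.length);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate x = (X509Certificate) chain[i];
                String key = x.getPublicKey().getAlgorithm();
                if (x.getPublicKey() instanceof RSAPublicKey) {
                    key += " " + ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength() + "-bit";
                }
                // getSigAlgName() is what the MD5 entry in jdk.certpath.disabledAlgorithms
                // matches; "RSA keySize < 1024" is a separate rule checked against the key.
                System.out.printf("  [%d] subject=%s%n      issuer=%s%n      sigAlg=%s key=%s notAfter=%s%n",
                        i, x.getSubjectX500Principal(), x.getIssuerX500Principal(),
                        x.getSigAlgName(), key, x.getNotAfter());
            }
        }
    }
}
```

Any certificate in a server alias's chain that prints sigAlg=MD5withRSA is the one the validator is rejecting, whatever its key size; for the Tomcat case, a chain length of 1 under the server alias means the CA certificate was not linked into the chain when the signed certificate was imported.

---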
Hello,

I had Tomcat configured to redirect any HTTP requests to HTTPS. This was functioning well until we had to do a DR restore of the DEV application. Now HTTP does not redirect, but HTTPS works fine. I have compared the web.xml and server.xml configurations between our DEV and PROD installations and found no differences. Below are the sanitized versions of the config:

Server.XML
<Connector port="80"
connectionTimeout="20000"
enableLookups="false"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="443"
acceptCount="100"
bindOnInit="false"/>

<Connector port="443"
enableLookups="false"
acceptCount="100"
scheme="https"
secure="true"
SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS"
keyAlias="DEV_ALIAS"
keystoreFile="L:\ocation\to\keystore.jks"
keystorePass="supersecretkey"/>


Web.XML (this code is entered after all of the servlet-mapping, and before filter-mapping)
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>


Any idea why this might be failing?
---
This issue only happens on Android phones.
We have an internal website which uses self-signed user certificates for authentication.
When a user connects to the website for the first time, chrome prompts them which certificate they want to use. Even though there is only one certificate to choose from.
Usually, just choosing once is enough until the user either turns off the phone or ends the chrome process. But some users say they still get prompted multiple times.

Is there a way that Chrome can be set to automatically use the user certificate installed on the phone so the user does not see this prompt?

We have an MDM solution that automatically installs the certificate on the phones; that part is not a problem. I asked them if they had a solution, but their only response was to use their MDM browser instead of Chrome.

---
Dear Team,

We are planning to purchase a wildcard SSL certificate for our domain (e.g. abc.xyz) but have this situation. Can you please assist?

We have several sub-domains located on one physical server, so purchasing a wildcard SSL cert should be a good choice, right? However, if we have another server (different from the former one) which will host a mail server (such as mail.abc.xyz), can we continue using the wildcard SSL cert which we purchased before?

If not, can we purchase an additional cert for that new sub-domain, mail.abc.xyz? And is there any other option?

---
I have a Debian server with about 15 websites running fine. I added a new website and that too is running fine. However, I also want to add an SSL connection for this website, but whatever I try, Apache refuses to show the website. It just shows the default Debian page. I already tried replacing the default SSL file with the file for the website, but then I get an SSL protocol error. Apachectl shows no errors, and neither do the logs. If I make an error in the config file, apachectl gives an error, so the conf file is read by Apache. I've been trying to figure this out for hours, but I am completely stumped now.

---
In trying to get scan to email working I was changing settings in the Kyocera CS400ci printer and have now locked myself out of the GUI, as the SSL settings I set are wrong and browsers don't trust it.

I checked SSL and DES only (no 3DES or AES) and now all browsers say invalid/bad/unsupported SSL/TLS etc.

Any ideas on how I can ignore any/all SSL warnings and still get to the GUI? Force SSL is on, so I can't use port 80.

---
Hi everyone,

I have a vCenter 6.5 Linux appliance that I need to install an SSL certificate into. The problem is that I have very little knowledge about the workings of this, so most articles I find on the internet aren't very helpful, mainly because they expect a lot of prerequisites to be in place that we do not seem to have.

The vCenter server is in an AD domain environment and uses an AD authentication (LDAP server identity source) for SSO. To my knowledge, some of our web servers are certified with a 3rd party issued wildcard certificate, that covers both the tld "mycompany.com" and the AD local subdomain "ad.mycompany.com". There is no internal CA installed on our Domain Controllers and I am unsure whether that is something that's required to be in place in order to certify the vCenter.

The wildcard certificate I have is in a format of a "pfx" file with a password authentication.

What is the easiest / quickest way to go about it?
---
I'm trying to enable certificate authentication in ADFS 3.0. I've deployed a client authentication certificate. I've enabled certificate authentication as a primary method of authentication for both extranet and intranet. When I attempt to log on, I click on the "sign in using an X.509 certificate link"  but I do not get a prompt to select a certificate and nothing happens. There is no firewall between the client and ADFS server.
---
Hi Folks,

Can anyone explain the difference between the three methods of certificates above? Let me explain my understanding first.

Self-Signed:
Issued by: Webserver1
Issued to: Webserver1

Certificate Authority signed:
Issued to: Webserver1
Issued by: Microsoft CA Server

3rd Party CA Cert:
Issued to: Webserver1
Issued by: Comodo or Symantec or Verisign

Now the question is: what is the difference between using self-signed for my web server and using certificate authority signed for the web server? I'm not asking about 3rd party certificates.

---
Does this TLS issue belong to the SSL certificate, or are there any changes we need to make on our server? Please assist me with this on high priority.

Regards
Rajesh

---
Hi all,

I've been doing some work around tightening security on internal and external communications with stronger certificates and removing weak ciphers. Although this is fairly straightforward, I had a problem yesterday that has raised questions, mainly around my understanding.

We have a web server in the DMZ, 2008 R2 IIS. It has an externally signed certificate (SHA256). Scanning the website shows a number of weaknesses around ciphers that are part of TLS 1.0, 1.1 and 1.2.

We have to keep TLS 1.0 enabled because of application compatibility.

Is it possible to disable specific ciphers that are weak rather than disabling the TLS protocol?

---
Hello,

I have a question regarding ROOT CA. What do they mean by root CA? If I have a domain like abc.com and I have an SSL certificate for abc.com, is abc.com the ROOT CA?

---
I would like to set up redirection from a server that hosts a site to a different server that hosts a landing page in IIS.

How do I set up a redirection in DNS and on the new site?

OLD URL: https://abc.domain.com
NEW URL: https://portal.domain.com/Test/Landing

---
I wish I had the screenshot to explain this problem better, but it does not come up on my machine, so I don't. OK, here is the issue. We had an SSL certificate, remote.whistlerbuilder.com, because we used to remotely access our email and files. However, we changed servers and no longer use that SSL certificate. The time came to renew from GoDaddy and we did not renew it because we did not need it. Ever since then, every time some of the people from our office log in to Outlook 365 (desktop), they get a Security Alert message that comes up with regard to an error in the SSL certificate. I do not know how to get rid of this message. I am not comfortable going into root files, etc. Isn't there an easy way to get rid of the error message?

Kind Regards,

Tina

---
Hello,

We have a trusted certificate for our ROOT domain and need to set up a few subdomains. What exactly do we need to do for the subdomains to work properly?

---
Hello,

The vendor who does our security audit expressed concern about the SSL certificate we are using on our websites. They mention that version 3 and TLS v1 are not secure.

I checked; the version of the cert we purchased is SHA-2.

I usually purchase the latest version cert and apply it to my IIS website. Are there additional things I need to do?

Thanks.

---
Hi all,

We have recently upgraded our internal CA to SHA256. We have a number of internal web servers that have SHA1 certificates that are still valid. We are looking to upgrade each of the certificates through a controlled process. My question is: if we renew the certificates on the servers with the new SHA256 and there are any issues, are we able to recreate a new cert using a SHA1 cert?

---
When my sites are in development I have always gotten the IP address from AWS, then accessed them from my browser. But here's an article I would read if there is a secret exposure...

https://www.imore.com/how-edit-your-macs-hosts-file-and-why-you-would-want

I do not take lightly to changing my hosts file, because I do not want to put myself into an unstable condition if I missed something in the directions.

Is there risk to using an IP address to directly access my PC? I assume the biggest benefit is that the site can be kept private from public view, but is there any way in the world that someone could guess that address?

Are the scrapers out there pinging billions of IP addresses?

As far as keeping it private, is it mainly that I can use my real domain name and keep that private? That's not important to me since I can buy the SSL cert and do that before launch. At the moment, I just need to look at the site and test it, so by adding my IP into the browser, does that expose my IP to scrapers?

Thanks.

---
Hi.
Have a SBS 2011 , with Exchange 2010.
Setting up new pc's with Office 2016 that only support autodiscover set-up.
Have a certificate mail.domainname.com.
Made a DNS cname record ; autodiscover.domainname.com -> mail.domainname.com

Autodiscover setup in Outlook now works but gives a warning on every startup (of Outlook),
stating that there is a mismatch between the certificate (mail.domainname.com) and the server it connects to (autodiscover.domainname.com). Which I understand. There is a mismatch.

So, I was hoping to get around this without buying a new multi-sub-domain certificate.

Found a workaround:

#
HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook\AutoDiscover\RedirectServers

4.      Click the Edit menu, point to New, and then click String Value.
5.      Type the name of the HTTPS server to which AutoDiscover can connect without a warning for the user, and then press ENTER. For example, to allow a connection to https://contoso.com, the first String Value (REG_SZ) name would be as follows:

contoso.com
#

here I added autodiscover.domainname.com (and mail.domainname.com + domainname.com, when it didn't work) without any luck.

Outlook works (sends and receives mail) even if I let the warning stay open, but I would like to get rid of it.

- Only 3 PCs connected to the domain.

---
Hi all,
I have just installed a Thawte SSL certificate on my server for one of my websites. It seems set up correctly; however, now the site does not work correctly. It is not a Joomla or WordPress site but does make use of some external assets such as fonts etc. Is this causing the issue?
http://www.jonbysoft.com/   << None secure

https://www.jonbysoft.com/  << Secure SSL

New to this. Any help or advice appreciated.

Kind regards
Abiel M de Groot Sanders

---
I have used

openssl pkcs7 -inform der -in YourFile.p7b -out YourFile.pem

and I have a .pem file. I tried using openssl pkcs7 -in Yourfile.p7b -text -out Yourfile.pem -print_certs

and it is giving an error.

I opened the .pem file and I saw

-----BEGIN PKCS7-----
XXXXXXXXXXXXXXXXXX0SOBLcJPK6QFYY/5KggxAA==
-----END PKCS7-----

What more should I do?

Thanks
---
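For the PKCS#7 question above, an added example (not the poster's code) that does the .p7b to PEM split in Java: CertificateFactory reads a PKCS#7 bundle in binary (DER) or Base64 form, so it takes either the original .p7b or the .pem already produced, and writes each certificate it contains as a separate CERTIFICATE block. The class name and argument order are my own choices.

```java
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Splits a PKCS#7 certificate bundle (.p7b, or the .pem conversion of one)
 * into individual PEM certificates. Usage: java P7bToPem <bundle> <out.pem>
 */
public class P7bToPem {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java P7bToPem <bundle.p7b|bundle.pem> <out.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // PEM bodies are Base64 wrapped at 64 columns with "\n" line breaks.
        Base64.Encoder b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        try (FileInputStream in = new FileInputStream(args[0]);
             Writer out = new FileWriter(args[1])) {
            // generateCertificates() accepts a PKCS#7 bundle in binary (DER) or
            // Base64 encoding, so no -inform guessing is needed.
            int n = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("[%d] subject=%s%n    issuer=%s sigAlg=%s%n",
                        n++, x.getSubjectX500Principal(), x.getIssuerX500Principal(),
                        x.getSigAlgName());
                out.write("-----BEGIN CERTIFICATE-----\n");
                out.write(b64.encodeToString(x.getEncoded()));
                out.write("\n-----END CERTIFICATE-----\n");
            }
            if (n == 0) {
                System.err.println("no certificates found in " + args[0]);
            }
        }
    }
}
```

The subject/issuer lines printed for each certificate show which entry is the server certificate and which are the intermediate and root, which is what you need to know before importing them into a keystore in the right order.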