SSL / HTTPS

8K Solutions, 10K Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

Attached is an SSL scan report (by Qualys) of 2 portals:

a) will such deficiencies flagged by Qualys be flagged by a blackbox pentest as well (tester is using Nessus Tenable)?

b) for the items highlighted in yellow, if we place a WAF & CDN in front of the portal, can the items be remediated?
    I heard F5 WAF could 'block' off SSLv3, TLS1.0 & 1.1 as a way of mitigating but what about the weak ciphers etc?

Have a Checkpoint NIDS as well if this is of any help.


We can obtain a fresh cert if needed  but concerns are:
a) we don't plan to change the A10 loadbalancer (that's used for the 2 portals): understand a number of what's flagged is due to this A10 LB
b) the applications team can't amend the codes within the short term (but we have only a couple months to remediate)
SSLabscanJ2.docx
0
Hi folks, how do I get IIS web server up & serving a page quickly. I just need it to serve up a 'restricted content' warning page for my domain users when they try to access YouTube which I have redirected to my internal IIS server using DNS. Unfortunately to do so seems to require a PhD in SSL certificates. Seems way too complicated for the benefits. Can I just disable HTTPS functionality on the IIS server or should I persevere to enable it - I'm guessing this requires the certificate from the IIS server to be installed on all domain machines via group policy?
Currently all machines are able to get through to the IIS server, but not without a 'your connection is not private' warning like the one here - https://goo.gl/images/7y8vB6
Thanks in advance.
0
Exchange 2010 HTTPS issues...communications issues started on the same day with various services we use internally and externally:

** OWA Seems to be working normally again. [OWA - login page shows secured, but after login, address bar shows only partially protected or not protected at all.]

Shoretel/Mitel phone client - shows error message at bottom of client application. Cannot connect to Exchange server "email.domain.com".

Outlook 2013 client Out of Office - does not work. "Server is unavailable".

3 MAC Sierra users - cannot connect to server errors when using either Outlook 2016 or Apple Mail.

Mail archiving system - Exchange mailbox archiving jobs failing. Varying messages from logs show "The remote server returned an error: (503) Server Unavailable", "Microsoft Exchange Server returned an unexpected HTTP error code (EWS 503)", "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel",  "The remote certificate is invalid according to the validation procedure", “Unable to connect to Microsoft Exchange Server. Details: The SSL/TLS certificate verification failed.” or “While logging on to the Exchange Server, an unexpected status code (302) was returned”

Cannot ping "email.domain.com" or "autodiscover.domain.com". ICMP fails on both.

Also, Exchange server has a third party extended validation certificate that is valid until 2019 and has IMAP, POP and IIS services assigned to it. Outlook Anywhere works …
0
Hello experts,

I have a 3rd party vendor and they are asking me to send them a PGP public key. They want to transmit the file and encrypt it using this public key I should be providing them, and they sign it with a file that is a *pgp_public.asc file; they sent me the file.

My question is how to generate a PGP public key, and what do I do with this file that they are using to sign the files? What is the process of viewing this file after receiving it from the 3rd party?

Thanks,
0
Binding new SSL certificate to WServer 2012 problem.
I built the request per:
https://www.digicert.com/util/csr-creation-microsoft-servers-using-digicert-utility.htm.  Handed the request off to our infrastructure team where they purchased the new SSL.  The Team has sent me the new SSL certificates where I renamed appropriately from a .txt extension to a .cer extension.

I have two test servers (and two prod servers) I need to update the SSL certificates for.   I have followed the steps outlined in this document for installing the SSL certificate:
https://support.comodo.com/index.php?/Knowledgebase/Article/View/1159/37/certificate-installation-microsoft-iis-8x


I can see on the server IIS where the certificate has been updated to 10/9/2020 in the Server Certificates; however, if I look under the padlock on the client's URL, the expiry date is still set for:  10/24/2018.  How do I propagate this out to the client?  This is the first time I've done this, and I have four 2012 servers to update ASAP.  Any guidance would be appreciated.
0
Recent PCI standards require that TLS 1.0 no longer be used to secure data communications. PCI standards ensure that customer payment details are secure. This article will help to disable TLS 1.0 and enable newer versions that meet PCI standards and website compatibility.
5
Set up Plesk with SSL but won't automatically display https:
0
Summary
HTTP Error 401.2 - Unauthorized
 You are not authorized to view this page due to invalid authentication headers.

Some new users to my web site cannot log on due to 401.2 and 401.1 errors. Other new users connect without any issue. Users have the DoD CAC smartcard and they are valid for logging into their workstations. All the certificates point to the same root authority, DOD Root 3, but have different intermediate certificates which are DOD CA 38 to DOD CA 51. Users with intermediate certificates numbered 48 or higher get the 401.2 error and cannot log in.

I assume the problem is the more recent intermediate certificates are not installed or configured correctly. I installed the most recent certs from the cert authority using their tool, InstallRoot.exe. MMC confirmed the intermediate certs are in the Certificates (Local Computer) -> Intermediate Certification Authorities -> Certificates.

The server uses the Axway tool to validate certificates. In the Application Event Log for the attempt, it said "Revocation Status: Good" so I assume my OCSP and its cache are set up correctly.

After every 401.2 error is a 401.1 error. The sc-win32-status for the 401.1 error is -1073741715. Is that number significant?  

The detailed configuration description:


I am using IIS 7.5 on Windows Server 2008 R2. I set up the web server and the web site to require a smartcard to open the web site. To that end I set up iisClientCertificateMappingAuthentication …
0
3rd party SSL install on Windows server 2012 to enable LDAPS

Hello experts,

So I need to install a GoDaddy SSL cert on my Windows server to enable LDAPS. I was about to purchase the cert when the GoDaddy rep told me that SSL certs can't be installed on a .local domain (mycompany.local) anymore; apparently it was possible years ago.

He told me the workaround is to bind the FQDN to the DC by creating a .local subdomain in a public domain... From what I understood I need to create a .local subdomain in my company's public domain (local.publicdomain.com). I get that part; what I'm confused with is the binding of the DC to the subdomain. Does it mean creating a DNS zone for the subdomain and creating a record?

The other solution would've been to have my internal domain with something other than .local but it's a production environment and can't change that.

So can anyone please shed some light on the binding part? Also, am I correct in my assumption of creating a .local subdomain in my public domain?

Thanks in advance.
0
Website not accessible. I have a website hosted on Godaddy.com and working, but the site is not accessible internally. nslookup finds the IP of the server and resolves the name, and I am able to ping the server. No problem externally. I checked DNS and it seems to be working. Refreshed the DNS server and cleared the cache on DNS. Local domain is domain.local and the website is domain.com. DNS forwarder is set to ISP and resolves it correctly. Any idea?
0
What are the steps required to change an IIS hosted website from HTTP to HTTPS?
0
security scan finding: "SSL Medium Strength Cipher Suites Supported (42873)" error on 2012 R2 / Win10 seems to be port 3389/TCP.

I've seen a solution using https://www.nartac.com/Products/IISCrypto/ but I have a secure environment and I'm not sure about using this product.
I've enabled the GPO 'SSL Cipher Suite Order' setting in admin templates / network which doesn't seem to have anything below 112bits and I've removed DES and 3DES.
Is there another or manual fix for this?

thanks
0
we have a security certificate to cover our domain name, which we have added to our mail server.

however, we also have a website which is hosted by a third party, and it cannot be accessed using https://www.domainname.co.uk

can we use the same certificate that we use for our microsoft server to cover our website too, or do we need to purchase another one?

how do we add the certificate to our website?

if anyone can offer any guidance, we would be much obliged.

many thanks
0
Does trusted email domain require its own ssl cert on the exchange server?

- Domain A has been set up and working for years
- Domain B as a re-brand effort was added to Exchange 2010.
- All emails still route to the server name for Domain A [mail.domaina.com]
- Receiving certificate issues and warnings when loading Outlook into the new email address for Domain B.
- A portion of Sent emails are being bounced or captured in external recipient's junk/ spam.
- I'm assuming a certificate needs to be installed.

Can I add a certificate for the trusted domain to this server to resolve the cert warnings?
0
NEED HELP!  We have an email address of bshoward@contoso.com but all our emails resolve to contosoexc.us.  Thus we are trying to get autodiscover to work and have SSL certificate for all of contosoexc.us.  How do I set this up to work... trying to implement MS Dynamics CRM and it will not sync.  We have tried all the help options and also contacted a local exchange expert and no solution.  What do I need to do to get this working?  The impersonation is working for the account we setup, but this is a DNS or certificate error. Not sure...
0
I am hosting a couple of web sites on a couple of Linux boxes and OWA on a Windows box in my office. Currently http is forwarded to Host_W and https is forwarded to Host_M.  Host_W serves pages for www.site-m.biz, www.site-d.net, and www.site-f.com while it forwards requests for host_l.site-s.org and www.site-s.org to Host_L. The current structure looks like this:
 
Current Config
What I want to do is forward both http and https to Host_W while serving the same three sites and forward https requests for mail.site-m.biz to Host_M and requests for site-s.org to Host_L. The structure would look something like:

Desired Config
 I have attached sanitized copies of what I think are the relevant config files.
 
The port forward is not a problem, simple change on the firewall. Installing a Let's Encrypt certificate on both Nginx and Apache2 is heavily documented and a GoDaddy certificate for mail.site-m.biz is already installed on Host-M.

What I don't have a handle on is the changes needed on the Apache2 on Host_W. I think it would be just to add something to the site-m.biz.conf like (and something similar to site-l.org.conf):

<VirtualHost *:443>
        ServerName mail.site-m.biz

        SSLEngine On
        SSLProxyEngine On
        ProxyRequests Off
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLInsecureRenegotiation on
        SSLProxyVerify none
        SSLVerifyClient none
     

0
Hello,
I have pfSense; it works as a firewall and IDS/IPS with Snort.
Is there any way to check the URLs that the clients have visited? I want the HTTPS links.
thanks.
0
Hi guys

How do you give someone the private key for the SSL certificate but un-encrypted? I don't get what they are saying.

I've got a Windows 2008 R2 web server that I created the CSR onto. Then I got the certificate from the provider and have applied the certificate to this to complete the request.

My colleague needs the private key. I exported it as a .PFX file, but when you do that, it is password protected. He needs it un-encrypted.

Do you use the MMC console to do this and then export it as a .CER file? Will that be correct?

Cheers
Yashy
0
I need straightforward information on SSL Off-loading and Visibility.  Vendor documents and white papers lean too much to their product.  I have F5 10350v-f load balancers that have SSL and am trying to decide between Local Traffic Manager (LTM) and SSL Orchestration which is more money.  My client is not sure what they want so I have to come up with something.  The 10350s sit in front of a DLP, with only two feeds coming to them so I don't think it should be complicated.  So the question with F5 10350 is which level of SSL decryption I should use.

On a separate program I am dealing with Gigamon and Ixia packet brokers that will be routing to SSL decryption services as well.

Bottom line, I just need objective definitions and comparisons when it comes to SSL offloading vs SSL visibility vs SSL orchestration, etc., and in other SSL applications.

Thanks
0
Dear Sir,

My company has WebLogic 11g installed on Windows Server 2008 R2. The SSL certificate on the web application will expire in October. I have the renewed SSL certificate on hand. I don't know how to import the SSL certificate into the JKS keystore and apply it on the web application. PLEASE HELP.

Thank you.

With regards,
Wataw
0
Hi guys

I am going to be buying a multi-EV domain SSL certificate. This domain will have quite a few sub-domains. When I want to create the certificate request on the server, in the common name section, do I just put in the domain name only? So would I put 'contoso.com'? And not '*.contoso.com'. I assume I would only put an asterisk if it was going to be a wildcard SSL, right?

Thanks for helping
Yash
0
I had this question after viewing Locating ClientCertificate to use in WinHTTP.

Similar question: when using the SetClientCertificate property on a WinHttpRequest, I receive a "Certifcate is required to complete client authentication". The certificate has been created successfully, and appears in the Certificate Store under Console Root -> Certificates (Local Machine) -> Personal -> Certificates.

The Issued to is ABC Certificate, the Friendly name is ABC

The parameters I am using are as follows:

myMSXML.SetClientCertificate "LOCAL_MACHINE\\Personal\\ABC"

I've tried ABC Certificate etc... tried putting the certificate in different stores, tried a number of other things, but still getting same message returned.

How did you go with your problem referencing a certificate in the Cert Store?
0
Dear Experts, I'm testing SharePoint 2016 on-premises. I tried to share the document like in these screenshots, but the user it was shared with COULD NOT receive any notification email of this sharing. I was logged in as SharePoint Admin and it has a functional mailbox account. How can we fix it?

sp1.png
sp2.PNG
I also CANNOT share it with external user???

sp4.PNG
One more thing, I'd like to redirect the http: site to the https: site in SharePoint but I could not configure it. I tried 2 methods but they both did not work!

1. Add both http and https links in default zone of mapping site

2. Add redirect http in IIS management


 sp3.PNG
0
For Citrix NetScaler, I need .pfx SSL certificate. But I received .cer SSL file. To convert this CER file to PFX, I have followed below process.
Opened Certificate MMC --> Imported the CER file in PERSONAL\Certificate --> Export
When I try to export from within the CA, I don't get the option "Yes, export the private key", and in the export file format "Personal Information Exchange - PKCS#12 (.PFX)" is greyed out.
Please suggest.
0
Windows Server 2008R2 Standard running Exchange 2010.

Error message "certificate authority is invalid or incorrect". This has happened a few times now. This particular message came up when running a downloaded file from Ninite.

Can access the site no problem, and then download the installer. When we run the installer we get the above message.

Our monitoring software has also stopped communicating with the server. When we look at the logs we can see:
error code 0x00002f8f - ERROR_WINHTTP_SECURE_FAILURE 12175

We have updated Windows, and checked the certificate which looks OK.

We recently installed a wildcard certificate, which is showing in IIS with the correct expiration date. Date and Time on the server is also correct.

Any ideas what I can look at as so far what I have checked appears to match up to the other servers the client has onsite.
0
