# SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

We have a small java program that connects to an Oracle (11.2.0.4 Windows) DB. There is a jks file that has the certs in it (4096 key size). When we try to connect we get:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA

If I make changes to entries below in the java.security file in Java:

jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms

and remove MD5 and MD5withRSA parameters it works. From what I've read this is supposed to be an issue in JRE 7.4 and above but it is only supposed to happen when they key length is 1024 or less. Not sure why it's happening with a 4096 key length cert.
0
All

We have a requirement where we need to build a WCF service which can make outbound calls (as client) to backend services which requires 2-way SSL (mutual-authentication).

We have been trying this with no luck. It works with 1-way SSL (WCF as client), but when we set the backend services to require 2-way SSL, the handshake failed at the point where WCF is supposed to send its certificate to the backend service, but it doesn't.

Any one has experience doing this? Any clues of what the problem could be will be much appreciated.

Best Regards
Charles
0
I have a 2012 R2 IIS 8.5 Server that is running a web site for the application Kaseya.  I am trying to lock it down so depreciated ciphers are disabled and I would like to reorder them in a more secure fasion.  I have attempted to make the changes to the schannel key in the registry (didnt Work).  I have used Narcos IISCrypto and I have ran Powershell scripts to try and recreate all my keys.  I also used group policy to decide the cipher order.  Nothing has worked.  No matter if I have every cipher disabled or even protocol, they still show that they are in use.  I am scanning the server using Qulays ssl scan.  Has anyone ever ran in to this issue?  I have had no problem doing this on other application web servers in my organization, but this one seems as if the protocol and ciphers settings are hard coded somewhere other than the registry.  Any ideas would be greatly appreciated.  I'm wondering if the web application is forcing it somehow and my registry settings have no effect.  I just have never seen this happen, nor can I find any reference on the internet.    Just so everyone is aware, I have restarted after making the reg changes.  Unfortunately, the same protocols and ciphers are always enabled.
0
I'm trying to configure SSL(https) for tomcat 8 and have done below steps but still its not working

1) Create the keystore file using

keytool -genkey -alias myservername -keyalg RSA


2) Generated CSR as below

keytool -certreq -alias myservername -file C:\tomcat_ssl\local_machine\test.csr -keystore C:\tomcat_ssl\local_machine\test.keystore


3) Then we had Generated the Certificate and then imported the chain certificate and certificate as below

keytool -import -alias root -keystore C:\tomcat_ssl\local_machine\test.keystore -trustcacerts -file C:\tomcat_ssl\local_machine\srv_chain.cer


keytool -import -alias myservername -keystore C:\tomcat_ssl\local_machine\test.keystore -file C:\tomcat_ssl\local_machine\srv_main.cer


4) Finally Did the changes in tomcat server.xml as below

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\tomcat_ssl\local_machine\test.keystore" keystorePass="123" keystoreAlias="myservername"/>


Restarted the tomcat and its not working and showing below screen

In tomcat logs it's not showing any errors and also i have tried other options like keeping cipher tag in connection, Enabled TLS 1,2,3 , changing https port etc no avail.

Also i have tested the https port 443 and it's showing as listening when i netstat. Any idea why this is not working
0
Hello,

I had tomcat configured to redirect any requests to HTTP to redirect to HTTPS. This was functioning well until we had to do a DR restore of the DEV application. Now, HTTP does not redirect, but HTTPS works fine. I have compared the web.xml and server.xml configurations between our DEV and PROD installations, and found no differences. Below are the sanitized versions of the config:

Server.XML
<Connector port="80"
connectionTimeout="20000"
enableLookups="false"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="443"
acceptCount="100"
bindOnInit="false"/>

<Connector port="443"
enableLookups="false"
acceptCount="100"
scheme="https"
secure="true"
SSLEnabled="true"
clientAuth="false"
sslProtocol="TLS"
keyAlias="DEV_ALIAS"
keystoreFile="L:\ocation\to\keystore.jks"
keystorePass="supersecretkey"/>


Web.XML (this code is entered after all of the servlet-mapping, and before filter-mapping)
security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>


Any idea why this might be failing?
0
This issue only happens on Android phones.
We have an internal website which uses self-signed user certificates for authentication.
When a user connects to the website for the first time, chrome prompts them which certificate they want to use. Even though there is only one certificate to choose from.
Usually, just choosing once is enough until the user either turns off the phone or ends the chrome process. But some users say they still get prompted multiple times.

Is there a way that Chrome can be set to automatically use the user certificate installed on the phone so the user does not see this prompt?

We have an MDM solution that automatically installs the certificate on the phones - that part is not a problems. I asked them if they had a solution but their only response was to use their MDM browser instead of Chrome.
0
I have a Debian server with about 15 websites running fine. I added a new website and that is too running fine. However, I also want to add a ssl connection for this website, but whatever I try Apache refuses to show the website. It just shows the default debian page. I allready tried replacing the default ssl file with the file for the website, but then I get a ssl protocol error. Apachectl shows no errors, so do the logs. If I make an error in the config file apachectl gives an error, so the conf file is read by Apache. I've been figuring this out for hours, but I am completely stumped now.
0
I'm trying to enable certificate authentication in ADFS 3.0. I've deployed a client authentication certificate. I've enabled certificate authentication as a primary method of authentication for both extranet and intranet. When I attempt to log on, I click on the "sign in using an X.509 certificate link"  but I do not get a prompt to select a certificate and nothing happens. There is no firewall between the client and ADFS server.
0
This TLS issue will belongs to SSL certificate or any changes we need to update on our server. Please assist me on this on high priority .

Regards
Rajesh
0
Hello,

I have a question regarding ROOT CA ?  What do they mean by root CA ?  If I have domain like abc.com and if I have SSL certificate for abc.com,  is abc.com  ROOT CA ?
0
I wish I had the screen shot to explain this problem better, but it does not come up on my machine, so I don't. OK: here is the issue. We had an SSL certificate: remote.whistlerbuilder.com because we used to remotely access our email and files. However, we changed servers and no longer use that SSL certificate. The time came to renew from GoDaddy and we did not renew it because we did not need it. Ever since then every time some of the people from our office log in to Outlook 365 (desktop), they get a Security Alert message that comes up with regards to an error in the SSL certificate. I do not know how to get rid of this message. I am not comfortable go into root files, etc. Isn't there an easy way to get rid of the error message?

Kind Regards,

Tina
0
Hello,

We have trusted certificate for our ROOT domain and needs to setup few subdomain.  What exactly we need to do, in to subdomains to work properly?
0
Hello,

The vendor who does our security audit express concern about SSL certificate we are using on our websites.  They mention version 3 and TLS v1 are not secured.

I check the version of the cert we purchase is SHA-2.

I usually purchase the latest version cert and apply it to my IIS website.  Are there additional things I need to do?

Thanks.
0
Hi all,

We have recently upgraded our internal CA to SHA256. We have a number of internal webservers that have sha1 certificates that are still valid. We are looking to upgrade each other certificates through controlled process. My question is, if we are to renew the certificates on the servers with the new SHA256 if there any issues are we able to recreate a new cert using a SHA1 cert?
0
i have used

openssl pkcs7 -inform der -in YourFile.p7b -out YourFile.pem

and i have ,pem file, i tried using openssl pkcs7 -in Yourfile.p7b -text -out Yourfile.pem -print_certs

it is giving error.

i opened the ,pem file and i saw

----BEGIN PKCS7-----
XXXXXXXXXXXXXXXXXX0SOBLcJPK6QFYY/5KggxAA==
-----END PKCS7-----

what more should i do.

thanks
0
I have used 3 set of codes(where I used Indy10.6.2 component), which doesn't show any errors, but i can't able to send SMS through the code. Please help me to send me the Sms through Delphi code

The code which I used is...

const
ResponseSize = 1024;
var
hSession, hURL: HInternet;
Request: String;
ResponseLength: Cardinal;
begin
hSession := InternetOpen('TEST', INTERNET_OPEN_TYPE_PRECONFIG, nil, nil, 0);
try
hURL := InternetOpenURL(hSession, PChar(Request), nil, 0,0,0);
try
SetLength(Result, ResponseSize);
SetLength(Result, ResponseLength);
finally
InternetCloseHandle(hURL)
end;
showmessage(result);
finally
InternetCloseHandle(hSession)
end

var
http : TIdHTTP;
IdSSL : TIdSSLIOHandlerSocketOpenSSL;
begin
http := TIdHTTP.Create(nil);
IdSSL := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
try
Http.IOHandler := IdSSL;
IdSSL.SSLOptions.Method := sslvTLSv1;
Http.Request.BasicAuthentication := True;
// IdSSL.SSLOptions.Method := sslvTLSv1;
…
0
Hello, I'm using this component to make my system and I came across a problem when sending a post to a certain form where I have to post a captcha code, simply by sending the post to that url, the html returned is like a one GET, because the error message does not come informing the wrong code, it simply does not post the information, I only have a problem on this page, all the others managed to work, get it and posts, I need help in this part!
0
I have to write a Node.JS application that connects to a remote server.  The remote server has a login manager that authenticates my session then spawns a separate process to handle the rest of my session.  The way that works is that I have to make a non-SSL network connection to the login manager and do an initial unprotected handshake.  The lets the client and server negotiate if they will be doing SSL or plain text communications.  If SSL then I need to elevate my socket to an SSL socket, send my login and password along with some other initial information, then get a success of failure message back from the login manager.  If success then I know the login manager is starting a new process and handing off my open socket connection to that new process.  Since the server can't pass the SSL context it de-elevates the SSL connection and runs a program passing it the non-SSL open socket.  Then the new program creates it's own SSL context on the open socket. So in my Node.JS code I need to close the SSL socket but leave the raw socket open.  The new program will send me a success message when it is up and running at which time I need to re-elevate my open socket to SSL again.

My question is how can I close an SSL socket leaving the raw socket open so I can continue to use the raw socket and then re-elevate it to SSL again?
0
I need to see the DNS resolution requests of my applications audited and if necessary modified before being sent. I suppose the easiest would be a local resolver that would review my requests before forwarding them to the resolver of my ISP? Another way would be to monitor and be able to override UDP/53 traffi (something I have no clue about). Is there an open source I could use?
Also, I would need this on all OS.
How would you do that? Or would there be a free solution that exists?
Need: support of iDNs as per RFC 5895 for the wole machine (transparent to applications), management of variants, parental control, typos correction. Etc.
Thank you!
0
I am attempting to load new SSL certs into my Tomcat Server. I was successful in creating a new KeyStore and CSR. before I import the certs I was able to browse to my site internally via the correct port. However, after successfully importing the certs in the Keystore I am unable to browse to the site. I am new to Tomcat and would appreciate any assistance.

Thanks.
2017-05-23--1-.png
2017-05-23.png
0
I have 1 website with 1 IP in IIS using both port 80 and port 443. I own 2 wild card certs, one for the external address (@mycompany.com) and one of the internal address (@inside.mycompany.com)

Current SSL certificate that's tied to port 443 is using the external Cert. And the website is reachable external via SSL without issues.
Internally we can reach the website using http on port 80 with the FQDN and that works fine

Management wants SSL applied to the internal web site instead of using http. One method I thought of was to add an additional IP to the website. In Local DNS add a new host name pointed to that IP. Bind the internal Cert to the IP on Port 443. Everyone goes to the website using the new FQDN. To get to the internal Site they using the new FQDN. The concern I have with this approach is that the server still has 2 IP's and local DNS will reflect that. If anything anywhere references the FQDN of the server they could end up getting an error or the wrong item displayed. I

what other options are there?
0
I have setup an Apache web-server to request client certificates and I need to revoke some of the client certificates. Removing them from the client machine is not an option so I need to revoke them from the server so it does not see them as valid.

I'm trying to use the command :

openssl ca -revoke /etc/ssl/certs/client123.pem

where client123.pem was a certificate validated by the web-server (where the ca was configured).

Thanks
0
Does any one know how to disable sslv3 and activate TLS1,2 for a cisco switch catalyst

I searched for a very long time but i found nothing
0
Just renewed a standard ucc SSL.  I want to add it to our on premise Exchange 2010.

Question:

1. What are the steps to remove the old SSL in our Exchange (still in use as of now) and add the new SSL?
0
Hi all,

Since Apple decided to stop allowing PPTP, we had to reset our VPN server to use SSL / SSTP. I have set up the server as per the guidelines from Microsoft, however I am unable to connect to the server. I get the following error message: The revocation function was unable to check revocation because the revocation server is offline. I have checked all the services on the server and everything seems to be up and running. In the event viewer I get error 18:

The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again.

The system cannot find the file specified.

I do not know which file it is looking for.
0

# SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.