SSL / HTTPS

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

Hi:

I am a web developer, not a server administrator. Due to unfortunate circumstances at my office, we no longer have staff that manages our servers, and I have been asked to get our server PCI compliant. Good times. The server is running Windows 2008 R2 64 Bit. There were 9 issues and I have resolved 7 of them. I am having a hard time with the last two. I have been reading for the last two days and I am still unclear how to resolve the issues. Hopefully someone here has the missing pieces I am looking for.

The two issues are:

1. SSL/TLS Weak Encryption Algorithms
2. Reflected Cross-Site Scripting Vulnerability

I don't want to oversimplify the solution, but if there's anyone out there who can help me resolve these two items I'd appreciate it. I've included a screenshot of IIS Crypto 2.0 below.

http://awesomescreenshot.com/0046ess867

Thanks for any guidance.
0
Can someone help me to install vsftp Server on Debian with SSL certification?

I followed many guides but no success.

My server can connect locally but after certification install no 21 port from externally.

thanks
0
I have installed SSL certificates on web servers using IIS since 6.0 and I need to install one on a server now before going live, and although users type a URL into a browser to access the webpage and sign in to perform several types of financial transactions, the first thing I looked for was the inet pub folder and there was none. Needless to say there was no IIS of any version and no CSR to submit and no self-installation application to install the cert for me.
Now I'm not sure whether or not the SSL certs I use for our web servers are used for this type of application server and I have no clue as to how to go about installing an SSL cert without IIS. Testing is starting and so far I find that I can't connect, with the reason returned being there is no cert installed in the Root CA Authority store. Can anyone shed some light on this subject for me or at least point me in the right direction so I can get this server secure before going live with it? Any tips on what the differences are between this type of app server and a web server and how to install them on servers without IIS. Thanks.
0
Hello Experts,

Our organization has two separate Active Directory domains (separate forests):
1.      company.local
2.      youthed.local

We have recently implemented a PKI infrastructure using AD CS.  The infrastructure consists of an offline CA (named Company-RootCA).  This CA is not part of any domain or forest.  We have an intermediate CA in the company.local domain that is issuing certificates as expected in that domain.  We would like to implement a PKI solution in the youthed.local domain.  Can my offline CA be the root CA for both the company.local intermediate CA and a youthed.local intermediate CA?

Thanks,
Nick
0
Dear experts, we are building a domain environment for 1 headquarters and several branch offices. We are in HQ and have a Sophos XG firewall which can create both IPSec and SSL VPN connections. But which one is better in terms of security, deployment, and maintenance for an Active Directory environment? Could you please suggest?

Note: the main aims of VPN are joining domain in HQ and access Shared file server
0
I have a virtual Debian web server running apache 2.2.22 with an ssl enabled vhost.  I am trying to disable SSLv3 and no matter what I do there seems to be no change when I rescan the website with Comodo or SSL labs.  I have tried editing:

/etc/apache2/mods-available/ssl.conf
/etc/apache2/sites-available/default-ssl

... by either adding or changing the existing parameters for:

SSLCipherSuite
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -SSLv2

And after every change I run service apache2 restart

I also grep'd the /etc/apache2 directory for those ssl variables thinking they were coming from somewhere else but they are not.

Ultimately I am trying to switch the site over to TLS and dump SSLv3 but I just can't make an impact...
0
Hi All

I am in the process of having Exchange 2003 and Exchange 2010 in coexistence. All configurations have been done. After testing connections I found the error below:
Your connection is not private ERR_CERT_AUTHORITY_INVALID
What do I have to do to get it to work?

We will use the following
outlook anywhere
exchange web services
active sync
outlook web app
ecp
owa directory

Do i have to buy a certificate? If so which one. We will be adding a new domain to our exchange server as well

Appreciate a feedback
0
Hello Experts,

One of my customers is facing a challenge with their security team, who is pushing them to patch all PKI servers on a monthly basis.

The IT department is looking for some sort of documentation on best practices to patch PKI servers [Root Offline, Enterprise sub CAs, NDES, OCSP, and web servers holding the CDP locations].

The idea is to push back their requirements, and come to an agreement to patch each PKI server role only when it is really required or a few times a year without compromising the integrity of the infrastructure and security.

What are best practices to patch PKI servers per role?

What is the impact if one of the servers becomes available after patching?  Please, elaborate your answer

Is there a business case or doc that can be used as a justification to push back this requirement?

Please, provide as much information as you can per server role and service impact

thanks
0
I have a setup with 2 Checkpoint gateways (appliances) in a cluster and a virtual management. I have tried the below both with R77.30 and after upgrading to R80.10 with the same result.

I want to enable the https inspection blade. I have licenses and everything. My computers trust an internal PKI root CA certificate and I have issued an issuing certificate to the gateways without any issues.

When I activate the https blade everything around https on the clients starts to behave strangely. It is very confusing. The moment I turn the blade off again everything works like a charm.

I am fully aware that https inspection takes a lot of fine tuning but I haven't come to that stage yet. Right now, even when I have created a https decryption policy that bypasses *everything* the clients have issues.

In an earlier stage I created a decryption policy only to decrypt traffic from one test-client but the users started to scream instantly. And now I am at a stage where the configuration looks like no https should ever be touched but enabling the blade still breaks user traffic.

As I said above, this is tried both on R77.30 and R80.10.

One thing I have noticed is that the trusted root cert list seems a bit old. The newest trusted root cert is issued 2010! However, the dialogue below the cert list where an automatic update of certs should take place is empty. There never shows up any new trusted root certificates.

At one place in the GUI there is a dialogue with three …
0
Hi,

I have enabled SSL for Tomcat 8 and my website is working fine in Internet Explorer, but in Chrome it is giving me a certificate error.

I am running an updated Chrome version; may I know if I am missing anything?

Thanks,
Vikram
0
Hi All,

I have a web server that needs to host 2 SSL certs that will use 1 public IP address

I have added the certs to the server and added a new entry to the ssl.conf file

<VirtualHost *:443>
 #ServerName www.XXXXXXXX.com
 #DocumentRoot /var/www/site2
 SSLEngine on
 SSLCertificateFile /etc/httpd/conf/ssl.crt/XXXXXXXXX.crt
 SSLCertificateKeyFile /etc/httpd/conf/ssl.key/XXXXXXXXkey
 SSLCACertificateFile /etc/httpd/conf/ssl.crt/XXXXXXXX.crt
</VirtualHost>  

When I restart httpd.conf I get the following message.

Starting httpd: [Wed Nov 15 09:25:05 2017] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

Obviously, it is looking at both certs and as both use Port 443 it goes with the first cert it sees and not the second. What am I missing?

CentOS 6.9
Apache with mod_ssl installed
0
Hi,
I am using this code to display the Response in a new link...
I want the Response in a string.

My Code is :-

void PostMe(Object sender,EventArgs e){
		RemotePost myremotepost =  new RemotePost();
        myremotepost.Url = "http://www.xyz.in/abcd.aspx";
        myremotepost.Add("txtuu", "15470038610");
		
		myremotepost.Post();
	}


public class RemotePost{
			private System.Collections.Specialized.NameValueCollection Inputs = new System.Collections.Specialized.NameValueCollection();


			public string Url = "";
			public string Method = "post";
			public string FormName = "form1";
			
			public void Add(string name,string value){
				Inputs.Add(name,value);
			}
			
			public void Post(){

                System.Web.HttpContext.Current.Response.Clear();

                System.Web.HttpContext.Current.Response.Write("<html><head>");

                System.Web.HttpContext.Current.Response.Write(string.Format("</head><body onload=\"document.{0}.submit()\">", FormName));
                System.Web.HttpContext.Current.Response.Write(string.Format("<form name=\"{0}\" method=\"{1}\" action=\"{2}\" >", FormName, Method, Url));
                for (int i = 0; i < Inputs.Keys.Count; i++)
                {
                    System.Web.HttpContext.Current.Response.Write(string.Format("<input name=\"{0}\" type=\"hidden\" value=\"{1}\">", Inputs.Keys[i], Inputs[Inputs.Keys[i]]));
                }
                System.Web.HttpContext.Current.Response.Write("</form>");
            

0
I have a .PFX file that I'd like to convert to use for Amazon Web Services (specifically in Cloudfront).

I have a pretty good process I use already, using OpenSSL on a Windows Server 2016 machine that looks like this:

openssl pkcs12 -in C:\Users\Desktop\cert.pfx -nocerts -nodes -passin pass:quickie | openssl rsa -out C:\Users\Desktop\cert.key


I have four SSL's I need to generate and three of them worked perfectly. The fourth one generates the following error:

unable to load Private Key
1628:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto\pem\pem_lib.c:691:Expecting: ANY PRIVATE KEY


All of these PFX files are from the same vendor (GeoTrust) and from the same Server (Windows Server 2016). Anyone have a good recipe I could use to get this handled?

Thank you for your help.
0
How to set up two-way SSL authentication (mutual SSL authentication), IIS to IIS?
I did the IIS SSL setup and it works fine (made SSL settings as required).
server1 (IIS) configured to use SSL.
server2 (IIS) configured to use SSL.

Now I want to set up two-way SSL authentication between the two servers (server1 and server2).
How do I configure two-way (mutual) SSL authentication between the two servers (server1 and server2) so that they trust each other?
0
I have followed this guide
https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html
and I have successfully connected to and passed Auth.
*Yes, I did add a rule to allow VPN traffic access to local resources.

When connected to the VPN, I cannot ping my VPN gateway (10.0.0.1), and I cannot ping any local resources (192.168.37.X).
Outside of the VPN I am able to make a connection.

Any help would be appreciated
ty
0
After upgrading my security certificate I am unable to log into the server using Remote Desktop. It seems that the certificate upgrade did not go well using the "Anywhere Access" feature of Server 2012 R2 Essentials. I have tried everything that I know to fix it and no luck. I am now being asked for a PFX file, but the certificate provider doesn't provide those. I am not sure what else to do.
0
Hi,

Specs:
Server 2016
Java (32bit) Version 8 Update 151

We installed Atlassian Confluence on premises and would like to communicate to it using SSL.
Atlassian has a nice manual that we carried out.
We have a wildcard certificate (Comodo) that we wanted to use for this.

So, we created a keystore, imported the certificate (.crt) and pointed the server configfile to it:

<Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
                   URIEncoding="UTF-8" keystorePass="password"
				   keystoreFile="D:\somepath\atlassian"
				   />


Then we downloaded the root and intermediate certificates from Comodo and imported them in the cacerts store.
After that we restarted the Atlassian Confluence service.

We connect to Confluence using this url: https://app##.domain.local:8443

When we use Chrome we get an: ERR_SSL_VERSION_OR_CIPHER_MISMATCH error
When we use Firefox we get a: …
0
We have some network equipment inside our network (on private IP's) of which we log into often enough that we wish to get rid of the SSL error warnings by way of a trusted certificate on them.

It's been years since I last did it with Windows Server 2003/AD,

I remember that a root CA needs set up and that any computers accessing the signed child certs need the trusted root CA cert installed.

For our routers and anything public we have LetsEncrypt and issued via Linux, however obviously we can't do this internally as such (too messy having a FQDN for internal IP's).

Any info pointing to what could assist us would be appreciated.
0
How to install SSL Certificate for bitbucket? Any pointers?
0
Hi,

I have configured SSL in Tomcat and I am able to access the server using https.

But I am getting the certificate error. I have created the below files to resolve the issue.
1) keystore.jks
2) tomcat.keystore
3) xxxx.csr

From the certificate authority I have created certnew.cer and certnew.p7b.

I opened certnew.p7b and used the sub and root certificates to create root.cer and root1.cer. Basically I converted the root certificates' format to Base64-encoded X.509.

Then I used the below commands to send the two certificates to the keystore.

keytool -import -trustcacerts -alias Root -file "D:\XXXXXXX\root.cer" -keystore "D:\xxxxxxxx\tomcat.keystore"

keytool -import -trustcacerts -alias Root1 -file "D:\XXXXXXX\root1.cer" -keystore "D:\xxxxxxxx\tomcat.keystore"

Then I merged the server certificate by using the below command:

keytool -import -trustcacerts -alias biuser -file "D:\XXXXX\certnew.cer" -keystore "D:\xxxxxx\tomcat.keystore"

I have modified my server.xml file in Tomcat as attached. (PFA)


I got a message that the certificate key was installed to the keystore, but I am still getting the certificate error.
0
Hello everyone,

Been beating my head against the wall about this for a little bit, and other venues I've tried weren't able to provide a lot, partly due to my lack of knowledge.

We have internal DNS for ourcompany.com hosted on a Server 2012 machine, as well as public DNS for ourcompany.com hosted at GoDaddy. It seems that in the last couple months people have been having issues getting to some of our subdomains pointing to external parties, for example mail.ourcompany.com points to outlook.office365.com. Chrome seems to be the biggest offender when having issues. It seems the browser is looking for the cert for outlook.office365.com, but recognizes that it's coming from mail.ourcompany.com and obviously sees that they're not the same thing.

We only recently added the ourcompany.com forward lookup zone to our internal DNS, and it works fine off-network, so I don't know what I'm doing wrong with our internal DNS to get it to work properly.

Some have suggested pointing the DNS record(s) to an IIS box and do http redirect, rather than having DNS just point straight to the 3rd party.

It also seems that clearing Cached Images and Files in the browser clears up the problem for a few days, but I feel like there's gotta be a better solution than clearing cache via GPO.

Does anyone have any suggestions?

Thanks so much!
0
We have a web server hosting Certsrv (ADCS role). Delegations have been made for the FQDN and the server name (NetBIOS name), and now it is working fine with https://FQDN/certsrv

However, by calling the IP address, i.e. https://1.2.3.4/CertSrv, it is not working. So I just want to know: can we delegate an IP address for GMSA?

After some googling I found this article, which clearly shows Kerberos does not support IP addresses, as it is normal behavior:
https://support.microsoft.com/en-ca/help/322979/kerberos-is-not-used-when-you-connect-to-smb-shares-by-using-ip-addres
0
Currently we are having sts.federationdomain.com; the client is asking to set up adfs.federationdomain.com.

Is there any chance to add this, or do I need to reconfigure it from scratch with the new name?
0
Many Google results on the topic but haven't found an explanation that works for me.  Default ssl.conf has a reference to the server's self signed cert  - SSLCertificateFile /etc/pki/tls/certs/localhost.crt.  Vhost conf has a similar references for the vhost specific cert.  This vhost cert has the alternate names for mydomain.com, www.mydomain.com and subdomain.mydomain.com.  

The server and SSL appear to work without the ssl.conf file. However, that seems like a good place to set up ciphers so that my subdomain can inherit from a common configuration. If I comment out the localhost cert, Apache won't restart. Assuming my vhosts are set up something like the following, how do I get Apache to use the vhost cert instead of the localhost cert?

<VirtualHost mydomain.com:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/mydomain.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mydomain.key
    SSLCACertificateFile /etc/pki/tls/certs/mycadomain.crt

    ServerName mydomain.com
    ServerAdmin admin@mydomain.com
    DocumentRoot /var/www/mydomain/public_html
    ErrorLog /var/www/mydomain/error.log
    CustomLog /var/www/mydomain/requests.log combined
</VirtualHost>
0
I had this question after viewing Replacing certificate on Exchange 2010 with wildcard cert.

Team, I have a cert that is due to expire in the coming days. I was given a new wildcard cert, but I am not sure how to renew or replace the one that is set to expire soon...

Question - Do I simply highlight the cert that is expiring and select Renew Exchange Cert? Or do I import the new cert and then assign the services that the old cert had to the new one? The new certs I was given end in CRT... Thanks for any help you can provide.
0