SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.


Hi

We have Exchange 2007 server onsite and now planning to move to office 365 and I would like to go with the Hybrid Environment.

I ran the Exchange Deployment Assistant and on the document it says I need to configure Outlook Anywhere on our on-premises Exchange Server (because the email migration service uses RPC over HTTP).

Currently staff use OWA 2007 from outside through https://mail.myorg.co.uk. For this I procured the SSL from Trustico
The document says that I must use a certificate issued by a trusted certification authority (CA) with your Outlook Anywhere configuration.

So do I need to procure another SSL certificate to set up Outlook Anywhere? Bit confused here.
Please let me know how to go about it.

Any help will be great.
Thanks
0

I have a unique situation. The legal department from my employer is requiring that I get a signed "Attestation of Compliance" document from my service provider.  I have a dedicated server in which my host is basically providing me the hardware, but all set up, security, user accounts, etc. are under my control.

The host is saying they won't sign an AOC because the only thing they control is the physical access to the machine (Items 7-10 of requirements). That makes sense to me. Why should they put themselves at risk for compliance when I have most of the control of vulnerabilities on the server.

Does anybody know of a hosting provider that would in fact provide an AOC for a service provider? Or of a work around for this?

Thanks.
0
I recently upgraded to a new SSL certificate. My old one used to include both the www and naked domains (e.g. https://www.chloedog.org and https://chloedog.org). But the new certificate only includes the naked domain.

I'm trying to use a .htaccess redirect so that both are accomplished in one pass.  I've tried a few different things and none work.

The most recent was:

RewriteEngine on
# First pass: send any www.* host to the naked domain over HTTPS
RewriteCond %{HTTP_HOST} ^www\.
RewriteRule ^(.*)$ https://chloedog.org/$1 [R=301,L]
# Second pass: upgrade any remaining plain-HTTP request to HTTPS
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}



With the above, the following happens:

http://www.chloedog.org?129  - Works Fine
http://chloedog.org?129 - works fine
https://chloedog.org?129 - works fine
https://www.chloedog.org?129 - I get an "insecure connection" message.

Can you tell me what I'm doing wrong? It is like it looks for the certificate before doing the redirect.
0
This is the first time I'm setting up a domain that doesn't have a .local extension internally. The reason behind it is that I need SSL certificates for several internal applications to communicate with each other and they don't support self-signed certificates. Also I figured I would get with the times and stop using deprecated namespaces...


So here is what I did:

1) Purchased a regular .com TLD
2) Purchased a wildcard certificate from the provider so I can configure as many subdomains as I need
3) Set up the internal domain as subdomain.topleveldomain.com
4) Installed the certificate in IIS on one of the internal servers
5) Exported the certificate and imported it into the DC (https://technet.microsoft.com/en-us/library/dd941846(ws.10).aspx)
   5.1) I tried putting it in the local computer personal store and that didn't work
   5.2) Tried placing the certificate into the NTDS\Personal store and that doesn't work

The way I'm testing is simply by launching LDP.EXE and trying to connect using ssl on port 636 just like this:
AD SSL Install

I'm testing on the same local domain controller and tried a fqdn, as well as just the name, and even tried localhost, but I always get this:

ld = ldap_sslinit("servername.topleveldomain.com", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connection(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to servername.topleveldomain.com
0
Hello,

Trying to create a Site to Site between our TZ215 and Azure:
VNET1 - Address Space = 10.1.0.0/16
        Subnet range  = 10.1.0.0/24

GatewaySubnet = 10.1.1.0/24

Virtual Net Gateway = VPN
                    = Policy-based
                    = VNET1
                    = VNET1GWIP (created Public IP)

Local Net Gateway = RP_OFFICE
                  = Public IP address of SonicWALL
                  = 192.168.250.0/24 (LAN network on SonicWALL)

Connection = Site-to-Site (IPsec)
           = Virtual Net Gateway
           = RP_OFFICE
           = Shared key that matches what's configured in the SonicWALL

SonicWALL:
General Tab   = Site to Site, IKE using Preshared, IPsec Primary = Public IP of Azure, IPsec Secondary = 0.0.0.0, Local & Peer IKE ID = IPv4 address
Network Tab   = LAN Subnets, Azure LAN network
Proposals Tab = Main Mode, Group 2, AES-256, SHA1, 28800, ESP, AES-256, SHA1, 3600

Seeing the following in the SonicWALL log:
  SENDING>>>> ISAKMP OAK INFO …
0
Windows 2008 R2
Tomcat 8.0.33

Trying to create SSL and install from a CA:
Step 1.
"%JAVA_HOME%\bin\keytool" -genkey -alias ecwinttomcat -keyalg RSA -keystore c:\ecwint.keystore
NO Password, hit enter.  
Step 2.
 
"%JAVA_HOME%\bin\keytool" -certreg -keyalg RSA -alias ecwinttomcat -file c:\ecwint.csr -keystore c:\ecwint.keystore

Get Error about -certreg illegal operation.
Cannot convert to a csr.
0
Hi, I'm doing an HOA site for a friend. (home owners association, for a condo).

I'm using wordpress so that they can update the site easily.  He wants a section where owners log in and can see content that others can't see. I have an SSL certificate, but I'm not sure how to go about this.

We don't need the whole site secured; we just want an Owners Only login that leads to the secure pages. Thanks for your experience!
0
I am trying to access a website through a proxy server. I am using HttpClient.

This is the code which is working fine:

import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.UsernamePasswordCredentials;
import org.apache.commons.httpclient.auth.AuthScope;
import org.apache.commons.httpclient.methods.GetMethod;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Properties;

public class Working {
    private static String PROXY_HOST = "proxy.test.org";
    private static int PROXY_PORT = 80;

    public static void main(String[] args) {
        HttpClient client = new HttpClient();
        HttpMethod method = new GetMethod("https://www.example.org");
        HostConfiguration config = client.getHostConfiguration();
        config.setProxy(PROXY_HOST, PROXY_PORT);

        try {
            client.executeMethod(method);
            if (method.getStatusCode() == HttpStatus.SC_OK) {
                String response = method.getResponseBodyAsString();
                System.out.println("Response = " + response);
            }
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
  …
0
Hi guys,

We were using netcat from our server to make connections to client machines, but ever since we upgraded to HTTPS it doesn't seem to work. Any ideas?
0
Hello, we are setting up a certificate for our mail server through GoDaddy. We have gone through a name re-branding and I am setting up the new name. I was wondering if activesync.mycompany.com is necessary. I was also wondering if I should match the old SANs with the new, or if something was redundant or unnecessary and could be removed. Thanks

Current Certificate.........
mail.mycompany.com
www.mail.mycompany.com
autodiscover.mycompany.com
activesync.mycompany.com

New Certificate............
mail.mycompany.com
www.mail.mycompany.com
autodiscover.mycompany.com
mycompany.com
0

The issue is as follows: I am running a CentOS 7 server with a PHP Plesk Panel 12.5 running my subscribers and their sites. I just recently installed the iPad site builder module and the site builder module to test each as a potential site building solution for my clients. After I installed both, I was forwarded to a third-party website where the actual website is created for each client. After the site is created, on their site I have the option to publish it to a domain on my server. At 50% install I get the following error: fsockopen failed No route to host (113). The same thing happens when I use the site builder module as well. I am running ProFTPD on the system, so I do have an FTP server running. What I need to find out is how to resolve this issue. I am sending you a screenshot of us running FileZilla as FTP on port 21, where I get the following error. I know this is a minor issue; I just need help narrowing down the cause or misconfiguration.

My firewall and router are open for port 21.
ftpd-error-message.PNG
0
I am a bit new to PKI certificates. Is it related to X.509 certificates?
0
We have a small java program that connects to an Oracle (11.2.0.4 Windows) DB. There is a jks file that has the certs in it (4096 key size). When we try to connect we get:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA

If I make changes to entries below in the java.security file in Java:

jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms

and remove the MD5 and MD5withRSA parameters, it works. From what I've read this is supposed to be an issue in JRE 7.4 and above, but it is only supposed to happen when the key length is 1024 or less. Not sure why it's happening with a 4096 key length cert.
0
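An added example (not from the post above) that parses a `jdk.certpath.disabledAlgorithms` value in the syntax the `java.security` file uses and checks a certificate's signature algorithm and key size against it. It shows why `MD5withRSA` is rejected regardless of key size: the `MD5` entry carries no `keySize` qualifier, so it bans every signature built on MD5, while the size-conditioned entries apply only to the key algorithm. The policy string and certificate values are constructed; the `jdkCA` / `usage` qualifiers of newer JDKs are not modelled.

```python
import re

# Constructed sample in the syntax of java.security's
# jdk.certpath.disabledAlgorithms property (value part only).
SAMPLE_POLICY = "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224"

_SIZE_RE = re.compile(r"^(?P<alg>\w+)\s+keySize\s*(?P<op>[<>]=?|==|!=)\s*(?P<n>\d+)$", re.I)
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_policy(value):
    """Parse the comma-separated property into (ALGORITHM, predicate) pairs.

    An entry is either a bare algorithm name (a blanket, size-independent ban)
    or 'ALG keySize <op> N' (a ban that applies only to keys satisfying the
    comparison). Qualifiers such as 'jdkCA & usage ...' are not handled here.
    """
    rules = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        m = _SIZE_RE.match(entry)
        if m:
            n, op = int(m.group("n")), _OPS[m.group("op")]
            rules.append((m.group("alg").upper(), lambda bits, n=n, op=op: op(bits, n)))
        else:
            rules.append((entry.split()[0].upper(), lambda bits: True))
    return rules


def signature_components(sig_alg):
    """Split a JCA signature name such as 'MD5withRSA' into (DIGEST, KEY_ALG)."""
    digest, key = re.split(r"with", sig_alg, maxsplit=1, flags=re.I)
    key = "EC" if key.upper() == "ECDSA" else key.upper()
    return digest.upper(), key


def violations(rules, sig_alg, key_bits):
    """Return the policy entries a certificate trips over, in policy order."""
    digest, key_alg = signature_components(sig_alg)
    hits = []
    for alg, pred in rules:
        if alg == digest and pred(key_bits):
            hits.append(alg)                    # digest ban: key size irrelevant
        elif alg == key_alg and pred(key_bits):
            hits.append(f"{alg} keySize")       # key-size ban for this key algorithm
    return hits


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print(violations(rules, "MD5withRSA", 4096))     # ['MD5']  -> rejected despite 4096-bit key
    print(violations(rules, "SHA256withRSA", 512))   # ['RSA keySize']
    print(violations(rules, "SHA256withRSA", 4096))  # []
```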
Hi

My website is setup to run over http or https, I assumed everything was working until recently.

On my Mac in Safari and Firefox the following two URLs work fine:
http://www.petenetlive.com
or
https://www.petenetlive.com

HOWEVER, in IE it does not load the CSS and bleats about mixed content. Now I can view the source and see that the CSS is being loaded from http URLs, so that's probably causing the problem (why Firefox and Safari work I don't know?).

I've tried various Wordpress plugins that claim to fix SSL problems - none of them worked. I've set the site in Wordpress to use the https URL, I've also set this in the wp-config file.

HOW DO I FIX THIS?

Note: I'm running NGINX and don't have a .htaccess file.

Pete
0
I have a 2012 R2 IIS 8.5 server that is running a web site for the application Kaseya. I am trying to lock it down so deprecated ciphers are disabled, and I would like to reorder them in a more secure fashion. I have attempted to make the changes to the schannel key in the registry (didn't work). I have used Nartac IISCrypto and I have run PowerShell scripts to try and recreate all my keys. I also used group policy to decide the cipher order. Nothing has worked. No matter if I have every cipher disabled or even the protocol, they still show that they are in use. I am scanning the server using the Qualys SSL scan. Has anyone ever run into this issue? I have had no problem doing this on other application web servers in my organization, but this one seems as if the protocol and cipher settings are hard coded somewhere other than the registry. Any ideas would be greatly appreciated. I'm wondering if the web application is forcing it somehow and my registry settings have no effect. I just have never seen this happen, nor can I find any reference on the internet. Just so everyone is aware, I have restarted after making the reg changes. Unfortunately, the same protocols and ciphers are always enabled.
0
I'm trying to configure SSL (https) for Tomcat 8 and have done the steps below, but it's still not working.

1) Create the keystore file using

keytool -genkey -alias myservername -keyalg RSA



2) Generated CSR as below

keytool -certreq -alias myservername -file C:\tomcat_ssl\local_machine\test.csr -keystore C:\tomcat_ssl\local_machine\test.keystore



3) Then we generated the certificate and imported the chain certificate and the certificate as below

keytool -import -alias root -keystore C:\tomcat_ssl\local_machine\test.keystore -trustcacerts -file C:\tomcat_ssl\local_machine\srv_chain.cer



keytool -import -alias myservername -keystore C:\tomcat_ssl\local_machine\test.keystore -file C:\tomcat_ssl\local_machine\srv_main.cer



4) Finally, made the changes in Tomcat's server.xml as below

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="C:\tomcat_ssl\local_machine\test.keystore" keystorePass="123" keystoreAlias="myservername"/>



Restarted Tomcat and it's not working, showing the screen below

Tomcat Error Screen for SSL
In the Tomcat logs it's not showing any errors, and I have also tried other options like keeping a cipher tag in the connector, enabling TLS 1, 2, 3, changing the https port etc., to no avail.

Also I have tested the https port 443 and it's showing as listening in netstat. Any idea why this is not working?
0
Hello,

I had tomcat configured to redirect any requests to HTTP to redirect to HTTPS. This was functioning well until we had to do a DR restore of the DEV application. Now, HTTP does not redirect, but HTTPS works fine. I have compared the web.xml and server.xml configurations between our DEV and PROD installations, and found no differences. Below are the sanitized versions of the config:

Server.XML
<Connector port="80"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="443"
           acceptCount="100"
           disableUploadTimeout="true"
           bindOnInit="false"/>


<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="false"
           sslProtocol="TLS"
           keyAlias="DEV_ALIAS"
           keystoreFile="L:\ocation\to\keystore.jks"
           keystorePass="supersecretkey"/>




Web.XML (this code is entered after all of the servlet-mapping, and before filter-mapping)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>




Any idea why this might be failing?
0
This issue only happens on Android phones.
We have an internal website which uses self-signed user certificates for authentication.
When a user connects to the website for the first time, chrome prompts them which certificate they want to use. Even though there is only one certificate to choose from.
Usually, just choosing once is enough until the user either turns off the phone or ends the chrome process. But some users say they still get prompted multiple times.

Is there a way that Chrome can be set to automatically use the user certificate installed on the phone so the user does not see this prompt?

We have an MDM solution that automatically installs the certificate on the phones; that part is not a problem. I asked them if they had a solution, but their only response was to use their MDM browser instead of Chrome.
0
Dear Team,

We are planning to purchase a wildcard SSL certificate for our domain (for ex: abc.xyz) but have this situation. Can you please assist?

We have several sub-domains located on one physical server, so purchasing a wildcard SSL cert should be a good choice, right? However, if we have another server (different from the former one) which will host a mail server (such as mail.abc.xyz), can we continue using the wildcard SSL cert we purchased before?

If not, can we purchase an additional cert for that new sub-domain: mail.abc.xyz? And is there any other option?
0
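An added example (not from any of the posts) that ties together the certificate questions above: the www/naked-domain redirect, the SAN list for the re-branded mail server, and the wildcard purchase. It implements the hostname-matching rule a browser applies to a certificate's Subject Alternative Names (exact match, or a single `*` as the whole leftmost label matching exactly one label). The check runs inside the TLS handshake, before any HTTP redirect can be sent, and depends only on the names in the certificate, not on which server presents it. The SAN lists below are constructed from the names in the posts.

```python
def hostname_matches(san_names, hostname):
    """Return True if hostname is covered by one of the certificate's dNSNames.

    Rules applied (RFC 6125 style, as browsers do it):
      * case-insensitive, trailing dot ignored
      * '*' is accepted only as the entire leftmost label and matches exactly
        one label: '*.abc.xyz' covers 'mail.abc.xyz' but neither 'abc.xyz'
        nor 'imap.mail.abc.xyz'
      * a wildcard needs at least two labels after it ('*.com' is rejected);
        real browsers additionally consult the public-suffix list
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_names:
        pat = name.lower().rstrip(".")
        if pat == host:
            return True
        pat_labels = pat.split(".")
        if (pat_labels[0] == "*"
                and len(pat_labels) >= 3
                and len(pat_labels) == len(host_labels)
                and pat_labels[1:] == host_labels[1:]):
            return True
    return False


def uncovered(san_names, hostnames):
    """List the hostnames a client would reject against this certificate."""
    return [h for h in hostnames if not hostname_matches(san_names, h)]


# Constructed SAN lists mirroring the names used in the posts above.
NAKED_ONLY = ["chloedog.org"]
MAIL_SANS = ["mail.mycompany.com", "www.mail.mycompany.com",
             "autodiscover.mycompany.com", "mycompany.com"]
WILDCARD = ["*.abc.xyz", "abc.xyz"]

if __name__ == "__main__":
    # Why https://www.chloedog.org fails before any .htaccess rule runs:
    print(uncovered(NAKED_ONLY, ["chloedog.org", "www.chloedog.org"]))
    # Names dropped from the new certificate that old clients may still use:
    print(uncovered(MAIL_SANS, ["activesync.mycompany.com", "mail.mycompany.com"]))
    # What the wildcard covers, whichever server presents it:
    print(uncovered(WILDCARD, ["mail.abc.xyz", "abc.xyz", "imap.mail.abc.xyz"]))
```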

In trying to get scan-to-email working I was changing settings in the Kyocera CS400ci printer and have now locked myself out of the GUI, as the SSL settings I set are wrong and browsers don't trust it.

I checked SSL and DES only (no 3DES or AES) and now all browsers say invalid/bad/unsupported ssl/tls etc.

Any ideas on how I can ignore any/all SSL warnings and still get to the GUI? Force SSL is on, so I can't use port 80.
0
Hi everyone,

I have a vCenter 6.5 Linux appliance that I need to install an SSL certificate into. The problem is that I have very little knowledge about the workings of this, so most articles I find on the Internet aren't very helpful, mainly because they expect a lot of prerequisites to be in place that we do not seem to have.

The vCenter server is in an AD domain environment and uses an AD authentication (LDAP server identity source) for SSO. To my knowledge, some of our web servers are certified with a 3rd party issued wildcard certificate, that covers both the tld "mycompany.com" and the AD local subdomain "ad.mycompany.com". There is no internal CA installed on our Domain Controllers and I am unsure whether that is something that's required to be in place in order to certify the vCenter.

The wildcard certificate I have is in a format of a "pfx" file with a password authentication.

What is the easiest / quickest way to go about it?
0
Hi Folks,

Can anyone explain what the difference is between the above 3 methods of certificates? Let me explain my understanding first.

Self-Signed:
Issued by : Webserver1
Issued to : Webserver1

Certificate Authority signed :
Issued to: Webserver1
Issued by: Microsoft CA Server

3rd Party CA Cert:
Issued to: Webserver1
Issued by: Comodo or Symantec or Verisign

Now the question is what is the difference between using self signed for my Web server and using certificate authority signed for web server. I'm not asking about 3rd party certificate.
0
Hi all,

Been doing some work around tightening security on internal and external communications with stronger certificates and removing weak ciphers. Although this is fairly straightforward, I had a problem yesterday that has raised questions, mainly around my understanding.

We have a web server in the DMZ, 2008 R2 IIS. It has an externally signed certificate (SHA256). Scanning the website shows a number of weaknesses around ciphers that are part of TLS 1.0, 1.1 and 1.2.

We have to keep TLS 1.0 enabled because of application compatibility.

Is it possible to disable specific ciphers that are weak rather than disabling the tls protocol?
0
I would like to set up redirection from a server that hosts a site to a different server that hosts a landing page in IIS.

How do I setup a redirection in DNS and on the new site?

OLD URL: https://abc.domain.com
NEW URL: https://portal.domain.com/Test/Landing
0
Hello,

The vendor who does our security audit expressed concern about the SSL certificate we are using on our websites. They mention SSL version 3 and TLS v1 are not secure.

I checked that the cert we purchased is SHA-2.

I usually purchase the latest version cert and apply it to my IIS website.  Are there additional things I need to do?

Please advise.  

Thanks.
0