SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.


A client has many domains registered at GoDaddy. They also are starting to use Azure web Apps and have outside creative agencies developing websites, etc. for them. They also do in-house development.

For SSL purposes, we purchased a GoDaddy UCC SSL cert for up to 100 SANs.

Not being an SSL expert, I need guidance on how this UCC cert should be created and used for outside services (Azure / outside agencies).

I know we can create our own CSR in IIS, key the cert at GoDaddy and then install it in IIS on our own server (to secure, say, something.ourdomain.com). But what about for Azure and the outside agencies?

In Azure it seems like we create the CSR, export the cert in PFX format and upload to Azure.

What about the outside agencies? Do they create a CSR for us to then create a cert to export as PFX for them to install?

Not an SSL expert (as may be obvious from the above :^)
0

I have an aging SBS 2003 server which I use solely for Exchange.  I have a number of clients that connect various devices for email comms.  Some just use Outlook 2010 using Outlook over VPN and some use OWA and some use Exchange push mail for hand-held devices.  Just before Christmas I renewed my Go Daddy SSL cert which secures my mail domain and now all services apart from Outlook over VPN have fallen over with SSL issues.  I need someone with SBS 2003 experience to help me through the minefield.
0
We have an internal program that uses a public certificate for security. We need to lock down the application on devices so they do not have any access outside of the program (client connects to a server using several ports) and Logmein (for remote support).

I am using the Windows Firewall to block outbound traffic except for traffic we will allow for the program. The problem I am having is that the application will not run because the public certificate will not verify the certificate chain (for security on the user login). I have tried to turn off settings for revocation in Internet Options, but that is not what the problem is. It seems the app needs access to the internet to verify the certificate. So in Windows Firewall, I need to know what exactly do I need to open outbound?
1
When I type my domain name (e.g. "example.com") into Safari on my iPhone, I am directed to the unsecured version (http://example.com).

Same behavior with Edge on desktop: if I type example.com in the URL bar, I am directed to the unsecured version.

On Chrome however if I type example.com https://www.example.com is loaded.

My site is hosted on Heroku with DNS by Google domains:

Heroku Config
Google Config



How do I ensure the encrypted version of the site is always loaded?
0
I have a domain name that is used to connect Cisco AnyConnect clients to a Cisco ASA 5516.  I just renewed my SSL cert and GoDaddy sent me 2 x .CRT files.   When I called Cisco for help installing this SSL cert they said I need to have it in .PFX format.   GoDaddy only gives out CRT files.   How do I get the PFX format that Cisco is requesting?  I don't recall having to do this last year.
0
I have a Centos Server 7.0 which has wordpress installed with multiple sites (directories) under /etc/www/html/. I managed to install one certificate on one of those sites however, I have to install another certificate for another 4 sites hosted on the same server under the same directory.

I know this is done but I am not really that familiar with Centos and Wordpress.

I would appreciate any help or recommendation.

Thank you
0
Client is beginning to use Azure to develop sites for customers. They need SSL certs for security. I'm a bit confused as to what SSL(s) would be needed to cover the domains.

All of the subdomains will end in one root domain. Example:
rootdomain.com

The subdomains will go several levels deep. Examples:
Name1.rootdomain.com
Name2.rootdomain.com

AnotherName.Name1.rootdomain.com
YetAnotherName.AnotherName.Name1.rootdomain.com

Can one 'multi sub-domain' SSL cert secure every level in front of rootdomain.com?
Or do you need another cert every time you add a period into the structure (i.e., one cert for *.rootdomain.com, another for *.Name1.rootdomain.com, etc.)?

Hope I've explained this clearly...
0
Hi Experts,

I have 2 Exchange servers, both running Exchange 2013 in the same domain.
The 1st server is Srv3, which was the first server set up and running Exchange 2013; the 2nd server is Srv6, the 2nd server running Exchange 2013.
I want to decommission Srv3 and make Srv6 my main and only Exchange server.
I have moved my mailboxes across to Srv6 and have purchased a Comodo paid cert, and this is also installed on Srv6.
Srv3 has a self-signed cert installed.
I am looking for some help on decommissioning Srv3 and making Srv6 my primary and only Exchange server.
If I turn off Srv3, I can access my mailboxes and I can send mail, as it is now going through Srv6, but I can't receive mail or get to my e-mail remotely (OWA).
If I try to set up the receive connector on Srv6 to be the same as Srv3, it won't let me.
Any help or advice would be greatly appreciated.
Thank you.
0
I am in the process of disabling medium ciphers in order to satisfy our PCI scan.

But I am running into a discrepancy between 2 different Win 2012 R2 servers which is really weird.

Server 1
Before  - Grade B

Ciphers
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK       256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK       128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK       256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK       128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK       256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK       128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK       112
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE       128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE       128

After removing those I got grade A.


Server 2
Before - Grade A even with weak ciphers


Ciphers
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK      256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK      128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK      256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK      256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK      128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK      128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK      112

After removing the same ciphers I got a Grade B, complaining about this:
This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B

Sure enough, the scan on the 2 servers shows that Server 2 is missing these 2 ciphers:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS       256
0
Hello experts out there.
I have a question about an enterprise root CA's private key. We have a server which issues the certs to clients.
Do we have to back up the private key?
If so, what is the reason we have to back it up?
0

Hi guys

We have an application on our work premises that people externally use VPN to access. The port has been set to 'ANY'. However, if I wanted to lock this port down, I have some issues as there is no documentation on what the ports are. When I look at the firewall logs, I can see that the source port always changes but the destination port stays the same. What does this mean if the source port changes but the destination port is the same? I assume the destination port is the port on the application on our side and therefore we can lock the VPN ports down to this destination port?

Thanks for helping
Yashy
0
I have a WordPress website on AWS EC2 Ubuntu Linux. I am not good in this department of coding but I get by. I just created a Load Balancer and attached it to my EC2 instance. I am trying to force SSL (HTTPS) on anyone who visits my site. I have 90% of it correct.  If you visit:

https://www.Example.com
www.Example.com
http://www.Example.com (Redirects to https://www.Example.com)

it works perfectly as Secure. But if you go to
Example.com
http://Example.com

then it goes to an UNSECURE site and stays on Example.com.

In my ".htaccess" file at the very top I have the code below.  So what is the problem? I thank you for the help.


#Force www:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^Example.com [NC]
RewriteRule ^(.*)$ https://www.Example.com/$1 [L,R=301,NC]

# Begin force ssl
<IfModule mod_rewrite.c>
# RewriteEngine On
 RewriteCond %{SERVER_PORT} 443
 RewriteRule ^(.*)$ https://Example.com/$1 [R,L]
</IfModule>


0
Hi guys

I've just recently installed a new SSL certificate for our Exchange 2010 server. People can access the site. However, nobody is able to open attachments. When they try, they are getting what I have attached. Have a look and see. All of the browsers that are trying to open are using IE8 (sadly) as they are our stores and are locked down, but they were able to do all of this before.

Is this DNS related? Is it SSL related?

Thank you for helping
Yash
Picture.jpg
0
I have a client with an SBS 2011 server who changed the email domain from mail.XXX-uk.com to remote.XXX.com. The internet domain name wizard was run reflecting the new domain, and hence the new remote domain name of remote.XXX.com, and a new verified SSL certificate was installed. Outlook Web Access and Remote Web Workplace work fine. All the internal clients appear to be connecting fine, but the 2 remote clients, which are Outlook 2016, are not connecting when using Outlook Anywhere and they get an error message "there is a problem with the proxy server's security certificate. The name on the certificate is invalid or does not match the name of the target site mail.XXX-uk.com." The actual target should be remote.XXX.com.
I did have a problem with the mail.XXX being stuck on the Exchange 2010 SMTP service, but it appears to be cleared now.
0
Hi folks

I have an issue with MS Exchange 2013 that I can't seem to resolve. The issue is with security certs: I purchased one for our external domain "mail.company.com", installed it and it works fine. The issue is that when users are on the internal network using Outlook 2013/2016, I keep getting a security alert for "server01.domain.local" saying the name on the security cert is invalid or does not match the name of the site.

Where do I need to start to fix this?

My experience level with Exchange is at a novice level, so any help is much appreciated.

thanks

Cian
0
On an SBS 2011 Standard server, I was having problems getting a new user working on iOS (but Outlook 2016 worked fine and other existing users were set up fine on the phone).

I started playing with the Microsoft connectivity tester and it was failing with certificate errors.

Troubleshooting some error numbers, I see pages talking about checking the certificates.

Looking in the certificate snap-in, there are "this user" and "this machine" choices.  Looking in there, there are LOADS of certs: some expired, some YEARS away from expiration (AffirmTrust Premium ECC with exp 12/31/2040 is the farthest out in trusted root certs), there are trusted root cert authorities, third-party trusted root certs.  'All' we use the server for is Exchange and file server.  Yeah, I use server/remote and server/owa...  the users don't.

Can I blindly delete the expired certs (some I think are self-signed)? We do have a Comodo cert that expires in 1 1/2 years.  There were GoDaddy certs - I think we had that before the Comodo.  And other certs from companies I don't know about.  They come with the server? (Again, it's SBS 2011.)

And there are untrusted certs like DigiNotar Root CA G2 (expiring in 2029).

Is there a list of what I can / should delete or keep?  Just to reduce clutter? I just know about the Comodo cert we bought.  These others? No clue.

There's a */EFGO.GOV.TR cert expiring in 2021.  We are a US based company / don't do anything with other countries... ok, I see something about google …
0
Our server (running win server 2008 R2) has been plagued with two errors in Event Viewer-->System:
First:
Event 36888, Schannel
"The following fatal alert was generated: 40.  The internal error state is 1205."

Second:
Event 36874, Schannel
"An TLS 1.2 connect request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server.  The SSL connection request has failed."

Not sure what's causing these errors.
0
understand how ADFS & Web Proxy servers work. I'm having an issue getting a standard SSL issued to work for the configuration of the ADFS and then the Web Proxy. I'm assuming I need to generate a CSR from the ADFS server at
a minimum of 2048.

How do I generate the CSR for the ADFS domain ss0.contoso.org?
0
I have taken over the admin responsibility of a root CA. I got some knowledge after reading several posts and experts' comments on my previous question.
Our server is Windows 2012 R2 and the cryptographic provider is KSP. In this case, I only need the two steps below:

1- certutil -setreg ca\csp\CNGHashAlgorithm SHA256
2- Renew the CA's certificate with a new key.
My understanding is that the server will have both SHA1 and SHA256 root certs, and new certificates for devices will be issued with SHA256 if any device requests one. And there will not be any issue with our RADIUS/NPS, printers, Wi-Fi, PCs etc. since they are using the SHA1 certificates until their renewal period is reached next year.
My confusion is: what would happen when I install a new PC?
The new PC is going to have a certificate with SHA256, but the NPS server still has a certificate with SHA1.
Does the hash algorithm matter?
0

Attached is an SSL scan report (by Qualys) of 2 portals:

a) Will such deficiencies flagged by Qualys be flagged by a blackbox pentest as well (the tester is using Tenable Nessus)?

b) For the items highlighted in yellow, if we place a WAF & CDN in front of the portal, can the items be remediated?
    I heard the F5 WAF could 'block' off SSLv3, TLS 1.0 & 1.1 as a way of mitigating, but what about the weak ciphers etc.?

Have a Checkpoint NIDS as well if this is of any help.


We can obtain a fresh cert if needed, but the concerns are:
a) we don't plan to change the A10 load balancer (that's used for the 2 portals): I understand a number of what's flagged is due to this A10 LB
b) the applications team can't amend the code within the short term (but we have only a couple of months to remediate)
SSLabscanJ2.docx
0
Hi folks, how do I get IIS web server up & serving a page quickly. I just need it to serve up a 'restricted content' warning page for my domain users when they try to access YouTube which I have redirected to my internal IIS server using DNS. Unfortunately to do so seems to require a PhD in SSL certificates. Seems way too complicated for the benefits. Can I just disable HTTPS functionality on the IIS server or should I persevere to enable it - I'm guessing this requires the certificate from the IIS server to be installed on all domain machines via group policy?
Currently all machines are able to get through to the IIS server, but not without a 'your connection is not private' warning like the one here - https://goo.gl/images/7y8vB6
Thanks in advance.
0
Exchange 2010 HTTPS issues...communications issues started on the same day with various services we use internally and externally:

** OWA Seems to be working normally again. [OWA - login page shows secured, but after login, address bar shows only partially protected or not protected at all.]

Shoretel/Mitel phone client - shows error message at bottom of client application. Cannot connect to Exchange server "email.domain.com".

Outlook 2013 client Out of Office - does not work. "Server is unavailable".

3 MAC Sierra users - cannot connect to server errors when using either Outlook 2016 or Apple Mail.

Mail archiving system - Exchange mailbox archiving jobs failing. Varying messages from logs show "The remote server returned an error: (503) Server Unavailable", "Microsoft Exchange Server returned an unexpected HTTP error code (EWS 503)", "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel",  "The remote certificate is invalid according to the validation procedure", “Unable to connect to Microsoft Exchange Server. Details: The SSL/TLS certificate verification failed.” or “While logging on to the Exchange Server, an unexpected status code (302) was returned”

Cannot ping "email.domain.com" or "autodiscover.domain.com". ICMP fails on both.

Also, Exchange server has a third party extended validation certificate that is valid until 2019 and has IMAP, POP and IIS services assigned to it. Outlook Anywhere works …
0
Hello experts,

I have a 3rd party vendor and they are asking me to send them a PGP public key. They want to transmit the file and encrypt it using this public key I should be providing them, and they sign it with a file that is a *pgp_public.asc file; they sent me the file.

My question is how to generate a PGP public key, and what do I do with this file that they are using to sign the files? What is the process of viewing this file after receiving it from the 3rd party?

Thanks,
0
Binding a new SSL certificate to Windows Server 2012 problem.
I built the request per:
https://www.digicert.com/util/csr-creation-microsoft-servers-using-digicert-utility.htm.  I handed the request off to our infrastructure team, where they purchased the new SSL. The team has sent me the new SSL certificates, which I renamed appropriately from a .txt extension to a .cer extension.

I have two test servers (and two prod servers) I need to update the SSL certificates for.   I have followed the steps outlined in this document for installing the SSL certificate:
https://support.comodo.com/index.php?/Knowledgebase/Article/View/1159/37/certificate-installation-microsoft-iis-8x


I can see on the server IIS where the certificate has been updated to 10/9/2020 in the Server Certificates; however, if I look under the padlock on the client's URL, the expiry date is still set for:  10/24/2018.  How do I propagate this out to the client?  This is the first time I've done this, and I have four 2012 servers to update ASAP.  Any guidance would be appreciated.
0
Summary
HTTP Error 401.2 - Unauthorized
 You are not authorized to view this page due to invalid authentication headers.

Some new users to my web site cannot log on due to 401.2 and 401.1 errors. Other new users connect without any issue. Users have the DoD CAC smartcard and they are valid for logging into their workstations. All the certificates point to the same root authority, DOD Root 3, but have different intermediate certificates which are DOD CA 38 to DOD CA 51. Users with intermediate certificates numbered 48 or higher get the 401.2 error and cannot log in.

I assume the problem is the more recent intermediate certificates are not installed or configured correctly. I installed the most recent certs from the cert authority using their tool, InstallRoot.exe. MMC confirmed the intermediate certs are in the Certificates (Local Computer) -> Intermediate Certification Authorities -> Certificates.

The server uses the Axway tool to validate certificates. In the Application Event Log for the attempt, it said "Revocation Status: Good" so I assume my OCSP and its cache are set up correctly.

After every 401.2 error is a 401.1 error. The sc-win32-status for the 401.1 error is -1073741715. Is that number significant?  

The detailed configuration description:


I am using IIS 7.5 on Windows Server 2008 R2. I set up the web server and the web site to require a smartcard to open the web site. To that end I set up iisClientCertificateMappingAuthentication …
0