SSL / HTTPS

8K Solutions, 10K Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.


Hi guys

We have an application on our work premises that people externally use VPN to access. The port has been set to 'ANY'. However, if I wanted to lock this port down, I have some issues as there is no documentation on what the ports are. When I look at the firewall logs, I can see that the source port always changes but the destination port stays the same. What does this mean if the source port changes but the destination port is the same? I assume the destination port is the port on the application on our side and therefore we can lock the VPN ports down to this destination port?

Thanks for helping
Yashy
0

Hi guys

I've just recently installed a new SSL certificate for our Exchange 2010 server. People can access the site. However, nobody is able to open attachments. When they try, they are getting what I have attached. Have a look and see. All of the browsers that are trying to open are using IE8 (sadly) as they are our stores and are locked down, but they were able to do all of this before.

Is this DNS related? Is it SSL related?

Thank you for helping
Yash
Picture.jpg
0
I have a client with an SBS 2011 server who changed the email domain from mail.XXX-uk.com to remote.XXX.com. The internet domain name wizard was run reflecting the new domain and hence the new remote domain name of remote.XXX.com, and a new verified SSL certificate was installed. Outlook Web Access and Remote Web Workplace work fine. All the internal clients appear to be connecting fine, but the 2 remote clients, which are Outlook 2016, are not connecting when using Outlook Anywhere and they get an error message "there is a problem with the proxy server's security certificate. The name on the certificate is invalid or does not match the name of the target site mail.XXX-uk.com." The actual target should be remote.XXX.com.
I did have a problem with the mail.XXX being stuck on the Exchange 2010 SMTP service, but it appears to be cleared now.
0
Hi folks

I have an issue with MS Exchange 2013 that I can't seem to resolve. The issue is with security certs: I purchased one for our external domain "mail.company.com", installed it and it works fine. The issue is that when users are on the internal network using Outlook 2013/2016, I keep getting a security alert for "server01.domain.local" saying the name on the security cert is invalid or does not match the name of the site.

Where do I need to start to fix this?

My experience level with Exchange is at a novice level, so any help is much appreciated.

thanks

Cian
0
On an SBS 2011 Standard server, I was having problems getting a new user working on iOS (but Outlook 2016 worked fine and other existing users set up fine on the phone).

I started playing with the Microsoft connectivity tester and it was failing with certificate errors.

Troubleshooting some error numbers, I see pages talking about checking the certificates.

Looking in the certificate snap-in, there's "this user" and "this machine" choices. Looking in there, there's LOADS of certs: some expired, some YEARS away from expiration (AffirmTrust Premium ECC with exp 12/31/2040 is the farthest out in trusted root certs), there's trusted root cert authorities, third party trusted root certs. 'All' we use the server for is Exchange and file server. Yeah, I use server/remote and server/owa... the users don't.

Can I blindly delete the expired certs (some I think are self-signed)? We do have a Comodo cert that expires in 1 1/2 years. There were GoDaddy certs - I think we had that before the Comodo. And other certs from companies I don't know about. They come with the server? (Again, it's SBS 2011.)

And there's untrusted certs like DigiNotar Root CA G2 (expiring in 2029).

Is there a list of what I can / should delete or keep? Just to reduce clutter? I just know about the Comodo cert we bought. These others? No clue.

There's a */EFGO.GOV.TR cert expiring in 2021. We are a US based company / don't do anything with other countries... ok, I see something about google …
0
Our server (running win server 2008 R2) has been plagued with two errors in Event Viewer-->System:
First:
Event 36888, Schannel
"The following fatal alert was generated: 40.  The internal error state is 1205."

Second:
Event 36874, Schannel
"An TLS 1.2 connect request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server.  The SSL connection request has failed."

Not sure what's causing these errors.
0
understand how ADFS & Web Proxy servers work. I'm having an issue getting a standard SSL issued to work for the configuration of the ADFS and then the Web Proxy. I'm assuming I need to generate a CSR from the ADFS server at a minimum of 2048.

How do I generate the CSR for the ADFS domain ss0.contoso.org?
0
I have taken over the admin responsibility of a root CA. I got some knowledge after reading several posts and experts' comments on my previous question.
Our server is Windows 2012 R2 and the cryptographic provider is KSP. In this case, I only need the two steps below:

1- certutil -setreg ca\csp\CNGHashAlgorithm SHA256
2- Renew the CA's certificate with new key.
My understanding is that the server will have both SHA1 and SHA256 root certs and new certificates for devices will be issued with SHA256 if any device requests one. And there will not be any issue with our RADIUS/NPS, printers, Wi-Fi, PCs etc. since they are using the SHA1 certificates until their renewal period is reached next year.
My confusion is: what would happen when I install a new PC?
The new PC is going to have a certificate with SHA256, but the NPS server still has a certificate with SHA1.
Does the hash algorithm matter?
0
Attached is an SSL scan report (by Qualys) of 2 portals:

a) Will such deficiencies flagged by Qualys be flagged by a black-box pentest as well (the tester is using Tenable Nessus)?

b) For the items highlighted in yellow, if we place a WAF & CDN in front of the portal, can the items be remediated?
    I heard F5 WAF could 'block' off SSLv3, TLS 1.0 & 1.1 as a way of mitigating, but what about the weak ciphers etc.?

Have a Checkpoint NIDS as well if this is of any help.


We can obtain a fresh cert if needed, but the concerns are:
a) we don't plan to change the A10 load balancer (that's used for the 2 portals): I understand a number of what's flagged is due to this A10 LB
b) the applications team can't amend the code within the short term (but we have only a couple of months to remediate)
SSLabscanJ2.docx
0
Exchange 2010 HTTPS issues...communications issues started on the same day with various services we use internally and externally:

** OWA Seems to be working normally again. [OWA - login page shows secured, but after login, address bar shows only partially protected or not protected at all.]

Shoretel/Mitel phone client - shows error message at bottom of client application. Cannot connect to Exchange server "email.domain.com".

Outlook 2013 client Out of Office - does not work. "Server is unavailable".

3 MAC Sierra users - cannot connect to server errors when using either Outlook 2016 or Apple Mail.

Mail archiving system - Exchange mailbox archiving jobs failing. Varying messages from logs show "The remote server returned an error: (503) Server Unavailable", "Microsoft Exchange Server returned an unexpected HTTP error code (EWS 503)", "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel",  "The remote certificate is invalid according to the validation procedure", “Unable to connect to Microsoft Exchange Server. Details: The SSL/TLS certificate verification failed.” or “While logging on to the Exchange Server, an unexpected status code (302) was returned”

Cannot ping "email.domain.com" or "autodiscover.domain.com". ICMP fails on both.

Also, Exchange server has a third party extended validation certificate that is valid until 2019 and has IMAP, POP and IIS services assigned to it. Outlook Anywhere works …
0

Hello experts,

I have a 3rd party vendor and they are asking me to send them a PGP public key. They want to transmit the file and encrypt it using this public key I should be providing them, and they sign it with a file that is a *pgp_public.asc file; they sent me the file.

My question is: how do I generate a PGP public key? And what do I do with this file that they are using to sign the files? What is the process of viewing this file after receiving it from the 3rd party?

Thanks,
0
Binding new SSL certificate to Windows Server 2012 problem.
I built the request per:
https://www.digicert.com/util/csr-creation-microsoft-servers-using-digicert-utility.htm. Handed the request off to our infrastructure team, where they purchased the new SSL. The team has sent me the new SSL certificates, which I renamed appropriately from a .txt extension to a .cer extension.

I have two test servers (and two prod servers) I need to update the SSL certificates for. I have followed the steps outlined in this document for installing the SSL certificate:
https://support.comodo.com/index.php?/Knowledgebase/Article/View/1159/37/certificate-installation-microsoft-iis-8x

I can see on the server IIS where the certificate has been updated to 10/9/2020 in the Server Certificates; however, if I look under the padlock on the client's URL, the expiry date is still set for: 10/24/2018. How do I propagate this out to the client? This is the first time I've done this, and I have four 2012 servers to update ASAP. Any guidance would be appreciated.
0
Summary
HTTP Error 401.2 - Unauthorized
 You are not authorized to view this page due to invalid authentication headers.

Some new users to my web site cannot log on due to 401.2 and 401.1 errors. Other new users connect without any issue. Users have the DoD CAC smartcard and they are valid for logging into their workstations. All the certificates point to the same root authority, DOD Root 3, but have different intermediate certificates which are DOD CA 38 to DOD CA 51. Users with intermediate certificates numbered 48 or higher get the 401.2 error and cannot log in.

I assume the problem is the more recent intermediate certificates are not installed or configured correctly. I installed the most recent certs from the cert authority using their tool, InstallRoot.exe. MMC confirmed the intermediate certs are in the Certificates (Local Computer) -> Intermediate Certification Authorities -> Certificates.

The server uses the Axway tool to validate certificates. In the Application Event Log for the attempt, it said "Revocation Status: Good" so I assume my OCSP and its cache are set up correctly.

After every 401.2 error is a 401.1 error. The sc-win32-status for the 401.1 error is -1073741715. Is that number significant?  

The detailed configuration description:


I am using IIS 7.5 on Windows Server 2008 R2. I set up the web server and the web site to require a smartcard to open the web site. To that end I set up iisClientCertificateMappingAuthentication …
0
3rd party SSL install on Windows server 2012 to enable LDAPS

Hello experts,

So I need to install a GoDaddy SSL cert on my Windows server to enable LDAPS. I was about to purchase the cert when the GoDaddy rep told me that SSL certs can't be installed on a .local domain (mycompany.local) anymore; apparently it was possible years ago.

He told me the workaround is to bind the FQDN to the DC by creating a .local subdomain in a public domain... From what I understood, I need to create a .local subdomain in my company's public domain (local.publicdomain.com). I get that part; what I'm confused with is the binding of the DC to the subdomain. Does it mean creating a DNS zone for the subdomain and creating a record?

The other solution would've been to have my internal domain with something other than .local, but it's a production environment and I can't change that.

So can anyone please shed some light on the binding part? Also, am I correct in my assumption of creating a .local sub-domain in my public domain?

Thanks in advance.
0
What are the steps required to change an IIS hosted website from HTTP to HTTPS?
0
Security scan finding: "SSL Medium Strength Cipher Suites Supported (42873)" error on 2012 R2 / Win10 seems to be port 3389/TCP.

I've seen a solution using https://www.nartac.com/Products/IISCrypto/ but I have a secure environment and I'm not sure about using this product.
I've enabled the GPO 'SSL Cipher Suite Order' setting in admin templates / network, which doesn't seem to have anything below 112 bits, and I've removed DES and 3DES.
Is there another or manual fix for this?

thanks
0
we have a security certificate to cover our domain name, which we have added to our mail server.

however, we also have a website which is hosted by a third party, and it cannot be accessed using https://www.domainname.co.uk

can we use the same certificate that we use for our microsoft server to cover our website too, or do we need to purchase another one?

how do we add the certificate to our website?

if anyone can offer any guidance, we would be much obliged.

many thanks
0
Does trusted email domain require its own ssl cert on the exchange server?

- Domain A has been set up and working for years
- Domain B as a re-brand effort was added to Exchange 2010.
- All emails still route to the server name for Domain A [mail.domaina.com]
- Receiving certificate issues and warnings when loading Outlook into the new email address for Domain B.
- A portion of Sent emails are being bounced or captured in external recipient's junk/ spam.
- I'm assuming a certificate needs to be installed.

Can I add a certificate for the trusted domain to this server to resolve the cert warnings?
0
I am hosting a couple of web sites on a couple of Linux boxes and OWA on a Windows box in my office. Currently HTTP is forwarded to Host_W and HTTPS is forwarded to Host_M. Host_W serves pages for www.site-m.biz, www.site-d.net, and www.site-f.com while it forwards requests for host_l.site-s.org and www.site-s.org to Host_L. The current structure looks like this:

[Diagram: Current Config]

What I want to do is forward both HTTP and HTTPS to Host_W while serving the same three sites, and forward HTTPS requests for mail.site-m.biz to Host_M and requests for site-s.org to Host_L. The structure would look something like:

[Diagram: Desired Config]

I have attached sanitized copies of what I think are the relevant config files.

The port forward is not a problem, a simple change on the firewall. Installing a Let's Encrypt certificate on both Nginx and Apache2 is heavily documented, and a GoDaddy certificate for mail.site-m.biz is already installed on Host_M.

What I don't have a handle on is the changes needed on the Apache2 on Host_W. I think it would be just to add something to the site-m.biz.conf like (and something similar to site-l.org.conf):

<VirtualHost *:443>
        ServerName mail.site-m.biz

        SSLEngine On
        SSLProxyEngine On
        ProxyRequests Off
        # The next four directives switch off verification of the backend (Host_M)
        # certificate; since Host_M already has a valid GoDaddy certificate, the
        # defaults (checks on, SSLProxyVerify require) can normally be kept instead.
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        # Re-enables legacy (pre-RFC 5746) TLS renegotiation with the backend.
        SSLInsecureRenegotiation on
        SSLProxyVerify none
        SSLVerifyClient none
        # (remainder of the posted snippet is cut off here)
</VirtualHost>

0

Hi guys

How do you give someone the private key for the SSL certificate but un-encrypted? I don't get what they are saying.

I've got a Windows 2008 R2 web server that I created the CSR onto. Then I got the certificate from the provider and have applied the certificate to this to complete the request.

My colleague needs the private key. I exported it as a .PFX file, but when you do that, it is password protected. He needs it un-encrypted.

Do you use the MMC console to do this and then export it as a .CER file? Will that be correct?

Cheers
Yashy
0
I need straightforward information on SSL offloading and visibility. Vendor documents and white papers lean too much toward their product. I have F5 10350v-f load balancers that have SSL and am trying to decide between Local Traffic Manager (LTM) and SSL Orchestrator, which is more money. My client is not sure what they want, so I have to come up with something. The 10350s sit in front of a DLP, with only two feeds coming to them, so I don't think it should be complicated. So the question with the F5 10350 is which level of SSL decryption I should use.

On a separate program I am dealing with Gigamon and Ixia packet brokers that will be routing to SSL decryption services as well.

Bottom line, I just need objective definitions and comparisons when it comes to SSL offloading vs. SSL visibility vs. SSL orchestration, etc., and other SSL applications.

Thanks
0
Hi guys

I am going to be buying a multi-EV domain SSL certificate. This domain will have quite a few sub-domains. When i want to create the certificate request on the server, in the common name section, do I just put in the domain name only? So would I put 'contoso.com'? And not '*.contoso.com'. I assume i would only put an asterisk if it was going to be a wildcard ssl right?

Thanks for helping
Yash
0
For Citrix NetScaler, I need a .pfx SSL certificate. But I received a .cer SSL file. To convert this CER file to PFX, I have followed the process below.
Opened Certificate MMC --> Imported the CER file into PERSONAL\Certificates --> Export
When I try to export from within the CA, I don't get the option "Yes, export the private key", and on the export file format "Personal Information Exchange - PKCS #12 (.PFX)" is greyed out.
Please suggest.
0
I guess I really don't know what I am doing.

Working on an SBS 2011 Standard machine on subnet 192.168.1.0.

There's a vpn to a remote location 192.168.2.0

A new laptop at the remote site with Windows 10 / Office 2016 keeps getting an error about the autodiscover.domain.com certificate. It says the name on the security cert is invalid or does not match the name of the site.

Clicking on view cert, it says it's issued to: domain.com, issued by Let's Encrypt Authority X3, with a valid date of 8/14/18 to 11/12/18.

WE DO have a certificate for the domain issued by Comodo. From a browser, if you type remote.domain.com/owa, you get to the OWA page and it says it's secured with the Comodo cert.

Anyone know where the Let's Encrypt certificate is coming from?

Other laptops at that remote location are working fine for email.
0
Dear Experts

We have a hosted web-based application which runs on Linux, Apache, MySQL and PHP. Data security is the topmost priority; we have installed an SSL certificate and also deployed two-factor authentication. When I used the online SSL checker by going to https://ssltools.digicert.com/checker/views/checkInstallation.jsp, after the scan the following shows up:

1. Vulnerabilities checked
Heartbleed, Poodle (TLS), Poodle (SSLv3), FREAK, BEAST, CRIME, DROWN
Non-critical issues found
BEAST
Not mitigated server-side BEAST.

2. Secure Renegotiation: Enabled
Downgrade attack prevention:Enabled
Next Protocol Negotiation: Not Enabled
Session resumption (caching): Enabled
Session resumption (tickets): Enabled
Strict Transport Security (HSTS):Not Enabled
SSL/TLS compression:Not Enabled
Heartbeat (extension):Enabled
RC4:Not Enabled
OCSP stapling:Not Enabled

---------
Please help me to understand the above 1 and 2 and let me know the correct steps as per best practice. Thank you.
0