SSL / HTTPS

8K

Solutions

10K

Contributors

HTTPS is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL). The main motivation for HTTPS is authentication of the visited website and to protect the privacy and integrity of the exchanged data. HTTPS is widely used for protecting page authenticity on all types of websites, securing accounts and keeping user communications, identity and web browsing private.

Entering www.felixstowerotaryclub.org successfully redirects to https://www.rotary-ribi.org/clubs/homepage.php?ClubID=469 and you can see the green padlock on the browser bar.

Similarly entering felixstowerotaryclub.org also does the same.

However entering https://www.felixstowerotaryclub.org and https://felixstowerotaryclub.org get certificate errors.

Is it actually possible to get an https URL to redirect to a different website with its own certificate?

One issue is that if someone googles "Felixstowe Rotary Club" one of the search results (for me it is the second one in the list) is https://www.felixstowerotaryclub.org so potentially someone might use this link.
0
Hi, I am new to CORS. I have a question about it.
I have a JS POST call to a web service API, but got an error on my local machine:
"Access to XMLHttpRequest at 'https://xyz.com/X/gettoken' from origin 'http://localhost:8080' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:8080, *', but only one is allowed."

I see in my Java code there is some code which adds "resp.header("Access-Control-Allow-Origin", "*")". I removed it, compiled and ran, and still get the same result.
Any inputs will be appreciated!
0
I'm experiencing issues importing a newly purchased SSL certificate on my app server. I've already imported the intermediate certificate to my local intermediate cert authority store. I'm performing the following:

Access server certificate list => complete certificate request => browse to crt file => input a friendly name => choosing personal (as opposed to web hosting) for store location => ok
Navigate to website => edit bindings => the certificate I just added is not listed in dropdown of available SSL certs
Navigate back to server certs => the certificate that I added is no longer there

Open mmc => certificate => local computer => personal store => I’m able to view the certificate in question there
0
Entering http://www.felixstowerotaryclub.org correctly routes to the correct website and sets up a secure connection.

Entering http://felixstowerotaryclub.org routes back to the old website.

Entering https://www.felixstowerotaryclub.org connects correctly

Entering https://felixstowerotaryclub.org gives an invalid certificate error.

How can I get http://felixstowerotaryclub.org to route to the new website and https://felixstowerotaryclub.org to not give an invalid certificate error?
0
Hi Guys,

We ran a Nessus scan on our DC and Exchange server.
It is picking up: SSL Certificate Cannot be Trusted, Certificate Signed Using Weak Hashing Algorithm, Self-Signed Certificate, etc. from the Exchange server.
5 x entries of each.

The Exchange server does have a valid public certificate, and SSL labs gives this certificate an A rating.
I gathered that the findings reported are most likely linked to the Exchange self-signed certificates installed by default.

When I check in MMC, certificates, I am only able to identify 3 x self-signed certificates under the Personal\Certificates container.
There is nothing listed under the "Untrusted Certificates" folder.

My questions:
Where does Nessus find the other two "self-signed" certificates?
Why does it complain about valid self-signed certificates, if a SHA256RSA public certificate has been installed?
0
Hi guys

I have an EC2 AWS instance running Apache. We previously bought SSL certificates and had them installed. They have now expired. We renewed them with GoDaddy.

I want to install them on the server, but I can't seem to find the location where they need to go. One of our techies who has left may have played with the http.conf file but I am unable to work this out.

Can someone give advice on how to work on this?

Thank you
Yash
0
Hi Guys,

We have a couple of "internal" servers with self-signed certificates.  An IT audit raised concerns about the self-signed certificates as some are using SSL 2 & SSL 3 encryption methods.  Services and applications running on these servers are only accessible internally.

A second scenario is a server which has external access, but does have a proper SH2 2048 public certificate installed.  However, the report still picks up an issue with another self-signed certificate on the same server.

My question: do these self-signed certificates pose any security risks, or can they be safely ignored?
0
Setting up Cerberus FTP server.
We have a user who wants a ftp server in his network.

I have created 4 or 5 CSR requests for an SSL certificate and all it creates is a domain.com cert.
I need it to create a ftp.domain.com cert.

No matter what I put in for the name of the cert it is always the same: domain.com

I created a DNS setting on my server to point ftp.domain.com to the FTP server and it does connect externally.
But when I connect it shows a certificate error.

But when I connect to the FTP server it does show that I'm connecting with the SSL connection using TLSv1.2.
So the SSL certificate is being used but the cert name is only domain.com.

I'm guessing the names don't match, and that's why I'm receiving this error.

Is there a way to create a certificate with another name?

Would I have to create a wildcard or SAN cert?
0
I understand that a DAG is recommended but not required for an on-prem deployment of Exchange 2016. This, I presume, is because if the one and only Exchange server goes down no email can route.
When a person puts their email and password into the Outlook program it's supposed to automatically get the data needed to set up the email; however, it fails because the Exchange server has been set up incorrectly.
If we deploy a DAG, will that in a step fix this issue/resolve the auto-config settings problem?

Thank you for your help in advance
0
I am trying to develop some software for a company. This company has an IT department with Active Directory. I would like to talk with IT about getting Active Directory Certificate Services set up so I can be issued an internal cert to sign my app.
What documentation does Microsoft release regarding whether they recommend AD CS? Is there any documentation that says if a domain doesn't have an AD CS it's not complete or it's not whole?
I'm sort of looking for a historical document too. I want to be able to demonstrate to management the importance of AD CS for signing, encryption and use of TPM on our laptops.
Thank you in advance for your help.
0
What is the best way to create a CA-signed cert request with multiple SANs in PowerShell?

I need to request a cert with about 120 SANs in it. Obviously, I know that can be done in the GUI but I'd rather not go through the pain of that.

I know PowerShell has the cmdlet New-SelfSignedCertificate. I am not creating or attempting to create a self-signed certificate. I need to create a CA-signed request so that I can send it to the CA.

Any information on this would be greatly appreciated. If possible, an example with SAN creations would be great.

Thanks!
0
We have provisioned an HTTPS web server using Windows Server 2012. A valid SSL certificate with a valid CN (Common Name) has been installed on the web server.

However, due to a DNS issue some web clients use the IP address (e.g. https://10.x.x.x) in the browser to access our HTTPS server and are prompted with a warning. The user will proceed past the warning anyway in order to access the web service. We are going to have an internal auditing session soon and our question is:

When the end user uses an IP address to visit our HTTPS site instead of the host / CN (Common Name) that matches the installed SSL certificate name, we understand a warning will be prompted before connecting to the HTTPS server, but will the HTTPS traffic still be encrypted in transit during the network communication? We need to get back to our audit department.

Thanks for your prompt advice in advance.

Regards
Patrick
0
I am running Server 2012 Datacenter, IIS 8. SSLabs.com says that I have SSL 3.0 enabled on the server and I do not believe I do. I have used IIS Crypto to disable it. I also followed https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html and verified the registry. I rebooted as well.

Any thoughts?
0
The web application in my organization uses Apache web servers that load-balance across application servers (Tomcat instances). There are two Apache (web server) instances that route the traffic to 4 application server instances.

The HTTPS traffic coming to the application terminates at the Web server layer, and then communication between Web server and App server is over HTTP. My assumption is that Web server and App-server communicates over HTTP and not over HTTPS.

However lately in a discussion with my IS team I came to know that Web server communication to App server over HTTP is not considered secure, and Web server should instead communicate to App server over HTTPS.

I would like to know your views on how generally this works in your organization?
0
I have a SPA in Angular that is hosted at https://mysite.example.com and it has a *.example.com Let's Encrypt certificate issued to it.

I have an API in .NET Core that services this web app as well as a mobile iOS app, and it has a default SSL certificate given to us by our cloud host (https://myapp.my-cloudhost-service.com/api).

Because these services are operating independently, I do not need to worry about any issues with SSL certificates, correct? Like no CORS issues or warnings for XSS stuff in the browser?

It's all working fine on dev but of course I want to make sure I have all my bases covered before we push to production.

Thanks
0
I have a development nginx system that is requiring https to login. Is there a switch or variable that will make admin to default to http instead?

This site isn't propagated so no ssl on site.
0
I have an nginx development site that I can't get into because it keeps auto-populating to https. This is because I copied the files and database from an existing https-enabled site. Is there a way to force a browser to only use http for this site?

This site hasn't been propagated so there is no DNS. Thus, no way to have an SSL cert.

Because it keeps filling in the https I get a message the site can't be reached.  I have tried filling it in manually and deleting the history but it still keeps accessing https.

Thanks
0
Google Chrome Browser: 75.0.3770.142 (Official Build) (32-bit)
Windows OS (10 & 8.1)

BACKGROUND
The speed of loading web pages in my Google Chrome Browser had become slow. While looking through the advanced settings of the Google Chrome Browser, I clicked on the selection titled: "Manage Certificates". I noticed there are a large number of certificates.

QUESTION
(see Title of this post)
When, if ever, does it become (a) necessary or (b) advisable to remove (delete) one or more SSL certificates?
Is there a method that allows you to easily find "expired" certificates?
What would be the expected result if one were to remove ALL certificates? Could this cause problems, or would they simply reinstall themselves as needed, when those sites were visited again?
0
I am running my site on IIS 6. I have installed SSL and when I call it on https I get the following error.

ERR_TOO_MANY_REDIRECTS
Tried clearing the cookies on browser but no luck.
0
I have a site which is sitting on an IIS 6 server.

I have setup SSL on IIS server.

The normal http call brings up the site. e.g. (http://www.example.com)

However, I get "403 - Forbidden: Access is denied." when I try to load the site through https. e.g. (https://www.example.com)

I have searched everywhere and have already tried the following,

Unticked the "Require SSL" and selected the Ignore option as the Client Certificate.
0
Hello Experts,

I'm seeing a strange issue on some of our PCs. Basically users are getting certificate-related errors when they are browsing to different sites. When I look at the certificates on their computers via the Certificates MMC, I see the root certificate authorities folder is populated as expected. However, when I look at the intermediate certificate authorities folder, the only intermediate CA in there is our internal intermediate CA. Does anyone have any ideas on what may have caused this? I have read that MS maintains a list of root CAs. Does it maintain a list of intermediate CAs? If so, how can I use this list to update the intermediate CA folder on the PCs having issues?

As always, thanks for your help.

Nick
0
Hello!
I have this Mixed Content error in some browsers. Like index.php calls for css:style.css file which is over HTTP. I found that my template in a file template.config.php has such a line in a load CSS section:

 
$this['asset']->addFile('css', 'css:style.css');


URL of the site is: apostasia.ru
0
Site certificate says "Not Secure / Invalid" when I have already applied certificate settings matching it.

I'm currently using port 443 (default port) and using Starfield certification. I applied the certificates to the local computer and user certificate registry generated from the keystore file. I can't seem to grasp what is still missing. Please help.

0
Remote Outlook clients cannot connect to Exchange 2010 - 2013 in coexisting configuration while performing upgrade.  I believe this may be an Autodiscover issue as the MRCA errors while trying to test & contact the Autodiscover service.

I can reconnect existing external Outlook clients by setting the proxy connections,  however if they disconnect and try to reconnect the proxy settings are removed and need to be reset in order to connect again.
An external Outlook client can not setup a new mailbox in Outlook as they get the "Something went wrong" message while doing so.

Thanks for your assistance!
0
Can somebody please explain on the IIS SSL with the creation of the port 443 with the cert making the https for the web site yet there is on the SSL Settings a "Require SSL" checkbox.

What is the significance of the "Require SSL" when there is already the port 443 (https)?

Any information on this would be greatly appreciated.

This is under Windows 2016 Server with IIS 10.

Thanks
0