Self-signed Certificate and Client Keystore for SSL Authentication

java,ssl,certificate,keystore,keytool

Not an answer yet, but getting too complicated for comments so I'll give a start and edit later. Should (SSL/TLS) server(s) and client(s) share a key (and cert)? Okay for development and maybe test, varies for production. As a general rule every independent system that needs to be authenticated should...

Roundcube - Nginx does not redirect to .php file automatically

php,ssl,nginx,roundcube

Solved. Here's the configuration that works for me: server { listen 80; server_name example.org; return 301 https://$server_name$request_uri; } server { listen 80; server_name www.example.org; return 301 https://$server_name$request_uri; } server { listen 443 ssl; ssl on; server_name example.org; root /var/www/soon; server_tokens off; ssl_certificate /etc/ssl/certs/example.org.certchain.crt; ssl_certificate_key /etc/ssl/private/example.org.key; ssl_session_cache shared:SSL:20m; ssl_session_timeout 10m; ssl_protocols...

Nodejs https request UNABLE_TO_GET_ISSUER_CERT_LOCALLY

node.js,ssl,https

There is a reason for SSL. Besides other features, it authenticates that you are really communicating with the server identified by private.service.com hostname. Otherwise your client software can be cheated by a Man-in-the-Middle attack. First when anyone encounters this issue, they should update system root SSL certificates. In Debian they...

Enabling SSL on an AWS EC2 instance

apache,ssl,amazon-web-services,amazon-ec2

Great. The error messages helped. You're missing two lines: SSLCertificateFile /directory/to/file.crt SSLCertificateKeyFile /directory/to//file.key Here's a howto on configuring SSL on Apache....

How SignedXml.CheckSignature verify the certificate

windows,ssl,certificate

It uses windows certificate store to build a certificate chain up to trusted root authority. When it is building the chain the method also verifies revocation status of the certificates (usually from CRLs of all authorities in the chain) to check if any of the certificates in the chain are...

.htaccess not redirecting web site to https

.htaccess,ssl,centos

It doesn't appear that your .htaccess file is being read. So make sure you have AllowOverride All in your config. Also for your rules, I wouldn't use SERVER_NAME, that isn't always set and sometimes is not correct. I would either use HTTP_HOST variable or your actual domain name. You also...

How can we improve SSL handshake to increase the security?

security,ssl,encryption,server,cl

I'm not sure that you quite have this right. The connection is supposed to be: client <--> server The client knows that it's talking to the server due to the SSL handshake and validation of the server certificate. Your question is what would happen if: client // MiTM <--> server...

How to disable common name check in SSLContext in java?

java,ssl,jersey,jax-rs,ssl-certificate

If I'm understanding you correctly, I think you can accomplish what you are trying to do by implementing a HostnameVerifier, and just returning true in the verify method. You can set up the verifier on the ClientBuilder. For example Client client = ClientBuilder.newBuilder() .sslContext(sslContext) .hostnameVerifier(hostnameVerifier) .build(); ...

Failing mutual auth on Android w/ javax.net.ssl.SSLHandshakeException: Handshake failed

java,android,ssl,openssl,mutual-authentication

I never put the client cert in the KeyManager: KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509"); kmf.init(keystore, "password".toCharArray()); sslContext.init(kmf.getKeyManagers(), new TrustManager[]{tm}, null); ...

MaxCDN - shared ssl - invalid certificate?

ssl,resources,certificate

Never mind, I solved it myself. It turned out that the A-Record change (after disabling the full-site-cache) took time to be updated everywhere in the world (as usual) and people who were unfortunate enough to still have the old DNS-record ended up with a route over the CDN which caused the SSL-Certificate...

Java - Standalone SSL Web Service - JAX-WS, JRE, no web server

java,ssl,web,jks,wsgen

Try SSLContext ssl = SSLContext.getInstance("TLSv1.2"); SSLv3 is known to be vulnerable nowadays and your browser probably won't accept a server configured like this. Another option: try curl with the -k option to connect to the server....

Nginx redirect http subdomains to https

ubuntu,redirect,ssl,nginx,rewrite

Your web server is setup with Strict-Transport-Security max-age=16070400; includeSubdomains. This will tell the web browser to request your domain using https only. If you want the subdomain blog to be accessed through insecure http, you will need to remove includeSubdomains from the HTTP Strict Transport Security (HSTS) and use a...

HTTP to HTTPS mapping using proxy servers

apache,ssl,https,proxy,squid

this should be easy with apache. in your virtual host add ProxyPass /myapp https://somehost.com/myapp ProxyPassReverse /myapp https://somehost.com/myapp then you can use yourinternalhost.company.com/myapp/ then watch your error log about SSLProxyCheck* messages (depends on the ssl certificate) see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeercn mod_proxy: httpd.apache.org/docs/2.4/mod/mod_proxy.html (see proxyremote for using another (corporate) proxy...

Expected Compatibility Issues with upcoming TLS/SSL Cipher Suite update on Azure WebApps?

ssl,azure-web-sites

We have repeated our tests today and IE7 and IE8 on XPSP3 now pass the client test at https://testsslclient.trafficmanager.net. We assume the implementation of the TLS/SSL cipher suite has been updated to allow for this now......

How do I accept a self-signed SSL certificate using iOS 7's NSURLSession

ios,swift,ssl,https,self-signed

Both connection:canAuthenticateAgainstProtectionSpace: and connection:didReceiveAuthenticationChallenge: are deprecated in iOS 8 anyway so you should use other methods. What I am using in my projects is a delegate method of NSURLSessionDelegate. Adhere to that protocol then add this method: func URLSession(session: NSURLSession, didReceiveChallenge challenge: NSURLAuthenticationChallenge, completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential!) -> Void) {...

wget ssl alert handshake failure

ssl,https,wget

It works from here with same OpenSSL version, but a newer version of wget (1.15). Looking at the Changelog there is the following significant change regarding your problem: 1.14: Add support for TLS Server Name Indication. Note that this site does not require SNI. But www.coursera.org requires it. And if...

How to set up a meteor server on https connection?

ssl,meteor,https

Deploy the app using Meteor Up, which has built-in SSL support. Or use a common web server like Nginx or Apache, set up SSL and reverse proxy back to the Meteor app. Example: Nginx configuration server { listen 80; server_name www.example.com; rewrite ^ https://$server_name$request_uri? permanent; } server { listen 443 ssl ;...

Nginx HTTPS issue to redirect from www to non-www

ruby-on-rails,ssl,nginx

My issue has been resolved by making the modifications below; answering this as it might help someone else: Removed ssl_certificate and ssl_certificate_key from default_server block. Removed URL overwriting from SSL server block. Added ssl_protocols and ssl_ciphers to SSL server block. The configuration looks like below after modification: upstream unicorn { server...

Did google change/update related to vm ssl connections to Cloud SQL?

sql,ssl,cloud

Solution to openssl auto update to 11 that breaks the ssl connection to cloudssl. The following command shows the openssl updates and version change that affected the gce CentOS 6.6 vm >> cloudsql ssl connection (8 works, 11 won't connect): grep -i openssl /var/log/yum.log Apr 02 03:34:00 Updated: openssl-1.0.1e-30.el6.8.x86_64 Apr...

Problems generating a self-signed 1024-bit X509Certificate2 using the RSA AES provider

c#,.net,ssl,encryption,x509certificate2

The problem is with CryptGenKey function call. In the Algid parameter, you should pass either 0x1 (for RSA key exchange) or 0x2 (RSA digital signature). You don't need other values. And key length value should be 0x4000001 (with exportable key). Also, I noticed that you pass incorrect provider type when...

SSL Handshake in Java Servlet (HttpsURLConnection)

java,servlets,ssl

So, whenever an SSL connection is established it tries to verify the server name with the host name in the certificate. In this case, since it is self signed it may not be having any server name mostly. What you need to do is write an implementation of javax.net.ssl.HostnameVerifier and assign to...

Now that SSLSocketFactory is deprecated on Android, what would be the best way to handle Client Certificate Authentication?

android,ssl,okhttp,pkcs#12

Apparently, there are two SSLSocketFactory classes. HttpClient has its own one, and that is deprecated along with the rest of HttpClient. However, everybody else will be using the more conventional javax.net.ssl edition of SSLSocketFactory, which is not deprecated (thank $DEITY).

ArgumentError - unknown SSL method `TLSv1_2'

ssl,amazon-s3,carrierwave,fog

Instead of setting it inside the fog_credentials hash, try setting it afterwards on config itself with the following 2 lines: config.fog_authenticated_url_expiration = 600 config.fog_attributes = { ssl_version: :TLSv1_2 } ...

SMTP ports - SSL vs non-SSL

security,ssl,phpmailer

It may be possible to encrypt all traffic with SASL as they say, but the distinction is academic because PHPMailer doesn't support SASL for either authentication or any subsequent traffic, but does support SSL and TLS. So if you're using PHPMailer to send to them and you're not using SSL...

python requests SSLError

python,ssl,python-requests

Your version of python does not support SNI yet, which is needed to get the proper certificates on sites which have multiple certificates per IP address. Without SNI you get a certificate for *.google.com and others (see the error message), but none of these match the hostname android.clients.google.com because the...

Issue with understanding keystore and ssl

java,android,ssl,encryption

Now he adds the server.cer to the clients-keystore and the clients.cer to the server's keystore. Wrong here. You should add the exported certificate to a truststore in each case. Export from server keystore to client truststore, client keystore to server truststore. That way the client can encrypt the plaintext...

How do you unblock the 993 port if your firewall settings is blocking it?

php,email,ssl

You can find the answer here which is already asked on Stackoverflow. Make sure that the mailbox you are trying to connect is IMAP. PS. It doesn't look like firewall issue to me...

GET request throws error after app implemented SSL: Mixed Content: This request has been blocked; the content must be served over HTTPS"

angularjs,http,ssl,https,flask

It was a weird case that came down to removing a forward slash from the end of a URL fixing everything. Somehow, whenever we made a GET request using $http in Angular like baseurl + inventory.id + "/", it would make a http request but as soon as remove that...

How to load SSL Certificate in Java

java,ssl

You can use Apache HttpClient (or just use the required classes from it to use SslContextBuilder, really), and then it'd be like so: SSLContextBuilder sslContextBuilder = SSLContextBuilder.create(); sslContextBuilder.loadTrustMaterial(new File("yourTrustStore.jks"), "thePassWord"); SSLContext sslContext = sslContextBuilder.build(); HttpsURLConnection httpsURLConnection = (HttpsURLConnection) (new URL("https://thesite.com").openConnection()); httpsURLConnection.setSSLSocketFactory(sslContext.getSocketFactory()); But you need to create a...

SSL/TLS: Why will the server be the only one to be able to decrypt the encrypted number if it's a public key?

ssl,encryption

Because it's public-private key encryption, not symmetric encryption. The plaintext is encrypted to cipher text with the public key and decrypted back to the plaintext with the private key. Trying to decrypt that ciphertext with the public key doesn't work.

Call to SOAP WebService using client certificate in objective c

objective-c,web-services,ssl,soap,client-certificates

I'll answer my own question because no one did and I've already found the solution. First of all, you need to save the certificate in the project's directory. Drag and drop the certificate from its folder to the directory of the project in Xcode. Select "copy" and yes to the...

Problems connecting via HTTPS/SSL through own Java client

java,ssl,https,sslhandshakeexception

According to https://www.ssllabs.com, the server supports cipher suites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA They are listed as "unavailable cipher suite" as you can see in the debug messages. In the JRE/lib/security/local_policy.jar, we see // Some countries have import limits on crypto strength. This policy file // is worldwide importable....

zsh: no matches found: requests[security]

python,security,python-2.7,ssl,python-requests

zsh uses square brackets for globbing / pattern matching. That means that if you need to pass literal square brackets as an argument to a command, you either need to escape them or quote the argument like this: pip install 'requests[security]' If you want to disable globbing for the pip...

Getting SSLHandshakeException in java

java,eclipse,ssl,https,digital-certificate

If importing to the keystore is not resolving your issue, as I was not able to resolve it, then add the following lines of code. It worked for me. System.setProperty( "javax.net.ssl.keyStore", "D:\\G2B.p12" ); // The path to the .p12 file System.setProperty( "javax.net.ssl.keyStorePassword", "****" ); // The password of the p12 file System.setProperty( "javax.net.ssl.keyStoreType",...

Create OpenSSL certificates signed by myself

c++,ssl,boost,openssl,ssl-certificate

Your signing certificate has no rights to sign, because it has not the CA flag set. Signing will still work, but verification will fail. Since there are already lots of guides on the internet which will show in detail how to do it right so you might just look here...

NPM Error: self signed certificate in certificate chain

ssl,npm,tsd

One little FYI first: if you just want to learn AngularJS, maybe it's not the best way to start with TypeScript. If it's the case for you, try the tutorial on angularjs.org, which uses JavaScript and angular-seed. Anyway, if you want to use tsd, you have to edit your...

Java 8 , JCE Unlimited Strength Policy and SSL Handshake over TLS

java,ssl,jvm,centos,java-8

Try limiting the protocols to just TLSv1 using: -Djdk.tls.client.protocols=TLSv1 See this page for more details: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2 Hope this helps, Yuri...

Java client certificates and keystores

java,ssl,https,ssl-certificate

My understanding is that if you have to store a certificate with an alias matching the target domain name (in our case i.domain.io or r.domain.io) so java can provide the associated certificate as a client certificate when you are attempting a SSL connection to that domain e.g. https://r.domain.io That's...

How to create a private certificate for connecting to a website

apache,ssl,privatekey,digital-certificate,self-signed

It sounds like you want to use client-side SSL certificates for authentication. The Apache documentation covers this use case in some detail (that's for version 2.4; see here for version 2.2).

Java does not accept 2 methods with same name

java,sockets,ssl

Your issue seems to be that createSocket(Socket, String, int, boolean) already exists in the super class you are extending (SSLSocketFactory). When extending a class in Java the methods in that super class become methods in the subclass (unless a method's scope does not allow it). Therefore when you add the...

Starting a tls communication with python asyncio

python,ssl

Unfortunately, up to Python 3.5 there is no standard way to do it! As of Python 3.5, there is a new thing called MemoryBIO within the ssl module with which you can wrap your socket for TLS. You have a couple of options here: Use Python traditional (sync) socket and loop.executor...

Do I need an SSL certificate when using Paypal IPN on my site?

wordpress,ssl

If you are not collecting credit/debit card info on your site, then no... you don't need SSL. It sounds like you are sending people to PayPal, who collects payment information, and PayPal then sends the user back to your site. If this is so... you don't need SSL.

How can i get Certificate issuer information in python?

python,ssl,certificate

Updated answer If you can establish a connection to the remote server you can use the ssl standard library module: import ssl, socket hostname = 'google.com' ctx = ssl.create_default_context() s = ctx.wrap_socket(socket.socket(), server_hostname=hostname) s.connect((hostname, 443)) cert = s.getpeercert() subject = dict(x[0] for x in cert['subject']) issued_to = subject['commonName'] issuer =...

Meteor force-ssl on a staging system without ssl cert?

ssl,meteor

Found a solution. Someone wrote a force-ssl package for exactly this problem: https://atmospherejs.com/keyvan/my-force-ssl...

How does DNS server know the IP address of an SSL's URL?

ssl,https,dns

When you enter an URL in your browser the DNS server is asked for the URL's IP first by your system, before even connecting to the server. So SSL is not even in the game at this point. SSL encrypts between the client (e.g. your browser) and the server, but...

Subject Alternative Name not present in certificate

ssl,openssl,ssl-certificate

You can use: copy_extensions = copy under your CA_default section in your openssl.cnf. but only when you're sure that you can trust the extensions in the CSR as pointed out in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?...

HibernateException: Could not instantiate dialect class when using HTTPS for GWT

hibernate,ssl,gwt

When you use -server :ssl then you no longer use the AppEngineLauncher, so class loading is different; with a parent class loader using the classpath (AppEngine only uses WEB-INF/{classes,lib}); this is what causes the ClassCastException. Try removing your server dependencies from the DevMode classpath as a starting point; leaving them...

Connecting via mutual SSL fails reading incoming changeCipherSpec

ssl,ssl-certificate,jscript,chilkat,mutual-authentication

So it turns out that despite the sender insisting several times that the certificate was correct, and despite them insisting (when asked) that the email encoding had not stripped any characters, it turns out the certificate was incorrect and the email encoding had stripped some characters from the body text....

SecKeyRawVerify verifies on mac but fails with -9809 on iOS

ios,osx,ssl,cryptography,commoncrypto

Well, after some experimenting with sign/verify, I've found out that changing padding agreement to SecKeyRawVerify/SecKeyRawSign from kSecPaddingPKCS1SHA1 to kSecPaddingPKCS1 solves my problem. Don't know why it doesn't work with kSecPaddingPKCS1SHA1; there are no deprecations described in Apple's documentation. Also I didn't try this code on iOS different from 8.3 so...

Openshift trustwave intermediate ssl cert issue

ssl,https,ssl-certificate,openshift

OK, solved it after lots of searching, and Trustwave still reports it as wrong but all browsers seem to accept it. So I got the main cert file (I was using my-domain.com.pem) copy and paste the contents into a new file (something like combined.pem) then open your intermediate file (chain.cer...

Client certificate authentication

authentication,ssl,https,ssl-certificate,x509

I have to break down your question into two parts. Part one: Let's say a hacker X sends a CA issued certificate to the server as part of handshake. Then server would automatically trust it and grant access. If X acquires the client certificate of an authentic client then that's ok....

serving GAE applications over http

java,google-app-engine,ssl

There are two things you've missed from the docs: Google Cloud Endpoints requires SSL. If you need to access your backend API in a system not supporting SSL, you'll need to either update the system to support SSL or use a proxy. and Google Cloud Endpoints does not support custom domains. See...

Spring Boot SSL Client

spring,rest,ssl,spring-boot,ssl-certificate

I could not get the above client submitted by Andy to work. I kept getting errors saying that "localhost != clientname". Anyways, I got this to work correctly. import java.io.IOException; import org.apache.commons.httpclient.HttpClient; import org.apache.commons.httpclient.HttpException; import org.apache.commons.httpclient.URI; import org.apache.commons.httpclient.methods.GetMethod; public class SSLClient { static { System.setProperty("javax.net.ssl.trustStore","c:/apachekeys/client1.jks");...

Authenticate with login.microsoftonline.com through PHP cURL (SSL connect error)

php,ssl,curl,dynamics-crm-2015

I suspect it might be an issue with your POST and Host values. You're successfully connecting to login.microsoftonline.com; however, the next step I believe is your organisation. I haven't played around with this stuff for a while; however, the values I have look like so: POST /Organization.svc Host yourorganisation.api.crm5.dynamics.com Obviously...

How can I edit the list of cipher suite in Java using Bouncy Castle

java,ssl,cryptography,bouncycastle

How can I edit the list of cipher suite in Java using Bouncy Castle See Which Cipher Suites to enable for SSL Socket? and use SSLSocketFactoryEx. It's a drop-in replacement for Java's SSLSocketFactory. If you don't want to use SSLSocketFactoryEx, then rip the code to find the intersection of...

Same system, same code, different behaviors: The request was aborted: Could not create SSL/TLS secure channel

c#,wcf,ssl,windows-services,windows-applications

I found Windows Service's permission settings in Properties window's Log On tab, changed account from Local System to My User Account (Logged In User) and it works like a charm.

Getting SSL related error against my request to Ejabberd

android,sockets,ssl,erlang,ejabberd

Here is how you can go about it. I work on the sandbox environment and after a bit of patching, i could make it work. Follow the patching done here: http://erlang.org/pipermail/erlang-questions/2015-June/084868.html You would be required to make changes in ssl_cipher.erl and ssl_handshake.erl files. These 2 files are a part of...

https post request using httpClient and cert.em

java,ssl,https,httpclient,ca

As per the documentation on SSL properties javax.net.ssl.trustStoreType - (Optional) For Java keystore file format, this property has the value jks (or JKS). You do not normally specify this property, because its default value is already jks. Try setting javax.net.ssl.trustStoreType The exception you are getting is often thrown due to...

SSL certificate is not installing

iis,ssl,https

You did not generate the certificate request via IIS Manager. Thus, you should not use IIS to complete the request. Instead, you need to use OpenSSL to generate a PFX file, create a pfx file from a .cer and a .pem file Then you can import it to IIS....

First authentification in order to get token

php,android,ssl,https,token

1 - it is not true that passwords don't have to be encrypted on HTTPS. The best approach would be your server encrypting the plain password just received and then try to authenticate the user, generating a token. This token should only last during this connection. 2 - yes, post...

How to make a website work only with https [duplicate]

asp.net,ssl,https

Sure, assuming you are using IIS to host your site, open IIS Manager and select your web site and then binding on the right: make sure you only have a binding for https not for http. This way IIS will only send https traffic to that web site. Edit: What...

Particular URL redirect to http if request come from particular host

apache,http,mod-rewrite,ssl,url-rewriting

You should add another RewriteCond to exclude redirect for this IP: RewriteCond %{SERVER_PORT} =80 RewriteCond %{REMOTE_ADDR} !=10.1.2.3 RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L] ...

Wildfly mysql with SSL

mysql,ssl,wildfly

You will need to add the certificate to keystore to make an SSL connection.You can refer to the following links. Install SSL Certificate Create KEYSTORE-File from existing SSL-Certificate Then you can create a datasource with a SSL URL as demonstrated in the below sample in standalone.xml file. <datasource jndi-name="java:jboss/datasources/dbname" pool-name="poolname">...

mod_rewrite to force ssl in apache24

apache,mod-rewrite,ssl

I don't think it will work, it will ask for the authorization before the redirect to SSL. Instead you could put the Auth directives in a VirtualHost block corresponding to the SSL port (443). Also you don't really need mod_rewrite, but a simple Redirect directive. <VirtualHost *:80> ServerName www.domain.com Redirect...

Websocket SSL connection

javascript,node.js,ssl,websocket

The https module is rejecting your self-signed cert (as one would hope). You can force it to stop checking by passing a rejectUnauthorized: false option (which WebSocket will pass down to https): var ws = new WebSocket('wss://localhost:15449/', { protocolVersion: 8, origin: 'https://localhost:15449', rejectUnauthorized: false }); ...

Copied ssl cert to a test site, how do I remove it?

http,ssl,drupal,https,softlayer

https://www.drupal.org/https-information has some information on how to use SSL certs in drupal specifically. Since you didn't provide the actual error your browser is giving you, I'm going to guess its a domain name mismatch error (like this https://www.digicert.com/ssl-support/certificate-name-mismatch-error.htm ). Basically you will either need to access your site via the...

Meteor mupx ssl configuration is not working, still routing to port 80

javascript,ssl,meteor,docker

You're welcome! I initially forgot to post it here too. We all need recognition when we can get it, thanks. I found this quote somewhere, sounds like a starting point to check... In your EC2 control panel, look at your instance and note the Security Group that is assigned to...

Rails, DNSimple, Heroku and SSL - do I need a certificate?

ruby-on-rails,ssl,heroku,dnsimple

I just went through this same scenario. The certificate you see in your herokuapp is the wildcard certificate issued for *.herokuapp.com. If you want to secure a custom domain name http://my-app-name.com, you would need to purchase and install your own wildcard certificate via DNSimple. ...

Is it possible to use PROTOCOL_TLSv1_2 in python 3.2.5?

python,python-3.x,ssl

From https://docs.python.org/3/library/ssl.html: ssl.PROTOCOL_TLSv1_2 ...Available only with openssl version 1.0.1+. New in version 3.4. So you need to upgrade to get this option. You might try PROTOCOL_SSLv23 which offers the best protocol version the client can do in a backward compatible way. But lots of servers which are configured to allow...

CFNetwork SSLHandshake failed iOS 9 Beta 1

ios,ssl,nsurlconnection

iOS 9 and OSX 10.11 require TLSv1.2 SSL for all hosts you plan to request data from unless you specify exception domains in your app's Info.plist file. The syntax for the Info.plist configuration looks like this: <key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>yourserver.com</key> <dict> <!--Include to allow subdomains--> <key>NSIncludesSubdomains</key> <true/> <!--Include to...

SSL operation failed with code 1: dh key too small

php,codeigniter,ssl,mysqli,openssl

... error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small The error number you are interested in is the OpenSSL error 0x14082174. The SSL3_CHECK_CERT_AND_ALGORITHM is usually seen when enabling export grade ciphers. It may be showing up again in non-export grade negotiations due to Logjam (see below). I'm assuming DH Key is too...

Configure Apache web server to perform SSL authentication

linux,apache,security,ssl,xampp

Bitnami developer here, In XAMPP the SSL configuration is located at /opt/lampp/etc/extras/httpd-ssl.conf file, where there is a default VirtualHost already configured in port 443, and you are trying to bind again the same port. Please, try to modify this file instead. You can check if there is any other process...

How to use the Comodo certificate in Web2py?

ssl,web2py

Finally got it working! It turns out to be the Web2py 'One step production deployment' script is not complete. It leaves out the 'SSLCertificateChainFile' option when it configures the Apache server. So by adding this line: SSLCertificateChainFile = path_to_your_ca-bundle_file Below the line 'SSLCertificateKeyFile /etc/apache2/ssl/self_signed.key' will do the work....

ssl certificate with and without www

apache,ssl

Usually, registries create certificates for your hostname and the domain above (see https://en.wikipedia.org/wiki/SubjectAltName). If the registry does not support this, then choose a different one.

Get RMI socket in RMI function?

java,ssl,rmi

You can't. You're in the server, and the socket created in your RMIClientSocketFactory is in the client. That part of the question doesn't make sense. You can however get hold of the socket created at your end by your RMIServerSocketFactory. It's a little fiddly, as you have to arrange to...

Redirecting http to https

apache,.htaccess,redirect,ssl,https

You can use this in your .htaccess file. Just replace example.com with your domain and all bases should be covered. <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_HOST} !^www\. [NC,OR] RewriteCond %{HTTPS} !^on RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L] </IfModule> ...

MAC OS X Pebble SDK 3.0 error building: Compilation error InverterLayer

python,ssl,pebble-watch,pebble-sdk,pebble-js

UPDATE: Solved it! PROBLEM: I read more about the new sdks that pebble has been updating and it seems that the new one deprecated the inverterLayer and some other functions that is why it wasn't compiling. FIX: What I did is I went on to the examples page on the...

Firefox and SSL pages - takes very long on certain sites [closed]

firefox,ssl,browser,ssl-certificate

Don't know why, but I removed the file cert8.db from within the profile folder, now it works again.

Perl, LWP “certificate verify failed” with paypal.com

perl,ssl,paypal,lwp,lwp-useragent

Mozilla::CA 20141217 (note: I've tried the script both using Mozilla::CA and without it... results have been the same) In short: I don't know what "without it" means for RHEL6 but please try again with Mozilla::CA 20130114 or with the "older ca-bundle" linked from http://curl.haxx.se/docs/caextract.html. Details: The certificate chain you...

Use python to access a site with PKI security

python,python-2.7,ssl,urllib2,pki

I created a PKI handler to handle the requests so I can use it work urllib2 library. import httplib, urllib2 class HTTPSClientAuthHandler(urllib2.HTTPSHandler): def __init__(self, key, cert): urllib2.HTTPSHandler.__init__(self) self.key = key self.cert = cert def https_open(self, req): #Rather than pass in a reference to a connection class, we pass in #...

Is Nginx + Node.js + Socket.io + SSL possible?

node.js,ssl,nginx,socket.io

Ok, it turned out it was an issue with socket.io's namespaces in node.js code. More info here: http://socket.io/docs/rooms-and-namespaces Here's a working example of the server var app = require( 'express' )(); var http = require( 'http' ).Server( app ); var io = require( 'socket.io' )( http ); var nsp =...

Wildcard SSL - Which to choose and what are the key differences?

ssl,https,certificate,ssl-certificate

The main things to consider when purchasing a wildcard certificate are: If you want the certificate to support the domain itself (e.g., domain.com) in addition to subdomains (*.domain.com), then make sure that the wildcard vendor you choose supports Subject Alternative Name extension. Before you buy, make sure you know who...

SSLV3_ALERT_HANDSHAKE_FAILURE with SNI using Tornado 4.2 in Python 2.9.10

python,python-2.7,ssl,tornado,sni

It is very hard to tell without having more information about the server, but I'll try: OpenSSL 0.9.8zd 8 Jan 2015 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) You are restricting the protocol to TLS 1.0. It might be that the server expects TLS 1.2 or TLS 1.1 or SSL 3.0. Note that TLS...

Ruby on Windows XP: How to change directory of SSL certificates

ruby,ssl,directory,certificate

Like this, but you get a warning because you overwrite a constant OpenSSL::X509::DEFAULT_CERT_FILE = 'C:/Users/Gebruiker/cert.pem' puts OpenSSL::X509::DEFAULT_CERT_FILE or like this ENV['SSL_CERT_FILE']="C:/users/username/cert.pem" #make sure a correct certificate is there In both cases followed by http.use_ssl = true You can download a valid .pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to with...

Server Authentication in Swift 2.0 & XCode 7 broken

ios,swift,ssl,swift2

Your simulator is most likely running iOS 9 then. In iOS 9, TLS 1.2 is enforced. If you're not using it, your requests will fail. Check out this post for more info. You can bypass it by putting this in your Info.plist: <key>NSAppTransportSecurity</key> <dict> <!--Include to allow all connections (DANGER)-->...

How to configure wildfly to use https with ClientBuilder in resteasy?

java,ssl,jax-rs,resteasy,wildfly

"Do we have to generate keystores ourselves?" Yes. You need to generate one for the Server and a Trust store (which is just a key store, but we just call it a trust store to differentiate it). See SSL setup guide in the Wildfly documentation. It will show you...

Wildcard SSL on several servers - seems OK when tested but red in Chrome

ssl,apache2.4

There are several tools available to test whether your website has a SHA1 or SHA2 certificate. https://www.sha2sslchecker.com/ https://shaaaaaaaaaaaaa.com/ You can also check it manually. Browse the site in Chrome. Click on the green padlock. Click on "certificate information" under the "connection" tab. Click on the "Details" tab, where you can find the secure hash algorithm:...

“tlsv1 alert internal error” during handshake

php,ssl,openssl

These two are a bad combination: -cipher ECDHE-ECDSA-AES128-GCM-SHA256 And: error:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_clnt.c OpenSSL 0.9.8 does not have full EC support. And it does not support TLS 1.1 or 1.2. To get the AEAD cipher suites, you need to use TLS 1.2. That means you need OpenSSL 1.0.0 or above (IIRC). OpenSSL 1.0.1...

Another nginx reverse proxy issue

ssl,nginx,reverse-proxy

The config below should do a similar redirect as you mentioned without entering a loop: upstream my_upstream_server { server 10.20.30.40:12345; } server { server_name ssl-enabled.example.com; listen 443 ssl; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; location /upstream { proxy_pass http://my_upstream_server/; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP...

How to add a SSL certificate after running Web2py 'one step production deployment'

python,linux,ssl,web2py

If you look into the one-step-production-deployment script, you can see that it generated a self-signed cert: echo "creating a self signed certificate" echo "==================================" openssl genrsa 1024 > /etc/apache2/ssl/self_signed.key chmod 400 /etc/apache2/ssl/self_signed.key openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/apache2/ssl/self_signed.key > /etc/apache2/ssl/self_signed.cert openssl x509 -noout -fingerprint -text <...