Create OpenSSL certificates signed by myself
c++,ssl,boost,openssl,ssl-certificate
Your signing certificate has no rights to sign, because it has not the CA flag set. Signing will still work, but verification will fail. Since there are already lots of guides on the internet which will show in detail how to do it right so you might just look here...
Java - Standalone SSL Web Service - JAX-WS, JRE, no web server
Try SSLContext ssl = SSLContext.getInstance("TLSv1.2"); SSLv3 is known to be vulnerable nowerdays and your browser probably won't accept a server configured like this. Another option try curl with -koption to connect to the server....
Self-signed Certificate and Client Keystore for SSL Authentication
java,ssl,certificate,keystore,keytool
Not an answer yet, but getting too complicated for comments so I'll give a start and edit later. Should (SSL/TLS) server(s) and client(s) share a key (and cert)? Okay for development and maybe test, varies for production. As a general rule every independent system that needs to be authenticated should...
serving GAE applications over http
There two things you've missed from docs: Google Cloud Endpoints requires SSL. If you need to access your backend API in a system not supporting SSL, you'll need to either update the system to support SSL or use a proxy. and Google Cloud Endpoints does not support custom domains. See...
Is Nginx + Node.js + Socket.io + SSL possible?
Ok, it turned out it was an issue with socket.io's namespaces in node.js code. More info here: http://socket.io/docs/rooms-and-namespaces Here's a working example of the server var app = require( 'express' )(); var http = require( 'http' ).Server( app ); var io = require( 'socket.io' )( http ); var nsp =...
wget ssl alert handshake failure
It works from here with same OpenSSL version, but a newer version of wget (1.15). Looking at the Changelog there is the following significant change regarding your problem: 1.14: Add support for TLS Server Name Indication. Note that this site does not require SNI. But www.coursera.org requires it. And if...
First authentification in order to get token
1 - it is not true that passwords don't have to be encrypted on HTTPS. The best approach would be your server encrypting the plain password just received and then try to authenticate the user, generating a token. This token should only last during this connection. 2 - yes, post...
Failing mutual auth on Android w/ javax.net.ssl.SSLHandshakeException: Handshake failed
java,android,ssl,openssl,mutual-authentication
I never put the client cert in the KeyManager: KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509"); kmf.init(keystore, "password".toCharArray()); sslContext.init(kmf.getKeyManagers(), new TrustManager[]{tm}, null); ...
Nodejs https request UNABLE_TO_GET_ISSUER_CERT_LOCALLY
There is a reason for SSL. Besides other features, it authenticates that you are really communicating with the server identified by private.service.com hostname. Otherwise your client software can be cheated by a Man-in-the-Middle attack. First when anyone encounters this issue, they should update system root SSL certificates. In Debian they...
NPM Error: self signed certificate in certificate chain
One little FYI first : if you just want to learn AngularJS, maybe it's not the best way to start with TypeScript. If it's the case for you, try the tutorial on angularjs.org, which use JavaScript and angular-seed. Anyway, if you want to use tsd, you have to edit your...
Get RMI socket in RMI function?
You can't. You're in the server, and the socket created in your RMIClientSocketFactory is in the client. That part of the question doesn't make sense. You can however get hold of the socket created at your end by your RMIServerSocketFactory. It's a little fiddly, as you have to arrange to...
How to configure wildfly to use https with ClientBuilder in resteasy?
java,ssl,jax-rs,resteasy,wildfly
"Do we have to generate keystores ourselves?" Yes. You need to generate one for the Server and a Trust store (which is just a key store, but we just call it a trust store to differentiate it). See SSL setup guide in the Wildfly documentation. It will show you...
How to add a SSL certificate after running Web2py 'one step production deployment'
If you look into the one-step-production-deployment script, you can see that it generated a self-signed cert: echo "creating a self signed certificate" echo "==================================" openssl genrsa 1024 > /etc/apache2/ssl/self_signed.key chmod 400 /etc/apache2/ssl/self_signed.key openssl req -new -x509 -nodes -sha1 -days 365 -key /etc/apache2/ssl/self_signed.key > /etc/apache2/ssl/self_signed.cert openssl x509 -noout -fingerprint -text <...
SSL/TLS: Why will the server be the only one to be able to decrypt the encrypted number if it's a public key?
Because it's public-private key encryption, not symmetric encryption. The plaintext is encrypted to cipher text with the public key and decrypted back to the plaintext with the private key. Trying to decrypt that ciphertext with the public key doesn't work.
Particular URL redirect to http if request come from particular host
apache,http,mod-rewrite,ssl,url-rewriting
You should add another RewriteCond to exclude redirect for this IP: RewriteCond %{SERVER_PORT} =80 RewriteCond %{REMOTE_ADDR} !=10.1.2.3 RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L] ...
Java client certificates and keystores
java,ssl,https,ssl-certificate
My understanding is that if you have to store a certificate with an alias matching the target domain name (in our case i.domain.io or r.domain.io) so java can provide the associated certificate as a client certificate when you are attempting a SSL connection to that domain e.g. https://r.domain.io That's...
Connecting via mutual SSL fails reading incoming changeCipherSpec
ssl,ssl-certificate,jscript,chilkat,mutual-authentication
So it turns out that despite the sender insisting several times that the certificate was correct, and despite them insisting (when asked) that the email encoding had not stripped any characters, it turns out the certificate was incorrect and the email encoding had stripped some characters from the body text....
Redirecting http to https
apache,.htaccess,redirect,ssl,https
You can use this in your .htaccess file. Just replace example.com with your domain and all bases should be covered. IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_HOST} !^www\. [NC,OR] RewriteCond %{HTTPS} !^on RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L] </IfModule> ...
Meteor mupx ssl configuration is not working, still routing to port 80
You're welcome! I initially forgot to post it here too. We all need recognition when we can get it, thanks. I found this quote somewhere, sounds like a starting point to check...I n your EC2 control panel, look at your instance and note the Security Group that is assigned to...
SSL certificate is not installing
You did not generate the certificate request via IIS Manager. Thus, you should not use IIS to complete the request. Instead, you need to use OpenSSL to generate a PFX file, create a pfx file from a .cer and a .pem file Then you can import it to IIS....
Problems generating a self-signed 1024-bit X509Certificate2 using the RSA AES provider
c#,.net,ssl,encryption,x509certificate2
The problem is with CryptGenKey function call. In the Algid parameter, you should pass either 0x1 (for RSA key exchange) or 0x2 (RSA digital signature). You don't need other values. And key length value should be 0x4000001 (with exportable key). Also, I noticed that you pass incorrect provider type when...
Perl, LWP “certificate verify failed” with paypal.com
perl,ssl,paypal,lwp,lwp-useragent
Mozilla::CA 20141217 (note: I've tried the script both using Mozilla::CA and without it... results have been the same) In short: I don't know what "without it" means for RHEL6 but please try again with Mozilla::CA 20130114 or with the "older ca-bundle" linked from http://curl.haxx.se/docs/caextract.html. Details: The certificate chain you...
How does DNS server know the IP address of an SSL's URL?
When you enter an URL in your browser the DNS server is asked for the URL's IP first by your system, before even connecting to the server. So SSL is not even in the game at this point. SSL encrypts between the client (e.g. your browser) and the server, but...
Enabling SSL on an AWS EC2 instance
apache,ssl,amazon-web-services,amazon-ec2
Great. The error messages helped. You're missing two lines: SSLCertificateFile /directory/to/file.crt SSLCertificateKeyFile /directory/to//file.key Here's a howto on configuring SSL on Apache....
HTTP to HTTPS mapping using proxy servers
this should be easy with apache. in your virtual host add ProxyPass /myapp https://somehost.com/myapp ProxyPassReverse /myapp https://somehost.com/myapp then you can use yourinternalhost.company.com/myapp/ then watch your error log about SSLProxyCheck* messages (depends on the ssl certificate) see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeercn mod_proxy: httpd.apache.org/docs/2.4/mod/mod_proxy.html (see proxyremote for using another (corporate) proxy...
Client certificate authentication
authentication,ssl,https,ssl-certificate,x509
I've to break down your question into two parts. Part one: Let's say a hacker X sends a CA issued certified to the server as part of handshake. Then server would automatically trust it and grant access. If X aquires the client certificate of an authentic client then that's ok....
Use python to access a site with PKI security
python,python-2.7,ssl,urllib2,pki
I created a PKI handler to handle the requests so I can use it work urllib2 library. import httplib, urllib2 class HTTPSClientAuthHandler(urllib2.HTTPSHandler): def __init__(self, key, cert): urllib2.HTTPSHandler.__init__(self) self.key = key self.cert = cert def https_open(self, req): #Rather than pass in a reference to a connection class, we pass in #...
Expected Compatibility Issues with upcoming TLS/SSL Cipher Suite update on Azure WebApps?
We have repeated our tests today and IE7 and IE8 on XPSP3 now pass the client test at https://testsslclient.trafficmanager.net. We assume the implementation of the TLS/SSL cipher suit has been updated to allow for this now......
Call to SOAP WebService using client certificate in objective c
objective-c,web-services,ssl,soap,client-certificates
I'll answer my own question because no one did and i've already found the solution. First of all, you need to save the certificate in the project's directory. Drag and drop the certificate from it's folder to the directory of the project in Xcode. Select "copy" and yes to the...
How do you unblock the 993 port if your firewall settings is blocking it?
You can find the answer here which is already asked on Stackoverflow. Make sure that the mailbox you are trying to connect is IMAP. PS. It doesn't look like firewall issue to me...
Same system, same code, different behaviors: The request was aborted: Could not create SSL/TLS secure channel
c#,wcf,ssl,windows-services,windows-applications
I found Windows Service's permission settings in Properties window's Log On tab, changed account from Local System to My User Account (Logged In User) and it works like a charm.
Starting a tls communication with python asyncio
Unfortunately, up to python 3.5 there is not standard way to do it! As of python 3.5, there is a new thing called MemoryBIO within ssl module with which you can wrap your socket for TLS. You have a couple of options here: Use Python traditional (sync) socket and loop.executor...
Getting SSL related error against my request to Ejabberd
android,sockets,ssl,erlang,ejabberd
Here is how you can go about it. I work on the sandbox environment and after a bit of patching, i could make it work. Follow the patching done here: http://erlang.org/pipermail/erlang-questions/2015-June/084868.html You would be required to make changes in ssl_cipher.erl and ssl_handshake.erl files. These 2 files are a part of...
SecKeyRawVerify verifies on mac but fails with -9809 on iOS
ios,osx,ssl,cryptography,commoncrypto
Well after some experimenting with sign/verify, I've found out that changing padding agreement to SecKeyRawVerify/SecKeyRawSign from kSecPaddingPKCS1SHA1 to kSecPaddingPKCS1, solves my problem. Don't know why it doesn't work with kSecPaddingPKCS1SHA1, there is not deprecations described in Apple's documentation. Also I didn't try this code on iOS different from 8.3 so...
Firefox and SSL pages - takes very long on certain sites [closed]
firefox,ssl,browser,ssl-certificate
Don't know why, but I removed the file cert8.db from within the profile folder, now it works again.
X.509 versus Whte Listing Authentication
security,ssl,amazon-web-services,https,x509
Ok, I figured out the answer. I found an excellent webpage by Maxim Porges that explained everything that I needed, http://www.maximporges.com/2009/11/18/configuring-tomcat-ssl-clientserver-authentication/ Yes, I can authenticate both the server and client. No code changes are needed on the server side. I just need to place the client certificate in the server...
Problems connecting via HTTPS/SSL through own Java client
java,ssl,https,sslhandshakeexception
According to https://www.ssllabs.com, the server supports cipher suites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA They are listed as "unavailable cipher suite" as you can see in the debug messages. In the JRE/lib/security/local_policy.jar, we see // Some countries have import limits on crypto strength. This policy file // is worldwide importable....
Websocket SSL connection
javascript,node.js,ssl,websocket
The https module is rejecting your self-signed cert (as one would hope). You can force it to stop checking by passing a rejectUnauthorized: false option (which WebSocket will pass down to https): var ws = new WebSocket('wss://localhost:15449/', { protocolVersion: 8, origin: 'https://localhost:15449', rejectUnauthorized: false }); ...
CFNetwork SSLHandshake failed iOS 9 Beta 1
iOS 9 and OSX 10.11 require TLSv1.2 SSL for all hosts you plan to request data from unless you specify exception domains in your app's Info.plist file. The syntax for the Info.plist configuration looks like this: <key>NSAppTransportSecurity</key> <dict> <key>NSExceptionDomains</key> <dict> <key>yourserver.com</key> <dict> <!--Include to allow subdomains--> <key>NSIncludesSubdomains</key> <true/> <!--Include to...
SMTP ports - SSL vs non-SSL
It may be possible to encrypt all traffic with SASL as they say, but the distinction is academic because PHPMailer doesn't support SASL for either authentication or any subsequent traffic, but does support SSL and TLS. So if you're using PHPMailer to send to them and you're not using SSL...
Now that SSLSocketFactory is deprecated on Android, what would be the best way to handle Client Certificate Authentication?
Apparently, there are two SSLSocketFactory classes. HttpClient has its own one, and that is deprecated along with the rest of HttpClient. However, everybody else will be using the more conventional javax.net.ssl edition of SSLSocketFactory, which is not deprecated (thank $DEITY).
mod_rewrite to force ssl in apache24
I don't think it will work, it will ask for the authorization before the redirect to SSL. Instead you could put the Auth directives in a VirtualHost block corresponding to the SSL port (443). Also you don't really need mod_rewrite, but a simple Redirect directive. <VirtualHost *:80> ServerName www.domain.com Redirect...
Nginx HTTPS issue to redirect from www to non-www
My issue has been resolved by doing modifications below, answering this as it might help someone else: Removed ssl_certificate and ssl_certificate_key from default_server block. Removed URL overwriting from SSL server block. Added ssl_protocols and ssl_ciphers to SSL server block The configuration look like below after modification: upstream unicorn { server...
How to make a website work only with https [duplicate]
Sure, assuming you are using IIS to host your site, open IIS Manager and select your web site and then binding on the right: make sure you only have a binding for https not for http. This way IIS will only send https traffic to that web site. Edit: What...
zsh: no matches found: requests[security]
python,security,python-2.7,ssl,python-requests
zsh uses square brackets for globbing / pattern matching. That means that if you need to pass literal square brackets as an argument to a command, you either need to escape them or quote the argument like this: pip install 'requests[security]' If you want to disable globbing for the pip...
Spring Boot SSL Client
spring,rest,ssl,spring-boot,ssl-certificate
I could not get the above client submitted by Andy to work. I kept getting errors saying that "localhost != clientname". Anyways, I got this to work correctly. import java.io.IOException; import org.apache.commons.httpclient.HttpClient; import org.apache.commons.httpclient.HttpException; import org.apache.commons.httpclient.URI; import org.apache.commons.httpclient.methods.GetMethod; public class SSLClient { static { System.setProperty("javax.net.ssl.trustStore","c:/apachekeys/client1.jks");...
Roundcube - Nginx does not redirect to .php file automatically
Solved. Here's the configuration that works for me: server { listen 80; server_name example.org; return 301 https://$server_name$request_uri; } server { listen 80; server_name www.example.org; return 301 https://$server_name$request_uri; } server { listen 443 ssl; ssl on; server_name example.org; root /var/www/soon; server_tokens off; ssl_certificate /etc/ssl/certs/example.org.certchain.crt; ssl_certificate_key /etc/ssl/private/example.org.key; ssl_session_cache shared:SSL:20m; ssl_session_timeout 10m; ssl_protocols...
Is it possible to use PROTOCOL_TLSv1_2 in python 3.2.5?
From https://docs.python.org/3/library/ssl.html: ssl.PROTOCOL_TLSv1_2 ...Available only with openssl version 1.0.1+. New in version 3.4. So you need to upgrade to get this option. You might try PROTOCOL_SSLv23 which offers the best protocol version the client can do in a backward compatible way. But lots of servers which are configured to allow...
Ruby on Windows XP: How to change directory of SSL certificates
ruby,ssl,directory,certificate
Like this, but you get a warning because you overwrite a constant OpenSSL::X509::DEFAULT_CERT_FILE = 'C:/Users/Gebruiker/cert.pem' puts OpenSSL::X509::DEFAULT_CERT_FILE or like this ENV['SSL_CERT_FILE']="C:/users/username/cert.pem" #make sure a correct certificate is there In both cases followed by http.use_ssl = true You can download a valid .pem file from http://curl.haxx.se/ca/cacert.pem. Save this file to with...
MaxCDN - shared ssl - invalid certificate?
Nevermind I solved it myself. It turned out that the A-Record change (after disabling the full-site-cache) took time to be updated everywhere in the world (as usual) and people that were unfortunate to have still the old DNS-record ended up with a route over the CDN which caused the SSL-Certificate...
How to load SSL Certficate in Java
You can use Apache HttpClient (or just use the required classes from it to use SslContextBuilder, really), and then it'd be like so: SSLContextBuilder sslContextBuilder = SSLContextBuilder.create(); sslContextBuilder.loadTrustMaterial(new File("yourTrustStore.jks"), "thePassWord"); SSLContext sslContext = sslContextBuilder.build(); HttpsURLConnection httpsURLConnection = (HttpsURLConnection) (new URL("https://thesite.com").openConnection()); httpsURLConnection.setSSLSocketFactory(sslContext.getSocketFactory()); But you need to create a...
Subject Alternative Name not present in certificate
You can use: copy_extensions = copy under your CA_default section in your openssl.cnf. but only when you're sure that you can trust the extensions in the CSR as pointed out in this thread: http://openssl.6102.n7.nabble.com/subjectAltName-removed-from-CSR-when-signing-td26928.html See also: How can I generate a self-signed certificate with SubjectAltName using OpenSSL?...
How can i get Certificate issuer information in python?
Updated answer If you can establish a connection to the remote server you can use the ssl standard library module: import ssl, socket hostname = 'google.com' ctx = ssl.create_default_context() s = ctx.wrap_socket(socket.socket(), server_hostname=hostname) s.connect((hostname, 443)) cert = s.getpeercert() subject = dict(x[0] for x in cert['subject']) issued_to = subject['commonName'] issuer =...
Wildcard SSL - Which to chose and what is the key differences?
ssl,https,certificate,ssl-certificate
The main things to consider when purchasing a wildcard certificate are: If you want the certificate to support the domain itself (e.g., domain.com) in addition to subdomains (*.domain.com), then make sure that the wildcard vendor you choose supports Subject Alternative Name extension. Before you buy, make sure you know who...
How to set up a meteor server on https connection?
Deploy the app using Meteor Up which have built in SSL support. Or use common web server like Nginx or Apache, setup SSL and reverse proxy back to meteor app. Example: Nginx configuration server { listen 80; server_name www.example.com; rewrite ^ https://$server_name$request_uri? permanent; } server { listen 443 ssl ;...
Do I need an SSL certificate when using Paypal IPN on my site?
If you are not collecting credit/debit card info on your site, then no... you don't need SSL. It sounds like you are sending people to PayPal, who collects payment information, and PayPal then sends the user back to your site. If this is so... you don't need SSL.
Wildfly mysql with SSL
You will need to add the certificate to keystore to make an SSL connection.You can refer to the following links. Install SSL Certificate Create KEYSTORE-File from existing SSL-Certificate Then you can create a datasource with a SSL URL as demonstrated in the below sample in standalone.xml file. <datasource jndi-name="java:jboss/datasources/dbname" pool-name="poolname">...
Configure Apache web server to perform SSL authentication
linux,apache,security,ssl,xampp
Bitnami developer here, In XAMPP the SSL configuration is located at /opt/lampp/etc/extras/httpd-ssl.conf file, where there is a default VirtualHost already configured in port 443, and you are trying to bind again the same port. Please, try to modify this file instead. You can check if there is any other process...
Azure Web Test - Could not create SSL/TLS secure channel when using CloudFlare SSL
It sounds like the same issue discussed on https://social.msdn.microsoft.com/Forums/azure/en-US/ca6372be-3169-4fb5-870f-bfbea605faf6/azure-webapp-webjob-exception-could-not-create-ssltls-secure-channel?forum=windowsazurewebsitespreview. You may want to monitor that thread.
HibernateException: Could not instantiate dialect class when using HTTPS for GWT
When you use -server :ssl then you no longer use the AppEngineLauncher, so class loading is different; with a parent class loader using the classpath (AppEngine only uses WEB-INF/{classes,lib}); this is what causes the ClassCastException. Try removing your server dependencies from the DevMode classpath as a starting point; leaving them...
How do I accept a self-signed SSL certificate using iOS 7's NSURLSession
ios,swift,ssl,https,self-signed
Both connection:canAuthenticateAgainstProtectionSpace: and connection:didReceiveAuthenticationChallenge: are deprecated in iOS 8 anyway so you should use other methods. What I am using in my projects is a delegate method of NSURLSessionDelegate. Adhere to that protocol then add this method: func URLSession(session: NSURLSession, didReceiveChallenge challenge: NSURLAuthenticationChallenge, completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential!) -> Void) {...
python requests SSLError
Your version of python does not support SNI yet, which is needed to get the proper certificates on sites which have multiple certificates per IP address. Without SNI you get a certificate for *.google.com and others (see the error message), but none of these match the hostname android.clients.google.com because the...
.htaccess not redirecting web site to https
It doesn't appear that your .htaccess file is being read. So make sure you have AllowOverride All in your config. Also for your rules, I wouldn't use SERVER_NAME, that isn't always set and sometimes is not correct. I would either use HTTP_HOST variable or your actual domain name. You also...
https post request using httpClient and cert.em
As per the documentation on SSL properties javax.net.ssl.trustStoreType - (Optional) For Java keystore file format, this property has the value jks (or JKS). You do not normally specify this property, because its default value is already jks. Try setting javax.net.ssl.trustStoreType The exception you are getting is often thrown due to...
Openshift trustwave intermediate ssl cert issue
ssl,https,ssl-certificate,openshift
Ok solve it after lots of searching, and Trustwave still reports it as wrong but all browsers seem to accept it. So I got the main cert file (I was using my-domain.com.pem) copy and paste the contents into a new file (something like combined.pem) then open your intermediate file (chain.cer...
GET request throws error after app implemented SSL: Mixed Content: This request has been blocked; the content must be served over HTTPS"
angularjs,http,ssl,https,flask
It was a weird case that came down to removing a forward slash from the end of a URL fixing everything. Somehow, whenever we made a GET request using $http in Angular like baseurl + inventory.id + "/", it would make a http request but as soon as remove that...
Java 8 , JCE Unlimited Strength Policy and SSL Handshake over TLS
Try limiting the protocols to just TLSv1 using: -Djdk.tls.client.protocols=TLSv1 See this page for more details: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#descPhase2 Hope this helps, Yuri...
MAC OS X Pebble SDK 3.0 error building: Compilation error InverterLayer
python,ssl,pebble-watch,pebble-sdk,pebble-js
UPDATE: Solved it! PROBLEM: I read more about the new sdks that pebble has been updating and it seems that the new one deprecated the inverterLayer and some other functions that is why it wasn't compiling. FIX: What I did is I went on to the examples page on the...
Wildcard SSL on several servers - seems OK when tested but red in Chrome
There are several tools available to test your website having SHA1 or SHA2 certificate. https://www.sha2sslchecker.com/ https://shaaaaaaaaaaaaa.com/ You can also check it manually. Browse site in chrome. Click on the green padlock. Click on "certificate information" under the "connection" tab. Click on "Details" tab where you can find secure hash algorithm:...
Java does not accept 2 methods with same name
Your issue seems to be that createSocket(Socket, String, int, boolean) already exists in the super class you are extending (SSLSocketFactory). When extending a class in Java the methods in that super class become methods in the subclass (unless a method's scope does not allow it). Therefore when you add the...
How SignedXml.CheckSignature verify the certificate
It uses windows certificate store to build a certificate chain up to trusted root authority. When it is building the chain the method also verifies revocation status of the certificates (usually from CRLs of all authorities in the chain) to check if any of the certificates in the chain are...
Get SSLContext for default system truststore in Java(JSEE)
The javax.net.ssl.* system properties will affect the default SSLContext, the one used by SSLSocketFactory.getDefault() and the one returned by SSLContext.getDefault(), if you haven't used SSLContext.setDefault(...) using a custom context, that is. If you want to keep the ability to use the default truststore for some connections (not not the ones...
How to disable common name check in SSLContext in java?
java,ssl,jersey,jax-rs,ssl-certificate
If I'm understanding you correctly, I think you can accomplish what you are trying to do by implementing a HostnameVerifier, and just returning true in the verify method. You can set up the verifier on the ClientBuilder. For example Client client = ClientBuilder.newBuilder() .sslContext(sslContext) .hostnameVerifier(hostnameVerifier) .build(); ...
Server Authentication in Swift 2.0 & XCode 7 broken
Your simulator is most likely running iOS 9 then. In iOS 9, TLS 1.2 is enforced. If you're not using it, your requests will fail. Check out this post for more info. You can bypass it by putting this in your Info.plist: <key>NSAppTransportSecurity</key> <dict> <!--Include to allow all connections (DANGER)-->...
ssl certificate with and without www
Usually, registries create certificates for your hostname and the domain above (see https://en.wikipedia.org/wiki/SubjectAltName). If the registry does not support this, than choose a different one.
Meteor force-ssl on a staging system without ssl cert?
Found a solution. Someone wrote a force-ssl package for exactly this problem: https://atmospherejs.com/keyvan/my-force-ssl...
SSL operation failed with code 1: dh key too small
php,codeigniter,ssl,mysqli,openssl
... error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small The error number you are interested in is the OpenSSL error 0x14082174. The SSL3_CHECK_CERT_AND_ALGORITHM is usually seen when enabling export grade ciphers. It may be showing up again in non-export grade negotiations due to Logjam (see below). I'm assuming DH Key is too...
Rails, DNSimple, Heroku and SSL - do I need a certificate?
ruby-on-rails,ssl,heroku,dnsimple
I just went through this same scenario. The certificate you see in your herokuapp is the wildcard certificate issued for *.herokuapp.com. If you want to secure a custom domain name http://my-app-name.com, you would need to purchase and install your own wildcard certificate via DNSimple. ...
Authenticate with login.microsoftonline.com through PHP cURL (SSL connect error)
php,ssl,curl,dynamics-crm-2015
I suspect it might be an issue with your POST and Host values. Your successfully connecting to login.microsoftonline.com however the next step I believe is your organisation. I haven't played around with this stuff for a while however the values I have look like so:- POST /Organization.svc Host yourorganisation.api.crm5.dynamics.com Obviously...
Another nginx reverse proxy issue
The config below should do a similar redirect as you mentioned without entering a loop: upstream my_upstream_server { server 10.20.30.40:12345; } server { server_name ssl-enabled.example.com; listen 443 ssl; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; location /upstream { proxy_pass http://my_upstream_server/; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP...
Copied ssl cert to a test site, how do I remove it?
http,ssl,drupal,https,softlayer
https://www.drupal.org/https-information has some information on how to use SSL certs in drupal specifically. Since you didn't provide the actual error your browser is giving you, I'm going to guess its a domain name mismatch error (like this https://www.digicert.com/ssl-support/certificate-name-mismatch-error.htm ). Basically you will either need to access your site via the...
Issue with understanding keystore and ssl
Now he adds the server.cer to the clients-keystore and the clients.cer to the server's keystore. Wrong here. You should add the exported certificate to a truststore in each case. Export from server keystore to client truststore, client keystore to server truststore. That way the client can encrypt the plaintext...
Did google change/update related to vm ssl connections to Cloud SQL?
Solution to openssl auto update to 11 that breaks the ssl connection to cloudssl. The following command shows the openssl updates and version change that affected the gce CentOS 6.6 vm >> cloudsql ssl connection (8 works, 11 won't connect): grep -i openssl /var/log/yum.log Apr 02 03:34:00 Updated: openssl-1.0.1e-30.el6.8.x86_64 Apr...
Nginx redirect http subdomains to https
ubuntu,redirect,ssl,nginx,rewrite
Your web server is setup with Strict-Transport-Security max-age=16070400; includeSubdomains. This will tell the web browser to request your domain using https only. If you want the subdomain blog to be accessed through insecure http, you will need to remove includeSubdomains from the HTTP Strict Transport Security (HSTS) and use a...
How to create a private certificate for connecting to a website
apache,ssl,privatekey,digital-certificate,self-signed
It sounds like you want to use client-side SSL certificates for authentication. The Apache documentation covers this use case in some detail (that's for version 2.4; see here for version 2.2).
ArgumentError - unknown SSL method `TLSv1_2'
Instead of setting it inside the fog_credentials hash, try setting it afterwards on config itself with the following 2 lines: config.fog_authenticated_url_expiration = 600 config.fog_attributes = { ssl_version: :TLSv1_2 } ...
Getting SSLHandshakeException in java
java,eclipse,ssl,https,digital-certificate
If importing to keystore not resolving your issue.. as i was not able to resolve it. Then add following line of code. It worked for me. System.setProperty( "javax.net.ssl.keyStore", "D:\\G2B.p12" ); // The path to the .p12 file System.setProperty( "javax.net.ssl.keyStorePassword", "****" ); // The password of the p12 file System.setProperty( "javax.net.ssl.keyStoreType",...
“tlsv1 alert internal error” during handshake
These two are a bad combination: -cipher ECDHE-ECDSA-AES128-GCM-SHA256 And: error:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_clnt.c OpenSSL 0.9.8 does not have full EC support. And it does not support TLS 1.1 or 1.2. To get the AEAD cipher suites, you need to use TLS 1.2. That means you need OpenSSL 1.0.0 or above (IIRC). OpenSSL 1.0.1...
SSLV3_ALERT_HANDSHAKE_FAILURE with SNI using Tornado 4.2 in Python 2.9.10
python,python-2.7,ssl,tornado,sni
It is very hard to tell without having ore information about the server, but I'll try: OpenSSL 0.9.8zd 8 Jan 2015 context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) You are restricting the protocol to TLS 1.0. It might be that the server expects TLS 1.2 or TLS 1.1 or SSL 3.0. Note that TLS...
How to use the Comodo certificate in Web2py?
Finally got it working! It turns out to be the Web2py 'One step production deployment' script is not complete. It leaves out the 'SSLCertificateChainFile' option when it configures the Apache server. So by adding this line: SSLCertificateChainFile = path_to_your_ca-bundle_file Below the line 'SSLCertificateKeyFile /etc/apache2/ssl/self_signed.key' will do the work....
SSL Handshake in Java Servlet (HttpsURLConnection)
So, whenever SSL connection is established it tries to verify the server name with the host name in certificate. In this case, since it is self signed it may not be having any server name mostly. What you need to do is write a implementation of javax.net.ssl.HostnameVerifier and assign to...
How can I edit the list of cipher suite in Java using Bouncy Castle
java,ssl,cryptography,bouncycastle
How can I edit the list of cipher suite in Java using Bouncy Castle See Which Cipher Suites to enable for SSL Socket? and use SSLSocketFactoryEx. Its a drop-in replacement for Java's SSLSocketFactory If you don't want to use SSLSocketFactoryEx, then rip the code to find the intersection of...
How can we improve SSL handshake to increase the security?
security,ssl,encryption,server,cl
I'm not sure that you quite have this right. The connection is supposed to be: client <--> server The client knows that it's talking to the server due to the SSL handshake and validation of the server certificate. Your question is what would happen if: client // MiTM <--> server...