SSL certificate issue with WLS 10.3

Hi All,
I am facing this issue with my WLS cluster.
<21-Apr-2010 10:42:00 o'clock BST> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from system.core.com - 10.15.135.30. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
<21-Apr-2010 10:42:00> <Warning> <Uncaught exception in server handler: javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was received from system.core.com - 10.15.135.30. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
Please suggest. I have also tried the below settings.
Node Manager:
-Dweblogic.nodemanager.sslHostNameVerificationEnabled=false
Admin Server:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
Many thanks in advance.

Hi Sandip,
I am facing this issue right after I configured the listen address in Machine (NodeManager) to my system IP; earlier it was "localhost".
Also I have tried to generate the certificates e.g.
C:\bea\wlserver_10.3\server\bin>java utils.CertGen -cn system.core.com -keyfilepass DemoIdentityPassPhrase -certfile mycertificate -keyfile .keystore
Generating a certificate with common name system.core.com and key strength 1024
issued by CA with certificate from C:\bea\WLSERV~1.3\server\lib\CertGenCA.der file and key from C:\bea\WLSERV~1.3\server\lib\CertGenCAKey.der file
C:\bea\wlserver_10.3\server\bin>java utils.ImportPrivateKey -keystore DemoIdentity.jks -storepass DemoIdentityKeyStorePassPhrase -keyfile .keystore.pem -keyfilepass DemoIdentityPassPhrase -certfile mycertificate.pem -alias demoidentity
No password was specified for the key entry
Key file password will be used
Imported private key .keystore.pem and certificate mycertificate.pem
into a new keystore DemoIdentity.jks of type jks under alias demoidentity
Tried the above but not working. Please advise.
Edited by: R Vashi on 21-Apr-2010 03:38
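Added example, not part of R Vashi's post and not WebLogic's own hostname verifier: the check a hostname verifier performs when it compares the name or IP literal the client connected to (for a Node Manager, the Machine listen address) against the names in the server certificate. It applies the generic RFC 6125 rules: subjectAltName entries win when present, otherwise the subject commonName is used, and an IP literal only ever matches an IP Address SAN entry. The two certificate dictionaries are constructed in the layout of Python's ssl.getpeercert() using the names from the log above; they are not real certificates.

```python
"""Added example (not from the original post): how a hostname verifier
decides whether a server certificate matches the address a client used.

Rules (RFC 6125): if the certificate carries a subjectAltName, only SAN
entries are considered; otherwise the subject commonName is used.
DNS names compare case-insensitively, one left-most wildcard label is
allowed, and an IP literal must appear as an "IP Address" SAN entry.
The certificate dictionaries are constructed in the shape returned by
ssl.SSLSocket.getpeercert() and are not real certificates."""
import ipaddress


def dns_match(pattern, hostname):
    """Match one DNS name from the certificate against the hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole left-most label may be a wildcard, it needs at least two
    # fixed labels after it, and it never spans label boundaries
    # (*.core.com matches system.core.com but not a.system.core.com).
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (dns_names, ip_names) that the verifier will use for this cert."""
    san = cert.get("subjectAltName", ())
    if san:
        dns = [v for k, v in san if k == "DNS"]
        ips = [v for k, v in san if k == "IP Address"]
        return dns, ips
    # No SAN: fall back to the commonName values of the subject RDN sequence.
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cn, []


def match_hostname(cert, address):
    """True if the certificate is valid for the address the client used.
    address may be a DNS name or an IP literal (e.g. a listen address)."""
    dns_names, ip_names = cert_names(cert)
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an IP Address SAN entry; a CN that
        # happens to contain the dotted quad is not accepted.
        return any(ipaddress.ip_address(i) == ip for i in ip_names)
    return any(dns_match(p, address) for p in dns_names)


# Constructed certificates (layout of ssl.getpeercert(), not real certs):
CN_ONLY_CERT = {
    "subject": ((("commonName", "system.core.com"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "system.core.com"),),),
    "subjectAltName": (("DNS", "system.core.com"), ("IP Address", "10.15.135.30")),
}

if __name__ == "__main__":
    for addr in ("system.core.com", "10.15.135.30", "localhost"):
        print(addr, "CN-only:", match_hostname(CN_ONLY_CERT, addr),
              "with SAN:", match_hostname(SAN_CERT, addr))
```

Run as a script it shows that a certificate carrying only CN=system.core.com matches a connection made to system.core.com but not one made to 10.15.135.30; the IP is accepted only once it is present as an IP Address subjectAltName. The ignoreHostnameVerification and sslHostNameVerificationEnabled switches quoted above only disable this check in the process they are set on; the BEA-090482 message itself says the BAD_CERTIFICATE alert was sent by the peer that rejected the chain, so the peer's trust store and verifier settings are where the rejection has to be diagnosed.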

Similar Messages

  • When accessing Intranet sites that use SSL Certificates issued by our internal PKI, FF for Windows give an error of "improperly formatted DER-encoded message"

    When accessing Intranet sites that have SSL Certificates issued by our internal PKI, FF for Windows gives an error message - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
    Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.

    Hi Guigs2,
    From the other post you link to, I can confirm that both the Root and Subordinate CA have been commissioned with the:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
    registry key set. As can be seen above, the Signature algorithm on an issued certificate is RSASSA-PSS. This has been Microsoft's suggested deployment IF you do not wish to support either XP or Windows 2003 machines and lower. In fact, I believe the option has been around since Windows 2008, however, there were of course, a lot more XP machines back then.
    The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added for Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not want to necessarily open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla:pkix?
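Added example, not Mozilla's or Microsoft's code and not part of the thread: a minimal DER walker that pulls the signatureAlgorithm OID out of a certificate and reports whether it is RSASSA-PSS (1.2.840.113549.1.1.10), the algorithm the AlternateSignatureAlgorithm setting discussed above selects. This is the quickest way to confirm, from a certificate file rather than from CA configuration, which signature algorithm a given issued certificate actually carries. The sample certificates are constructed skeletons (empty tbsCertificate, dummy signature) built by the helpers at the bottom; they exercise only the outer Certificate structure and are not valid certificates.

```python
"""Added example (not Mozilla's or Microsoft's code): read the
signatureAlgorithm OID from a DER-encoded X.509 certificate with a minimal
TLV walker and report whether it is RSASSA-PSS.

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }

The sample certificates produced by sample_cert() are constructed
skeletons (empty tbsCertificate, dummy signature), not valid certificates."""

RSASSA_PSS = "1.2.840.113549.1.1.10"
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"

SEQUENCE, OID, BIT_STRING = 0x30, 0x06, 0x03


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos. Returns (tag, content_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def _expect(buf, pos, tag):
    """Read the TLV at pos and insist on a specific tag."""
    got, content, nxt = _read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (tag, got))
    return content, nxt


def decode_oid(content):
    """Turn OID content octets into dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm."""
    body, _ = _expect(cert_der, 0, SEQUENCE)       # Certificate
    _, pos = _expect(body, 0, SEQUENCE)            # tbsCertificate (skipped)
    alg, pos = _expect(body, pos, SEQUENCE)        # AlgorithmIdentifier
    _expect(body, pos, BIT_STRING)                 # signatureValue must follow
    oid, _ = _expect(alg, 0, OID)                  # parameters, if any, follow
    return decode_oid(oid)


def is_rsassa_pss(cert_der):
    return signature_algorithm(cert_der) == RSASSA_PSS


# --- DER builders, used only to construct the sample input -----------------
def tlv(tag, content):
    """Encode one TLV with a short- or long-form DER length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID as a complete OID TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def sample_cert(alg_oid, params=b""):
    """Constructed skeleton: empty tbsCertificate, given algorithm, dummy signature."""
    alg_id = tlv(SEQUENCE, encode_oid(alg_oid) + params)
    sig = tlv(BIT_STRING, b"\x00" + b"\xAA" * 200)  # long enough for long-form length
    return tlv(SEQUENCE, tlv(SEQUENCE, b"") + alg_id + sig)


if __name__ == "__main__":
    for name, oid in (("sha256WithRSAEncryption", SHA256_WITH_RSA), ("RSASSA-PSS", RSASSA_PSS)):
        der = sample_cert(oid)
        print(name, signature_algorithm(der), "PSS:", is_rsassa_pss(der))
```

On a real certificate, call signature_algorithm(open("cert.der", "rb").read()); for a PEM file, base64-decode the body between the BEGIN/END lines first. A real RSASSA-PSS AlgorithmIdentifier also carries a parameters SEQUENCE (hash, MGF, salt length) after the OID, which the walker tolerates because it only reads the first element.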

  • We are having issues with WLS 5.1   pdf   SSL

    We are running IE 5.0 and above browser with our application and the server is Weblogic 5.1. We are having issues with a generated pdf being sent down from the server using the response outputStream in an SSL connection. We tried setting the content type before getting the outputstream. IE comes back with a dialog for download. When we select either of the options IE comes back with "Unable to download <url> from <server>". We are using WLS 5.1 service pack 6. Any help will be greatly appreciated

    I tried this option, but did not help. We have two weblogic servers on different
    machines. One works fine in downloading pdf file over https, but not the other.
    The error we are getting after selecting it to save it to a file:
    IE cannot download xx.pdf from www.xxx.com
    From the link, when we say "save target as", we get a different error as:
    This file could not be written to cache.
    Someone suggested to pass "pragma: public" or "pragma: no-cache" in the header.
    But we are just simply serving it as a file, neither from servlet nor from jsp.
    So I suspect it has something to do with our weblogic proxy or security configuration.
    Any ideas/help is much appreciated.
    Thanks
    Jayashree Raghavan <[email protected]> wrote:
    >If you ever have a similar problem it might help to check in browser
    >settings.
    >In IE goto tools/internet options/
    >Goto advanced Tab
    >go down to Security.
    >Uncheck the "do not save encrypted pages to disk".
    >This will make downloading a pdf work in ssl.
    >
    >
    >Jayashree Raghavan wrote:
    >
    >> We resolved this problem thanks to Maxim, by commenting out the code
    >that sends to the browser not to cache these pdf files. response.setHeader("Pragma",
    >"no-cache");
    >

  • DS 6: SSL certificate mapping with subject/issuer containing (")

    Hello,
    I got my personal test certificate from VeriSign, with an issuer: CN=VeriSign Class 1 Individual Subscriber CA - G2, OU=Persona Not Validated, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    The subject of the certificate ends with: ...OU=Digital ID Class 1 - Netscape, OU=Persona Not Validated, OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."
    My certmap.conf looks like:
    certmap VeriSign [issuerDN]
    VeriSign:FilterComps cn
    VeriSign:verifycert on
    VeriSign:CmapLdapAttr certSubjectDN
    The question is what's the valid form of these strings containing (") in certmap.conf ([issuerDN]) to match the issuer and in certSubjectDN attribute - assuming it follows DirectoryString syntax. Note that they surround strings containing comma (,).
    I see in logs:
    conn=1 op=-1 msgId=-1 - SSL 128-bit RC4; client *OU=Digital ID Class 1 - Netscape,OU=Persona Not Validated,OU=\22www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98\22,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22; issuer CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22,C=US
    I tested configuration against cert strings from logs, but they don't work. Strings containing (") also don't work.
    Did anyone face the same issue?
    Thanks for help in advance.

    The DN normalized version of O="Verisign, Inc." is O=Verisign\, Inc.
    You may want to try this. But I must admit that I've never tried to do certificate mapping with quotes.
    The certificate mapping functionality hasn't changed since the Netscape DS 4 code when Sun and Netscape started to work together.
    Ludovic.
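Added example, not part of Ludovic's reply and not the certmap code of Directory Server: a small DN parser that accepts both spellings seen in this thread, the RFC 2253 quoted form (O="VeriSign, Inc.") and the backslash-escaped form, and emits one canonical RFC 4514 string (O=VeriSign\, Inc.) so that an issuer or subject DN can be compared regardless of how it was written. The DN strings are the ones quoted above. One assumption is labelled in the code: the \22 sequences in the access log line are taken to be the log's rendering of the quote characters of the quoted form, since the comma inside that OU is not itself escaped there. How certmap.conf tokenizes its own [issuerDN] header is not reproduced here.

```python
"""Added example (not from the thread or from Directory Server): parse an
LDAP DN written in either the RFC 2253 quoted form or with RFC 4514
backslash escapes (including \XX hex pairs) and emit one canonical form,
so two spellings of the same DN compare equal.

Limitation: multi-valued RDNs ('+') are rejected rather than handled."""

SPECIAL = set(',+"\\<>;')


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...], most specific RDN first."""
    pairs, buf, key, in_quotes = [], [], None, False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in SPECIAL or nxt in "# ":
                buf.append(nxt)                     # escaped special character
                i += 2
                continue
            if i + 2 < len(dn):                     # \XX hex pair, e.g. \2c for ','
                try:
                    buf.append(chr(int(dn[i + 1:i + 3], 16)))
                    i += 3
                    continue
                except ValueError:
                    pass
            raise ValueError("bad escape at offset %d" % i)
        if c == '"':
            in_quotes = not in_quotes               # RFC 2253 quoted value
        elif c == "=" and key is None and not in_quotes:
            key = "".join(buf).strip()              # attribute type ends here
            buf = []
        elif c == "," and not in_quotes:
            pairs.append((key, "".join(buf)))       # end of this RDN
            key, buf = None, []
        elif c == "+" and not in_quotes:
            raise ValueError("multi-valued RDNs are not supported by this example")
        else:
            buf.append(c)
        i += 1
    if in_quotes or key is None:
        raise ValueError("unterminated quote or missing '=' in DN")
    pairs.append((key, "".join(buf)))
    return pairs


def escape_value(value):
    """RFC 4514 escaping: specials anywhere, '#' or space first, space last."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in SPECIAL or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


def normalize_dn(dn, log_form=False):
    """Canonical RFC 4514 string: upper-case types, escaped values, no spaces."""
    if log_form:
        # Assumption: the DS access log writes the '"' of a quoted value as \22,
        # which is why the comma inside that value is not escaped in the log.
        dn = dn.replace("\\22", '"')
    return ",".join("%s=%s" % (k.upper(), escape_value(v)) for k, v in parse_dn(dn))


# DN strings quoted in the thread: the issuer as printed by the poster and as
# it appears in the DS access log line.
ISSUER_QUOTED = ('CN=VeriSign Class 1 Individual Subscriber CA - G2, OU=Persona Not Validated, '
                 'OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, '
                 'O="VeriSign, Inc.", C=US')
ISSUER_LOG = ('CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,'
              'OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,'
              'O=\\22VeriSign, Inc.\\22,C=US')

if __name__ == "__main__":
    print(normalize_dn(ISSUER_QUOTED))
    print(normalize_dn(ISSUER_LOG, log_form=True) == normalize_dn(ISSUER_QUOTED))
```

Both spellings normalize to the same string, ending in O=VeriSign\, Inc.,C=US, which is the escaped form the reply above suggests trying in certmap.conf and in the certSubjectDN attribute.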

  • CF7 and JDK 1.4.2 - EV SSL Certificate Issue

    Let me start off by telling the group that we do not use CF for any of our applications.  We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use.  We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API.  About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy.  I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck.  Here are the details:
    EV Certificate issued by DigiCert (4096-bit).
    Customer is on CF7 and JDK 1.4.2.
    When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application.  He is using cfhttp to post his requests.  We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates.  Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 it returns an invalid certificate error and still will not work.
    Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
    Thanks in advance to those gurus that reply.  I have attached a sample post from our customers logs with non-essential data removed.
    I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
    - Dave

    Dave,
    I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
    I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
    so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
    to either CF 8 or CF 9 to get the issue quickly resolved.
    I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
    if I do find a solution, I'll definitely post it there for you.
    Cheers

  • NAC SSL certificate Issue

    I recently applied a signed certificate to both the CAM and CAS. ever since then I have been having problems with the system. In the perfigo logs on the CAM I receive a lot of messages with "Certificate chaining error" in them. My question is what is the best way to roll back the signed certificates to the self signed ones? Any other suggestions would be greatly appreciated.
    Thanks in advance.

    Hi Giles,
    Thanks for the update. The problem I am facing is: I have 2 SSL certificates on my ACE and I have also configured 2 server farms (farm1 and farm2), each associated with an SSL certificate. Now the problem I am facing is when we access the farm2 serverfarm we are issued the certificate of farm1, whereas I need to be getting the certificate from farm2.
    Thanks in advance.
    Regards
    Sum

  • Firefox does not recognize SSL Certificate issuer Entrust Certification Authority – L1K, but Entrust Certification Authority – L1C is ok?

    We have a new Entrust SSL Certificate with issuer Entrust Certification Authority – L1K which Firefox does not recognize. Internet Explorer and Chrome are ok.
    On a different system we have an Entrust SSL Certificate with issuer Entrust Certification Authority – L1C which is ok with Firefox.

    Did you verify that all intermediate certificates are installed on the server?
    You can inspect the certificate chain via a site like this:
    *http://www.networking4all.com/en/support/tools/site+check/
    *https://www.ssllabs.com/ssltest/

  • SSL communication issue with JDK 1.6.0_19

    Hi,
    I am facing an issue with JDK 1.6.0_19. I have a Java client which communicates with the server over SSL. It is able to communicate properly with JDK <=1.6.0_18 versions, but I got the exception javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message when the client is trying to communicate with the server on JDK 1.6.0_19.
    We are using mutual authentication.The client and the server both have the signed certificate.The client certificate has to be validated by the server to establish the connection.
    I have seen in forum that it is a renegotiation issue.So, if I enable the renegotiation flag by -Dsun.security.ssl.allowUnsafeRenegotiation=true it's working fine.But enabling renegotiation itself is a vulnerability.So, I can't enable renegotiation.
    I am using httpclient 4.0 and JSSE in client side and IIS in the server side for this SSL connection.
    I am not sure which side client or server initiating the renegotiation?
    Please help me out.
    I have tried Openssl command from console.
    The command is : openssl s_client -connect X.X.X:443 -CAfile "xxxxx" -cert "xxxxxxxx" -key "xxxxxxxxxx" -state -verify 20 here is the output:
    Loading 'screen' into random state - done
    CONNECTED(00000748)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    xxxxxxxxxxx.................
    verify return:1
    xxxxxxxxxxx.................
    verify return:1
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    Certificate chain
    xxxxxxxxxxx.................
    Server certificate
    -----BEGIN CERTIFICATE-----
    xxxxxxxxxxx.................
    -----END CERTIFICATE-----
    xxxxxxxxxxx.................
    No client certificate CA names sent
    SSL handshake has read 1839 bytes and written 392 bytes
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: xxxxxxxxxxx
        Session-ID-ctx:
        Master-Key: xxxxxxxxxxx
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1275564626
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    read:errno=10054
    If you see the console output you can see that two statements are missing, those are:
    SSL_connect:SSLv3 read server certificate request A
    SSL_connect:SSLv3 write client certificate A
    So, I would like to know if this is any clue which is asking for renegotiation.

    Thank you for your response.
    Yes, I have set the particular property SSLAlwaysNegoClientCert to True and it is able to establish the SSL connection without initiating renegotiation from the IIS server side. The property has to be set in the metabase.xml file.
    Thank you very much once again.
    Edited by: arpitak on Jun 23, 2010 2:10 AM

  • Snow Leopard Server - SSL Certificate Issue

    Hi. I am hoping someone can shine some light into an issue I am currently experiencing with SSL Certificates on the Snow Leopard Server which hosts out websites. This past weekend an SSL certificate pertaining to our primary domain expired which caused users to receive error messages prior to accessing the website ... the error message stated "the site's security certificate has expired!"
    I have since renewed the certificate via networksolutions.com and applied it on the Mac server. The certificate was applied successfully and i have added the certificate the sites along with restarting the apache to take in the settings. However, the certificate is not propagating out at all. I have also restarted the mac server as well in case there was something in the cache causing issues but unfortunately, the issue still exists.
    I have also removed the certificate entirely and reapplied it from scratch to make sure the original certificate wasn't causing any issues.
    Has anyone else incurred a similar issue or would anyone have any insight on how to possibly resolve the issue?
    Thank you!

    Just a quick update. the DNS seems fine but I am getting errors in the logs as follows.
    May 12 09:37:34 server jabberd/sm[2084]: version: jabberd sm 2.1.24.1-326.5
    May 12 09:37:34 server org.jabber.jabberd[2082]: ERROR: router died. Shutting down server.
    May 12 09:37:34 server com.apple.launchd[1] (org.jabber.jabberd): Throttling respawn: Will start in 10 seconds
    May 12 09:37:34 server jabberd/sm[2084]: attempting connection to router at 127.0.0.1, port=5347
    May 12 09:37:34 server jabberd/sm[2084]: shutting down
    May 12 09:38:45 server jabberd/sm[2167]: version: jabberd sm 2.1.24.1-326.5
    May 12 09:38:45 server jabberd/sm[2167]: attempting connection to router at 127.0.0.1, port=5347
    May 12 09:38:45 server jabberd/sm[2167]: shutting down
    May 12 09:38:45 server org.jabber.jabberd[2165]: ERROR: router died. Shutting down server.
    May 12 09:38:45 server com.apple.launchd[1] (org.jabber.jabberd): Throttling respawn: Will start in 10 seconds
    I checked the crash report which has the following kernel issue.
    Exception Type: EXC_BAD_ACCESS (SIGBUS)
    Exception Codes: KERN_PROTECTION_FAILURE at 0x000000010011adb0
    Crashed Thread: 0 Dispatch queue: com.apple.main-thread
    Any ideas?

  • SSL certificates possible with different tools

    I had the impression that the SSL certificate can be configured with Linux eg. RHEL only by following the normal procedure of installing mod_ssl package, using genkey …etc
    But, I came to know that SSL certificate can be generated with the web server like Tomcat also. Is it correct that generation of SSL certificates is not limited to Linux only?
    I hope my query is clear that if SSL certificates can be generated not only with Linux but with other tools also.
    Please revert with the reply to my query.
    Regards

    Try using Google to get information.
    Just because you happen to be a user of these forums (and also glancing at your posting history to see what sort of issues you are curious about) doesn't mean you should ask every question here at this web forum site.
    When I place one of your sentences into Google,
    "I came to know that SSL certificate can be generated with the web server like Tomcat also"
    I get more than 800,000 search results that would easily guide toward better information than waiting for someone here to teach you about a non-Oracle topic.

  • SSL Certificate Mismatch with AnyConnect client

    Hello,
    We are having a problem with the AnyConnect client when connecting to our VPN.  We are running the following:
    AnyConnect v2.4.0202
    (2 each) ASA v8.2(1) -- active/standby failover
    AnyConnect Essentials Licensing
    NOTE:  We are not using certificates for authentication.
    Primary clients:  Windows XP and Windows 7
    Problem
    We have purchased an Entrust certificate for our ASA failover cluster called "vpn.company.com" and the it is attached to the outside interface on the ASA.
    Steps to Reproduce
    Install the AnyConnect (AC) client via https://vpn.company.com/.  Connection occurs here without issue.
    Once the AC client is installed and we try to use it in stand-alone mode (i.e., w/o hitting the ASA w/ a browser), a certificate mismatch occurs, and AC brings up the Windows/IE Security Alert dialog (see attachment CertError.jpg).
    The user must press Yes to bypass mismatch.
    PROBLEM:  On Windows 7, the user must have administrative privileges and run the AC client as administrator -- otherwise, they get a dialog saying "Unable to establish VPN" (see attachment Unable.jpg).
    The issue is we have a valid certificate that should be used for the connection.  However, when looking at the connections made by the AC client with Fiddler, it would appear that the AC client is trying to connect directly to the ASA's IP address, and not the name.  This is a nuisance for XP users, and a show-stopper for Win7 users as they do not have admin privileges.
    I have not been able to find any documentation on Cisco.com relating to this issue.  In short, how do I get the AC client to use "vpn.company.com" so there is no Cert mismatch?
    Thanks,
    -Matt

    Tim,
    I will read through the article more thoroughly; I've already been through parts of it -- won't hurt to go through again.  I did initially have the IP address in my XML file, and immediately removed it when I noticed that it was using the IP address in the Fiddler dump.  It hasn't had any effect unfortunately -- even with uninstalling and re-installing the AC client locally.
    The only other article/post I've come across on Cisco's site that comes close is here:
    Cisco Support Community: ASA VPN Load Balancing/Clustering with Digital Certificates Deployment Guide
    which seems to suggest that I will need a UCC certificate (which seems ridiculous) to do some of what I need to do.  However the issue with that post is that it still wouldn't fix the issue where the AC client is using the IP address.
    I will let you know if I find any smoking guns in the doco link you sent.  Any other thoughts appreciated.  I can't believe Cisco made the setup of the AC client this convoluted.
    Thanks!
    -Matt

  • AnyConnect SSL Client issue with Mac OS X

    Hello this seems to be a very common issue with AnyConnect working on Mac OS X. A lot of random sites talk about this.
    I have a Cisco 2801 running IOS 12.4(22)T (ADV ENT SRV) with AnyConnect 2.3 package installed.
    From Windows I can connect without any issues.
    From a Mac OS X after providing login credentials the AnyConnect log says its connecting... checking for updates... and then disconnects.
    If this does work on Mac OS X what is needed (or needs to be configured) to get this to work properly on Mac OS X?
    Thank you!

    Hello All,
    I recently experienced the same problem when my company upgraded our entire company from the stone age to a VPN system using the Cisco AnyConnect. At first, I had the same problem as described above. Then my IT guy and I got on the phone with Cisco.
    Here is the solution that worked for me. First, our IT department had to specifically load a Mac connection file into the VPN firewall to allow access for Macintosh computers. Then I redownloaded the latest anyconnect files and updated whatever else through the vpn.yourcompany.com site. Finally, from www.citrix.com/download I downloaded (on the RH side under featured downloads) the appropriate Citrix ICA File.
    Everything works fine now. I don't know if this will work for you, but it did the trick for us.

  • SSL Certificates issues on ACE module

    Hi,
    SSL certificates and keys are not being transferred from active to standby automatically, could anyone tell me why this is happening and what needs to be done.
    Thanks
    Neha

    Hi Neha,
    Yes - unless you are running the 2.2 version of ACE software - which is intended for really large configurations then there is no bulk certificate/key import process.
    Whatever you did to import the certificates/keys on your active configs you'll need to do on the standby configs.
    Note, by having missing files, replication will have been stopped.
    Cathy

  • How to update revoked certificate issue with CS5 suite?

    I have a security issue found with a Nessus scan that states:
    Synopsis: An application installed on the remote Windows host is signed by a revoked certificate.
    Description: The remote host is using Adobe software that has been digitally signed by a revoked certificate. An Adobe build server was compromised, which has caused at least two malicious utilities to be signed with Adobe's code signing certificate. Any software signed by this revoked certificate (including legitimate Adobe software) is no longer trusted.
    I have followed everything I found on how to correct this, but most information is regarding CS6.  I have updated the certificate through Acrobat (version 9), but that has not fixed my issue. 
    The programs it says that are affected are:
    Bridge.exe
    Extension Manager
    Illustrator
    Photoshop
    I see no way to update anytype of certificate in these programs.
    Is it just that CS5 is no longer supported, or have I missed an update?
    Thanks,
    Dan

    Rahul,
    You can do this in the doDML method of your Entity Object.
    See this white paper:
    http://www.oracle.com/technology/products/jdev/collateral/papers/10131/businessrulesinadfbctechnicalwp.pdf
    If you have follow-up questions, please use the JDeveloper forum, since your question is not related to JHeadstart.
    Steven Davelaar,
    JHeadstart Team.

  • Why am I now having certificate issues with Firefox but not IE?

    I can no longer log into Gmail, Facebook, Amazon, etc... using Firefox. I get the following error "accounts.google.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)". It works with IE but not Firefox. This just started a few days ago - prior to that I was able to log into those https sites without issue.
    Any suggestions? Thank you.

    "browser.xul.error_pages.expert_bad_cert" was set on false so I set it to true and tried reloading.
    Got the page giving me the option to add exception and continue. Kept trying that and would not continue to the page even after accepting 10+ times.
