ACE - Support for SSL Server Name Indication (SNI)
Hi,
I would like to ask whether Cisco ACE supports SSL SNI (RFC 3546 or 4366), currently or in the future. You run into that problem when moving SSL termination from a server that supports having multiple different certificates bound to the same IP and acting on the different domain names (SNI). Currently I do not see any way to build that on the ACE. If it is definitely not supported, is there anything on the roadmap for that?
Thanks and best regards,
Daniel
From what I understand SNI is largely reliant on client support. It is just an extension of the TLS SSL protocol. One of our Escalation Engineers wrote up a pretty good post explaining SNI.
http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx
"SNI is an extension to the TLS SSL protocol that allows the client to include the Hostname the client is connecting to in the SSL Client Hello. A server can then use the SNI header to determine which certificate to serve to the client. A key benefit of SNI is that it allows a server to host multiple certificates on the same IP/port pair instead of needing an IP per certificate (assuming you are using port 443)."
A few questions I would have: what client and browser combination have you attempted this on? Also, are you using a wildcard certificate on your Web Listener? Have you taken network traces to see if the client is sending SNI? Ian does a good job of explaining how to do that in his blog post.
Similar Messages
-
Does Safari on iPad support SNI (Server Name Indication)
Hi,
I am testing name-based virtual hosts with Apache 2.2 over SSL and noticed that this is only supported using SNI (server name indication). I have updated OpenSSL to include the SNI extensions on the Apache server, but the client browser is also required to support this. I wanted to know if there is any indication as to when SNI will be supported by the Safari browser on iPad and/or if anyone else has experienced this issue.
I know of 1 additional workaround, which is to use wildcard certs, but I am not too keen on using those unless I really have to.
I verified that this is not supported by hitting the site https://sni.volex.ch from the iPad Safari browser - it fails. However, using Opera on iPad worked.
Thanks
-
How to disable server name indication
I want to turn off SNI (server name indication) but I didn't find the right option. I could only disable TLS and use SSL to achieve this. I set the value of "security.tls.version.max" to 0.
I am looking for a way to have TLS while disabling the server name indication extension.
Under Tools → Options → Advanced → Encryption, make sure you have "Use TLS 1.0" enabled. This is off by default in older versions of Firefox.
-
So I have set up a localhost area on my Mac. I have the new Server.app and I am running Yosemite 10.10.2.
I have a program running in my local server environment that wants to FTP to my Mac.
It asks for the server, name, password, port and path. What are they?
I am pretty certain that the server is "localhost",
name is my Mac's name (like my-mac-min),
password is "my login password",
and they suggest port 21.
But what is the file path? Let's just say my site is set up at http://localhost/siteftp and is actually at my Users/Sites/siteftp folder.
Why can't this program connect to the Mac?
Is it because they are both operating in the same localhost environment?
Could it be my folder permissions are not correct on the siteftp folder?
Help please!
I tried turning the computer off and then back on. The alerts don't show the notice to update as resolved. Hopefully this is not a problem or an indicator of another problem. Should I ignore or reload 10.10.1 from the app store to trigger a resolved check in a green circle?
Interesting that I had to buy server software after my free Yosemite download. I would have hoped that the two pieces of software would have gone together without any complication. It is not positive to end up buying a problem. Ah well, time to move on.
-
Java 7 or 8 support for Crystal Server 2011 SP8
I was searching this wonderful site and didn't see any specific about what version of Java 7 or 8 that SAP supports for Crystal Server 2011 SP8. If anyone knows please reply back.
Thanks,
Adam
Ashvin,
I have those options but it won't create another discussion. I am getting this error on one report:
The viewer could not process an event. Error in File Case Usage Analysis by Patient: Encapsulating page failed.
I have searched the internet and the community network for a solution with no luck. This happens on only one report. It's an Oracle database 11g, and the report has one subreport. Any help would be appreciated.
Thanks,
Adam
-
Microsoft support for Windows Server 2008 R2 on vSphere 5.5
Hi, everybody.
I'm checking if Microsoft will provide support for Windows Server 2008 R2 running on a VM on vSphere 5.5 Update 2. So far what I've found at http://windowsservercatalog.com is:
Filtering vendor VMware and Windows Server 2008 R2, it shows vSphere up to version 5.0 update 1
http://www.windowsservercatalog.com/results.aspx?&chtext=&cstext=&csttext=&chbtext=&bCatID=1521&cpID=2274&avc=34&ava=0&avq=0&OR=1&PGS=25&ready=0
http://www.windowsservercatalog.com/item.aspx?idItem=c92e5cbd-9690-b62a-2ace-843390ac3ea4&bCatID=1521
Filtering vendor VMware it shows vSphere 5.5 update 2, but details only Windows Server 2012, not Windows Server 2008 R2.
http://www.windowsservercatalog.com/results.aspx?&chtext=&cstext=&csttext=&chbtext=&bCatID=1521&cpID=2274&avc=0&ava=0&avq=0&OR=1&PGS=25&ready=0&PG=2
http://www.windowsservercatalog.com/item.aspx?idItem=ef39c5b2-2f5b-5b73-08e2-c07fecdadcff&bCatID=1521
Does that mean Microsoft doesn't support Windows 2008 R2 on vSphere 5.5 update 2?
I'm aware Windows Server 2008 R2 lifecycle is close to EOL, but customer requires this specific version for application compatibility.
Thanks
Hi mdgrkb,
Products that have passed the SVVP requirements for Windows Server 2012 R2 are considered supported on Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 SP2 and later Service Packs, both x86 and x64.
See the additional information at the top left of this website:
http://www.windowsservercatalog.com/item.aspx?idItem=ef39c5b2-2f5b-5b73-08e2-c07fecdadcff&bCatID=1521
I’m glad to be of help to you!
-
Netscape cert type does not permit use for SSL server on Weblogic
We have WLS 11g (11.1.1.5 SOA) on UNIX and we are trying to connect secured service (Using client certificate along with UserName and Password for Authentication ). I was able to test it using SOAP UI.
But when I am testing the webservice I am facing listed error
java.lang.Exception: oracle.sysman.emSDK.webservices.wsdlapi.SoapTestException: oracle.fabric.common.FabricInvocationException: Unable to access the following endpoint(s): https://abcd:1111/JWSs/V1/TermsWS at oracle.sysman.emas.model.wsmgt.WSTestModel.invokeOperation(WSTestModel.java:575) at oracle.sysman.emas.view.wsmgt.WSView.invokeOperation(WSView.java:381) at
and domain log shows that
Caused By: javax.xml.soap.SOAPException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server
Please help me to resolve listed issue.
Can I use Netscape client certificate on WLS?
Do I need to take any extra care while working with client cert?
I appreciate your help.
Netscape cert type does not permit use for SSL client
Try using another certificate. Your certificate can't be used as a web browser client certificate.
-
Documentation for changing Server name
Hi,
I'm looking for documentation for changing server name. Ex. from prod1.domainname.com to prod2.domainname.com. We only change the server name, not the server itself.
Does someone know where I can find it?
Thanks
André
On the server side you need to edit two files:
1. ORACLE_HOME/network/admin/listener.ora
depending on the protocols you are accepting connections on, you need to change the value for HOST = <new server name goes here>
2. ORACLE_HOME/dbs/init<SID>.ora
You probably haven't specified this parameter, but if you did specify a value for LOCAL_LISTENER, then change it accordingly.
On the client and server side you need to edit one file
1. ORACLE_HOME/network/admin/tnsnames.ora
Find the service names that refer to the databases that live on the server whose name was changed. If TCP is the protocol being used to connect to these databases, then change the HOST = <new server name goes here> accordingly.
-
Microsoft Project Server Support for SQL Server 2014
Does anyone know the timeline for Microsoft Project Server to support deployment on SQL Server 2014? Also, has anyone tried this yet as an unsupported deployment, and if so, have they found any issues?
"SQL Server 2014 is not yet supported for Project Server 2013", as per the article Hardware and software requirements for Project Server 2013: https://technet.microsoft.com/en-us/library/ee683978(v=office.15).aspx updated as of Dec 09, 2014.
Cheers! Happy troubleshooting !!! Dinesh S. Rai - MSFT Enterprise Project Management
-
LabVIEW network library with support for SSL, Ping and IPv6
I have posted on LAVA an OpenG package that will install a LabVIEW network library with support for SSL, Ping and IPv6.
Please go there if you are interested to look it up.
Rolf Kalbermatter
CIT Engineering Netherlands
a division of Test & Measurement Solutions
Bob Y. wrote:
OK, but what is it and why should I use it? What need does it fulfill? I have been unable to find much documentation for this at the wiki page and maybe a couple of paragraphs here would help.
Thanks,
Bob Young
Hi Bob,
Yes, this info got buried. Basically, it's a tool for building LabVIEW-based software products. It is highly flexible/extensible and tries to fill the holes left by LabVIEW's built-in Application Builder. Here are some good links to more info:
OpenG Builder Homepage
OpenG Builder 1.0 Documentation
Thanks,
-Jim
-
3rd party security providers for SSL Server
Hello,
I was wondering if anyone knows if you can use a 3rd party security provider to
provide SSL for Weblogic 7.x Server ???
What is the best way to accomplish this (eg. MBeans) ???
Does anyone have experience attempting this ???
I would really like to use our security provider which includes support for PKCS#11
hardware etc.
Thanks,
Trevor.
Hi Christian,
I would really like to check out the example you specified in the below URL, but
it appears to be invalid. Could you please send another URL for the example.
PS. Our security provider is a JSSE/JCE implementation. Do you guys have any
implementations or examples of the Sun JSSE provider being used with the BEA Weblogic
model. This would also be very helpful.
Thanks,
Trevor Nielsen
Wedgetail Communications
"Security for Network Devices"
"Christian Plenagl" <[email protected]> wrote:
>
Hi Trevor,
sure you can use your own security provider with WLS 7,
to do this please read the following document:
http://e-docs.bea.com/wls/docs70/dvspisec/index.html
We also provide a sample security provider which is available
at http://dev2dev/direct/SampleSecurityProvidersUnmanaged.zip
Christian Plenagl
Developer Relations Engineer
BEA Support
"Trevor Nielsen" <[email protected]> wrote:
Hello,
I was wondering if anyone knows if you can use a 3rd party security provider to
provide SSL for Weblogic 7.x Server ???
What is the best way to accomplish this (eg. MBeans) ???
Does anyone have experience attempting this ???
I would really like to use our security provider which includes support for PKCS#11
hardware etc.
Thanks,
Trevor.
-
Does BC4J works as ORM (eg: Toplink) to support for MSQL Server / Oracle DB
Hi,
My current product is running on Struts 1.1, Apache Cocoon(for reports generation), JDBC & MS SQL Server environment.
To provide the more flexibility & user friendliness to the application I have a proposal for the re-development of the application with ADF 11g.
But the main concern here is, the current product is running on MS Sql Server DB, now the product team has a future plan to migrate it to Oracle Database. In view of this DB migration, the frame work/environment that I choose for the re-development must support for very less code changes (at least from the Application Business logic/Queries prospective)
Here I have two options for the re-development
1. ADF 11g + Top-link (ORM) + MS Sql Server / Oracle DB
2. ADF 11g + BC4J + MS Sql Server / Oracle DB
Please suggest which of these two options suits my requirement and is better in performance too.
Check this out:
http://www.oracle.com/technology/products/jdev/collateral/papers/11/certification/index.html#Databases
Also
http://www.oracle.com/technology/products/jdev/11/how-tos/multidatabaseapp.html
Have a nice day
-
Support for Java Server Faces in Workshop
Dear All,
Does anyone have any idea if and when Workshop will include support for the Java
Server Faces (JSF) framework?
Thank you
Abe
While I cannot share any specific product plans from any vendor, I would like to point out that all of the vendors of IDEs in the Java web application space are members of the JSR-127 expert group that is defining JavaServer Faces. Indeed, one of the primary design goals for the APIs is to ensure that development tools have sufficient information available to create high quality user interfaces at design time, so we're doing all we can to enable this kind of thing.
As JavaServer Faces matures, I think you will be very pleased with the quality and quantity of tools support for it.
Craig McClanahan
-
OSX Server DHCP Service - Support for tftp-server or bootp-server entries
We have a bunch of IP phones that get their initial setup from DHCP. On a Linux box, we can add the entries:
option tftp-server-name
or
option boot-server
We do this to tell the phones where to download their settings/firmware from. Does OSX DHCP support this? If so, what entries do I have to put in NetInfo/config/dhcp to make this work??
Thanks!
Personally I never got that dirty and fiddled around with OS X's bootpd, but as you can read in its man page:
Regardless of whether bootpd knows the type of the option or not, you can always specify the DHCP option using the data property list type e.g.:
<string>dhcpoption128</string>
<data>
AAqV1Tzo
</data>
that could be possible.
see man bootpd
-Ralph
-
Support for SQL Server 2014 for CMS + Audit Repository?
We are currently on BusinessObjects 4.1 SP01 Patch 6 on Windows Server 2008 using SQL Server 2008 R2 for our CMS and Audit repository databases. Is there any information out in regard to when SQL Server 2014 will be supported for the CMS and Audit repositories?
According to the Product Availability Matrix shown in the screenshot below SQL Server 2012 is supported, right? One of our DBAs claims there isn't that much of a difference between SQL Server 2012 and 2014, but I am not willing to try it if it isn't officially supported.
Thanks,
Noel
Denis Konovalov Henry Banks James Rapp Toby Johnston
Need your attention here.