DS 5.2: Plugin to force SSL/TLS and simple authentication available!

Hi,
for privacy and security reasons I had to enforce TLS for simple authentication
in my organisation on all client connections to our directory servers.
As it turned out in thread
http://forum.java.sun.com/thread.jspa?threadID=5239916
there is no easy way to do this. Even though there seems to be a
way by using the directory proxy server (looks very complicated), described
in thread
http://forum.java.sun.com/thread.jspa?threadID=5240537,
I finally decided to write a plugin. To let you know what the plug-in does
exactly, I paste the description in here:
DESCRIPTION
The plug-in checks every client connection to see whether it is encrypted or not.
If the connection is encrypted, it accepts the connection.
If not, it rejects the connection.
It is possible to configure the plug-in to accept unencrypted
connections from certain IPs. With this feature enabled, you may
allow unencrypted connections from 127.0.0.1 or similar.
Additionally, this feature helps you to deploy the plug-in in
a production environment.
Another configuration option allows a dry-run of the plug-in.
This means that the plug-in only logs (in the error log), but accepts
unsecured connections.
The configuration of the plug-in may be stored in an arbitrary DN of
your DIT. This way you are allowed to change the configuration
parameters without restarting the directory server.
By replicating the configuration entry you may enable and disable
the dry-run mode for all your replicas with one click. Adding IPs
from which clients are allowed to connect unencrypted is also
configurable for all replicas at once.
END OF DESCRIPTION
The source code also contains detailed installation instructions,
and a configurable Makefile is provided.
I brute-force tested the plugin and it causes no memory leaks or similar issues.
Now I want to publish the code, since I am sure that other people may need it too!
Unfortunately there is no public code repository or similar for directory server
plugins. So if anyone is interested in the plugin, I will put the source code online.
best regards
Harald Strack
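
The connection policy in the description above, modelled as an added example. This is not Harald's plug-in source (which is not on this page) and it does not use the Directory Server plug-in API; a real plug-in would obtain the client address and the encryption state of the connection from the server and read its settings from the configured DN. The attribute names cleartextAllowedFrom and dryRun, the Policy class and the sample configuration entry are assumptions made for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Hypothetical attribute names for the configuration entry; the post does
# not name the real ones.
ATTR_ALLOW = "cleartextAllowedFrom"
ATTR_DRYRUN = "dryRun"


@dataclass
class Policy:
    # Client addresses (single IPs or CIDR prefixes) that may bind in
    # cleartext, e.g. local agents on 127.0.0.1.
    allow_cleartext_from: List[str] = field(default_factory=list)
    # Dry run: log what would have been rejected, but let it through.
    dry_run: bool = False

    def cleartext_allowed(self, client_ip: str) -> bool:
        """True if client_ip falls inside any allowlist entry."""
        try:
            addr = ip_address(client_ip)
        except ValueError:
            return False  # unparseable address: fail closed
        return any(addr in ip_network(n, strict=False)
                   for n in self.allow_cleartext_from)

    def evaluate(self, client_ip: str,
                 encrypted: Optional[bool]) -> Tuple[bool, Optional[str]]:
        """Decide whether to accept a connection.

        encrypted=None means the server could not tell; it is treated as
        cleartext so the check fails closed.
        Returns (accept, error_log_line); the log line is None when
        nothing needs to be written to the error log.
        """
        if encrypted:
            return True, None
        if self.cleartext_allowed(client_ip):
            return True, None
        if self.dry_run:
            return True, f"DRY-RUN: would reject cleartext connection from {client_ip}"
        return False, f"REJECT: cleartext connection from {client_ip}"


def policy_from_entry(entry: Dict[str, List[str]]) -> Policy:
    """Build a Policy from an LDAP entry given as attribute -> values.

    LDAP Boolean syntax is the literal string TRUE or FALSE (RFC 4517).
    A missing attribute falls back to the safe default: empty allowlist,
    enforcing (not dry run).
    """
    allow = entry.get(ATTR_ALLOW, [])
    dry = entry.get(ATTR_DRYRUN, ["FALSE"])[0].upper() == "TRUE"
    return Policy(allow_cleartext_from=allow, dry_run=dry)


# Constructed configuration entry, as the replicated config object might
# look once read from the directory (attribute -> list of values).
SAMPLE_ENTRY = {
    "cn": ["tls-enforcer"],
    ATTR_ALLOW: ["127.0.0.1", "10.0.0.0/8"],
    ATTR_DRYRUN: ["FALSE"],
}

if __name__ == "__main__":
    policy = policy_from_entry(SAMPLE_ENTRY)
    for ip, enc in [("192.0.2.10", True), ("127.0.0.1", False),
                    ("10.1.2.3", False), ("192.0.2.10", False),
                    ("192.0.2.10", None)]:
        accept, log = policy.evaluate(ip, enc)
        verdict = "accept" if accept else "reject"
        print(f"{ip:12} encrypted={enc!s:5} -> {verdict}"
              + (f"  [{log}]" if log else ""))
```

Two points the description does not spell out that matter when you write the real thing: the decision has to fail closed when the server cannot tell whether a connection is encrypted (here encrypted=None is treated as cleartext), and the check must run at bind time rather than when the TCP connection is accepted, otherwise a client that connects on port 389 and issues StartTLS before its simple bind, which is exactly the secure behaviour you want, would be rejected.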

Hi Harald:
I'm interested in looking at the code of your plugin. Could you please share the source code with us?
Thanks-

Similar Messages

  • Pandora message "Pandora believes your browser does not support modern SSL/TLS" and everything seems disabled on the site-how fix?

    I have been using Firefox for a long time as my browser and typically play Pandora while at my office most days. For the first time today I received a pop-up message "Pandora believes your browser does not support modern SSL/TLS. Consider upgrading your browser" when I logged on to Pandora. I checked and I am on the latest version of Mozilla Firefox. I am unable to control volume or log out of Pandora now. I did some Google searches and found Mozilla disabled SSL 3.0 due to a "POODLE" attack. Does that mean that I can no longer use Firefox as my browser when I want to listen to music on Pandora or is there "a fix"? Thanks!

    Mozilla Firefox as of Firefox 34 has the vulnerable SSL 3.0 disabled and only allows for TLS 1.0 at minimum to 1.2 now.
    https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
    So Pandora is incorrect if they believe Firefox is not safe to use.
    Actually Pandora potentially needs to do a bit of upgrading themselves.
    https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&s=208.85.40.50

  • ISE 1.2 EAP-TLS and AD authentication

    Hi,
    I am sure I have had this working but just can't get it to now.
    So I have a computer that has a certificate on it with the SAN - principal name = [email protected]. This is an auto-enrolled cert from my AD.
    My authentication profile says
    IF the SSID (called-station) contains eduroam and principal name contains @mydomain.com then use a certificate authentication profile. (see attachment below)
    Then my authorization profile says
    if active directory group = "Domain computers" then allow access.
    When my computer tries to join it passes the certificate test, but when it gets to the AD group I get the below.
    24433          Looking up machine in Active Directory - [email protected]
    24492          Machine authentication against Active Directory has failed
    22059          The advanced option that is configured for process failure is used
    22062          The 'Drop' advanced option is configured in case of a failed authentication request
    But I know my machine is in AD? What do I need to do to get the PC to use EAP-TLS to authenticate and the AD group to authorize?
    Cheers

    This accepts all requests to one SSID and then, as you can see, if it is EAP-TLS uses the cert store (see below), otherwise AH
    This just says if AD Group = /user/domainComputer allow full access (simple rule)

  • Is there any way to config iws6.0 to connect to LDAP directory using SSL client and server authentication.  Only SSL server authentication worked when I tried.

    As my previous question, I followed the following instructions to setup up connection between iws and an LDAP server.
    "Using SSL to Communicate with LDAP
    You should require your Administration Server to communicate with LDAP using SSL. To enable SSL on your Administration Server, perform the following steps:
    1.Access the Administration Server and choose the Global Settings tab.
    2.Click the Configure Directory Service link.
    3.Select Yes to use Secure Sockets Layer (SSL) for connections.
    4.Click Save Changes.
    5.Click OK to change your port to the standard port for LDAP over SSL. "
    Q1. Any other steps needed to setup client authentication (or mutual authentication)?
    Q2. Do I need to enable security for connection groups in order to have this setup to work?

    Check out:
    http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
    You will need to turn on Client Auth as described above. Hope it helps.

  • The difference between SSL & TLS

    dear experts,
    I need to know the difference between SSL & TLS and in which situations I have to use them.
    thanks
    Labib Makar

    Labib,
    At a 10,000 foot level, SSL v3.0 was superseded by TLS v1.0.
    TLSv1.0 (RFC 4346) was an upgrade to SSL v3.0 (but they don't interoperate)
    This "Cisco.com document" describes the workings of both in some detail:  SSL: Foundation for Web Security
    it states this as some basic differences:
    TLS uses slightly different cryptographic algorithms for such things as the MAC function generation of secret keys. TLS also includes more alert codes.
    Also See: Wikipedia TLS
    As far as which to use, it would depend on if both sides (server/client) support each?  TLS v1.0 or v1.1 is newer.
    Most modern Browsers tend to support both.
    i.e.
    Firefox 3.5.7 supported both SSL v3.0 and TLS v1.0
    Internet Explorer v6 supported both SSLv2, SSLv3, TLS v1.0
    etc.
    Hope that helps.
    Steve Ochmanski

  • SSL/TLS POP/SMTP setting 6270 ?

    Hi All,
    I recently purchased Nokia 6270 and I do have GPRS connection working well for WAP sites and for Internet access on my laptop.
    I have been trying to configure my GMAIL account on the email client provided with the 6270. Gmail POP/SMTP access requires a secure connection (SSL/TLS) and I could not find any place to set SSL or TLS to YES. In the personal configuration there is everything to set except these.
    It was there in old Motorola E398..The settings are really confusing.
    If anybody has accessed/configured GMAIL on 6270, please help..
    Cheers
    Rajiv

    You are right that I should have checked it before buying; I think you can expect such a small feature from a high-end mobile. Nokia does claim it as a high-end mobile. I randomly looked at some of the mobiles from different makes today and all of the high-end mobiles have this feature.
    And by the way, all the email clients do contain a feature for specifying SSL or TLS.
    Does that mean that the 40 series is missing this feature because that is only provided in the 60 series? Or is there any logical reason behind it?
    Is there any software version update that can provide this feature? I have Version 03.65 19-12-05 RM-56

  • EAP-TLS and LEAP on a 1200 AP

    Is it possible to have a 1200 AP use EAP-TLS and LEAP authentication simultaneously? We currently use LEAP in production and I have successfully configured a test 1200 AP to use EAP-TLS, but we would like to have it use both methods until all clients can be set up for EAP-TLS.

    You may view this link : http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm
    Regards
    Mc

  • SSL Certificate and SSL Authentication

    Hi-
    I'm hoping someone can shed some light on this issue.
    First off, is there a difference between SSL Certificate and SSL Authentication?
    I have a POP account. The Incoming port is set to 110. The Outgoing, 26. (This is according to Bluehost.com). The security settings for both incoming/outgoing are set to none. Everything works fine.
    But if I want extra security, I'll set the incoming to 995 and outgoing to 465.
    If I set the security settings to SSL, do I check "Use secure authentication", or do I have to purchase a SSL certificate to secure the authentication? This is where I'm confused. I tried asking the hosting company but they're not much help.
    Any advice would be appreciated.
    Thanks!

    Hi Imagine,
    You do not need to purchase your own SSL certificate to use secure authentication. The server handles this for you. You just need to make sure the port numbers are correct and you simply check the SSL boxes and leave authentication on Password, at least on most setups. Each host may be different so you have to double-check with them.
    Hope That Helps,
    Eric

  • How Redirect browser(client) based on non-negotiable SSL/TLS protocol or cipher

    Hi guys,
    We have a security requirement wherein we have to force the browsers accessing our ASP.NET application hosted on Windows Server 2012 to have at least TLS 1.1, but we don't want to simply block the request; instead we would like to redirect the request
    to an unsecured static HTML page with instructions on how to get them onto TLS.
    Can anyone help me here? Actually I found a similar and exactly the same thread on stackoverflow but I think that is probably directed towards the Linux family.   http://serverfault.com/questions/591188/redirect-browser-based-on-non-negotiable-ssl-tls-protocol-or-cipher
    Please help me guys..
    PS: I have posted the same question on the IIS forum (http://forums.iis.net/t/1223352.aspx?How+Redirect+browser+client+based+on+non+negotiable+SSL+TLS+protocol+or+cipher+from+IIS)
    and got a reply saying that it can be done at the Windows kernel level (possibly).

    Hi,
    As far as I know, once SSL handshake fails, no subsequent communication would occur between the server and client.
    Therefore, as the way I see it, the goal cannot be achieved.
    Best Regards,
    Amy

  • EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

    Hi All ,
    I am trying to test EAP-TLS authentication on ACS 4.2.1.15 running on Appliance 1120. I have installed my server certificate along with the CA certificate on my appliance box, and I have enabled the EAP-TLS features under global authentication setup.
    I have downloaded the client supplicant certificate file for my Windows XP machine.
    When I tried to authenticate I am finding the following error message under failed attempts (EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my ACS appliance box.
    Under certificate revocation list, I have forced my CA as CRL in use. Attached snapshot of all.
    Suggest to me whether I need to enable all corresponding CA certificates under the certificate trust list. Kindly let me know where I am going wrong on this.

    Hello,
    I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
    Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
    - Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification Authorities\Certificates
    - Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
    - Delete the wireless network from the computer
    - REBOOT!!
    - Open the Microsoft Management Console, "mmc".
    - Go FILE\Add Remove SnapIn. Select Certificates ..
    - If prompted, do it for "My User Account".
    - Make sure the certificates are where you put them.
    - If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification Authorities\Certificates, remove them.
    - Redo wireless network setup again
    I hope this helps you.
    Mike

  • How Redirect browser(client) based on non-negotiable SSL/TLS protocol

    Hi guys,
    We have a security requirement wherein we are required to force the browsers accessing our application to have at least TLS 1.1, but we don't want to simply block the request; instead we would like to redirect the request to an unsecured static HTML page with the
    instructions on how to get them onto TLS.
    Can anyone help me here? Actually I found a similar and exactly the same thread on stackoverflow but I think that is probably directed towards the Linux family.   http://serverfault.com/questions/591188/redirect-browser-based-on-non-negotiable-ssl-tls-protocol-or-cipher
    PS: I have posted the same question on the IIS forum (http://forums.iis.net/t/1223352.aspx?How+Redirect+browser+client+based+on+non+negotiable+SSL+TLS+protocol+or+cipher+from+IIS) and got a reply saying
    that it can be done at the Windows kernel level (possibly by making use of
    http.sys, ksecdd.sys and schannel).
    Can anyone help me here guys?
    Thanks,
    Haroon 

    Hi,
    As far as I know, once SSL handshake fails, no subsequent communication would occur between the server and client.
    Therefore, as the way I see it, the goal cannot be achieved.
    Best Regards,
    Amy

  • OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224

    Can someone help me to fix the OpenSSL issue CVE-2014-0224 on Windows Server 2008 R2? Please advise.

    Hi,
    From the description on the OpenSSL site, it is fixed in newer versions, so could you update to the new version?
    https://www.openssl.org/news/vulnerabilities.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    CVE-2014-0224: 5th June 2014
    An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
    Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
    Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
    Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)

  • Network security: SSL / TLS connections or not?

    Hi,
    Our small office-network is administered by a (very good) self-employed debian dev, and in the last six years I have learned a great deal by reading through configfiles on our server. I have even setup my own (modest) homeserver and am very interested in everything about networking.
    Earlier this year there were the SSL-vulnerabilities, so I glanced through our own setup and I think I have found a weakness that I'm not sure of if it is serious or not.
    Internal authentication is handled with LDAP / Kerberos, so at this level I see no problems, but connections to e.g. our LDAP server are not protected with SSL or TLS, and thus my question: should this not be mandatory on an office network that (although protected by iptables) allows connections with the internet?
    Our server handles next to LDAP / Kerberos also apache, postgresql, imap, smtp, calDAV, NFS, cups etc...
    THX!

    Our LDAP-server is used to authenticate users (LAN only), but also as an addressbook (LAN only, although exposed through a local web app).
    But other services are exposed to the internet: IMAP, SMTP, HTTP, etc. Whenever I need to add a new device (a smartphone, e.g.), I'm confronted with the setting 'encryption', which has to be left blank for our setup. That's why I have my doubts...
    But you seem to find encryption something 'optional' if I understand you completely. So my doubts are probably not warranted. THX for your reply!

  • SLL/NFe configuration - PI for receiving e-mails using SSL/TLS

    We use GRC/SLL 10 NFe - SP16 for issuing / receiving NFes.
    We are migrating our Exchange 2003 to Exchange 2010 and there is a need to increase security.
    Could someone help us? We have to use SSL/TLS -
    Is there any option besides Plain/MD5? Can we use another type of encryption?
    Thanks in advance for everyone's help

    Good afternoon Daniela,
    In my view, configuring both SEFAZ environments (Hom/Prod) in the same PI environment (Dev, for example) is unnecessary; it ends up doubling the configuration effort and is error-prone.
    After the first implementation, where I used this practice you describe, I saw that it made no sense, since after transporting the objects from DEV to QAS I had to redo the whole communication channel configuration twice (Homologation and Production). When I transported to Production, the same torment. The productive channels in DEV/QAS were never used -- just as well, since that is the correct thing. The same in production -- the homologation channels were never used and only served as dead weight in the environment.
    Now, if at your company you have some tool for transporting Directory objects that carries all the communication channels with their proper values, without the need to fill them in right after the transport (I have that at my current client - long live the Directory API), then things change.
    My recommendation is to always configure the scenarios in the simplest and most generic way possible (Srv_SEFAZ_SP instead of Srv_SEFAZ_SP_HOM), using the latest PI version and configuring the scenarios using ICO.
    Regards,
    JN

  • TF215097: An error occurred while initializing a build for build definition : Could not establish trust relationship for the SSL/TLS secure channel

    Hello,
    We are facing an issue when triggering a new build using TFS 2013 Update 4, VS2013 Update 4 using TFVCTemplate.12.XAML template. All our other older build definitions just work fine but not the TFVCTemplate.12.XAML.  It seems to me that some certificate
    might be invalidated. Can anyone please point me in the right direction? 
    Thanks, 
    Mitul
    TF215097: An error occurred while initializing a build for build definition :
    Exception Message: One or more errors occurred. (type AggregateException)
    Exception Stack Trace: at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
    at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFile(TfsTeamProjectCollection projectCollection, String itemPath, Stream outputStream)
    at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFileAsString(TfsTeamProjectCollection projectCollection, String itemPath)
    at Microsoft.TeamFoundation.Build.Client.ProcessTemplate.Download(String sourceGetVersion)
    at Microsoft.TeamFoundation.Build.Hosting.BuildControllerWorkflowManager.PrepareRequestForBuild(WorkflowManagerActivity activity, IBuildDetail build, WorkflowRequest request, IDictionary`2 dataContext)
    at Microsoft.TeamFoundation.Build.Hosting.BuildWorkflowManager.TryStartWorkflow(WorkflowRequest request, WorkflowManagerActivity activity, BuildWorkflowInstance& workflowInstance, Exception& error, Boolean& syncLockTaken)
    Inner Exception Details:
    Exception Message: An error occurred while sending the request. (type HttpRequestException)
    Exception Stack Trace: at Microsoft.VisualStudio.Services.WebApi.VssHttpRetryMessageHandler.<SendAsync>d__1.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
    at Microsoft.VisualStudio.Services.WebApi.HttpClientExtensions.<DownloadFileFromTfsAsync>d__2.MoveNext()
    Inner Exception Details:
    Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)Exception Stack Trace: at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
    at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
    Inner Exception Details:
    Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)
    Exception Stack Trace: at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
    at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

    Hi Mitul,
    Thanks for your reply.
    It's strange: if your old build definitions can work using the same TFS Build Server, that indicates your TFS Server configuration is correct and works, but only the new build definition with the default TfvcTemplate.12.xaml template cannot build successfully.
    Please share your TFS Server detailed environment information here. And share your
    Build Service Properties dialog screenshot here.
    Try to clean the Cache for TFS 2013 manually(delete the content of the folder only, not the cache folder itself):
    Clean the Cache folder on Server machine. The folder path is:
    C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.  
    After cleaned, on Server machine, click Start and select
    Run… to open the dialog box, then input iisreset.exe and click OK, wait it run completely.
    Additionally, you can run the TFS 2013 Power Tools BPA to scan the installation of your TFS Server.
