Enabled SSL + TLS

Similar Messages

• SSL/TLS clients binds fail to Solaris 10 06/06 DS5.2p4 Server

  hello all,
  this is a bizarre issue that i think is related to the solaris version that is running on the directory server, at least this appears to the the issue. i have 2 SunDS servers running solaris 10 06/06 and the other solaris 10 01/06 with DS5.2p4. both have SSL enabled, the certs i signed with my own CA which i maintain with tinyca2. the directory starts fine and is listening on both 389(ldap) and 636(ldaps). i am able to successfully bind to both servers on the non-secure ports fine, commands like getent, finger, id are pulling the people from the directory. when i enable the clients to use ssl/tls those same commands fail against the solaris 10 06/06 machine but NOT the solaris 10 01/06 server. on the linux machines i'm getting "nscd: pam_ldap: could not search LDAP server" errors and on the solaris machines "Mesg: openConnection: failed to initialize TLS security" and "libsldap: Status: 7 Mesg: Session error no available conn."
  using "ldapsearch -x -ZZ" from the clients is successful to both systems, and i can use "openssl s_client" to view the certs fine. another bizzare occurance is when i do "getent passwd" i see the local and ldap users but "getent passwd ldap_user" will return nothing. again this are against the solaris 10 06/06 machine.
  has anyone see this before? i'm going to open a service request for sun on this but i wanted to see if anyone else has run into this.

  there was a problem with the certificate db which was causing this.

• SSL/TLS ciphers of an SMA (M-series) appliance

  So SMA does not include sslconfig CLI command. We cannot reonfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. Once I got instructions from TAC support telling, that I must download config file from SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.30 and 8.3.5?
  If we download the config file and do the changes, can we use sslconfig CLI command and there VERIFY subcommand of an ESA appliance to verify that a planned cipher set would surely work in a SMA appliance? I think I might be interested in cipher set
  MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
  Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also spam quarantine web GUI? Not interested in STARTTLS SMTP ciphers at this point. As s default, those SSL ciphers are set as:
    <ssl>
      <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
      <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
      <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
      <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
      <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
      <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
    </ssl>
  After fixing a locally downloaded config file and loading it back to SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports, spam quarantine content safe and we will not lost anything? So all we plan to change in config file, are the cipher settings.
  Testing a SMA spam quarantine https service with Qualys Inc. SSL labs test service opened my eyes on this case:
  https://www.ssllabs.com/ssltest/analyze.html

  I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow-up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
  []> FIPS:-aNULL
  DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
  DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
  AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
  DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
  DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
  AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
  EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
  EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
  DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
  -Robert

• WSUS Sync is not working Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --- System.Security.Authentication.AuthenticationException: The remote

  I know there are loads of posts with same issue and most of them were related to proxy and connectivity .
  This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
  server is configured on http port 80 
  ERROR
  Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid
  according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
  I've checked proxy server connectivity. I'm able browse following site from WSUS server
  http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
  I did telnet proxy server on the particular port (8080) and that is also fine.
  I've doubt on certificates, any idea which are the certificates which we need to look? And if certificate is expired then (my guess) we won't be able open the above mentioned windows update catalog site?
  Any tips appreciated !
  Anoop C Nair (My Blog www.AnoopCNair.com)
  - Twitter @anoopmannur -
  FaceBook Forum For SCCM

  Hi Lawrence ! - Many thanks for looking into this thread and replying. Appreciate your help.
  Your reply  ("SSL is enabled/configured, and the certificate being used is invalid
  (or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
  I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with proxy server configured on port (8080) and WSUS server on port 80.
  My Guess (this is my best guess ;)) is this something to do with Firewall or Proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to proxy/firewall team. From their perspective all the required port communication open and
  proxy server is also reachable. More over we're able to access internet (Microsoft Update Catalog site) over same port (8080).
  Any other hints where I can prove them it's a sure shot problem from their side.
  Thanks again !!
  Anoop C Nair (My Blog www.AnoopCNair.com)
  - Twitter @anoopmannur -
  FaceBook Forum For SCCM

• Issue with one of the Managed server while enabling SSL.__ Issue Resovled

  Weblogic version:wls 8.1sp6
  SSL: internal
  Environment:
  1 AdminServer and 2 Managed servers. Admin and M1 are on same host. M2 is on different host. We have enabled SSL on M1 & M2 only. Configuration of M1 & M2 are identical. After restarting the servers M1 has no issue with SSL but M2 throws javax.net.ssl.SSLKeyException as shown below,
  <Aug 4, 2008 12:29:01 PM BST> <Notice> <WebLogicServer> <BEA-000360> <Server started in RUNNING mode>
  <Aug 4, 2008 12:29:02 PM BST> <Info> <WebLogicServer> <BEA-000213> <Adding address: 10.96.201.249 to licensed client list>
  <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090171> <Loading the identity certificate stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
  <Aug 4, 2008 12:29:09 PM BST> <Notice> <Security> <BEA-090170> <Loading the private key stored under the alias wpy-euq02 from the JKS keystore file /home/lonwpyq/ssl_cert/WPY_PAYROLLSOLUTIONSKeystore.jks.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  <Aug 4, 2008 12:29:09 PM BST> <Error> <Cluster> <BEA-000141> <TCP/IP socket failure occurred while fetching statedump over HTTP from -6401422690190304510S:lonlxwebhost99:[16544,16544,16042,16042,16544,16042,-1,0,0]:etg:lonwpyq_16543_1.
  javax.net.ssl.SSLKeyException: [Security:090773]The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
  at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
  at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
  at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
  at com.certicom.tls.record.WriteHandler.write(Unknown Source)
  at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
  at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
  at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
  at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
  at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:122)
  at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:322)
  at weblogic.cluster.HTTPExecuteRequest.connect(HTTPExecuteRequest.java:73)
  at weblogic.cluster.HTTPExecuteRequest.execute(HTTPExecuteRequest.java:121)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)>
  Please let me know where I am going wrong. Thnx in advance
  Message was edited by:
  Shashi_sr

  Solution given by BEA Engineer:
  <Warning> <Security> <BEA-090773> <The certificate chain received from lonlxwebhost99.lehman.com - 10.71.129.99 contained a V3 certificate which key usage constraints forbid its key use by the key agreement algorithm.>
  The reason for this was
  The CA Certificate was missing a required bit (according to RFC 3280).
  keyEncipherment bit is not in the KeyUsage and KeyUsage is marked as critical.
  As per RFC:
  The keyEncipherment bit is asserted when the subject public key is
  used for key transport. For example, when an RSA key is to be
  used for key management, then this bit is set.
  According to RFC3280, when the key will be used to encrypt other keys that are send over the wire ("key transport") the keyEncipherment bit of the KeyUsage extension must be set. If the KeyUsage extension is critical, the SSL certificate validation will check that the key can be used in the key agreement. That is, that the key can be used to encrypt the symmetric public key.
  Your KeyUsage only contains the following bits:
  [4]: ObjectId: 2.5.29.15 Criticality=true KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
  Since it is marked Critical, it MUST have the keyEncipherment bit.
  Otherwise, it should not be marked as Critical.
  So the three solutions that should work are
  1) Remove keyUsage
  2) Don't mark keyUsage as critical
  3) If keyUsage is critical, make sure keyEncipherment bit is set.

• Solaris 10 DS5.2Q4 with SSL/TLS with Replicaton

  I have been working on configuring DS5.2Q4 on Solaris 10 11/06. I have been successful with Gary Tay's documentation (a few changes for new syntax and svcs). My current configuration only has one ldap server and using self signed certs.
  I would now like to move to the next step of maintaining my ssl/tls but adding another master with replication.
  Here are a couple of my questions.
  1) How do I configure my clients to work with both replication master servers. I am a little confused since the certs in my client are assigned to only one of my masters. Do both masters need the same cert, or is there a way to allow for both certs to be loated on the client (/var/ldap).
  2) Enable secure replication. I have not looked too deep into this yet, but that is my plan.
  As a final note, I would like to thank Gary Tay for all of his feedback and documentation. I find that Sun often lacks step by step procedures for tasks such as this. Thanks!

  I have been working on configuring DS5.2Q4 on Solaris 10 11/06. I have been successful with Gary Tay's documentation (a few changes for new syntax and svcs). My current configuration only has one ldap server and using self signed certs.
  I would now like to move to the next step of maintaining my ssl/tls but adding another master with replication.
  Here are a couple of my questions.
  1) How do I configure my clients to work with both replication master servers. I am a little confused since the certs in my client are assigned to only one of my masters. Do both masters need the same cert, or is there a way to allow for both certs to be loated on the client (/var/ldap).
  2) Enable secure replication. I have not looked too deep into this yet, but that is my plan.
  As a final note, I would like to thank Gary Tay for all of his feedback and documentation. I find that Sun often lacks step by step procedures for tasks such as this. Thanks!

• ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

  Hello, I´m stucked with this problem for 3 weeks now.
  I´m not able to configure the EAP-TLS autentication.
  In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
  The ISE´s certificate has been issued with the "server Authentication certificate" template.
  The clients have installed the certificates  also the certificate chain.
  When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
  and "OpenSSLErrorMessage=SSL alert
  code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
  I don´t know what else can I do.
  Thank you
  Jorge

  Hi Rik,
  the Below are the certificate details
  ISE Certificate Signed by XX-CA-PROC-06
  User PKI Signed by XX-CA-OTHER-08
  In ISE certificate Store i have the below certificates
  XX-CA-OTHER-08 signed by XX-CA-ROOT-04
  XX-CA-PROC-06 signed by XX-CA-ROOT-04
  XX-CA-ROOT-04 signed by XX-CA-ROOT-04
  ISE certificate signed by XX-CA-PROC-06
  I have enabled - 'Trust for client authentication' on all three certificates
  this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
  when i check the certificates of current user in the Client PC this is how it shows.
  XX-CA-ROOT-04 is listed in Trusted root Certification Authority
  and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

• Web auth supporting fragmented SSL&TLS packets in 7.0.116?

  Dear collegues and Cisco experts.
  I hope anyone of you can reply if this is supported on thew current platform (WLC5508 sw rel 7.0.116)
  I have not been able to reproduce this myself, but some problems have been reported after mid january, when KB2585542 might be the culprit.
  Is the internal webauthentication portal in above platform able to handle this, or is s/w upgrade inevitable?
  Does WLC guest portal w high cipeher option handle the Fragmentation  of SSL/TLS application records, as described in the following RFCs:
  TLS 1.0: http://www.ietf.org/rfc/rfc2246.txt paragraph 6.2.1
  SSL 3.0: http://www.ietf.org/rfc/rfc6101.txt paragraph 5.2.1
  Environment
  Windows XP Professional SP3 clients with Internet Explorer 8
  Wireless lan controller cluster with redundant(2) webauthentication anchors (all AIR-CT5508-XXX-K9 sw rel 7.0.116)
  Microsoft statement
  "After installing MS12-006, you may experience authentication failure or loss of connectivity to some HTTPS servers. This issue occurs because this security update changes the way that records are sent to HTTPS servers. To address an information disclosure vulnerability, SChannel now implements certain ciphers used in SSL 3.0 and TLS 1.0 in a more secure fashion. The updated behaviour is fully compliant with the RFCs, but it is something that has generally not been used on the internet before
  There are two fixes involved: the SChannel fix makes the new behaviour available, and a fix included in the December Cumulative Update makes Internet Explorer request that more secure option. The behaviour will change only if both are present"
  Sincere regards
  Mats Nilson
     AIR-CT5508-100-K9

  Debug says your client is being requested to anchor but not moving passed that....
  So from the looks of things, this has nothing to do with DHCP. Instead, you are either trying to Anchor your clients to a non-existant anchor, or something is royally hosed with mobility.
  I'd suggest debug client   and "debug mobility handoff enable"  from this same WLC as well what ever other WLC your client is being sent to....

• Failed to use LDAP over SSL MUTUAL AUTHENTICATION with some Directory enable SSL.

  In iPlanet Web Server, Enterprise Edition Administration's guide, chapter 5: secure your web server - Using SSL and TLS protocol specifying that the Administrator server camn communicate LDAP over SSL with some Directory enable SSL.
  Is there any way to configure iplanet Administration server to talk ldap/ssl in mutual authentication mode with some directory?

  Hi,
  Sorry, I could not understand what your are trying to do with iWS.
  Could you please berifly explain your question. So that I can help you.
  Regards,
  Dakshin.
  Developer Technical Support
  Sun Microsystems
  http://www.sun.com/developers/support.

• Error messagCannot connect Secure connection needed  enable ssl 3.0 and slt

  Error message "We cannot complete your itunes request. A secure internet connection cannot be determined. Be sure to enable ssl 3.0 or slt 1.0 in the internet options control panel. I did NOTHING different to my computer. One day I could purchase songs from itunes and 4 days later I couldn't. I've checked all things that discussion boards and technical support have suggested and nothing works. Enabled ssl 3.0 and slt 1.0, turned off firewall, authorized my computer, blah, blah...
  Not only can't I purchase songs but when I plug in my ipod to shuffle or change playlists, the error messages tell me I will lose many of my songs if I don't authorize my account. Then, back to the problem of it looping me through error messages.

  You don't really need to do anything, as the handshake will fall back to SSLv3 if either end can't speak TLS.
  However if you want to enforce SSLv3 and nothing else (e.g. SSLv2) you could remove TLSv1 from the enabledProtocols of the SSLSocket (or SSLServerSocket if you're writing a server). You should also remove SSLv2 at the same time IMHO as it is insecure.
  Alternatively, if you're using SSLContexts, do SSLContext.getInstance("SSLv3") and get your SSLSocketFactory from the result; see http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/JSSERefGuide.html#AppA.
  EJP

• Can I re-enable SSL in Firefox without downgrading? When I hit an SSL-only site, my only current option is to use another browser.

  Just hit an SSL-only site that I needed to access that FF 35 blocked. I don't see an obvious way to create an exception or re-enable it. We need this option... many users understand POODLE and can make an intelligent decision regarding the risks. TLS has its vulnerabilities as well.

  hello ancistrus, as you know ssl3.0 encrypted connections can be no longer considered secure since an attack vector against them ("POODLE") has become known. please contact the webmaster in charge of the site and urge them to update their encryption to something contemporary.
  https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
  if you want to re-enable ssl 3.0 in firefox you can do that - however keep the consequences in mind, that you will become vulnerable to the attack mentioned above: enter '''about:config '''into the firefox address bar (confirm the info message in case it shows up) & search for the preference named '''security.tls.version.min'''. double-click it, change its value to '''0''' and restart the browser.

• Can't get SSL/TLS e-mail access working

  Am having zero luck trying to get my wife's brand new 9810 to access a pop/imap account on a server where SSL/TLS is mandatory.
  Background -- I'm the server admin.
  I can access e-mail on the same server/domain from my 9700 Bold running OS 6 -  I can do SSL/TLS connections to e-mail just fine.
  When I look at the server-side logs when the 9810 is attempting to connect, I see that the SSL/TLS session is not getting established - hence the username/password is never being sent to the server.
  The 9810 is running OS 7.1.x  -  is this version of the OS buggy?
  Looking for an e-mail wizard to help me figure this out.

  Hi and Welcome to the Community!
  Please try this:
  KB25266 How to enable TLS on a BlackBerry smartphone preloaded with BlackBerry Device Software 6.0 or 7.0
  Also, please try integrating from the BB Browser using this url:
  www.blackberry.com/integrate
  Also try using your carriers BIS site, from a PC/Browser
  http://www.blackberryfaq.com/index.php/Where_can_I​_log_into_my_BIS_account%3F
  If your carrier is not listed, you may need to contact them to find their BIS site, if they have such.
  Also, if you talk to them, they should be able to integrate the account as well. Further, if they can't help get it working, they have the power to escalate your case into RIM for enhanced support.
  Good luck! 
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• Creating a TCP connection with SSL/TLS

  Hi,
  I am working in a application that depends on the server. I need to estabilish a TCP connection with SSL/Tls secure connection with the server in order to get the datas.
  I have the following code structure :
  - (id)initWithHostAddressNSString*)_host andPortint)_port
  [self clean];
  self.host = _host;
  self.port = _port;
  CFWriteStreamRef writeStream;
  CFReadStreamRef readStream;
  return self;
  -(BOOL)connect
  if ( self.host != nil )
  // Bind read/write streams to a new socket
  CFStreamCreatePairWithSocketToHost(kCFAllocatorDef ault, (CFStringRef)self.host, self.port, &readStream, &writeStream);
  return [self setupSocketStreams];
  - (BOOL)setupSocketStreams
  // Make sure streams were created correctly
  if ( readStream == nil || writeStream == nil )
  [self close];
  return NO;
  // Create buffers ---- has not been released , so need to check possible ways to release in future
  incomingDataBuffer = [[NSMutableData alloc] init];
  outgoingDataBuffer = [[NSMutableData alloc] init];
  // Indicate that we want socket to be closed whenever streams are closed
  CFReadStreamSetProperty(readStream, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
  CFWriteStreamSetProperty(writeStream, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
  //Indicate that the connection needs to be done in secure manner
  CFReadStreamSetProperty(readStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
  CFWriteStreamSetProperty(writeStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
  // We will be handling the following stream events
  CFOptionFlags registeredEvents = kCFStreamEventOpenCompleted |
  kCFStreamEventHasBytesAvailable | kCFStreamEventCanAcceptBytes |
  kCFStreamEventEndEncountered | kCFStreamEventErrorOccurred;
  // Setup stream context - reference to 'self' will be passed to stream event handling callbacks
  CFStreamClientContext ctx = {0, self, NULL, NULL, NULL};
  // Specify callbacks that will be handling stream events
  BOOL doSupportAsync = CFReadStreamSetClient(readStream, registeredEvents, readStreamEventHandler, &ctx);
  BOOL doSupportAsync1 = CFWriteStreamSetClient(writeStream, registeredEvents, writeStreamEventHandler, &ctx);
  NSLog(@"does supported in Asynchrnous format? : %d :%d", doSupportAsync, doSupportAsync1);
  // Schedule streams with current run loop
  CFReadStreamScheduleWithRunLoop(readStream, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);
  CFWriteStreamScheduleWithRunLoop(writeStream, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);
  // Open both streams
  if ( ! CFReadStreamOpen(readStream) || ! CFWriteStreamOpen(writeStream))
  // close the connection
  return NO;
  return YES;
  // call back method for reading
  void readStreamEventHandler(CFReadStreamRef stream,CFStreamEventType eventType, void *info)
  Connection* connection = (Connection*)info;
  [connection readStreamHandleEvent:eventType];
  // call back method for writing
  void writeStreamEventHandler(CFWriteStreamRef stream, CFStreamEventType eventType, void *info)
  Connection* connection = (Connection*)info;
  [connection writeStreamHandleEvent:eventType];
  `
  As above, I have used
  CFReadStreamSetProperty(readStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelSSLv3);
  CFWriteStreamSetProperty(writeStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelSSLv3);
  in order to make a secured connection using sockets.
  The url i am using is in the format "ssl://some domain.com"
  But in my call back method i am always getting only kCFStreamEventErrorOccurred for CFStreamEventType .
  I also tried with the url "https://some domain.com" ,but getting the same error.
  i also commented out setting kCFStreamPropertySocketSecurityLevel, but still i am receiving the same error that i mentioned above.
  I dont know how it returns the same error. I have followed the api's and docs , but they mentioned the same way of creating a connection as i had given above.
  I tried to get the error using the following code :
  CFStreamError error = CFWriteStreamGetError(writeStream);
  CFStreamErrorDomain errDomain = error.domain;
  SInt32 errCode = error.error;
  The value for errCode is 61 and errDomain is kCFStreamErrorDomainPOSIX. so i checked out the "errno.h", it specifies errCode as "Connection refused"
  I need a help to fix this issue.
  If the above code is not the right one,
  **(i)how to create a TCP connection with SSL/TLS with the server.**
  **(ii)How the url format should be(i.e its "ssl://" or "https://").**
  **(iii)If my above code is correct where lies the error.**
  I hope the server is working properly. Because I can able to communicate with the server and get the datas properly using BlackBerry and android phones. They have used SecuredConnection api's built in java. Their url format is "ssl://" and also using the same port number that i have used in my code.
  Any help would be greatly appreciated.
  Regards,
  Mohammed Sadiq.

  Hello Naxito. Welcome to the Apple Discussions!
  Try the following ...
  Perform a "factory default" reset of the AX
  o (ref: http://docs.info.apple.com/article.html?artnum=108044)
  Setup the AX
  Connect to the AX's wireless network, and then, using the AirPort Admin Utility, try these settings:
  AirPort tab
  o Base Station Name: <whatever you wish or use the default>
  o AirPort Network Name: <whatever you wish or use the default>
  o Create a closed network (unchecked)
  o Wireless Security: Not enabled
  o Channel: Automatic
  o Mode: 802.11b/g Compatible
  Internet tab
  o Connect Using: Ethernet
  o Configure: Manually
  o IP address: <Enter your college-provided IP address>
  o Subnet mask: <Enter your college-provided subnet mask IP address>
  o Router address: <Enter your college-provided router IP address>
  o DNS servers: <Enter your college-provided DNS server(s)
  o WAN Ethernet Port: Automatic
  <b>Network tab
  o Distribute IP addresses (checked)
  o Share a single IP address (using DHCP & NAT) (enabled)

• My problem when I enable SSL in Weblogic and I don't have a trusted CA cert

  <h3>Hello
  I've enabled weblogic SSL
  Now when I want use Weblogic Administration Console with Https protocol it works
  But at first when I enter to its addredd my Web Browser(Mozella Firefox) show me this exception </h3>
  "+This Connection is Untrusted You have asked Firefox to connect+
  +securely to localhost:7002, but we can't confirm that your connection is secure.+
  +Normally, when you try to connect securely,+
  +sites will present trusted identification to prove that you are+
  +going to the right place. However, this site's identity can't be verified+."
  <h3>
  I know that it's because I don't have any certificate of trusted certificate authorities (however when I add the exception it goes to the administration console)
  Suppose I want develop an application for a small company and it uses HTTPS for its loging page and I don't have
  any trusted CA certificate , when users want login , web brwoser shows the exception
  </h3>
  <h3>
  Know I want ask
  can I create a valid certificate by myself without connecting a trusted certificate authority and doing its official stages ? In other word , can I
  be a Trusted Certificate Authority for myself and configure Web Browser for getting rid of that exception ?
  My aim is to finding a way to use SSL and make a secure connection without receiving the exception in Web Browser and without
  connecting certificate authorities and doing its official corresponding and paying cost
  do you have any solution for me ?
  Thanks
  </h3>

  Hi
  I enabled SSL Debugging in Weblogic and it show me this log when the WebBrowser want user https :
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 1639942021>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <181142934 SSL3/TLS MAC>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <181142934 received HANDSHAKE>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ClientHello>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 58>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 1583>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <write HANDSHAKE, offset = 0, length = 4>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <181142934 SSL3/TLS MAC>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <181142934 received ALERT>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 42
  java.lang.Exception: New alert stack
  at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
  at com.certicom.tls.record.alert.AlertHandler.handleAlertMessages(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
  at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
  at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
  at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
  at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
  at javax.net.ssl.impl.SSLSocketImpl.startHandshake(Unknown Source)
  at weblogic.server.channels.DynamicSSLListenThread$1.run(DynamicSSLListenThread.java:130)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <Alert received from peer, notifying peer we received it: com.certicom.tls.record.alert.Alert@47204d1a>
  <Jan 4, 2012 4:18:48 PM IRST> <Warning> <Security> <BEA-090482> <BAD_CERTIFICATE alert was received from 172.17.33.59 - 172.17.33.59. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <close(): 424502001>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <close(): 424502001>
  <Jan 4, 2012 4:18:48 PM IRST> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 1639942021>
  Can it give helpful glue ?
  Thanks

• Configuração SLL/NFe - PI para recebimento de e-mails usando SSL/TLS

  Usamos o GRC/SLL 10 NFe  - SP16  para emissão / recebimento de NFes.
  Estamos migrando nosso exchange 2003 para exchange 2010 e existe a necessidade de aumentarmos a segurança.
  Alguem poderia nos ajudar ? temos que usar o SSL/TLS -
  Existe alguma opção al´me de Plain/MD5 ? Podemos usar outro tipo de encriptação ?
  Agradeço desde já a ajuda de todos

  Boa tarde Daniela,
  Ao meu ver, a configuração dos dois ambientes da SEFAZ (Hom/Prod) em um mesmo ambiente PI (Dev, por ex) é desnecessária e acaba dobrando o esforço de configuração e é passível de erro.
  Após a primeira implementação, onde usei essa prática descrita por você, vi que não fazia sentido, já que após o transporte dos objetos de DEV para QAS, tive que refazer toda a configuração de canal de comunicação duas vezes (Homologação e Produção). Quando transportei para Produção, o mesmo tormento. Os canais produtivos em DEV/QAS nunca foram utilizados -- ainda bem, pois isto é o correto. O mesmo em produção -- canais de homologação nunca foram utilizados e apenas serviam de peso morto no ambiente.
  Agora, se na sua empresa você possui alguma ferramenta de transporte dos objetos do Directory que leva todos os canais de comunicação com os seus devidos valores, sem ter a necessidade de preenchê-los logo após o transporte (tenho isso no cliente atual - viva a API do Directory), aí as coisas mudam de figura.
  A recomendação que eu dou é de sempre configurar os cenários da maneira mais simples e genérica possível (Srv_SEFAZ_SP ao invés de Srv_SEFAZ_SP_HOM), utilizando a última versão do PI e configurar os cenários utilizando ICO.
  []'s
  JN