Network security: SSL / TLS connections or not?

Hi,
Our small office-network is administered by a (very good) self-employed debian dev, and in the last six years I have learned a great deal by reading through configfiles on our server. I have even setup my own (modest) homeserver and am very interested in everything about networking.
Earlier this year there were the SSL-vulnerabilities, so I glanced through our own setup and I think I have found a weakness that I'm not sure of if it is serious or not.
Internal authentication is handled with LDAP / Kerberos, so at this level I see no problems, but connections to f.e. our LDAP-server are not protected with SSL or TLS and thus my question: should this not be mandatory on an office network that (although protected by iptables) allows connections with the internet?
Our server handles next to LDAP / Kerberos also apache, postgresql, imap, smtp, calDAV, NFS, cups etc...
THX!

Our LDAP-server is used to authenticate users (LAN only), but also as an addressbook (LAN only, although exposed through a local web app).
But other services are exposed to the internet: imap, smtp, http, etc. Whenever I need to add a new device (smartphone f.e.), I'm confronted with the setting 'encryption', which has to be left blank for our setup. That's why I have my doubts...
But you seem to find encryption something 'optional' if I understand you completely. So my doubts are probably not warranted. THX for your reply!

Similar Messages

On my iPad 2, how can I verify a secure (SSL, TLS) connection?

After performing a search with the Google Search app and clicking on one of the "result" hyperlinks, I've just made an online purchase from my iPad 2. Soon as I committed to the transaction, I began to look around for some indication that the Google Search browser had actually established an encrypted connection. I became very nervous when I was unable to find something like the "padlock" icon, or even the "https" scheme in the first part of the URL — I guess Google thought such feedback to us users is superfluous or unnecessary information, but that supposition could really get me into trouble if it's not, in fact, true. So, then, how is one to know whether it's safe to conduct sensitive business that includes the sharing of personally identifying information, credit card numbers, etc., with an iPad 2?
NOTE: To be clear, this question assumes that I am working from my own, secure network, not from a public hotspot such as a coffee shop, library, hotel, etc.]

Hi, JimHdk!
In the case of doing a Google search from within the Safari app you're correct that the entire URL will display (including the https) and the padlock will display to the left of the page name. However, when doing a Google search using the Google Search app, my iPad's default browser (Safari) is not opened. Instead, the Google Search app runs its own browser that neither displays a padlock icon when it's on a secure connection nor does it display the entire URL — i.e. it "hides" the first scheme (http://) of every URL, displaying only the latter part "www.enterprise.com."
Bill

Require Only SSL/TLS Connections

I would like to require that only SSL/TLS connections be allowed to my server. This is not to be confused with wanting SSL client authentication. I had initially thought I could do this with ACI using the authmethod="ssl", however after looking at the documentation closely and experimentation this refers to do client based SSL authentication as well. I do have SSL/TLS set up correctly, I just want to disallow non-encrypted traffic.
In OpenLDAP I would merely state "security ssf=128" to require SSL/TLS only connections.
Anyone know how to do this in Sun's Directory Server?

The reason I don't use a firewall (presumedly to block port 389) or set the non-secure port to 0 is that this would disallow TLS on port 389. Hence all I could do is SSL and only 636. I would like to be able to allow only TLS on 389 and not allow non-TLS traffic.

Set-IRMConfiguration failed with error "Cou ld not establish trust relationship for the SSL/TLS secure channel."

Hi, experts
I'm trying to configure a lab environment according tutorial http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/rights-management-server-exchange-2010-part3.html
After completing configuration, I execute cmdlet Set-IRMConfiguration -InternalLicensingEnabled $true, but get error
The remote certificate is invalid according to the validation procedure. ---> The underlying connection was closed: Cou
ld not establish trust relationship for the SSL/TLS secure channel. ---> Failed to get Server Info from https://exhv-65
94/_wmcs/certification/server.asmx.
+ CategoryInfo : InvalidOperation: (:) [Set-IRMConfiguration], Exception
+ FullyQualifiedErrorId : C810E449,Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration
Then I run cmdlet Test-IRMConfiguration -Sender [email protected] and get error
Results : Checking Exchange Server ...
- PASS: Exchange Server is running in Enterprise.
Loading IRM configuration ...
- PASS: IRM configuration loaded successfully.
Retrieving RMS Certification Uri ...
- PASS: RMS Certification Uri: https://server1/_wmcs/certification.
Verifying RMS version for https://server1/_wmcs/certification ...
- WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the
hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247)
or AD RMS on Windows Server 2008 R2.
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https:
//server1/_wmcs/certification/server.asmx. ---> System.Net.WebException: The underlying connection was clos
ed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authenticatio
n.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest async
Request, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequ
est asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Obje
ct state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] req
uests)
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
--- End of inner exception stack trace ---
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, Se
rviceType serviceType)
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
OVERALL RESULT: PASS with warnings on disabled features
From the error message, this issue seem to related with SSL/TLS connection. So I go back to check configuration and find out a difference to tutorial. Current SCP url is https://server1/_wmcs/certification, but in tutorial it is https://server1:433/_wmcs/certification.
On my opinion, I don't think it is the real reason.
So, how can I resolve this error? Could you give me some suggestion? Thanks in advance.
System Info:
Windows Server 2008 R2 + Exchange Server 2010 SP3 RTM

Hi
Please have a try with the solution on this KB article
“Error message when you try to test access from the Microsoft Dynamics CRM E-mail Router: "Incoming Status: Failure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"”
http://support.microsoft.com/kb/954584/en-us
Cheers
Zi Feng
TechNet Community Support

Checking the details of SSL/TLS

In most of common browsers you can check what cryptographic algorithms or security mechanisms are used (and choose them). For example in Firefox (or any other Mozilla software) there's about:config and you can find there things like these:
security.ssl3.dhersa_aes_128sha
security.ssl3.dhersa_aes_256sha
security.ssl3.dhersa_camellia_128sha
security.ssl3.dhersa_camellia_256sha
security.ssl3.ecdhecdsa_aes_128sha
security.ssl3.ecdhecdsa_aes_256sha
security.ssl3.ecdhecdsa_des_ede3sha
and so on.
Thanks to that i know which algorithms is my browser exactly using in SSL/TLS connections. If i think that for example "3DES with EC-Diffie-Hellman and SHA" isn't the most secure set of algorithms for me, i can turn it off. I'd like to know which algorithms do exactly Safari use? It's an important thing because for example FF still uses for example ARC4 algorithm which isn't highly secure.
How to check it?
Safari version: 4.0.4 (531.21.10)
Operating System: Windows XP
Best regards,
Michael

Hmmmm ... not a lot of info in the following document from the Safari Development Center, and it's a bit dated too, but just in case it's of any use as a starting point:
[What encryption, authentication, and proxy technologies does Safari support?|http://developer.apple.com/safari/library/qa/qa2009/qa1537.html]

Can't get SSL/TLS e-mail access working

Am having zero luck trying to get my wife's brand new 9810 to access a pop/imap account on a server where SSL/TLS is mandatory.
Background -- I'm the server admin.
I can access e-mail on the same server/domain from my 9700 Bold running OS 6 - I can do SSL/TLS connections to e-mail just fine.
When I look at the server-side logs when the 9810 is attempting to connect, I see that the SSL/TLS session is not getting established - hence the username/password is never being sent to the server.
The 9810 is running OS 7.1.x - is this version of the OS buggy?
Looking for an e-mail wizard to help me figure this out.

Hi and Welcome to the Community!
Please try this:
KB25266 How to enable TLS on a BlackBerry smartphone preloaded with BlackBerry Device Software 6.0 or 7.0
Also, please try integrating from the BB Browser using this url:
www.blackberry.com/integrate
Also try using your carriers BIS site, from a PC/Browser
http://www.blackberryfaq.com/index.php/Where_can_I_log_into_my_BIS_account%3F
If your carrier is not listed, you may need to contact them to find their BIS site, if they have such.
Also, if you talk to them, they should be able to integrate the account as well. Further, if they can't help get it working, they have the power to escalate your case into RIM for enhanced support.
Good luck!
Occam's Razor nearly always applies when troubleshooting technology issues!
If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
Join our BBM Channels
BSCF General Channel
PIN: C0001B7B4 Display/Scan Bar Code
Knowledge Base Updates
PIN: C0005A9AA Display/Scan Bar Code

Unable to establish TLS connection to POP3 server

I've tried to reset my Outgoing Server to STARTTLS as suggested in one of your help pages so I can send from either of my 3 accounts with the appropriate outgoing server SMPT
However now I can't get any messages and even when I reset to the original setting I'm still getting no emails.
Feel like I've totally stuffed up, but none of your help pages suggestions seem to solve my dilemma.
Would appreciate some guidance on how to go from here.
Thanks
Frank

''re: send from either of my 3 accounts with the appropriate outgoing server SMPT''
noticed: All of your mail accounts are only using one smtp server.
Suggest you try:
'''account1:'''
INCOMING: account1, , (pop3) pop.googlemail.com:110, plain,
For incoming and outgoing server:
user name: Your full Gmail address (e.g. [email protected])
Gmail SMTP password: Your Gmail password
Tools > Account Settings > Server Settings for the pop gmail account
Incoming Server Name: pop.gmail.com
port: 995
Connection Security: SSL/TLS
Authentication Method: Normal Password
Tools > Account Settings > Ougoing Server (SMTP)
select the pop gmail server and click on 'Edit'
or
if no pop gmail server then click on 'Add'
Under Description type: Pop gmail
Outgoing Server Name: smtp.gmail.com
port: 465
Connection Security: SSL/TLS
OR
port (TLS): 587
Connection Security: STARTTLS
Authentication Method: Normal Password
click on OK to save changes.
Then assign correct outgoing smtp server to the account:
Tools > Account Settings
select the pop gmail account
bottom right 'outgoing Server(SMTP)
click on drop down list and select the pop gmail smtp server.
click on Ok to save settings
'''account7:'''
INCOMING: account7, , (imap) imap.googlemail.com:143,
For incoming and outgoing server:
user name: Your full Gmail address (e.g. [email protected])
Gmail SMTP password: Your Gmail password
Tools > Account Settings > Server Settings for the imap gmail account
Incoming Server Name: imap.gmail.com
port: 993
Connection Security: SSL/TLS
Authentication Method: Normal Password
Tools > Account Settings > Ougoing Server (SMTP)
select the imap gmail server and click on 'Edit'
or
if no imap gmail server then click on 'Add'
Under Description type: Imap gmail
Outgoing Server Name: smtp.gmail.com
port: 465
Connection Security: SSL/TLS
OR
port (TLS): 587
Connection Security: STARTTLS
Authentication Method: Normal Password
click on OK to save changes.
Then assign correct outgoing smtp server to the account:
Tools > Account Settings
select the gmail account
bottom right 'outgoing Server(SMTP)
click on drop down list and select the imap gmail smtp server.
click on Ok to save settings
''' account3:'''
INCOMING: account3, , (pop3) mail.internode.on.net:110,
http://www.internode.on.net/support/guides/email/secure_email/
Tools > Account Settings > Server Settings for the pop internode account
Incoming Server Name: mail.internode.on.net
port: 995
Connection Security: SSL/TLS
Authentication Method: Normal Password
Tools > Account Settings > Ougoing Server (SMTP)
select the pop internode server and click on 'Edit'
or
if no pop internode server then click on 'Add'
Under Description type: Pop Internode
Outgoing Server Name: mail.internode.on.net
port: 465
Connection Security: SSL/TLS
Authentication Method: Normal Password
click on OK to save changes.
Then assign correct outgoing smtp server to the account:
Tools > Account Settings
select the pop gmail account
bottom right 'outgoing Server(SMTP)
click on drop down list and select the Pop Internode smtp server.
click on Ok to save settings
'''account4:'''
INCOMING: account4, , (pop3) pop3.live.com:110,
https://support.mozilla.org/en-US/kb/thunderbird-and-hotmail
then make sure the account is using correct server, just like the other accounts.

Creating new ODBC connection does not show the tables

Post Author: reemjacob
CA Forum: Data Connectivity and SQL
Hello
I am creating a new ODBC Connection to SQL Server in Database Expert. Once I created the ODBC when I expand the Database I should be seeing the tables, views and stored procedures. But instead I am only seeing stored procedures. When I right click on the DB and go to options I see that Tables, Views and Stored Procedures are checked. How can I correct this so that I see the Tables and Views?
Regards
Reem

Not an Oracle proble. Not an instant driver problem.
If the ODBC tool and driver you use, fail to construct the proper SQL to interrogate the very rich Oracle data dictionary.. what is Oracle suppose to do? Fix the software from those vendors for the user? Not going to happen. Get Oracle Raptor instead and use a proper Oracle client.
Simple test. Run the following SQLs via your ODBC connection.
To see all your objects in your schema (i.e. the one you logged into via ODBC):
SELECT * FROM user_objects
To see a list of schemas:
SELECT username FROM all_users ORDER BY 1
To view other schemas' contents:
SELECT * FROM all_objects
Also note that historically ODBC has delivered poor performance. I recall many performance tests I've done during the 90's that showed ODBC up to 3x slower and generating more than 4x the network traffic, than native connections. Not too mention using ODBC introduces an additional software layer, which means more moving parts, more complexity, and more failures.
I have not touched ODBC with the proverbial 10ft pole since - and today, I have even less need to use a clunky software layer like ODBC. And should I be forced to, it will be passthru all the way.

Enabled SSL + TLS

Hello all,
I'm a beginner in JavaMail, I have several question, can I use following case:
SMTP + TLS + Authentication
SMTP + TLS + without Authentication
SMTP + Authentication + without TLS
and
SMTP + SSL + TLS + Authentication
SMTP + SSL + TLS + without Authentication
SMTP + SSL + Authentication + without TLS
Because I have the following code, it's correctly work for send a mail with returned Transporter, but no with SMTP only, SMTP + SSL, SMTP + SSL + TLS.
I have the following exception for example:
javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Can you give me use properties and means to correctly use SSL and TLS ?
Great thank !
Best regards
Adryen
public static Transport getConnectedTransportForSending(String smtpServer, String username, String password, SmtpServerType protocolSec) throws MessagingException {
Session session = null;
Boolean isWithAuth = (username != null && !username.equals("")) && (password != null && !password.equals(""));
Properties props = new Properties();
     String prefixMailSmtp = "mail.smtp";
if (SmtpServerType.SSL.equals(protocolSec)) {
//prefixMailSmtp += "s";
useSSL(props, prefixMailSmtp);
        // props.put("mail.transport.protocol", "smtps");
props.put(prefixMailSmtp+".port", "587");
} else if (SmtpServerType.SSLTLS.equals(protocolSec)) {
//prefixMailSmtp += "s";
useSSL(props, prefixMailSmtp);
useTLS(props, prefixMailSmtp);
         //props.put("mail.transport.protocol", "smtps");
props.put(prefixMailSmtp+".port", "587");
} else if (SmtpServerType.TLS.equals(protocolSec)) {
useTLS(props, prefixMailSmtp);
//props.put("mail.transport.protocol", "smtp");
props.put(prefixMailSmtp+".port", "25");
} else {
props.put(prefixMailSmtp+".port", "25");
//props.put("mail.transport.protocol", "smtp");
props.put(prefixMailSmtp+".socketFactory.fallback", "false");
if (smtpServer != null) {
props.put(prefixMailSmtp+".host", smtpServer);
if (isWithAuth) {
Authenticator auth = new ServerAuthenticator(username, password);
props.put(prefixMailSmtp+".auth", "true");
session = Session.getInstance(props, auth);
} else {
session = Session.getInstance(props, null);
Transport transporter = session.getTransport("smtp");
transporter.connect(smtpServer, username, password);
return transporter;
private static void useSSL(Properties props, String prefixMailSmtp){
props.put(prefixMailSmtp+".socketFactory.port", "587");
props.put(prefixMailSmtp+".socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.put("mail.smtp.ssl.enable", "true");
private static void useTLS(Properties props, String prefixMailSmtp){
props.put(prefixMailSmtp+".starttls.enable", "true");
public static class ServerAuthenticator extends Authenticator {
private PasswordAuthentication authentication;
public ServerAuthenticator(String username, String password) {
authentication = new PasswordAuthentication(username, password);
@Override
protected PasswordAuthentication getPasswordAuthentication() {
return authentication;

You can simplify your code by getting rid of the socket factory stuff.
If you connect using SSL to begin with, there's no need to use "TLS" (by which I assume you mean the STARTTLS command that switches a plain text connection to an SSL/TLS connection).
And of course whether you're required to use SSL or required to use STARTTLS or required to authenticate depends entirely on the configuration of the mail server.

SSL/TLS - secure connection could not be established but passes diagnostics

Any other ideas for the ever popular inability to create a secure connection issue?
I've tried just about everything I could find in all the posts on this issue and continue to get the inability to create a secure connection messag4e when logging in.
We tried the various Apple non-support channels: e-mail, chat, phone, and Genius Bar with no success.
Here's what I've tried (attempting to log in after each change):
SSL3.0 and TLS 1.0 are enabled (and always have been)
iTunes and iTunes Helper are in the Windows Firewall Exception list
reinstalled itunes 9.02 several times.
UNINSTALLED Norton Internet Security
Turned off Windows firewall.
deleted contents of /etc/hosts
Cleared SSL state
Unchecked “Check for server certificate revocation, restarted IE
--After this change I got an "network connection timed out." message
Cleared SSL state
--Back to "secure network connection could not be established"
This happens on my daughter's college network and on our home family area network. And other PCs have no trouble accessing this iTunes account on both of these networks.

Hi there,
I would recommend taking a look at the troubleshooting steps found in the article below.
Can't connect to the iTunes Store
http://support.apple.com/kb/TS1368
-Griff W.

WSUS Sync is not working Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --- System.Security.Authentication.AuthenticationException: The remote

I know there are loads of posts with same issue and most of them were related to proxy and connectivity .
This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
server is configured on http port 80
ERROR
Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid
according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
I've checked proxy server connectivity. I'm able browse following site from WSUS server
http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
I did telnet proxy server on the particular port (8080) and that is also fine.
I've doubt on certificates, any idea which are the certificates which we need to look? And if certificate is expired then (my guess) we won't be able open the above mentioned windows update catalog site?
Any tips appreciated !
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM

Hi Lawrence ! - Many thanks for looking into this thread and replying. Appreciate your help.
Your reply ("SSL is enabled/configured, and the certificate being used is invalid
(or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with proxy server configured on port (8080) and WSUS server on port 80.
My Guess (this is my best guess ;)) is this something to do with Firewall or Proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to proxy/firewall team. From their perspective all the required port communication open and
proxy server is also reachable. More over we're able to access internet (Microsoft Update Catalog site) over same port (8080).
Any other hints where I can prove them it's a sure shot problem from their side.
Thanks again !!
Anoop C Nair (My Blog www.AnoopCNair.com)
- Twitter @anoopmannur -
FaceBook Forum For SCCM

SSRS Report Server Could not establish connection. The underlying connection was closed. Could not establish trust relationship for the SSL/TLS Secure channel

Hi
Had to un-install and then re-install MS SQL Server 2012 with SSRS.
After we re-installed we are able to get to the Web Services page but not the Report Server page and get the above error message. We need to use SSL and when we bind the cert in RS Configuration Manager it says it does this successfully on the WebServices
tab. We also do a similar exercise on the ReportServer page.
Any help warmly welcomed :D
Thanks

Hi Rich Whight,
According to your description, after you re-installed SQL Server 2012 with SSRS, you are able to access Web Service URL, but when you tried to access Report Manager URL, the error occurred: The underlying connection was closed. Could not establish trust
relationship for the SSL/TLS Secure channel.
The issue may be caused when the certificate isn't installed correctly in the trusted root for the local computer. To verify and install the certificate, Please refer to the steps blow:
In RsReportServer.config file(default location: C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer), change the “SecureConnectionLevel” element value from 0 to 3.
Add correct value to <UrlRoot> element.
Add the same value to the <ReportServerUrl> element as step2.
Go to Microsoft management Console, add the certificate which you use to access the report server under “Trusted Root Certification Authorities”.
For more information about SSL configuration and Managing Trusted Root Certificates, please refer to the following documents:
http://blogs.msdn.com/b/mariae/archive/2007/12/12/ssl-configuration-and-reporting-services.aspx
http://technet.microsoft.com/en-us/library/cc754841.aspx
If you have any more questions, please feel free to ask.
Best Regards,
Wendy Fu

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

I tried to redeem a digital download copy of a movie and was presented the following error:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Any guesses on what it is and how to resolve it?
Thanks

Hi
Abhilash Francis,
Could you tell us your scenario? What's your project? Is it a WCF service?
Looks like this is not a code issue.
Just from the error information,
it seems that you do not configure the service certificate very well so as to Server was unable to process request.
I am not completely sure what the real scenario is, but it might be a problem of that It is a WCF services application, please check these following articles to configure the service certificate.
If not, please feel free to let me know.
How to: Configure an IIS-hosted WCF service with SSL
Could not establish trust
relationship for the SSL/TLS secure channel
Hope this helps.
Best regards,
Kristin
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

TF215097: An error occurred while initializing a build for build definition : Could not establish trust relationship for the SSL/TLS secure channel

Hello,
We are facing an issue when triggering a new build using TFS 2013 Update 4, VS2013 Update 4 using TFVCTemplate.12.XAML template. All our other older build definitions just work fine but not the TFVCTemplate.12.XAML. It seems to me that some certificate
might be invalidated. Can anyone please point me in the right direction?
Thanks,
Mitul
TF215097: An error occurred while initializing a build for build definition :
Exception Message: One or more errors occurred. (type AggregateException)
Exception Stack Trace: at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFile(TfsTeamProjectCollection projectCollection, String itemPath, Stream outputStream)
at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFileAsString(TfsTeamProjectCollection projectCollection, String itemPath)
at Microsoft.TeamFoundation.Build.Client.ProcessTemplate.Download(String sourceGetVersion)
at Microsoft.TeamFoundation.Build.Hosting.BuildControllerWorkflowManager.PrepareRequestForBuild(WorkflowManagerActivity activity, IBuildDetail build, WorkflowRequest request, IDictionary`2 dataContext)
at Microsoft.TeamFoundation.Build.Hosting.BuildWorkflowManager.TryStartWorkflow(WorkflowRequest request, WorkflowManagerActivity activity, BuildWorkflowInstance& workflowInstance, Exception& error, Boolean& syncLockTaken)
Inner Exception Details:
Exception Message: An error occurred while sending the request. (type HttpRequestException)
Exception Stack Trace: at Microsoft.VisualStudio.Services.WebApi.VssHttpRetryMessageHandler.<SendAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.VisualStudio.Services.WebApi.HttpClientExtensions.<DownloadFileFromTfsAsync>d__2.MoveNext()
Inner Exception Details:
Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)Exception Stack Trace: at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
Inner Exception Details:
Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)
Exception Stack Trace: at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

Hi Mitul,
Thanks for your reply.
It’s strange, if your old build definitions can work using the same TFS Build Server, that indicate your TFS Server configuration is correct and can works. But only new build definition with default TfvcTemplate.12.xaml template cannot build successful.
Please share your TFS Server detailed environment information here. And share your
Build Service Properties dialog screenshot here.
Try to clean the Cache for TFS 2013 manually(delete the content of the folder only, not the cache folder itself):
Clean the Cache folder on Server machine. The folder path is:
C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.
After cleaned, on Server machine, click Start and select
Run… to open the dialog box, then input iisreset.exe and click OK, wait it run completely.
Additionally, you can run the TFS 2013 Power Tools BPA to scan the installation of your TFS Server.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

Reporting services with R2 on DPM2012 - Could not establish trust relationship for the SSL/TLS secure channel

Hi everyone,
A somewhat similar question has been asked before by others but none of the answers given has helped me.I am attempting a DPM 2012 installation, which is failing at the "deploying reports" stage.My analysis of logs seems to point me in the direction of an SSL
error, which does not make sense since the configuration files say SSL is disabled (or at least, should be).
Here are the symptoms:
1.I am able to browse http://FQDN/Reports_MSDPM2012 folder from internet explorer
2.I am also able to browse http://FQDN/ReportServer_MSDPM2012 from internet explorer
3.The information given in the logs and relevant config files is shown below:
<<RSREPORTSERVER.CONFIG>>
<ConnectionType>Default</ConnectionType>
<LogonUser></LogonUser>
<LogonDomain></LogonDomain>
<LogonCred></LogonCred>
<InstanceId>MSRS10_50.MSDPM2012</InstanceId>
<InstallationID>{d9b1c335-5842-4a81-9148-79184c38bf09}</InstallationID>
<Add Key="SecureConnectionLevel" Value="0"/>
<Add Key="CleanupCycleMinutes" Value="10"/>
<Add Key="MaxActiveReqForOneUser" Value="20"/>
<Add Key="DatabaseQueryTimeout" Value="120"/>
<Add Key="RunningRequestsScavengerCycle" Value="60"/>
<Add Key="RunningRequestsDbCycle" Value="60"/>
<Add Key="RunningRequestsAge" Value="30"/>
<Add Key="MaxScheduleWait" Value="5"/>
<Add Key="DisplayErrorLink" Value="true"/>
<Add Key="WebServiceUseFileShareStorage" Value="false"/>





<Add Key="WatsonFlags" Value="0x0428"/>
<Add Key="WatsonDumpOnExceptions"
4.The DPM log file still appears to be using SSL even though i used reporting services configuration to remove SSL bindings:
running.Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.BackEndErrorException: exception ---> Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.ReportDeploymentException:
exception ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.WebException: The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest,
Exception exception)
5:I do have an SCCM site on the default web site used by SMS clients but on different ports
I am stumped.Somebody please give some advice
Thank you

Hi
This is an old post but did you come right?

Network security: SSL / TLS connections or not?

Similar Messages

Maybe you are looking for