Pandora and SSL/TLS
Help.
I listen to music on Pandora and got a message today that my browser (Safari 8.02) appears to not support SSL/TLS. It suggested that I update my browser.
I understand that these are web security items.
The question is then: Does Safari support SSL/TLS? If it does and I don't have it, how can I get it? Or, should I start using a different browser? Or, is Pandora out of their minds and I should ignore the message?
Thanks for reading and replying in advance.
I use a MacBook Pro (early 2011) with Yosemite and 8 GB RAM. The machine is wired directly to my router and my internet service is from TWC.
Bill
Mozilla Firefox as of Firefox 34 has the vulnerable SSL 3.0 disabled and only allows for TLS 1.0 at minimum to 1.2 now.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
So Pandora is incorrect if they believe Firefox is not safe to use.
Actually Pandora potentially needs to do a bit of upgrading themselves.
https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&s=208.85.40.50
Similar Messages
-
Solaris 8, pam_ldap and SSL/TLS
Has anyone got the experience of compiling and installing pam_ldap (padl version) with ssl/tls support on Solaris 8? I tried compiling pam_ldap with Netscape LDAP SDK, but it failed to compile ldap_ssl.h . So I am wondering... is that something I can do on solaris 8? (I am using iDS 5.1)
Error received on compilation:
# ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk
loading cache ../config.cache
checking host system type... sparc-sun-solaris2.8
checking target system type... sparc-sun-solaris2.8
checking build system type... sparc-sun-solaris2.8
checking for a BSD compatible install... ../install-sh -c
checking whether build environment is sane... yes
checking for mawk... no
checking for gawk... no
checking for nawk... nawk
checking whether make sets ${MAKE}... yes
checking for working aclocal... missing
checking for working autoconf... found
checking for working automake... missing
checking for working autoheader... found
checking for working makeinfo... missing
checking for gnutar... no
checking for gtar... no
checking for tar... tar
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking how to run the C preprocessor... gcc -E
checking for a BSD compatible install... ../install-sh -c
checking for security/pam_appl.h... yes
checking for security/pam_misc.h... no
checking for security/pam_modules.h... yes
checking for pam/pam_appl.h... no
checking for pam/pam_misc.h... no
checking for pam/pam_modules.h... no
checking for des.h... no
checking for crypt.h... yes
checking for lber.h... yes
checking for ldap.h... yes
checking for ldap_ssl.h... yes
checking for main in -ldl... yes
checking for main in -lpam... yes
checking for main in -lresolv... yes
checking for main in -lcrypt... yes
checking for main in -lnsl... yes
checking for gethostbyname... yes
checking for main in -lldap50... yes
checking for main in -lpthread... yes
checking for ldap_init... yes
checking for ldap_get_lderrno... yes
checking for ldap_set_lderrno... yes
checking for ldap_parse_result... yes
checking for ldap_memfree... yes
checking for ldap_controls_free... yes
checking for ldap_set_option... yes
checking for ldap_get_option... yes
checking for ldapssl_init... yes
checking for ldap_start_tls_s... no
checking for ldap_pvt_tls_set_option... no
checking for ldap_initialize... no
checking for gethostbyname_r... yes
checking whether gethostbyname_r takes 6 arguments... 5
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
updating cache ../config.cache
creating ./config.status
creating Makefile
creating config.h
# make
cd . && /padl/pam_ldap-161/missing aclocal
WARNING: `aclocal' is missing on your system. You should only need it if
you modified `acinclude.m4' or `configure.in'. You might want
to install the `Automake' and `Perl' packages. Grab them from
any GNU archive site.
cd . && /padl/pam_ldap-161/missing automake --gnu Makefile
WARNING: `automake' is missing on your system. You should only need it if
you modified `Makefile.am', `acinclude.m4' or `configure.in'.
You might want to install the `Automake' and `Perl' packages.
Grab them from any GNU archive site.
cd . && autoconf
/bin/sh ../config.status --recheck
running /bin/sh ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk --no-create --no-recursion
checking build system type... sparc-sun-solaris2.8
checking host system type... sparc-sun-solaris2.8
checking target system type... sparc-sun-solaris2.8
checking for a BSD-compatible install... ../install-sh -c
checking whether build environment is sane... yes
checking for gawk... no
checking for mawk... no
checking for nawk... nawk
checking whether make sets $(MAKE)... yes
checking for working aclocal... missing
checking for working autoconf... found
checking for working automake... missing
checking for working autoheader... found
checking for working makeinfo... missing
checking for gnutar... no
checking for gtar... no
checking for tar... tar
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking how to run the C preprocessor... gcc -E
checking for a BSD-compatible install... ../install-sh -c
checking for egrep... egrep
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... no
checking for unistd.h... yes
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
checking security/pam_misc.h usability... no
checking security/pam_misc.h presence... no
checking for security/pam_misc.h... no
checking security/pam_modules.h usability... no
checking security/pam_modules.h presence... yes
configure: WARNING: security/pam_modules.h: present but cannot be compiled
configure: WARNING: security/pam_modules.h: check for missing prerequisite headers?
configure: WARNING: security/pam_modules.h: proceeding with the preprocessor's result
configure: WARNING: ## ------------------------------------ ##
configure: WARNING: ## Report this to [email protected]. ##
configure: WARNING: ## ------------------------------------ ##
checking for security/pam_modules.h... yes
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking pam/pam_misc.h usability... no
checking pam/pam_misc.h presence... no
checking for pam/pam_misc.h... no
checking pam/pam_modules.h usability... no
checking pam/pam_modules.h presence... no
checking for pam/pam_modules.h... no
checking des.h usability... no
checking des.h presence... no
checking for des.h... no
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking ldap_ssl.h usability... no
checking ldap_ssl.h presence... yes
configure: WARNING: ldap_ssl.h: present but cannot be compiled
configure: WARNING: ldap_ssl.h: check for missing prerequisite headers?
configure: WARNING: ldap_ssl.h: proceeding with the preprocessor's result
configure: WARNING: ## ------------------------------------ ##
configure: WARNING: ## Report this to [email protected]. ##
configure: WARNING: ## ------------------------------------ ##
checking for ldap_ssl.h... yes
checking for main in -ldl... yes
checking for main in -lpam... yes
checking for main in -lresolv... yes
checking for main in -lcrypt... yes
checking for main in -lnsl... yes
checking for gethostbyname... yes
checking for main in -lldap50... yes
checking for main in -lpthread... yes
checking for ldap_init... yes
checking for ldap_get_lderrno... yes
checking for ldap_set_lderrno... yes
checking for ldap_parse_result... yes
checking for ldap_memfree... yes
checking for ldap_controls_free... yes
checking for ldap_set_option... yes
checking for ldap_get_option... yes
checking for ldapssl_init... yes
checking for ldap_start_tls_s... no
checking for ldap_pvt_tls_set_option... no
checking for ldap_initialize... no
checking for gethostbyname_r... yes
checking whether gethostbyname_r takes 6 arguments... 5
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
configure: creating ../config.status
cd . \
&& CONFIG_FILES=Makefile CONFIG_HEADERS= /bin/sh ./config.status
config.status: creating Makefile
config.status: executing default-1 commands
gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o pam_ldap.o pam_ldap.c
gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o md5.o md5.c
/usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ../exports.solaris -G -B group -lc -L/ldapsdk/lib -R/ldapsdk/lib pam_ldap.o md5.o -lpthread -lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 -lnsl -lcrypt -lresolv -lpam -ldl
cd . && autoheader
WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
WARNING: and `config.h.top', to define templates for `config.h.in'
WARNING: is deprecated and discouraged.
WARNING: Using the third argument of `AC_DEFINE' and
WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
WARNING: `acconfig.h':
WARNING: AC_DEFINE([NEED_MAIN], 1,
WARNING: [Define if a function `main' is needed.])
WARNING: More sophisticated templates can also be produced, see the
WARNING: documentation.
cd . \
&& CONFIG_FILES= CONFIG_HEADERS=config.h \
/bin/bash ../config.status
config.status: creating config.h
config.status: executing default-1 commands -
Will iOS 7.0.2 and iOS 8.1 devices running CardDAV clients work with CardDAV server that only supports TLS and deprecated SSL?
For those with an interest in upgrading your CardDAV and CalDAV servers who intend to deprecate SSL v3 on your servers, I am able to share and report that iOS 7.1.2 and iOS 8.1 contacts clients are able to do away with SSL v3 and use TLS 1.1/1.2 for encryption to avoid POODLE attacks.
This is my experience and thought it might be worthwhile to share.
Cheers! -
SophosWebIntelligence and SSL/TLS
Dear all, Despite perusing the available documentation and reading pages upon pages of bulletin board replies (both here and elsewhere), I am still unsure about the role played by SophosWebIntelligence, especially with regard to SSL and TLS. It is obvious that SophosWebIntelligence proxies data sent to and from supported browsers (Safari, Chrome, Firefox) whether the page loads over HTTP or HTTPS. This suggests that it intercepts the TLS connection in order to run reputation checks and scan any downloads. This, in turn, suggests a lot of tricky issues with privacy and security (keeping in mind that browsers like Chrome are much better at securing TLS transactions than most third-party apps). Yet, upon examining certificates and certificate chains, I see no obvious signs of a Sophos MITM "attack." How does the SophosWebIntelligence bundle peek into encrypted streams? Does anybody have any idea?
francoisjoseph wrote:
How does the SophosWebIntelligence bundle peek into encrypted streams? Does anybody have any idea?
The short answer is: it doesn't peek into encrypted streams. We simply pass the encrypted content through from the server directly to the browser.
The longer answer: we do read the SNI (Server Name Indication) header from the encrypted stream, as this information contains the domain name being visited in clear text. We do the same reputation checks on these sites as we would for unencrypted streams. But because the actual content is encrypted, we cannot perform scanning.
Hope that helps explain what you are seeing. -
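The server name a TLS client sends travels in the ClientHello, before any keys are negotiated, which is why a pass-through proxy can read it without terminating the connection. The parser below is an added example, not Sophos code; `extract_sni`, `build_client_hello` and the host name are hypothetical, and the sample ClientHello is constructed inline.

```python
TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension


class Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, size):
        return int.from_bytes(self.take(size), "big")

    def vector(self, len_size):
        """Read a length-prefixed field and return its payload."""
        return self.take(self.uint(len_size))

    def remaining(self):
        return len(self.data) - self.pos


def extract_sni(stream):
    """Return the host name in the first TLS record, or None if absent.

    Raises ValueError on truncated input. A ClientHello split across
    several records is not reassembled here.
    """
    record = Reader(stream)
    if record.uint(1) != TLS_HANDSHAKE:
        return None                   # not TLS (for example plain HTTP)
    record.take(2)                    # record-layer version
    handshake = Reader(record.vector(2))
    if handshake.uint(1) != CLIENT_HELLO:
        return None
    hello = Reader(handshake.vector(3))
    hello.take(2 + 32)                # client_version + random
    hello.vector(1)                   # session_id
    hello.vector(2)                   # cipher_suites
    hello.vector(1)                   # compression_methods
    if hello.remaining() == 0:
        return None                   # hello without any extensions
    extensions = Reader(hello.vector(2))
    while extensions.remaining():
        ext_type = extensions.uint(2)
        ext_data = Reader(extensions.vector(2))
        if ext_type != EXT_SERVER_NAME:
            continue                  # skip unrelated extensions
        names = Reader(ext_data.vector(2))
        while names.remaining():
            name_type = names.uint(1)
            name = names.vector(2)
            if name_type == 0:        # host_name
                return name.decode("ascii")
    return None


def build_client_hello(hostname=None):
    """Constructed sample: minimal TLS 1.2 ClientHello, optionally with SNI."""
    def vec(len_size, payload):
        return len(payload).to_bytes(len_size, "big") + payload

    # One unrelated extension (ec_point_formats) so the parser has to skip it.
    exts = (0x000B).to_bytes(2, "big") + vec(2, b"\x01\x00")
    if hostname is not None:
        entry = b"\x00" + vec(2, hostname.encode("ascii"))
        exts += EXT_SERVER_NAME.to_bytes(2, "big") + vec(2, vec(2, entry))
    hello = (b"\x03\x03" + bytes(32) + vec(1, b"")
             + vec(2, b"\xc0\x2f\x00\x9c") + vec(1, b"\x00") + vec(2, exts))
    handshake = bytes([CLIENT_HELLO]) + vec(3, hello)
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + vec(2, handshake)


if __name__ == "__main__":
    print(extract_sni(build_client_hello("mail.example.org")))
```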
Broken SSL/TLS SMTP authentication with Outlook Express
Hi All,
I've created two ports for SMTP-Authentication with required SSL/TLS: port 25 and port 587. Everything works fine on port 25 (both smtp-auth and ssl/tls work).
But when using Outlook Express with port 587, the problem happens:
Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'pop.cbn.net.id', Server: 'smtps.cbn.net.id', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F
I've already disabled Windows firewall, desktop antivirus etc. but it still does not work.
Does anyone have the same problem? Thank you.
Sorry I'm a little late to the party.
This is a bug in OE. It is attempting to do an SSL negotiation immediately when the connection opens, like what a web browser does for HTTPS connections, rather than using the STARTTLS mechanism to start TLS in the middle of the connection. In other words, it's attempting to use the old, never actually standardized SMTPS protocol if you attempt to do secure SMTP on any port other than 25. When we deployed mandatory SSL/TLS here, we had to deploy an SMTPS server on port 465, just for OE users (our mail relay server is not an IronPort).
SMTPS was never standardized, never even made it past one Internet-Draft. Its allocation of port 465 was later revoked by IANA and reassigned to another protocol. Yet it was treated as gospel by many mail client authors. I refused to support it on our mail server until it became obvious that OE simply wouldn't work otherwise (getting correct STARTTLS operation by using port 25 is not always available because of ISPs doing port 25 blocking). I don't blame IronPort in the least for not supporting it, although it does make this situation harder to resolve.
I have learned to hate OE. -
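The mismatch described in the reply above, modelled as a small state machine: a listener that expects STARTTLS and one that expects TLS from the first byte, each fed both kinds of client. This is an added example, not code from the thread; the host names, the stub ClientHello bytes and the function names are constructed for illustration.

```python
# Constructed, truncated stub: only the record header is inspected below.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"

# Client that upgrades in-band (what a STARTTLS listener expects).
STARTTLS_CLIENT = [b"EHLO client.example\r\n", b"STARTTLS\r\n",
                   CLIENT_HELLO, b"EHLO client.example\r\n"]
# Client that opens with a TLS handshake (the behaviour attributed to OE).
IMPLICIT_CLIENT = [CLIENT_HELLO, b"EHLO client.example\r\n"]


def is_tls_client_hello(data):
    """TLS record header: content type 0x16 (handshake), major version 3."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def run_session(server_mode, client_messages):
    """Return (outcome, transcript) for one modelled connection.

    server_mode "starttls": plaintext SMTP first, TLS after STARTTLS.
    server_mode "implicit": TLS handshake first, SMTP greeting afterwards.
    """
    if server_mode == "starttls":
        state, log = "command", ["S: 220 mail.example ESMTP"]
    elif server_mode == "implicit":
        # No greeting yet: a real STARTTLS client would wait for one and
        # time out; the model treats its first command as the mismatch.
        state, log = "expect_tls", []
    else:
        raise ValueError("unknown server mode: " + server_mode)

    encrypted = False
    for msg in client_messages:
        hello = is_tls_client_hello(msg)
        log.append("C: <TLS ClientHello>" if hello
                   else "C: " + msg.decode("ascii", "replace").strip())
        if state == "expect_tls":
            if not hello:
                return "dropped: SMTP command where a TLS handshake was expected", log
            encrypted, state = True, "command"
            log.append("S: <TLS handshake completes>")
            if server_mode == "implicit":
                log.append("S: 220 mail.example ESMTP")
        elif hello:
            # Binary handshake bytes arrive where the server parses a command.
            return "dropped: TLS handshake where an SMTP command was expected", log
        elif msg.upper().startswith(b"EHLO"):
            # AUTH is only offered once the channel is encrypted.
            log.append("S: 250 AUTH PLAIN" if encrypted else "S: 250 STARTTLS")
        elif msg.upper().startswith(b"STARTTLS") and not encrypted:
            log.append("S: 220 Ready to start TLS")
            state = "expect_tls"
        else:
            log.append("S: 502 command not implemented in this sketch")
    return ("tls-established" if encrypted else "plaintext-only"), log


if __name__ == "__main__":
    for mode in ("starttls", "implicit"):
        for name, client in (("STARTTLS client", STARTTLS_CLIENT),
                             ("implicit-TLS client", IMPLICIT_CLIENT)):
            outcome, _ = run_session(mode, client)
            print(f"{mode:9} listener, {name:19}: {outcome}")
```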
I have been using Firefox for a long time as my browser and typically play Pandora while at my office most days. For the first time today I received a pop up message "Pandora believes your browser does not support modern SSL/TLS. Consider upgrading your browser" when I logged on to Pandora. I checked and I am on the latest version of Mozilla Firefox. I am unable to control volume or log out of Pandora now. I did some google searches and found Mozilla disabled ssl3.0 due to a "Poodle" attack. Does that mean that I can no longer use Firefox as my browser when I want to listen to music on Pandora or is there "a fix"? Thanks!
Mozilla Firefox as of Firefox 34 has the vulnerable SSL 3.0 disabled and only allows for TLS 1.0 at minimum to 1.2 now.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
So Pandora is incorrect if they believe Firefox is not safe to use.
Actually Pandora potentially needs to do a bit of upgrading themselves.
https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&s=208.85.40.50 -
Sql server service wont start after disabling TLS 1.0 and SSL 3.0 on windows
We have been hardening our servers for some time now and recently we disabled SSL 3.0 because of the poodle attack. When I did this on one of our test servers SQL Server failed to start up after the restart.
I have been able to reproduce this on Windows Server 2012 and Windows 7 by disabling TLS 1.0 and SSL 3.0 through the registry. I am using SQL Server 2012 on the server machine. On my windows 7 machine sql server 2012 and sql server 2005 will not start with those disabled.
These are the event log errors I get:
Application Logs:
(28/10/2014 8:38:54 AM) SQL Server could not spawn FRunCM thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
(28/10/2014 8:38:54 AM) Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
(28/10/2014 8:38:54 AM) TDSSNIClient initialization failed with error 0x80090331, status code 0x1.
(28/10/2014 8:38:54 AM) TDSSNIClient initialization failed with error 0x80090331, status code 0x80.
System Logs:
(28/10/2014 8:38:54 AM) The SQL Server (MSSQLSERVER) service terminated with service-specific error %%-2146893007.
(28/10/2014 8:38:54 AM) A fatal error occurred while creating an SSL server credential. The internal error state is 10013.
Does anyone know how we can keep SSL 3.0 and TLS 1.0 disabled and get SQL Server to start?
Hi Don,
I already have TLS 1.0 disabled to prevent the BEAST exploit. So the values I have for:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
Both have Enabled set to ("Enabled"=dword:00000000).
If I change both of these back to ("Enabled"=dword:00000001) to enable TLS 1.0 and restart, then SQL Server is able to start again. But we are now vulnerable to the BEAST attack once again.
If I keep the server enabled and disable the client, or vice versa, and restart, then SQL Server starts but I am unable to connect to it. When I check the event logs I get the same errors as in my original post.
With your last post, do you mean to back up SCHANNEL and delete it so it gets recreated? If that is the case it will probably work, because if I re-enable SSL 3.0 or TLS 1.0 from here it fixes the issue, but then I won't have the exploits patched, and we need this for some of our customers.
This is my SCHANNEL Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000 -
I have no experience with SharePoint at all, but this is what I observed.
I am intermittently getting this error message on my SharePoint: could not establish trust relationship for the ssl/tls secure channel. Remote Certificate is invalid according to the validation procedure.
Screenshot of the error
This is how the sharepoint page layout.
I have report.aspx. and below is the content of the aspx file.
The url is http://sharepoint.COMPANY.com/Pages/Report.aspx.
The URL is intranet only.
The sharepoint is hosted in SERVER1 and the SSRS is hosted in SERVER.
I observed this error happens on both HTTP and HTTPS http sharepoint COMPANY com/Pages/Report.aspx OR https sharepoint COMPANY com/Pages/Report.aspx
So far, the step I did was to follow this blog http://krishnasangani.blogspot.ca/2013/06/the-remote-certificate-is-invalid.html Restarted IIS in SERVER1 AND SERVER2, but the problem persists. Another thing I have done is to click the certificate in Internet Explorer and everything looks ok on that side too (certificate is valid).
It seems to only happen early in the morning, then it fixes itself around 9 o'clock. It has been ongoing for about 2 weeks. Please help troubleshooting this.
<%@ Page Inherits="Microsoft.SharePoint.Publishing.TemplateRedirectionPage,Microsoft.SharePoint.Publishing,Version=14.0.0.0,Culture=neutral,PublicKeyToken=71e9bsasdasdasd9c" %> <%@ Reference VirtualPath="~TemplatePageUrl" %> <%@ Reference VirtualPath="~masterurl/custom.master" %><%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bsasdasdasd9c" %>
<html xmlns:mso="urn:schemas-microsoft-com:office:office" xmlns:msdt="uuid:547SF010-65B3-11d1-A29F-00457845FFSW"><head>
<!--[if gte mso 9]><SharePoint:CTFieldRefs runat=server Prefix="mso:" FieldList="FileLeafRef,Comments,PublishingStartDate,PublishingExpirationDate,PublishingContactEmail,PublishingContactName,PublishingContactPicture,PublishingPageLayout,PublishingVariationGroupID,PublishingVariationRelationshipLinkFieldID,PublishingRollupImage,Audience,PublishingPageImage,PublishingPageContent,SummaryLinks,ArticleByLine,ArticleStartDate,PublishingImageCaption,HeaderStyleDefinitions"><xml>
<mso:CustomDocumentProperties>
<mso:PublishingContact msdt:dt="string">8</mso:PublishingContact>
<mso:HeaderStyleDefinitions msdt:dt="string"></mso:HeaderStyleDefinitions>
<mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact msdt:dt="string">First Last Name</mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact>
<mso:PublishingContactPicture msdt:dt="string"></mso:PublishingContactPicture>
<mso:PublishingContactName msdt:dt="string"></mso:PublishingContactName>
<mso:ContentTypeId msdt:dt="string">0x010100C568DB5SDH48375LKNSDFG8340JKRG8034U6NEGK8TNGE8U34NIOGE8355H3358TRNG38G43JIOEG0T3JIGE9034340R8J05T4I54T4J8903HH5640K9445G54HH6564H65665</mso:ContentTypeId>
<mso:Comments msdt:dt="string"></mso:Comments>
<mso:PublishingContactEmail msdt:dt="string"></mso:PublishingContactEmail>
<mso:PublishingPageLayout msdt:dt="string">https://sharepoint.COMPANY.com/_catalogs/masterpage/PageFromDocLayout.aspx, Body only</mso:PublishingPageLayout>
<mso:PublishingPageContent msdt:dt="string"><div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read a74e0591-4ee6-4837-935a-3c932a967fac" id="div_a74e0591-4ee6-4837-935a-3c932a967fac"></div>
<div id="vid_a74e0591-4ee6-4837-935a-3c932a967fac" style="display:none"></div></div>
<div class="ms-rtestate-read ms-rte-wpbox"><div class="ms-rtestate-notify ms-rtestate-read e97fce7c-b702-4530-ae50-16ea77475fd5" id="div_e97fce7c-b702-4530-ae50-16ea77475fd5"></div>
<div id="vid_e97fce7c-b702-4530-ae50-16ea77475fd5" style="display:none"></div></div>
</mso:PublishingPageContent>
<mso:PublishingRollupImage msdt:dt="string"></mso:PublishingRollupImage>
<mso:RequiresRouting msdt:dt="string">False</mso:RequiresRouting>
</mso:CustomDocumentProperties>
</xml></SharePoint:CTFieldRefs><![endif]-->
<title>Report</title></head>
A few questions I have in mind: any pointers to troubleshoot this problem? And, by looking at the ASPX file, would you be able to determine what method my SharePoint page is using to call the SSRS report: integrated mode, native mode, IEFrame? The reason I am asking this is that maybe if I google using the right terminology I can get to a similar problem and solution.
Thanks
Please let us know if you are using
SharePoint communicates to an external service via HTTPS
Please try performing the following steps:
The fix is to set up a trust between SharePoint and the server requiring certificate validation.
In SharePoint Central Administration site, go to “Security” and then “Manage Trust”. Upload the certificates to SharePoint. The key is to get both the root and subordinate certificates on to SharePoint.
The steps to get the certificates from the remote server hosting the WCF service are as follows:
1. Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
2. Right click on the browser body and choose “Properties” and then “Certificates” and then “Certificate Path”.
This tells you the certificate chain that’s required by the other server in order to communicate with it properly. You can double-click on each level in the certificate chain to go to that particular certificate, then click on “Details” tab, “Copy to File” to save the certificate with the default settings.
As an example, get both VeriSign & VeriSign Class 3 Extended Validation SSL CA.
Reference: http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
If my contribution helps you, please click Mark As Answer on that post and Vote as Helpful
Thanks, ShankarSingh(MCP)
-
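The Manage Trust step in the SharePoint answer above can also be scripted. This is an added example, not part of the original post or of the referenced article: it assumes the chain certificates were already saved with "Copy to File" into a hypothetical folder `C:\Temp\remotehost-chain`, checks that no issuer is missing from the set, and registers the CA certificates with `New-SPTrustedRootAuthority`.

```powershell
# Run in the SharePoint Management Shell on a farm server as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical folder holding the .cer files exported from the browser.
$certDir = 'C:\Temp\remotehost-chain'

$certs = @(Get-ChildItem -Path $certDir -Filter *.cer | ForEach-Object {
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
})
if ($certs.Count -eq 0) { throw "No .cer files found in $certDir" }

# List what is about to be trusted so the thumbprints can be compared with the
# values shown in the browser's certificate dialog or published by the CA.
$certs | Format-Table Subject, Issuer, Thumbprint, NotAfter -AutoSize | Out-Host

# Completeness check: every certificate's issuer must itself be in the folder.
# A self-signed root satisfies this by itself; a missing root or subordinate does not.
$subjects = @($certs | ForEach-Object { $_.Subject })
$orphans  = @($certs | Where-Object { $subjects -notcontains $_.Issuer })
if ($orphans.Count -gt 0) {
    $orphans | ForEach-Object { Write-Warning "Issuer not exported: $($_.Issuer)" }
    throw 'Chain incomplete: export the missing issuer certificate(s) and rerun.'
}

# Register CA certificates only: basic constraints CA=true, or self-signed
# (older v1 roots carry no extensions). The server's own leaf is skipped.
$cas = @($certs | Where-Object {
    ($_.Subject -eq $_.Issuer) -or
    ($_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority
    })
})

# Skip anything SharePoint already trusts, matched by thumbprint.
$trusted = @(Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint })
foreach ($ca in $cas) {
    if ($trusted -contains $ca.Thumbprint) {
        Write-Host "Already trusted: $($ca.Subject)"
        continue
    }
    $name = $ca.GetNameInfo('SimpleName', $false)
    New-SPTrustedRootAuthority -Name $name -Certificate $ca | Out-Null
    Write-Host "Added trust: $name ($($ca.Thumbprint))"
}
```

The issuer check compares distinguished-name strings, which is enough to catch a forgotten root or subordinate but does not verify signatures.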
What is the Cipher suite and TLS and SSL protocol sent by Safari browser ver 8 from iOS8
Hello,
I have a production environment where users logging in from iPad/iPhone with iOS 8 and Safari v8 are not able to log on to the application.
However, on the same iPad/iPhone, when the user tries logging in with Chrome or any other browser, they are able to log in.
I need the following help/information:
1. What is the SSL/TLS protocol version that is supported or used by Apple iOS 8?
2. What are the cipher suites of Safari version 8?
Any information on this would be very helpful.
Thanks,
Parin.
Just to recap, this is a collection of ports I have collected over time for people who needed this information when setting up the HP ePrint app so that they could view their email from within the app. I am certain other applications also need this information. Although lengthy, I could not find a more comprehensive place to retrieve this information. Feel free to post additional information, faulty information, or other related topics below as this is simply a collection of data and it would be practically impossible to test all of them. Thank you!
Don't forget to say thanks by giving "Kudos" if I helped solve your problem.
When a solution is found please mark the post that solves your issue.
Every problem has a solution!
-
The difference between SSL & TLS
Dear experts,
I need to know the difference between SSL & TLS and in which situations I should use them.
Thanks
Labib Makar
Labib,
At a 10,000 foot level, SSL v3.0 was superseded by TLS v1.0.
TLSv1.0 (RFC 4346) was an upgrade to SSL v3.0 (but they don't interoperate)
This "Cisco.com document" describes the workings of both in some detail: SSL: Foundation for Web Security
it states this as some basic differences:
TLS uses slightly different cryptographic algorithms for such things as the MAC function generation of secret keys. TLS also includes more alert codes.
Also See: Wikipedia TLS
As far as which to use, it would depend on if both sides (server/client) support each? TLS v1.0 or v1.1 is newer.
Most modern Browsers tend to support both.
i.e.
Firefox 3.5.7 supported both SSL v3.0 and TLS v1.0
Internet Explorer v6 supported both SSLv2, SSLv3, TLS v1.0
etc.
Hope that helps.
Steve Ochmanski
-
Hello,
We are facing an issue when triggering a new build using TFS 2013 Update 4, VS2013 Update 4 using TFVCTemplate.12.XAML template. All our other older build definitions just work fine but not the TFVCTemplate.12.XAML. It seems to me that some certificate might be invalidated. Can anyone please point me in the right direction?
Thanks,
Mitul
TF215097: An error occurred while initializing a build for build definition :
Exception Message: One or more errors occurred. (type AggregateException)
Exception Stack Trace: at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFile(TfsTeamProjectCollection projectCollection, String itemPath, Stream outputStream)
at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFileAsString(TfsTeamProjectCollection projectCollection, String itemPath)
at Microsoft.TeamFoundation.Build.Client.ProcessTemplate.Download(String sourceGetVersion)
at Microsoft.TeamFoundation.Build.Hosting.BuildControllerWorkflowManager.PrepareRequestForBuild(WorkflowManagerActivity activity, IBuildDetail build, WorkflowRequest request, IDictionary`2 dataContext)
at Microsoft.TeamFoundation.Build.Hosting.BuildWorkflowManager.TryStartWorkflow(WorkflowRequest request, WorkflowManagerActivity activity, BuildWorkflowInstance& workflowInstance, Exception& error, Boolean& syncLockTaken)
Inner Exception Details:
Exception Message: An error occurred while sending the request. (type HttpRequestException)
Exception Stack Trace: at Microsoft.VisualStudio.Services.WebApi.VssHttpRetryMessageHandler.<SendAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.VisualStudio.Services.WebApi.HttpClientExtensions.<DownloadFileFromTfsAsync>d__2.MoveNext()
Inner Exception Details:
Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)
Exception Stack Trace: at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
Inner Exception Details:
Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)
Exception Stack Trace: at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
Hi Mitul,
Thanks for your reply.
It’s strange. If your old build definitions work using the same TFS Build Server, that indicates your TFS Server configuration is correct and works, and only the new build definition with the default TfvcTemplate.12.xaml template cannot build successfully.
Please share your TFS Server detailed environment information here, and share a screenshot of your Build Service Properties dialog.
Try to clean the cache for TFS 2013 manually (delete the content of the folder only, not the cache folder itself):
Clean the cache folder on the server machine. The folder path is:
C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.
After cleaning, on the server machine, click Start and select Run… to open the dialog box, then input iisreset.exe and click OK, and wait for it to complete.
Additionally, you can run the TFS 2013 Power Tools BPA to scan the installation of your TFS Server.
-
SSL/TLS clients binds fail to Solaris 10 06/06 DS5.2p4 Server
hello all,
this is a bizarre issue that i think is related to the solaris version that is running on the directory server, at least this appears to be the issue. i have 2 SunDS servers, one running solaris 10 06/06 and the other solaris 10 01/06, with DS5.2p4. both have SSL enabled, the certs i signed with my own CA which i maintain with tinyca2. the directory starts fine and is listening on both 389(ldap) and 636(ldaps). i am able to successfully bind to both servers on the non-secure ports fine, commands like getent, finger, id are pulling the people from the directory. when i enable the clients to use ssl/tls those same commands fail against the solaris 10 06/06 machine but NOT the solaris 10 01/06 server. on the linux machines i'm getting "nscd: pam_ldap: could not search LDAP server" errors and on the solaris machines "Mesg: openConnection: failed to initialize TLS security" and "libsldap: Status: 7 Mesg: Session error no available conn."
using "ldapsearch -x -ZZ" from the clients is successful to both systems, and i can use "openssl s_client" to view the certs fine. another bizarre occurrence is when i do "getent passwd" i see the local and ldap users but "getent passwd ldap_user" will return nothing. again this is against the solaris 10 06/06 machine.
has anyone seen this before? i'm going to open a service request for sun on this but i wanted to see if anyone else has run into this.
there was a problem with the certificate db which was causing this.
-
SSL/TLS ciphers of an SMA (M-series) appliance
So SMA does not include the sslconfig CLI command. We cannot reconfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. Once I got instructions from TAC support telling me that I must download the config file from SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.30 and 8.3.5?
If we download the config file and make the changes, can we use the sslconfig CLI command and its VERIFY subcommand on an ESA appliance to verify that a planned cipher set would surely work in an SMA appliance? I think I might be interested in the cipher set
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also the spam quarantine web GUI? Not interested in STARTTLS SMTP ciphers at this point. By default, those SSL ciphers are set as:
<ssl>
<ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
<ssl_gui_method>sslv3tlsv1</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
</ssl>
After fixing a locally downloaded config file and loading it back to SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports and spam quarantine content safe, so that we will not lose anything? All we plan to change in the config file are the cipher settings.
Testing an SMA spam quarantine https service with the Qualys Inc. SSL Labs test service opened my eyes on this case:
https://www.ssllabs.com/ssltest/analyze.html
I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
[]> FIPS:-aNULL
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
-Robert
-
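An offline read of the settings discussed in this thread, as an added example that is neither Cisco tooling nor code from the posts. It assumes the values are OpenSSL-style cipher strings and that class membership follows OpenSSL 1.0.x-era builds (`ALL`, `HIGH` and `MEDIUM` contain anonymous suites; `ALL` and `MEDIUM` contain RC4); `Get-CipherFindings` is a hypothetical helper that tracks only those two classes.

```powershell
# Constructed input: the default <ssl> block quoted in the question.
[xml]$cfg = @'
<ssl>
  <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
  <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
  <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
  <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
  <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
  <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
</ssl>
'@

# Hypothetical helper: walks the cipher string left to right, as OpenSSL does,
# and reports whether anonymous (aNULL) or RC4 suites are still enabled at the end.
function Get-CipherFindings {
    param([string]$Spec)
    $tokens = @($Spec -split ':' | Where-Object { $_ })
    $anon = $false; $rc4 = $false; $anonKilled = $false; $rc4Killed = $false
    foreach ($t in $tokens) {
        switch -Regex -CaseSensitive ($t) {
            '^!aNULL$'           { $anonKilled = $true }   # "!" removes permanently
            '^!RC4$'             { $rc4Killed  = $true }
            '^-aNULL$'           { $anon = $false }        # "-" removes; later tokens may re-add
            '^-RC4$'             { $rc4  = $false }
            '^(ALL|MEDIUM)$'     { $anon = $true; $rc4 = $true }
            '^(HIGH|aNULL|ADH)$' { $anon = $true }
            '^RC4'               { $rc4  = $true }         # RC4, RC4-SHA, RC4-MD5
        }
    }
    $out = @()
    if ($anon -and -not $anonKilled) { $out += 'anonymous (aNULL) suites not excluded' }
    if ($rc4 -and -not $rc4Killed)   { $out += 'RC4 suites not excluded' }
    if (($tokens[0] -cmatch '^RC4') -and ($tokens -notcontains '@STRENGTH')) {
        $out += 'RC4 listed first, so it is preferred'
    }
    if ($out.Count -eq 0) { $out = @('no aNULL/RC4 finding') }
    $out -join '; '
}

foreach ($node in $cfg.ssl.ChildNodes) {
    if ($node.Name -like '*_method' -and $node.InnerText -like '*sslv3*') {
        '{0}: {1} -> method name includes SSLv3' -f $node.Name, $node.InnerText
    }
    if ($node.Name -like '*_ciphers') {
        '{0}: {1} -> {2}' -f $node.Name, $node.InnerText, (Get-CipherFindings $node.InnerText)
    }
}

# Candidate strings taken from the thread.
foreach ($s in 'MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH', 'FIPS:-aNULL') {
    'candidate {0} -> {1}' -f $s, (Get-CipherFindings $s)
}
```

Under these assumptions the planned `MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH` string drops anonymous suites but can still leave RC4 enabled through `MEDIUM`, so the `sslconfig > verify` listing mentioned in the thread is worth checking for RC4 entries before the config is uploaded.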
SSL/TLS POP/SMTP setting 6270 ?
Hi All,
I recently purchased Nokia 6270 and I do have GPRS connection working well for WAP sites and for Internet access on my laptop.
I have been trying to configure my GMAIL account on the email client provided with the 6270. Gmail POP/SMTP access required a secure connection (SSL/TLS) and I could not find any place to set SSL or TLS to YES. In personal configuration, there is everything to set except these.
It was there in the old Motorola E398. The settings are really confusing.
If anybody has accessed/configured GMAIL on the 6270, please help.
Cheers
Rajiv
You are right that I should have checked it before buying; I think you can expect such a small feature from a high-end mobile. Nokia do claim it is a high-end mobile. I randomly looked at some of the mobiles from different makes today and all of the high-end mobiles have this feature.
And by the way, all the email clients do contain a feature for specifying SSL or TLS.
Does that mean that the 40 series is missing this feature because it is only provided in the 60 series? Or is there any logical reason behind it?
Is there any software version update that can provide this feature? I have Version 03.65 19-12-05 RM-56
-
SSL/TLS security certificate data match with XML Payload in SAP PI
Hi,
We are working on a solution where we would want to use SSL/TLS or WS Security with client server mutual authentication using client server certificates.
But, once the sender is authenticated using the certificates, can the XML payload be matched for correctness against the certificate information? Is this available to the PI integration engine at any time? Like Sender A authenticated as A using certificates, must be stopped if his XML payload is saying that he is sender B (which is most unlikely if we trust the senders but did not want to leave a loophole).
Any ideas here?
Thanks and Regards,
Vijay
Hi Wolfgang,
Cross-posting is discouraged and against the forum rules, because it is misused and makes a mess of the search due to distributed discussions and answers.
I will move it to the PI forum and add a watch on it as it is security forum related.
Unfortunately, the forum software does not have the option to "mirror" threads.
Cheers,
Julius
Edited by: Julius Bussche on Sep 14, 2009 9:50 PM