Re: SSL on port 443

 

Please help! I am having this same problem when I try to set the SSLListenPort=443. I am running WebLogic 5.1 on a Windows 2000 machine, and I am logged in as the domain administrator when the WebLogic server starts up.

Similar Messages

  • SSL on port 443

    BM 3.8 sp5, Open Enterprise 6.5 SP6 - SSL - listening port 443 - Craig
    advised to change to port 444 because it conflicts with Apache on the
    server. Do my users need to type :444 when they authenticate, or will this
    change be transparent to them? Also, one of our NetAdmins indicates
    we are not running Apache...
    Please provide me with more info. on this issue.
    Thank you in advance for your help

    Is wrote:
    > BM 3.8 sp5, Open Enterprise 6.5 SP6 - SSL - listening port 443 - Craig
    > advised to change to port 444 because it conflicts with Apache on the
    > server. Do my users need to type :444 when they authenticate, or will this
    > change be transparent to them?
    I assume you're referring to proxy authentication, where the user enters
    credentials in the browser to gain access to the proxy. In this case the
    BM server automatically redirects users to the port 444 URL... they
    don't type it in. Thus, the port the proxy listens on for SSL
    *authentication* requests doesn't matter much, as long as it doesn't
    conflict with other services running on the server.
    Jim
    Support Sysop

  • Non SSL website on port 443

    Hi, I have a non-SSL website running on port 443. When I access this website using Chrome or IE it works just fine, but Firefox can't seem to accept what I have done. All browsers on the same machine and using the same web proxy.
    I access the website as http://xyz:443.
    Just a bit of background info as to why I need this. Where I work I can only access ports 443 and 80 via the web proxy. I have two distinct websites running on a couple of devices at home behind a very config-wise limited router which has ports 80 and 443 redirected to these hosts. There is no way for me to set up two port forward rules on port 80 to two different devices. I cannot set up SSL on either of the websites.
    Regardless of options that could exist to overcome my particular issue, I would like to check if you guys know how to make Firefox work with a website running on port 443 whilst not having a certificate assigned to it.
    Firefox 32.0.3
    Error message:
    The connection was reset
    The connection to the server was reset while the page was loading.
    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    What type of SSL are you running? [https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/]
    You can somehow remove the Strict-Transport-Security header or if there is a feature that forced encryption but by default https uses 443 for encryption. I do not know if this is possible.

  • Error with default SSL port (443) on Solaris

    Hi all
    I would like to configure the default SSL port 443 on Solaris but I found this error. What is the problem?
    I use WebLogic 8.1 sp3
    SSL port : 443
    Unable to create a server socket on Channel Default for port: 443. java.net.BindException: Permission denied Perhaps another process is using port 443
    I'm not sure about the permission. What can I do?

    Oh, I can start WebLogic as root and use port 443, but when I use other users, I can't use port 443.

  • How do i temporarily disable TLS/SSL port 443 going to server on CSS

    We are having issues with truncating packets that go through the CSS.
    I did a capture after the CSS and there is truncation... however I can't read it before the CSS since everything is encrypted.
    They hit VIP address 172.20.120.16 on the CSS and get redirected to 2 servers depending on what the URL says.
    The server team would like to turn it off just to test. I tried removing
    "add service ARR-public-ssl" from the content below and we lost http and https to the server,
    so in essence I want to try and turn the 443 connection to a port 80, then it goes to port 7777 backend to 172.20.212.6
    content BYE-WEB-SSL
       vip address 172.20.120.16
       protocol tcp
       port 443
       advanced-balance ssl
       application ssl
       add service ARR-public-ssl
       active
    ssl-server 40
    ssl-server 40 rsacert byetest
    ssl-server 40 vip address 172.20.120.16
    ssl-server 40 cipher rsa-with-rc4-128-sha 172.20.120.17 80
    ssl-server 40 cipher rsa-with-rc4-128-md5 172.20.120.17 80
    ssl-server 40 urlrewrite 1 *
    ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 172.20.120.17 80
    ssl-server 40 rsakey byekey
    backend-server 50
    backend-server 50 type initiation
    backend-server 50 server-ip 69.xxx.xxx.xxx
    backend-server 50 ip address 69.xxx.181.xxx
    backend-server 50 rsacert byetest
    backend-server 50 rsakey byekey
    active
    !************************** SERVICE **************************
    service TIE-SSLINIT
      protocol tcp
      ip address 69.xxx.xxx.xxx
      keepalive type tcp
      keepalive port 443
      slot 2
      type ssl-init
      add ssl-proxy-list HR-SSL
      active
    owner PublicBYE
      content BYE-WEB-ARRR
        vip address 172.20.120.17
        protocol tcp
        port 80
        url "/arr*"
        advanced-balance arrowpoint-cookie
        balance aca
        arpt-lct http-100-reinsert
        add service BYE-ods-web1
        active
      content BY-WEB-TIX
        protocol tcp
        port 80
        url "/tix*"
        advanced-balance arrowpoint-cookie
        balance aca
        arpt-lct http-100-reinsert
        add service BYE-ods-web2
        vip address 172.20.120.17
        active
      content BYE-WEB-TIX-CLEARTEXT
        add service TIX-SSLINIT
        vip address 172.20.120.19
        protocol tcp
        port 80
        active
    content BYE-WEB-Nav
      vip address 172.20.120.17
      protocol tcp
      port 80
      url "/na*"
      balance aca
      arpt-lct http-100-reinsert
      add service BYE-ods-web1
      active
    content BYE-WEB-SSL
      vip address 172.20.120.16
      protocol tcp
      port 443
      advanced-balance ssl
      application ssl
      add service ARR-public-ssl
      active
    service BYE-ds-web1-ssl
      ip address 172.20.212.5
      port 443
      keepalive type ssl
      active
    service BYE-ds-web2
      ip address 172.20.212.6
      port 7777
      keepalive port 7777
      keepalive type tcp
      active
    service BYE-ds-web2
      ip address 172.20.212.6
      port 7777
      keepalive port 7777
      keepalive type tcp
      active
    service BYEos-web2-ssl
      ip address 172.20.212.6
      port 443
      keepalive type ssl
      active

    CSS11506# sh ver
    Version:               sg0810205 (08.10.2.05)
    Flash (Locked):        08.10.1.06
    Flash (Operational):   08.10.2.05
    Type:                  PRIMARY
    Licensed Cmd Set(s):   Standard Feature Set
                           Secure Management
    Yeah, I've done a packet trace before it hits the CSS and after. The only issue is that everything is encrypted before it hits the LB so I can't really read anything. I did a packet trace after the LB and on the server itself; it seems we get this
    I thought I saw some bug info from Cisco but I can't tell if it's related
    CSCsx05640—When you configure the CSS for a Layer 5 (L5) content rule and it receives an HTTP method POST with the HTTP header in one packet that is quickly followed by many packets of POST data or payload, it could fail to deliver all the data to the back-end server. The CSS Flow Manager (FM) application could incorrectly handle the POST and the data packet as a spanned content request and could cause the data to be mishandled. Workaround: Use less than 1-Gb connections in the network; a 100-Mb link does not exhibit this issue.
    As you can see, after the Content-Length nothing comes across. Sometimes additional stuff will come in, but usually nothing.
    Is there a bug related to this on the CSS?
    POST /TIXX/DocumentRepository_Service HTTP/1.1
    Accept-Encoding: gzip,deflate
    Content-Type: application/soap+xml;charset=UTF-8;action="urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b"
    User-Agent: Jakarta Commons-HttpClient/3.1
    Host: www.xxxxxxxxxxxx.net
    Content-Length: 9044

  • The attempt to connect to the server (IP address) on port 443 failed - OLT

    Hi all
    I am facing one problem: if I run load against any application for 100 users for 1 iteration, it does not show any error. Let's say I ran the load of 100 users for one hour; then for some users there are errors like
    Line: (script.java:84)][ScriptException]: The attempt to connect to the server (IP address) on port 443 failed.
    And my understanding is that the users who are facing failures are not able to get a response or page loaded at their end, as failures are occurring for some particular steps, not the entire scenario. Please confirm.
    Thanks

    I believe that's an indication that there is an error receiving mail, but if you have any drafts or email in your outgoing mailbox, try deleting them.  Apple's troubleshooting steps for this are (from http://support.apple.com/kb/TS4002):
    Cannot receive mail in OS X Mail
    If you use OS X Mail, look at the name of your iCloud account on the left side of the main Mail window. If your iCloud account name is dim and has a lightning bolt next to it, your account is offline. To resolve this, make sure your computer is connected to the Internet. Then choose Go Online from the Mailbox menu.
    If taking your iCloud account online doesn't resolve the issue, follow these steps:
    From the Mail menu, choose Preferences.
    In the Preferences window, click the Accounts tab if it is not already selected.
    In the Accounts list, select your iCloud email address.
    Click the Account Information tab.
    Verify your SMTP server settings with the following information:
    Incoming Mail Server: imap.mail.me.com
    User Name: Your iCloud email address
    Password: Your iCloud password
    Click the Advanced tab and verify the following additional settings:
    Port: 993
    Use Secure Sockets Layer (SSL): Should be enabled
    Authentication: Password

  • Non-root user can't start Apache on port 443

    Today I've been attempting to get SSL working for my Oracle Applications 11i (11.5.10.2) installation and I just hit a small problem. I've followed all of the Oracle literature I've come across, which instructed me to create a new (non-root) user to own the database tier and the applications tier. I've also followed the instructions for configuring SSL ([Doc 123718.1|https://metalink2.oracle.com/metalink/plsql/f?p=130:14:6976756808231635106::::p14_database_id,p14_docid,p14_show_header,p14_show_help,p14_black_frame,p14_font:NOT,123718.1,1,1,1,helvetica]) and the SSL wizard in OAM defaults to the standard HTTPS port (443). However, because 443 is a privileged port, a non-root user cannot bind to it. In other words, the Oracle literature itself has led me to an impossible situation. This is what I see in the Apache error log:
    [Fri May 15 15:05:03 2009] [crit] (13)Permission denied: make_sock: could not bind to port 443
    At this point, I see two choices:
    1. Run the application tier services as root.
    2. Change the SSL port to something greater than 1024 (i.e. 4443).
    I'm leaning towards option #2, since option #1 negates the advantage of using a non-root user to begin with. Does anyone have any other suggestions? Does Oracle have any recommendations for this scenario?

    Hi,
    You just need to start Apache as root (not all the application services). For Option 1, the application tier files should be owned by applmgr/oracle user (not root), and for Option 2, you do not need to change the port (though it is valid option). Just follow the steps in the following document.
    Note: 356080.1 - How to run Apache on Port 80 in Apps 11i
    https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=356080.1
    BTW, this is mentioned in the document "if you have chosen port 443 (or any port under 1024) for your SSL port, you will have to start Apache as root".
    Regards,
    Hussein
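The Solaris/WebLogic thread above and this Apache thread describe the same rule: binding a port below 1024 needs root, and the usual answer is to bind as root and then give root up. The following is an added example, not code from any poster or product on this page; the function names and the `nobody` account are assumptions. It separates "permission denied" from "port in use" (which the WebLogic message conflates) and shows a privilege drop that verifies root cannot be regained.

```python
import errno
import os
import pwd
import socket

PRIVILEGED_PORT_LIMIT = 1024  # classic Unix: ports below this need root to bind


def explain_bind_error(err, port, euid=None):
    """Name the real cause of a failed bind() from its errno."""
    if euid is None:
        euid = os.geteuid()
    if err.errno == errno.EACCES:
        # "Permission denied" on a low port as non-root is the privileged-port
        # rule, not a second process holding the port.
        if port < PRIVILEGED_PORT_LIMIT and euid != 0:
            return "privileged-port"
        return "permission-denied"
    if err.errno == errno.EADDRINUSE:
        return "in-use"
    return "other"


def try_bind(host, port):
    """Return (listening_socket, None) on success or (None, cause) on failure."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(16)
    except OSError as err:
        sock.close()
        return None, explain_bind_error(err, port)
    return sock, None


def drop_privileges(username):
    """After binding as root, switch to an unprivileged account for good."""
    if os.geteuid() != 0:
        return False  # already unprivileged, nothing to drop
    entry = pwd.getpwnam(username)
    os.setgroups([])          # clear root's supplementary groups first
    os.setgid(entry.pw_gid)   # group before user: setgid still needs root
    os.setuid(entry.pw_uid)
    try:
        os.setuid(0)          # must fail, otherwise root is still reachable
    except PermissionError:
        return True
    raise RuntimeError("still able to regain root after setuid")


if __name__ == "__main__":
    listener, cause = try_bind("0.0.0.0", 443)
    if listener is None:
        raise SystemExit(f"cannot bind port 443: {cause}")
    # "nobody" is an assumed account name; use the service's own user.
    dropped = drop_privileges("nobody")
    print(f"listening on 443, uid={os.getuid()}, dropped={dropped}")
    listener.close()
```

The listening socket stays open across the privilege drop, so only the bind itself ever runs as root.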

  • Port 443

    Is it possible to run iSQL*Plus only using Port 443/SSL? I receive the following
    error whenever I do not listen for port 80 connections:
    [Mon Sep 16 13:29:58 2002] [emerg] OPM: Could not find a valid non-ssl LISTEN ip
    and port. The whole process exits.
    [Mon Sep 16 13:29:58 2002] [alert] (2)No such file or directory: FastCGI: read()
    from pipe failed (0)
    [Mon Sep 16 13:29:58 2002] [alert] (2)No such file or directory: FastCGI: the PM
    is shutting down, Apache seems to have disappeared - bye

    Alison,
    Thanks for the reply. I think that the httpd.conf file is saying if you want both
    types of connections (http and https) you have to listen for both types of connections.
    We have other Apache web servers here that only allow https/port 443 connections and
    only listen for those type of connections.
    Maybe I should have asked my question a different way: is it possible to configure
    iSQL*Plus via the httpd.conf file (and other .conf files) so that FastCGI will
    work with SSL connections? If not, is there a way to configure everything so that
    the only non-SSL connections are between FastCGI and iSQL*Plus (i.e., no users can
    connect to the web server without using an SSL connection)?
    Again, thanks for your help.
    Cecil,
    After reading the httpd.conf (web server config file), I found this:
    # Port: The port to which the standalone server listens. Certain firewall
    # products must be configured before Apache can listen to a specific port.
    # Other running httpd servers will also interfere with this port. Disable
    # all firewall, security, and other services if you encounter problems.
    # To help diagnose problems use the Windows NT command NETSTAT -a
    Port 7778
    ## SSL Support
    ## When we also provide SSL we have to listen to the
    ## standard HTTP port (see above) and to the HTTPS port
    Listen 7778
    Listen 4443
    It looks like you have to listen on a default port, as well as on an https port. iSQL*Plus doesn't actually care which port it is being called from as it is one step removed and has its own (different) port connection to the web server.
    Perhaps this is a question to research from the web server (essentially Apache) point of view? You could try the usenet newsgroups, the Metalink web site, or you could call Oracle Support.
    Alison

  • SSL Redirect Port ?

    Hello All,
    I'm a little confused, and I'm not getting there.
    I had this config scheme, and it works fine:
    Every SSL traffic is ended in the SSL module, and given back to content as port 80.
    It matches the content HTTP-Aplj, and sends traffic to service esl0011-7777.
    It works fine, with http and https.
    Then I tried the following many times unsuccessfully:
    I want http traffic to go just like the actual config, ending on backend servers on port 7777, but want the https traffic to be redirected to 4443.
    I have made several attempts on several parts of the config, adding new services for port 4443, ssl-proxy-list, and adding a new content.
    I even got this message when trying to activate the content SSL.Aplj:
    %% Not all content VIP:Port combinations are configured in a ssl-proxy-list for sslAccel type of services
    Please give me some ideas to achieve this goal.
    The following config is the basic config for the 1st step. The working one.
    Best Regards,
    Bruno Petrónio
    ************** SSL-Proxy-List **************
    ssl-server 90 vip address 10.1.2.136
    ssl-server 90 urlrewrite 1 https:\\10.1.2.136
    ssl-server 90 rsacert xxxxcert
    ssl-server 90 rsakey xxxxkey
    ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 80
    ************** SERVICE **************
    service MODSSL
    slot 2
    type ssl-accel
    keepalive type none
    add ssl-proxy-list ssl1
    active
    service esl0011-7777
    ip address 10.1.1.120
    port 7777
    keepalive type http
    keepalive port 7777
    keepalive uri "/"
    active
    ************** OWNER **************
    owner Test
    content HTTP-Aplj
    vip address 10.1.2.136
    port 80
    protocol tcp
    add service esl0011-7777
    redundancy-l4-stateless
    active
    content SSL-Aplj
    vip address 10.1.2.136
    add service MODSSL
    application ssl
    advanced-balance ssl
    protocol tcp
    port 443
    url "/*"
    redundancy-l4-stateless
    active

    Try the following:
    ssl-server 90 vip address 10.1.2.136
    ssl-server 90 urlrewrite 1 10.1.2.136
    ssl-server 90 rsacert xxxxcert
    ssl-server 90 rsakey xxxxkey
    ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 4443
    service esl0011-4443
    ip address 10.1.1.120
    port 4443
    keepalive type http
    keepalive uri "/"
    active
    content HTTP-4443
    vip address 10.1.2.136
    port 4443
    protocol tcp
    add service esl0011-4443
    active
    BTW, I also corrected your urlrewrite command as it was incorrect. You need to specify the host. So not http or https in front.
    Gilles.

  • How to Direct open Website link to https: ( port 443)

    On my web server I host a website on port 443 using an SSL certificate. When my users try to access this website they need to manually enter an address like https://siteneme..? How can I open this website directly without typing https?

    You can configure a redirection from http to https so that when the user types www.contoso.com it will get redirected to https://www.contoso.com.
    You can do that on your load balancer if you are using one or on the Website configuration.

  • How to open port 443?, How to open port 443?

    Hey, an online broking software wants a connection to my Mac. How can I open a special SSL port like 443?
    I already did the router configuration; how can I change the Mac firewall?

    afromfrankfurt,
    I came here for help on this subject and MAY have an idea why you are still having the problem after turning off the firewall on your Mac. Assuming your router works the same way mine does, you have to do something to create a path between the outside world and your Mac for traffic on port 443. I know there are ways to do this where the computer can dynamically do this but that is not something I have figured out at this point. The ONLY way I know to make it work is to make sure the Mac has the same IP address every time it uses that router and to tell the router to direct traffic coming in from the web to go to the address you have assigned your Mac.
    Hopefully someone more knowledgeable than I am will speak up and say how to do it dynamically because, if this is a laptop, assigning it a fixed address on your network can create problems when you take it someplace else.
    Steven

  • Multiple servers using port 443

    Hi,
    I am looking to set up several websites that utilise port 443 for SSL behind my firewall.
    I understand that the reverse proxy in BM will only forward from port 443 to port 443.
    As I only have one public IP address I was looking to use ports such as 51443, 52443 and redirect to port 443 on the various internal servers.
    Is this possible using the generic TCP proxy or is there another way of doing this I am using BM 3.6
    All suggestions gratefully rec'd
    David

    presumably if that failed I could use a hardware firewall such as a cisco PIX to do the job.
    set up some sort of DMZ and put the servers in there.
    "Craig Johnson" <[email protected]> wrote in message
    news:[email protected]..
    > In article <skPnb.461$[email protected]>, David Quickfall wrote:
    > > Is this possible using the generic TCP proxy or is there another way of
    > > doing this I am using BM 3.6
    > >
    > Generic proxy will work fine, (and in fact it probably works better than
    > using reverse proxy for 443). Set up one generic proxy for each port.
    >
    > I don't know if you can successfully use the port translation ability of
    > generic proxy here. (Proxy port 444 to 443). I don't think that works
    > for SSL.
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on
    > BorderManager, go to http://www.craigjconsulting.com ***
    >

  • ACL Entries to allow port 443 to

    Hi, just wondering if anyone else has had a problem with a BM 3.7 server
    not allowing SSL connections. I have created an ACL rule allowing anyone
    to connect to port 443 to specified destinations. I have tried the hostname
    (with wildcard extensions for webpages) and the IP address of the servers.
    But on every attempt I always get a 403 forbidden error. Any info as to
    why this is happening would be helpful.
    Also, should the server address be in the common HTTP rule as well.
    Currently I am running BM 3.7 SP2 with the FP3 patches applied. on a NW5.1
    sp5 server.
    Thanks,

    In article <PNPWd.137$[email protected]>, wrote:
    > But on every attempt I always get a 403 forbidden error. Any info as to
    > why this is happening would be helpful.
    >
    Sounds like you may have access rules configured for port 80 instead of
    URL.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Port 443 content rule, can the CSS see inside the cookie ?

    Hi Gilles/everyone,
    With a content rule using port 443, can we use cookie based stickiness or is the cookie also encrypted?
    cheers,
    Mike

    also encrypted.
    No way to see it without an SSL module to decrypt.
    Gilles.

  • WRVS4400N & Port 443

    Hi,
    I just purchased WRVS4400N and tested, port 443 is not secure and I was wondering is there any way of blocking that **bleep**?
    Tried everything (port forwarding etc.), nothing helps!!
    Please help!
    Elf
    The Elf Cleric

    When you say it is not secure, what exactly do you mean?  If you have the firewall enabled it should only allow packets in that are in response to a legitimate request from your computer (i.e. when you access a secure web site).  To block any incoming traffic for that port (or any other for that matter), click on the firewall link, click on IP based ACL and create a firewall rule that blocks any 443 (or whatever port you want to block) traffic from the WAN.  Be advised that if you block 443 you will not be able to access web sites using ssl. (https:// sites).  Port forwarding actually opens the port to inbound traffic, so you'll want to remove the port from port forwarding.
