SSL and Certficate CRL Check

Similar Messages

• Cisco ISE 1.1.2 and Certfication Revocation List (CRL) checking

  All,
  I have 4 ISE appliances version 1.1.2  running in my networ called nodeA, nodeB, nodeC and nodeD. 
  - NodeA is Primary Admin and Secondary Monitoring,
  - NodeB is Secondary Admin and Primary Monitoring,
  - NodeC is Policy node,
  - NodeD is Policy node,
  The ISE environment is tightly integrated with the company Microsoft Active Directory Windows 2008R2.  We import the company issue cert into the ISE for PEAP and CRL checking
  Question:  How often does the ISE perform CRL checking with the Certiticate Authority (CA) Server? 
  I also have an ACS environment that also tightly integrated with Microsoft AD.   How often does the ACS peform CRL checking with the Certificate Authority (CA) Server?
  What will happen to the ISE and ACS environment if the CA Server becomes un-available?
  I can't seem to find this question in either ISE or ACS documentation anywhere. 
  Thank you.

  How often does the ISE perform CRL checking with the Certiticate Authority (CA) Server?
            ISE checks CRL based on how you configure it. Admin > Certificates > Cert Store  Select your CA. From there you'll be able to edit the cert info. The last option is the CRL Configuration. You can set the download frequency.
  How often does the ACS peform CRL checking with the Certificate Authority (CA) Server?
           System Config > ACS Cert Setup > CRL    from there you'll be able to see/edit
  What will happen to the ISE and ACS environment if the CA Server becomes un-available?
           Most likely the end of the world, but to be honest I'm not really sure. My assumption is If both the client and the ISE/ACS server already have their respective certs, they should still be able to work. Just no new certs or CRLs would be issued.
  Documentation Sources:
  ACS: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sau.html
  ISE: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html
  HTH

• SaaS Sharepoint, ADFS claims and internal AD-CA: How to disable CRL check in Sharepoint?

  Hi all,
  We have an external SaaS provider with a Sharepoint 2010 server. In our AD, there is an ADFS server providing ADFS claims to Sharepoint and thus giving SSO functionality. For the ADFS service and its token-signing and encrypting, there is one certificate
  drawn from an internal AD Enterprise CA server.
  The problem is that, when the company user opens the Sharepoint URL, it is extreamly slow to open, however it does eventualy open. The SaaS provider has indicated its an issue with the CRL checking. I know on other Microsoft products there are ways to disable
  CRL checking but haven't found such information for sharepoint.
  We have provided the CRL files and the provider has added these and for as long as they are valid things work as expected. However the CRL then expires and we are back to square one.
  Can anyone help?
  I have found this question has been asked before here:
  https://social.technet.microsoft.com/Forums/sharepoint/en-US/431bae5c-c502-4723-9de7-663abd46658e/saas-sharepoint-adfs-claims-and-internal-adca-how-to-disable-crl-check-in-sharepoint?forum=sharepointgeneralprevious
  Unfortunately the answer doesn't satisfy my situation. Also not sure I agree that self signed certificates should be used and it's quite a topic for debate in ADFS circles... However in my situation we don't have the option to change ADFS to use self signed
  certificates as the ADFS service is in use with 12+ other service providers all who have no issue using the Token Signing Certificate even though they cant access the CRL either.
  Thanks for your help,
  James

  Hi,
  As I understand, you want to disable CRL check in SharePoint.
  There are four workarounds:
  1. Give your servers an outbound Internet connection
  2. Edit the hosts file at “%SYSTEMROOT%\\System32\\drivers\\etc\\hosts” to fool the CRL check into thinking your local machine is crl.microsoft.com by pointing it at 127.0.0.1 (localhost).
  3. Edit the registry to disable CRL checking by setting the State DWORD to 146944 decimal (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing for both HKEY_USERS\\.DEFAULT and HKEY_CURRENT_USER) PowerShell.
  4. Edit the machine.configs and disable it there.
  The article gives you the details about the four workaround.
  More reference:
  http://basementjack.com/uncategorized/powershell-script-to-disable-certificate-revocation-list-crl/
  https://kb4sp.wordpress.com/2013/10/08/certificate-revocation-list-disable-check/
  Best regards,
  Sara Fan

• CRL check does not use proxy

  I am on an enterprise network which requires the use of a proxy to reach the internet.
  When attempting to open the iTunes Store I get the following error:
  We could not complete your iTunes Store request. An unknown error occurred (0x80092013)
  I did a packet trace and found that an SSL connection is opened and after the certificate negotiation a CRL check is done.  That check is being attempted directly against the Akamai IP rather than via the proxy.  Immediately after attempting and failing to connect to this IP 5 times the SSL connection is closed and the error message is generated.
  How do I force iTunes to perform this CRL check via the proxy?  Can CRL checking be disabled for only iTunes?  Disabling it on the entire PC is not a valid solution.

  "Either there is a firewall blocking the connection or the process that is hosting the service is not listening on that port, this may be because it is not running at all or because it is listening on a different port."
  Reference: [http://stackoverflow.com/questions/2972600/no-connection-could-be-made-because-the-target-machine-actively-refused-it]

• How do I bind to directory server with SSL and authentication?

  I'm running Lion Server 10.7.3, Open Directory master. In Open Directory/Settings/LDAP, I've checked the box to Enable SSL and selected a (self-signed) certificate. In Policies/Binding, I've checked the box to Enable Authenticated Directory Binding.
  Testing with a client computer on which Snow Leopard has been freshly installed and fully updated, I went to System Prefs/Accounts to bind to the new directory server. The good news is, the binding was successful, and when the client initiates an AFP connection with the server, it uses Kerberos, creating a ticket as expected. (Which doesn't work with Lion clients, alas, but that's a seperate matter.)
  Here are the problems:
  1) It looks like the binding did not use SSL. By which I mean that when I opened Directory Utility and examined the LDAPv3 entry, the SSL checkbox was not checked. (If I then check the box, everything looks fine until I restart the client, after which I have a red dot. So I'm guessing that checking the box does nothing until after restart, and that it breaks the binding.)
  2) I was never prompted to authenticate for the directory binding.
  So I get that literally I'm *enabling* SSL and Authenticated Directory Binding, but it seems like the defaults are to bind without SSL or authentication, and there's no obvious-to-me way to force the binding to use those things. How do I do that?
  What I'd really like to do is *require* SSL and Authenticated Directory Binding. I want this because my belief (correct me if I'm wrong) is that if authentication is required to bind to the server, no one will be able to bind to my server without my permission, and that SSL offers a more secure connection to my server than not-SSL. How do I require these things, or do I not really want to?
  Thank you.

  You cannot connect to databases via Muse at the moment. Please refer: http://forums.adobe.com/message/5090145#5090145
  Cheers,
  Vikas

• EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

  Hello everyone,
  Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
  Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
  I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
  Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
  However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
  This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
  Here's what happens:
  1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
  2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
  3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
  4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
  5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
  Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
  http://discussions.apple.com/thread.jspa?messageID=5967023
  http://discussions.apple.com/message.jspa?messageID=5982070
  these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
  If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
  Thanks,
  Andrew

  Hard to tell what is happening without looking at the application
  source, knowing what OS & hardware you're using etc. You might want to
  try running with different JVM versions to see if it's actually the VM
  that is the problem. If you have a support contract with BEA you could
  ask support to help you diagnose this.
  Regards,
  /Helena
  Ayub Khan wrote:
  I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
  application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
  seems to happen on loading the machine..the performance progressively gets worse
  and after a couple of seconds, all the threads stop responding. I checked the
  heap, cpu and the idle threads in the execute queue and there is nothing there
  to trigger alarms...there are quite a few idle threads still and the heap and
  the cpu utilization seem OK. On doing a thread dump, Is see that all the other
  threads seem to be in a state where they are waiting for data from LDAP and it
  is basically read only data that they are waiting on.
  Does anyone know what it is going on and help point me in the right direction.
  -Ayub

• Business Connector problem with SSL and Web Services

  Hi,
  I have generated a Web Connector Service and tested this in our DEV and QA environment with http and no credentials.
  All is fine.
  I now switched to SSL and was provided with an https WSDL by our Web Server developers. The Web Connector service generates fine however as soon as I execute the service I get a NumberFormatException. Exact error is:
  java.io.IOException:java.lang.NumberFormatException: null
  The error occurs in pub.client:http
  I traced through the working (in QA) and non-workinfg versions and checked the pipeline prior to the call and can see no different apart from the difference in protocol.
  Does anyone have any idea what the cause is? I cannot determine what value is null.
  Thanks
  Brian

  Hi,
  I have generated a Web Connector Service and tested this in our DEV and QA environment with http and no credentials.
  All is fine.
  I now switched to SSL and was provided with an https WSDL by our Web Server developers. The Web Connector service generates fine however as soon as I execute the service I get a NumberFormatException. Exact error is:
  java.io.IOException:java.lang.NumberFormatException: null
  The error occurs in pub.client:http
  I traced through the working (in QA) and non-workinfg versions and checked the pipeline prior to the call and can see no different apart from the difference in protocol.
  Does anyone have any idea what the cause is? I cannot determine what value is null.
  Thanks
  Brian

• IE Aborting Image Download with src attribute when over SSL and getting Content-Type header value image/jpg

  Images are not downloaded at all and page looks broken.
  The same page works fine over HTTP but shows the problem over HTTPS. Works fine in firefox and chrome.
  Checked and found the problem in IE 9, 10, 11
  Is it some bug in IE, I have searched the forums and searched internet. Got following but are not relevant to this case.
  Resetting src of the img (Ruled out, not doing any reset)
  Do not save encrypted pages to disk  is checked in advanced security options (Ruled out, unchecked)
  Using TLS 1.2 with SSL 2.0 (Ruled out, SSL 2.0 unchecked)
  Cache-preventing headers: Cache-Control header with the tokens no-cache, no-store (Ruled out, no such headers)
  Restarts due to parser reset owing XML Namespace declaration, Meta tags etc. (Ruled out, image tags are afterwards)
  Thanks in advance for help!

  I probably encountered the same problem.
  What happens when you disable the 'Use TLS 1.0' checkbox in Internet Options, Advanced, Security, 'Use TLS 1.0'?
  The only enabled option I have in IE is 'Use SSL 3.0'.
  Source:
  http://social.msdn.microsoft.com/Forums/ie/en-US/88a58e78-ebb4-469d-a361-0d3762a4cf80/ie10-reports-aborted-js-and-css-downloads-randomly?forum=iewebdevelopment

• What is SSO , SSL, and other terms?

  Hi,
  I always hear the terms SSO, SSL and some other terms, but I am not aware of the exact meaning of them.
  Can anyone focus some light on this ?
  Thanks!
  Yogini

  Hi Yogini,
  if you are referring SSO( Single sign on ) and SSL ( security socket layer) for Discoverer, check out the link below.
  http://download.oracle.com/docs/html/B13918_03/security2.htm#BABGEIEC
  Here topics on 14.6 Using Discoverer with OracleAS Framework Security
  14.7 Using Discoverer with Oracle Identity Management Infrastructure

• Delete or disable ssl and https on exchange web url

  Hi,
  I disable by clear check box on Default Web Site --> SSL Settiings --> Require SSL
  and also inseret my domain name example: http://mail.myexchange.com/owa in Exchange admin center Console --> Servers --> Virtual Directory -->  owa
  and also i change     <add key="UseHttpsForWacUrl" value="true" />    to     <add key="UseHttpsForWacUrl" value="false" /> in C:\Program Files\Microsoft\Exchange
  Server\V15\ClientAccess\Owa\web
  But, after this steps for removing https on my url i can use it. and after loggin in https mode i can delete https on my url manually but did't work good and i get this error when i want see my email body "Error: Your
  request can't be completed right now. Please try again later."

  Hi S.Ali,
  Have you restarted IIS after changing all the settings?
  If not, please try to restart iis and check again.
  Best regards,
  Niko Cheng
  TechNet Community Support

• Apache, ssl, and php problem

  i just added ssl support to my apache website running php. before i added ssl i had a php flash script that has always worked fine until i altered the httpd.conf file to forbid access to this directory unless it was an encrypted connection. i used the code
  <Directory "/home/httpd/html/folder">
      AuthType Basic
      AuthName "user"
      AuthUserFile /home/httpd/passwords/folder
      Require user user
      SSLRequireSSL
  </Directory>
  i tested the ssl with the directory running php before i altered the code and it worked fine. now that i altered the code to require ssl, the folder's index shows up a blank page. what went wrong, is there some bug or something i did wrong?

  steps to use ssl in arch with apache.
  1) pacman -S openssl apache
  2) Read /etc/httpd/conf/mod_ssl.txt
  2a) Edit /etc/conf.d/httpd and set HTTPD_USE_SSL to "yes"
  2b) Create an ssl key, request, and certificate.
  # This generates the cert and key (valid for 3650 days)
    # Be sure to enter the FQDN of your apache server as the "Common Name".
    openssl req -new -x509 -newkey rsa:1024 -days 3650
      -keyout server.key -out server.crt
    # This will remove the passphrase
    openssl rsa -in server.key -out server.key
  2c) Modify /etc/httpd/conf/ssl.conf to use your new certificate.
  SSLCertificateFile /etc/httpd/conf/server.crt
  SSLCertificateKeyFile /etc/httpd/conf/server.key
  3) Edit /etc/httpd/conf/ssl.conf
  Define an appropriate virtualhost for your ssl site
  4) Restart apache (/etc/rc.d/httpd restart)
  If it hangs or fails to start, check the /var/log/httpd/error_log or try running
  '/usr/sbin/apachectl startssl' and looking for errors/prompts.
  NOTE: Using the same dir for ssl and non-ssl does not make sense, as someone could just use non-ssl to access the same information. Instead, create a new directory (something like /home/httpd/ssl), and use that dir for ssl web activities. Adjust /etc/httpd/conf/ssl.conf accordingly

• AIM Server Settings "Use SSL" option not staying checked

  In order to login to AIM on my network, I need to use SSL (not sure of the reason, but SSL works). But whenever I check "Use SSL" in the AIM account "Server Settings" panel, I find that it unchecks itself after a day. At night, I go home, and use a different Wi-Fi network with my MacBook Pro, and I'm not sure if changing the network has anything to do with it, but when I come into work the next morning, "Use SSL" is unchecked in the iChat Preferences.
  Do anyone know what's going on here? I'd like to configure AIM to always use SSL but it doesn't seem to be sticking.

  This seems to be an issue when sitting behind a Wi-Fi hotspot with a click-through landing page (where HTTP connections are redirected to an intermediary page). SSL isn't maintained after the redirect, and iChat seems to reset this setting after failing to connect via SSL and failing.

• SSL and "Hostname Verifier" field

  Hi
  I try to use SSL with WLS6.1 with examples of SSLCLient. When we want to launch
  this client,
  we must to pass in parameter -Dweblogic.security.SSL.hostnameVerifier=examples.security.sslclient.NulledHostnameVerifier
  to weblogic.
  In the console of Weblogic, we have in SSL page, a filed named "Hostname Verifier",
  what is the use of this field, I try to put the class
  in the field and nothing in param to client but it doesn't work.
  May be someone can tell how use the field in console and else what is its interest.
  Thanks
  Christophe

  I did some more research for the issue mentioned which I yet to get rid of.
  1) I wrote a REST web service which makes a call to another REST service deployed on another weblogic using HTTPs (same code as mentioned above is used). I delpoyed the war and made a http call to the first webservice, the other REST service was invoked successfully using HTTPs. So this confirmed that there is no problem with the certificates or keystore or hostname verifictaion.
  2) My actual application still throws the handshake exception as below -
  <Warning> <Security> <BEA-090542> <Certificate chain received from xx.yy.zz.rrr - xx.yy.zz.rrr was not trusted causing SSL handshake failure. Check the certificate chain to determine if it should be trusted or not. If it should be trusted, then update the client trusted CA configuration to trust the CA certificate that signed the peer certificate chain. If you are connecting to a WLS server that is using demo certificates (the default WLS server behavior), and you want this client to trust demo certificates, then specify -Dweblogic.security.TrustKeyStore=DemoTrust on the command line for this client.>
  So I think the problem is something else but weblogic is priniting the exception message wrong.
  The process hierarchy ( in UNIX ) is as shown below -
  bea 31914 31913 0 14:29 ? 00:00:00 /bin/sh <DOMAIN HOME>//bin/startWebLogic.sh
  bea 31989 31914 0 14:29 ? 00:01:25 /opt/bea/jdk160_24/bin/java <The weblogic start server process> started by startWebLogic.sh
  bea 32107 31989 0 14:29 ? 00:00:09 /opt/bea/jdk160_24/bin/java <One of custom process>
  bea 2038 32107 0 18:38 ? 00:00:15 /opt/bea/jdk160_24/bin/java <Another custom process which contains my java classes containing the REST client>
  The problem is there in both Weblogic 11 and 10.3 version.
  I will be grateful if someone gives any clue about the problem.

• Bypass CRL check in Expressway client cert check

  When using the Client Certificate Testing feature on an Expressway, is there a way to bypass the CRL check?  I currently don't use one and I get this error when trying to test, "Invalid: unable to get certificate CRL, please ensure that you have uploaded a CRL for the CA that signed this client certificate"  
  Thanks,  Mike

  On Tue, 4 Feb 2014 16:18:48 +0000, samp76 wrote:
  Mike... when you say..."please check if you the CDP is accessible with public network and open port 443 for CDP from firewall. "
  Are you talking about doing something else other then going to
  http://CA.mydomain.com/CertEnroll/CA.mydomain.com.crl and downloading the CRL? Because I can get the CRL that way.
  The problem is with your AIA, not the CRL. The two AIA locations are only
  accessible internally so a valid chain from the end entity certificate to
  the root CA certificate can't be built.
  What does your CA hierarchy look like (1 tier? 2 tier?)
  Paul Adare - FIM CM MVP
  If you have any trouble sounding condescending, find a Unix user
  to show you how it's done. -- Scott Adams

• SSL and problems serving images.

  We've recently begun testing our application through SSL (we've
  concluded non-SSL testing and all issues have been resolved.)
  When running through SSL, some images fail to load properly but
  re-appear with a "refresh" or an explicit "show picture" from the
  browser. This doesn't happen to any images in particular but does occur
  frequently -- one or two images for every couple pages served.
  Our installation specifics are as follows:
  NT
  Weblogic 5.1 (sp4) running through DOS batch file
  Oracle 8.1
  JSP / EJB
  VeriSign certificate.
  Any help you can provide will be appreciated.
  Thanks - Jackson

  Thanks for the response.
  I am serving all of the images myself through the SSL connection (i.e., we don't
  have a mixture secure and non-secure images on the page.)
  I agree that we shouldn't require ANY app-side changes as we move from non-SSL
  to SSL.
  Has anyone else experienced this type of problem?
  Sunil Kuchipudi wrote:
  Jackson:
  Whether your images appear or not should be transperent to the application.
  What I mean, when you move from non ssl to ssl mode,
  there should be no changes required for the application code.
  Having said that I would check the following
  Does your page contain and mixture of SSL (ie images served from https) and
  non ssl links (ie image or links served like http:). If the page
  contains a mixture of SSL and non SSL tags then you would run into the
  problems. Netscape would not display the images properly and IE
  would warn you with a dialog box. I would recommend that you go through the
  generated HTML or JSP and check the http and https links.
  I hope this helps.
  -Sunil . K
  Jackson Wilson <[email protected]> wrote in message
  news:[email protected]..
  We've recently begun testing our application through SSL (we've
  concluded non-SSL testing and all issues have been resolved.)
  When running through SSL, some images fail to load properly but
  re-appear with a "refresh" or an explicit "show picture" from the
  browser. This doesn't happen to any images in particular but does occur
  frequently -- one or two images for every couple pages served.
  Our installation specifics are as follows:
  NT
  Weblogic 5.1 (sp4) running through DOS batch file
  Oracle 8.1
  JSP / EJB
  VeriSign certificate.
  Any help you can provide will be appreciated.
  Thanks - Jackson