SSL/TLS ciphers of an SMA (M-series) appliance

So SMA does not include the sslconfig CLI command. We cannot reconfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. I once got instructions from TAC support telling me that I must download the config file from the SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.30 and 8.3.5?
If we download the config file and make the changes, can we use the sslconfig CLI command and its VERIFY subcommand on an ESA appliance to verify that a planned cipher set would surely work on an SMA appliance? I think I might be interested in the cipher set
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also the spam quarantine web GUI? Not interested in STARTTLS SMTP ciphers at this point. By default, those SSL ciphers are set as:
  <ssl>
    <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
    <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
    <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
    <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
    <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
    <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
  </ssl>
After fixing a locally downloaded config file and loading it back to the SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports and spam quarantine content safe, so that we will not lose anything? All we plan to change in the config file are the cipher settings.
Testing an SMA spam quarantine HTTPS service with the Qualys Inc. SSL Labs test service opened my eyes on this case:
https://www.ssllabs.com/ssltest/analyze.html

I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow-up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL
[]> FIPS:-aNULL
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
-Robert
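
Added example, not part of the original thread and not Cisco code: a pre-upload check for the workflow discussed above (download the config, edit one cipher element, load it back). It audits the `<ssl>` block for the literal weak entries shown in the post, applies the proposed cipher string to `ssl_gui_ciphers` only, and confirms nothing else in the file changed. The `<config>` wrapper, the hostname element and all function names are assumptions made for illustration; the audit is a literal-token heuristic and does not expand keywords such as MEDIUM or HIGH, which is what `sslconfig > verify` is for.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the <ssl> block quoted in the post, wrapped in a
# hypothetical <config> root with one unrelated setting.
SAMPLE_CONFIG = """<config>
  <hostname>sma.example.com</hostname>
  <ssl>
    <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
    <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
    <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
    <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
    <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
    <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
  </ssl>
</config>
"""

# Cipher string the poster is considering for the GUI.
PROPOSED = "MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH"

# Literal markers treated as weak when a token enables them (heuristic).
WEAK_MARKERS = ("RC4", "MD5", "NULL")


def enabled_tokens(cipher_string):
    """Split an OpenSSL-style cipher string and keep only tokens that add suites.

    Removals (- and !) and @ directives are dropped. Order-dependent
    expansion of keywords is not modelled.
    """
    tokens = []
    for tok in re.split(r"[:, ]+", cipher_string.strip()):
        if not tok or tok[0] in "-!@":
            continue
        tokens.append(tok.lstrip("+"))
    return tokens


def audit_ssl_block(xml_text):
    """Return {element_tag: [findings]} for the children of <ssl>."""
    root = ET.fromstring(xml_text)
    ssl = root if root.tag == "ssl" else root.find(".//ssl")
    if ssl is None:
        raise ValueError("no <ssl> element found")
    findings = {}
    for el in ssl:
        value = (el.text or "").strip()
        issues = []
        if el.tag.endswith("_method") and "sslv3" in value.lower():
            issues.append("SSLv3 allowed")
        if el.tag.endswith("_ciphers"):
            for tok in enabled_tokens(value):
                if tok == "ALL":
                    issues.append("ALL keyword present")
                elif any(m in tok.upper() for m in WEAK_MARKERS):
                    issues.append("enables " + tok)
        if issues:
            findings[el.tag] = issues
    return findings


def set_element_text(xml_text, tag, new_value):
    """Replace the text of exactly one <tag>, leaving every other byte untouched."""
    pattern = re.compile(r"(<%s>)(.*?)(</%s>)" % (re.escape(tag), re.escape(tag)), re.S)
    count = len(pattern.findall(xml_text))
    if count != 1:
        raise ValueError("expected exactly one <%s>, found %d" % (tag, count))
    return pattern.sub(lambda m: m.group(1) + escape(new_value) + m.group(3), xml_text, count=1)


def changed_elements(before_xml, after_xml):
    """List the paths of leaf elements whose text differs between two configs."""
    def leaves(xml_text):
        out = {}

        def walk(el, path):
            here = path + "/" + el.tag
            children = list(el)
            if not children:
                out[here] = (el.text or "").strip()
            for child in children:
                walk(child, here)

        walk(ET.fromstring(xml_text), "")
        return out

    a, b = leaves(before_xml), leaves(after_xml)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


if __name__ == "__main__":
    print("before:", audit_ssl_block(SAMPLE_CONFIG))
    edited = set_element_text(SAMPLE_CONFIG, "ssl_gui_ciphers", PROPOSED)
    print("changed:", changed_elements(SAMPLE_CONFIG, edited))
    print("after:", audit_ssl_block(edited))
```

Running the diff step against the real downloaded file and the edited copy before loading gives a record that only the cipher element was touched.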

Similar Messages

  • SSL/TLS POP/SMTP setting 6270 ?

    Hi All,
    I recently purchased Nokia 6270 and I do have GPRS connection working well for WAP sites and for Internet access on my laptop.
    I have been trying to configure my GMAIL account on the email client provided with 6270. Gmail pop/smtp access required secure connection SSL/TLS and I could not find any place to set SSL or TLS YES. in personal configuration, there is everything to set except these.
    It was there in old Motorola E398..The settings are really confusing.
    If anybody has accessed/configured GMAIL on 6270, please help..
    Cheers
    Rajiv

    you are right that I should have checked it before buying, I think you can expect such a small feature from a highend mobile. Nokia do claim it as highend mobile. I randomly looked at some of the mobile from different makes today and all of the high end mobiles have this feature.
    And by the way all the email clients do contains feature for specifying SSL or TLS.
    Does that mean that 40 series is missing this feature because it is only provided in 60 series? Or is there any logical reason behind it?
    Is there any software version update that can provide this feature. I have Version 03.65 19-12-05 RM-56

  • Web auth supporting fragmented SSL&TLS packets in 7.0.116?

    Dear colleagues and Cisco experts.
    I hope one of you can reply whether this is supported on the current platform (WLC5508 sw rel 7.0.116)
    I have not been able to reproduce this myself, but some problems have been reported after mid january, when KB2585542 might be the culprit.
    Is the internal webauthentication portal in above platform able to handle this, or is s/w upgrade inevitable?
    Does WLC guest portal w high cipher option handle the fragmentation of SSL/TLS application records, as described in the following RFCs:
    TLS 1.0: http://www.ietf.org/rfc/rfc2246.txt paragraph 6.2.1
    SSL 3.0: http://www.ietf.org/rfc/rfc6101.txt paragraph 5.2.1
    Environment
    Windows XP Professional SP3 clients with Internet Explorer 8
    Wireless lan controller cluster with redundant(2) webauthentication anchors (all AIR-CT5508-XXX-K9 sw rel 7.0.116)
    Microsoft statement
    "After installing MS12-006, you may experience authentication failure or loss of connectivity to some HTTPS servers. This issue occurs because this security update changes the way that records are sent to HTTPS servers. To address an information disclosure vulnerability, SChannel now implements certain ciphers used in SSL 3.0 and TLS 1.0 in a more secure fashion. The updated behaviour is fully compliant with the RFCs, but it is something that has generally not been used on the internet before
    There are two fixes involved: the SChannel fix makes the new behaviour available, and a fix included in the December Cumulative Update makes Internet Explorer request that more secure option. The behaviour will change only if both are present"
    Sincere regards
    Mats Nilson
       AIR-CT5508-100-K9

    Debug says your client is being requested to anchor but not moving past that....
    So from the looks of things, this has nothing to do with DHCP. Instead, you are either trying to Anchor your clients to a non-existent anchor, or something is royally hosed with mobility.
    I'd suggest debug client and "debug mobility handoff enable" from this same WLC as well as whatever other WLC your client is being sent to....

  • How do you disable SSL\ CBC Ciphers and Weak Algorithms in Windows Server 2003

    Hello, and please accept my humble thanks in advance. The problem that I'm having is the protocols listed below must be disabled on my Windows 2003 (IIS) Servers before we can pass a PCI audit. Now I've taken care of all of this on Windows 2008R2, but not without days and nights of searching the internet for information that is not only clear to understand but accurate, however, I'm not having much luck with 2003.
    Vulnerabilities:
    SSL Server Supports CBC Ciphers for SSLv3
    SSL Server Supports CBC Ciphers for TLSv1
    SSL Server Supports RC4 Ciphers for SSLv3
    SSL Server Supports RC4 Ciphers for TLSv1
    SSL Server Supports Weak MAC Algorithms for SSLv3
    SSL Server Supports Weak MAC Algorithms for TLSv1
    Here's what I've tried, I've done the registry edit as follows, it did not work;
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
    "EventLogging"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    Here's what I've tried, I've installed the Microsoft Security Bulletin MS12-006 - Important Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584), it did not work for those issues but it did close the SSLv2.0 problem.
    Is there ANY reason why the registry edit would not work?
    Again, thank you.
    Don
    Also,
    Has anyone seen or used this Hotfix... what is it and how would it relate to this issue.
    An update is available to add support for the TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and the TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA AES cipher suites in Windows Server 2003
    http://support.microsoft.com/kb/948963

    Hi,
    Hope we could find helpful information in the below KB:
    How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
    http://support.microsoft.com/kb/245030
    Please go through it.
    Regards, Yan Li

  • SLL/NFe configuration - PI for receiving e-mails using SSL/TLS

    We use GRC/SLL 10 NFe - SP16 for issuing / receiving NFes.
    We are migrating our Exchange 2003 to Exchange 2010 and there is a need to increase security.
    Could someone help us? We have to use SSL/TLS -
    Is there any option besides Plain/MD5? Can we use another type of encryption?
    Thanks in advance for everyone's help

    Good afternoon Daniela,
    In my view, configuring both SEFAZ environments (Hom/Prod) in a single PI environment (Dev, for example) is unnecessary; it ends up doubling the configuration effort and is error-prone.
    After the first implementation, where I used the practice you describe, I saw that it made no sense, since after transporting the objects from DEV to QAS I had to redo the whole communication channel configuration twice (Homologation and Production). When I transported to Production, the same torment. The productive channels in DEV/QAS were never used -- thankfully, since that is the correct thing. The same in production -- homologation channels were never used and only served as dead weight in the environment.
    Now, if your company has some transport tool for the Directory objects that carries all the communication channels with their proper values, without the need to fill them in right after the transport (I have that at my current client - long live the Directory API), then things change.
    My recommendation is to always configure the scenarios in the simplest and most generic way possible (Srv_SEFAZ_SP instead of Srv_SEFAZ_SP_HOM), using the latest version of PI, and to configure the scenarios using ICO.
    Regards,
    JN

  • The difference between SSL & TLS

    Dear experts,
    I need to know the difference between SSL & TLS and in which situations I should use them.
    thanks
    Labib Makar

    Labib,
    At a 10,000 foot level v3.0 was superseded by v1.0.
    TLSv1.0 (RFC 4346) was an upgrade to SSL v3.0 (but they don't interoperate)
    This "Cisco.com document" describes the workings of both in some detail:  SSL: Foundation for Web Security
    it states this as some basic differences:
    TLS uses slightly different cryptographic algorithms for such things as the MAC function generation of secret keys. TLS also includes more alert codes.
    Also See: Wikipedia TLS
    As far as which to use, it would depend on if both sides (server/client) support each?  TLS v1.0 or v1.1 is newer.
    Most modern Browsers tend to support both.
    i.e.
    Firefox 3.5.7 supported both SSL v3.0 and TLS v1.0
    Internet Explorer v6 supported both SSLv2, SSLv3, TLS v1.0
    etc.
    Hope that helps.
    Steve Ochmanski

  • TF215097: An error occurred while initializing a build for build definition : Could not establish trust relationship for the SSL/TLS secure channel

    Hello,
    We are facing an issue when triggering a new build using TFS 2013 Update 4, VS2013 Update 4 using TFVCTemplate.12.XAML template. All our other older build definitions just work fine but not the TFVCTemplate.12.XAML. It seems to me that some certificate might be invalidated. Can anyone please point me in the right direction?
    Thanks, 
    Mitul
    TF215097: An error occurred while initializing a build for build definition :
    Exception Message: One or more errors occurred. (type AggregateException)
    Exception Stack Trace: at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
    at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFile(TfsTeamProjectCollection projectCollection, String itemPath, Stream outputStream)
    at Microsoft.TeamFoundation.Build.Client.FileContainerHelper.GetFileAsString(TfsTeamProjectCollection projectCollection, String itemPath)
    at Microsoft.TeamFoundation.Build.Client.ProcessTemplate.Download(String sourceGetVersion)
    at Microsoft.TeamFoundation.Build.Hosting.BuildControllerWorkflowManager.PrepareRequestForBuild(WorkflowManagerActivity activity, IBuildDetail build, WorkflowRequest request, IDictionary`2 dataContext)
    at Microsoft.TeamFoundation.Build.Hosting.BuildWorkflowManager.TryStartWorkflow(WorkflowRequest request, WorkflowManagerActivity activity, BuildWorkflowInstance& workflowInstance, Exception& error, Boolean& syncLockTaken)
    Inner Exception Details:
    Exception Message: An error occurred while sending the request. (type HttpRequestException)
    Exception Stack Trace: at Microsoft.VisualStudio.Services.WebApi.VssHttpRetryMessageHandler.<SendAsync>d__1.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
    at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
    at Microsoft.VisualStudio.Services.WebApi.HttpClientExtensions.<DownloadFileFromTfsAsync>d__2.MoveNext()
    Inner Exception Details:
    Exception Message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. (type WebException)Exception Stack Trace: at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
    at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
    Inner Exception Details:
    Exception Message: The remote certificate is invalid according to the validation procedure. (type AuthenticationException)
    Exception Stack Trace: at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
    at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)

    Hi Mitul,
    Thanks for your reply.
    It's strange: if your old build definitions work using the same TFS Build Server, that indicates your TFS Server configuration is correct and works. But only the new build definition with the default TfvcTemplate.12.xaml template cannot build successfully.
    Please share your TFS Server detailed environment information here. And share your Build Service Properties dialog screenshot here.
    Try to clean the Cache for TFS 2013 manually (delete the content of the folder only, not the cache folder itself):
    Clean the Cache folder on the Server machine. The folder path is:
    C:\Program Files\Microsoft Team Foundation Server 12.0\Application Tier\Web Services\_tfs_data.
    After cleaning, on the Server machine, click Start and select Run… to open the dialog box, then input iisreset.exe and click OK, and wait for it to run completely.
    Additionally, you can run the TFS 2013 Power Tools BPA to scan the installation of your TFS Server.

  • SSL/TLS clients binds fail to Solaris 10 06/06 DS5.2p4 Server

    hello all,
    this is a bizarre issue that i think is related to the solaris version that is running on the directory server, at least this appears to be the issue. i have 2 SunDS servers, one running solaris 10 06/06 and the other solaris 10 01/06 with DS5.2p4. both have SSL enabled, the certs i signed with my own CA which i maintain with tinyca2. the directory starts fine and is listening on both 389(ldap) and 636(ldaps). i am able to successfully bind to both servers on the non-secure ports fine, commands like getent, finger, id are pulling the people from the directory. when i enable the clients to use ssl/tls those same commands fail against the solaris 10 06/06 machine but NOT the solaris 10 01/06 server. on the linux machines i'm getting "nscd: pam_ldap: could not search LDAP server" errors and on the solaris machines "Mesg: openConnection: failed to initialize TLS security" and "libsldap: Status: 7 Mesg: Session error no available conn."
    using "ldapsearch -x -ZZ" from the clients is successful to both systems, and i can use "openssl s_client" to view the certs fine. another bizarre occurrence is when i do "getent passwd" i see the local and ldap users but "getent passwd ldap_user" will return nothing. again this is against the solaris 10 06/06 machine.
    has anyone seen this before? i'm going to open a service request with sun on this but i wanted to see if anyone else has run into this.

    there was a problem with the certificate db which was causing this.

  • SSL/TLS security certificate data match with XML Payload in SAP PI

    Hi,
    We are working on a solution where we would want to use SSL/TLS or WS Security with client server mutual authentication using client server certificates.
    But, once the sender is authenticated using the certificates, can the XML payload be matched for correctness with the certificate information? Is this available to the PI integration engine at any time? For example, Sender A, authenticated as A using certificates, must be stopped if his XML payload says that he is sender B (which is most unlikely if we trust the senders, but we did not want to leave a loophole).
    Any ideas here?
    Thanks and Regards,
    Vijay

    Hi Wolfgang,
    Cross-posting is discouraged and against the forum rules, because it is misused and makes a mess of the search due to distributed discussions and answers.
    I will move it to the PI forum and add a watch on it as it is security forum related.
    Unfortunately, the forum software does not have the option to "mirror" threads.
    Cheers,
    Julius
    Edited by: Julius Bussche on Sep 14, 2009 9:50 PM

  • How Redirect browser(client) based on non-negotiable SSL/TLS protocol or cipher

    Hi guys,
    we have a security requirement wherein we have to force the browsers accessing our asp.net application hosted on windows server 2012 to have at least TLS 1.1, but we don't want to simply block the request; instead we would like to redirect the request to an unsecured static html page with the instructions on how to get them onto TLS.
    can anyone help me here? actually i found a similar and exactly same thread on stackoverflow but i think that is probably directed towards linux family.   http://serverfault.com/questions/591188/redirect-browser-based-on-non-negotiable-ssl-tls-protocol-or-cipher
    please help me guys..
    ps: i have posted the same question on IIS forum (http://forums.iis.net/t/1223352.aspx?How+Redirect+browser+client+based+on+non+negotiable+SSL+TLS+protocol+or+cipher+from+IIS)
    and got a reply saying that it can be done at windows kernel level(possibly).

    Hi,
    As far as I know, once SSL handshake fails, no subsequent communication would occur between the server and client.
    Therefore, as the way I see it, the goal cannot be achieved.
    Best Regards,
    Amy

  • Require Only SSL/TLS Connections

    I would like to require that only SSL/TLS connections be allowed to my server. This is not to be confused with wanting SSL client authentication. I had initially thought I could do this with ACI using the authmethod="ssl", however after looking at the documentation closely and experimentation this refers to do client based SSL authentication as well. I do have SSL/TLS set up correctly, I just want to disallow non-encrypted traffic.
    In OpenLDAP I would merely state "security ssf=128" to require SSL/TLS only connections.
    Anyone know how to do this in Sun's Directory Server?

    The reason I don't use a firewall (presumably to block port 389) or set the non-secure port to 0 is that this would disallow TLS on port 389. Hence all I could do is SSL and only 636. I would like to be able to allow only TLS on 389 and not allow non-TLS traffic.

  • How do I reconnect using SSL/TLS security in Dreamweaver using Windows 7?

    I am using an old version of Dreamweaver on Windows 7.  When I try to upload a file, I get a message saying that I need to reconnect using SSL/TLS security mechanisms.  Is this a setting in Dreamweaver or Windows 7?  Thanks for any help or suggestions.

    It sounds like it is a requirement of the server, not Dreamweaver or Windows7
    Dreamweaver, even older versions, can connect using both FTP and SFTP. But SSL/TLS are on the HTTP protocol, not FTP, so I don't understand why you would get such an error using DW file upload.

  • WSUS Sync is not working Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --- System.Security.Authentication.AuthenticationException: The remote

    I know there are loads of posts with same issue and most of them were related to proxy and connectivity .
    This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
    server is configured on http port 80 
    ERROR
    Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid
    according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
    I've checked proxy server connectivity. I'm able browse following site from WSUS server
    http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
    I did telnet proxy server on the particular port (8080) and that is also fine.
    I've doubt on certificates, any idea which are the certificates which we need to look? And if certificate is expired then (my guess) we won't be able open the above mentioned windows update catalog site?
    Any tips appreciated !
    Anoop C Nair (My Blog www.AnoopCNair.com)
    - Twitter @anoopmannur -
    FaceBook Forum For SCCM

    Hi Lawrence ! - Many thanks for looking into this thread and replying. Appreciate your help.
    Your reply ("SSL is enabled/configured, and the certificate being used is invalid (or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
    I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with proxy server configured on port (8080) and WSUS server on port 80.
    My guess (this is my best guess ;)) is that this is something to do with Firewall or Proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to the proxy/firewall team. From their perspective all the required port communication is open and the proxy server is also reachable. Moreover we're able to access internet (Microsoft Update Catalog site) over the same port (8080).
    Any other hints on how I can prove to them that it's a sure shot problem from their side?
    Thanks again !!
    Anoop C Nair (My Blog www.AnoopCNair.com)
    - Twitter @anoopmannur -
    FaceBook Forum For SCCM

  • Sharepoint and SSRS report trust relationship ssl/tls secure channel remote certificate is invalid

    I have no experience with sharepoint at all. but this is what I observed.
    I am intermittently getting this error message on my sharepoint: could not establish trust relationship for the ssl/tls secure channel. Remote Certificate is invalid according to the validation procedure.
    Screenshot of the error
    This is how the sharepoint page layout.
    I have report.aspx. and below is the content of the aspx file.
    The url is http://sharepoint.COMPANY.com/Pages/Report.aspx.
    The URL is intranet only.
    The sharepoint is hosted in SERVER1 and the SSRS is hosted in SERVER.
    I observed this error happens on both HTTP and HTTPS http sharepoint COMPANY com/Pages/Report.aspx OR https sharepoint COMPANY com/Pages/Report.aspx
    So far, the step I did was to follow this blog http://krishnasangani.blogspot.ca/2013/06/the-remote-certificate-is-invalid.html and restart IIS on SERVER1 AND SERVER2, but the problem persists. Another thing I have done is to click the certificate in internet explorer, and everything looks ok on that side too (certificate is valid)
    It seems to only happen early in the morning, then it fixes itself around 9 o'clock. It has been ongoing for about 2 weeks. Please help troubleshooting this.
    <%@ Page Inherits="Microsoft.SharePoint.Publishing.TemplateRedirectionPage,Microsoft.SharePoint.Publishing,Version=14.0.0.0,Culture=neutral,PublicKeyToken=71e9bsasdasdasd9c" %> <%@ Reference VirtualPath="~TemplatePageUrl" %> <%@ Reference VirtualPath="~masterurl/custom.master" %><%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bsasdasdasd9c" %>
    <html xmlns:mso="urn:schemas-microsoft-com:office:office" xmlns:msdt="uuid:547SF010-65B3-11d1-A29F-00457845FFSW"><head>
    <!--[if gte mso 9]><SharePoint:CTFieldRefs runat=server Prefix="mso:" FieldList="FileLeafRef,Comments,PublishingStartDate,PublishingExpirationDate,PublishingContactEmail,PublishingContactName,PublishingContactPicture,PublishingPageLayout,PublishingVariationGroupID,PublishingVariationRelationshipLinkFieldID,PublishingRollupImage,Audience,PublishingPageImage,PublishingPageContent,SummaryLinks,ArticleByLine,ArticleStartDate,PublishingImageCaption,HeaderStyleDefinitions"><xml>
    <mso:CustomDocumentProperties>
    <mso:PublishingContact msdt:dt="string">8</mso:PublishingContact>
    <mso:HeaderStyleDefinitions msdt:dt="string"></mso:HeaderStyleDefinitions>
    <mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact msdt:dt="string">First Last Name</mso:display_urn_x003a_schemas-microsoft-com_x003a_office_x003a_office_x0023_PublishingContact>
    <mso:PublishingContactPicture msdt:dt="string"></mso:PublishingContactPicture>
    <mso:PublishingContactName msdt:dt="string"></mso:PublishingContactName>
    <mso:ContentTypeId msdt:dt="string">0x010100C568DB5SDH48375LKNSDFG8340JKRG8034U6NEGK8TNGE8U34NIOGE8355H3358TRNG38G43JIOEG0T3JIGE9034340R8J05T4I54T4J8903HH5640K9445G54HH6564H65665</mso:ContentTypeId>
    <mso:Comments msdt:dt="string"></mso:Comments>
    <mso:PublishingContactEmail msdt:dt="string"></mso:PublishingContactEmail>
    <mso:PublishingPageLayout msdt:dt="string">https://sharepoint.COMPANY.com/_catalogs/masterpage/PageFromDocLayout.aspx, Body only</mso:PublishingPageLayout>
    <mso:PublishingPageContent msdt:dt="string">&lt;div class=&quot;ms-rtestate-read ms-rte-wpbox&quot;&gt;&lt;div class=&quot;ms-rtestate-notify ms-rtestate-read a74e0591-4ee6-4837-935a-3c932a967fac&quot; id=&quot;div_a74e0591-4ee6-4837-935a-3c932a967fac&quot;&gt;&lt;/div&gt;
    &lt;div id=&quot;vid_a74e0591-4ee6-4837-935a-3c932a967fac&quot; style=&quot;display:none&quot;&gt;&lt;/div&gt;&lt;/div&gt;
    &lt;div class=&quot;ms-rtestate-read ms-rte-wpbox&quot;&gt;&lt;div class=&quot;ms-rtestate-notify ms-rtestate-read e97fce7c-b702-4530-ae50-16ea77475fd5&quot; id=&quot;div_e97fce7c-b702-4530-ae50-16ea77475fd5&quot;&gt;&lt;/div&gt;
    &lt;div id=&quot;vid_e97fce7c-b702-4530-ae50-16ea77475fd5&quot; style=&quot;display:none&quot;&gt;&lt;/div&gt;&lt;/div&gt;
    </mso:PublishingPageContent>
    <mso:PublishingRollupImage msdt:dt="string"></mso:PublishingRollupImage>
    <mso:RequiresRouting msdt:dt="string">False</mso:RequiresRouting>
    </mso:CustomDocumentProperties>
    </xml></SharePoint:CTFieldRefs><![endif]-->
    <title>Report</title></head>
    A few questions I have in mind: any pointer to troubleshoot this problem? And by looking at the ASPX file, would you be able to determine what method my Sharepoint page is using to call the SSRS report: integrated mode, native mode? IEFrame? The reason I am asking this is that maybe if I google using the right terminology I can get to a similar problem and solution.
    Thanks

    Please let us know if you are using
    SharePoint communicates to an external service via HTTPS 
    Please try perform following steps:
    Fix is to setup a trust between SharePoint and the server requiring certificate validation.
    In SharePoint Central Administration site, go to “Security” and then “Manage Trust”.  Upload the certificates to SharePoint.  The key is to get both the root and subordinate certificates on to SharePoint.
    The steps to get the certificates from the remote server hosting the WCF service are as follows:
    1.  Browse from IE to the WCF service (e.g., https://remotehost/service.svc?wsdl)
    2.  Right click on the browser body and choose “Properties” and then “Certificates” and then “Certificate Path”.
    This tells you the certificate chain that’s required by the other server in order to communicate with it properly.  You can double-click on each level in the certificate chain to go to that particular certificate, then click on “Details” tab, “Copy to File” to save the certificate with the default settings.
    As an example, get both VeriSign & VeriSign Class 3 Extended Validation SSL CA.
    Reference: http://blogs.technet.com/b/sharepointdevelopersupport/archive/2013/06/13/could-not-establish-trust-relationship-for-ssl-tls-secure-channel.aspx
    If my contribution helps you, please click Mark As Answer on that post and
    Vote as Helpful
    Thanks, ShankarSingh(MCP)
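
The certificate-collection steps in the answer above can also be scripted. This is an added example, not code from the thread: it reads the chain presented by the HTTPS endpoint and writes each issuing certificate to a `.cer` file for upload under "Manage Trust". The function name, the host `remotehost`, port 443 and the output folder are placeholders chosen here.

```powershell
# Added example (not from the original thread): save the issuing CA certificates
# that an HTTPS endpoint presents, ready for upload under "Manage Trust".
# 'remotehost', port 443 and the output folder are placeholders.
function Export-RemoteIssuerCertificates {
    param(
        [string]$HostName = 'remotehost',
        [int]$Port = 443,
        [string]$OutDir = (Join-Path $env:TEMP 'sp-trust')
    )

    $found = New-Object System.Collections.ArrayList

    # Inspection only: the callback copies the chain and accepts the handshake so
    # that an untrusted chain can still be read. No application data is sent.
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        foreach ($element in $chain.ChainElements) {
            $copy = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$element.Certificate.RawData)
            [void]$found.Add($copy)
        }
        $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    }
    finally { $tcp.Close() }

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    # Element 0 is the server's own certificate; the rest are its issuers.
    for ($i = 1; $i -lt $found.Count; $i++) {
        $cert = $found[$i]
        # A certificate whose subject equals its issuer is treated as the root.
        $role = if ($cert.Subject -eq $cert.Issuer) { 'root' } else { 'subordinate' }
        $path = Join-Path $OutDir ("{0}-{1}-{2}.cer" -f $i, $role, $cert.Thumbprint)
        [System.IO.File]::WriteAllBytes($path, $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
        [pscustomobject]@{ Role = $role; Subject = $cert.Subject; NotAfter = $cert.NotAfter; File = $path }
    }
}

Export-RemoteIssuerCertificates -HostName 'remotehost'
```

Compare the exported thumbprints with the values the issuing CA publishes before trusting them, since the connection used to fetch them was not validated. The files can then be uploaded under "Manage Trust" or registered from the SharePoint Management Shell with `New-SPTrustedRootAuthority`.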

  • Reporting services with R2 on DPM2012 - Could not establish trust relationship for the SSL/TLS secure channel

    Hi everyone,
    A somewhat similar question has been asked before by others but none of the answers given has helped me. I am attempting a DPM 2012 installation, which is failing at the "deploying reports" stage. My analysis of logs seems to point me in the direction of an SSL error, which does not make sense since the configuration files say SSL is disabled (or at least, should be).
    Here are the symptoms:
    1. I am able to browse http://FQDN/Reports_MSDPM2012 folder from Internet Explorer
    2. I am also able to browse http://FQDN/ReportServer_MSDPM2012 from Internet Explorer
    3. The information given in the logs and relevant config files is shown below:
    <<RSREPORTSERVER.CONFIG>>
    <ConnectionType>Default</ConnectionType>
    <LogonUser></LogonUser>
    <LogonDomain></LogonDomain>
    <LogonCred></LogonCred>
    <InstanceId>MSRS10_50.MSDPM2012</InstanceId>
    <InstallationID>{d9b1c335-5842-4a81-9148-79184c38bf09}</InstallationID>
    <Add Key="SecureConnectionLevel" Value="0"/>
    <Add Key="CleanupCycleMinutes" Value="10"/>
    <Add Key="MaxActiveReqForOneUser" Value="20"/>
    <Add Key="DatabaseQueryTimeout" Value="120"/>
    <Add Key="RunningRequestsScavengerCycle" Value="60"/>
    <Add Key="RunningRequestsDbCycle" Value="60"/>
    <Add Key="RunningRequestsAge" Value="30"/>
    <Add Key="MaxScheduleWait" Value="5"/>
    <Add Key="DisplayErrorLink" Value="true"/>
    <Add Key="WebServiceUseFileShareStorage" Value="false"/>
    <!--  <Add Key="ProcessTimeout" Value="150" /> -->
    <!--  <Add Key="ProcessTimeoutGcExtension" Value="30" /> -->
    <!--  <Add Key="WatsonFlags" Value="0x0430" /> full dump-->
    <!--  <Add Key="WatsonFlags" Value="0x0428" /> minidump -->
    <!--  <Add Key="WatsonFlags" Value="0x0002" /> no dump-->
    <Add Key="WatsonFlags" Value="0x0428"/>
    <Add Key="WatsonDumpOnExceptions" 
    4. The DPM log file still appears to be using SSL even though I used Reporting Services configuration to remove SSL bindings:
    running.Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.BackEndErrorException: exception ---> Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.ReportDeploymentException:
    exception ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.WebException: The underlying connection was closed: Could
    not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
    The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest,
    Exception exception)
    5. I do have an SCCM site on the default web site used by SMS clients but on different ports.
    I am stumped. Somebody please give some advice.
    Thank you

    Hi
    This is an old post but did you come right?
