SSL/TLS with Anonymous Diffie-Hellman example anywhere?
I'm trying to connect to a server using ssl or tls using TLS_DH_anon_WITH_AES_128_CBC_SHA as my cipher suite, and I'm running into problems (exceptions). Is there an example anywhere showing how this can be done? I have been Googling, and I cannot find something useful.
My code is:
try {
Security.addProvider(new SunJCE());
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, null, null);
SSLSocketFactory sslFact = ctx.getSocketFactory();
SSLSocket socket = (SSLSocket) sslFact.createSocket(getURL()
.getHost(), getURL().getPort());
socket.setEnabledCipherSuites(enabledCipherSuites);
socket.startHandshake();
} catch (Exception e) {
e.printStackTrace();
}and my errors are:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate secret
... (some stuff omitted)
Caused by: java.lang.RuntimeException: Could not generate secret
... (some stuff omitted)
Caused by: java.security.NoSuchAlgorithmException: DiffieHellman KeyFactory not availableAny suggestions, please?
Hmmmm ... not a lot of info in the following document from the Safari Development Center, and it's a bit dated too, but just in case it's of any use as a starting point:
[What encryption, authentication, and proxy technologies does Safari support?|http://developer.apple.com/safari/library/qa/qa2009/qa1537.html]
Similar Messages
-
Solaris 10 DS5.2Q4 with SSL/TLS with Replicaton
I have been working on configuring DS5.2Q4 on Solaris 10 11/06. I have been successful with Gary Tay's documentation (a few changes for new syntax and svcs). My current configuration only has one ldap server and using self signed certs.
I would now like to move to the next step of maintaining my ssl/tls but adding another master with replication.
Here are a couple of my questions.
1) How do I configure my clients to work with both replication master servers. I am a little confused since the certs in my client are assigned to only one of my masters. Do both masters need the same cert, or is there a way to allow for both certs to be loated on the client (/var/ldap).
2) Enable secure replication. I have not looked too deep into this yet, but that is my plan.
As a final note, I would like to thank Gary Tay for all of his feedback and documentation. I find that Sun often lacks step by step procedures for tasks such as this. Thanks!I have been working on configuring DS5.2Q4 on Solaris 10 11/06. I have been successful with Gary Tay's documentation (a few changes for new syntax and svcs). My current configuration only has one ldap server and using self signed certs.
I would now like to move to the next step of maintaining my ssl/tls but adding another master with replication.
Here are a couple of my questions.
1) How do I configure my clients to work with both replication master servers. I am a little confused since the certs in my client are assigned to only one of my masters. Do both masters need the same cert, or is there a way to allow for both certs to be loated on the client (/var/ldap).
2) Enable secure replication. I have not looked too deep into this yet, but that is my plan.
As a final note, I would like to thank Gary Tay for all of his feedback and documentation. I find that Sun often lacks step by step procedures for tasks such as this. Thanks! -
Creating a TCP connection with SSL/TLS
Hi,
I am working in a application that depends on the server. I need to estabilish a TCP connection with SSL/Tls secure connection with the server in order to get the datas.
I have the following code structure :
- (id)initWithHostAddressNSString*)_host andPortint)_port
[self clean];
self.host = _host;
self.port = _port;
CFWriteStreamRef writeStream;
CFReadStreamRef readStream;
return self;
-(BOOL)connect
if ( self.host != nil )
// Bind read/write streams to a new socket
CFStreamCreatePairWithSocketToHost(kCFAllocatorDef ault, (CFStringRef)self.host, self.port, &readStream, &writeStream);
return [self setupSocketStreams];
- (BOOL)setupSocketStreams
// Make sure streams were created correctly
if ( readStream == nil || writeStream == nil )
[self close];
return NO;
// Create buffers ---- has not been released , so need to check possible ways to release in future
incomingDataBuffer = [[NSMutableData alloc] init];
outgoingDataBuffer = [[NSMutableData alloc] init];
// Indicate that we want socket to be closed whenever streams are closed
CFReadStreamSetProperty(readStream, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
CFWriteStreamSetProperty(writeStream, kCFStreamPropertyShouldCloseNativeSocket, kCFBooleanTrue);
//Indicate that the connection needs to be done in secure manner
CFReadStreamSetProperty(readStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
CFWriteStreamSetProperty(writeStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelNegotiatedSSL);
// We will be handling the following stream events
CFOptionFlags registeredEvents = kCFStreamEventOpenCompleted |
kCFStreamEventHasBytesAvailable | kCFStreamEventCanAcceptBytes |
kCFStreamEventEndEncountered | kCFStreamEventErrorOccurred;
// Setup stream context - reference to 'self' will be passed to stream event handling callbacks
CFStreamClientContext ctx = {0, self, NULL, NULL, NULL};
// Specify callbacks that will be handling stream events
BOOL doSupportAsync = CFReadStreamSetClient(readStream, registeredEvents, readStreamEventHandler, &ctx);
BOOL doSupportAsync1 = CFWriteStreamSetClient(writeStream, registeredEvents, writeStreamEventHandler, &ctx);
NSLog(@"does supported in Asynchrnous format? : %d :%d", doSupportAsync, doSupportAsync1);
// Schedule streams with current run loop
CFReadStreamScheduleWithRunLoop(readStream, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);
CFWriteStreamScheduleWithRunLoop(writeStream, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);
// Open both streams
if ( ! CFReadStreamOpen(readStream) || ! CFWriteStreamOpen(writeStream))
// close the connection
return NO;
return YES;
// call back method for reading
void readStreamEventHandler(CFReadStreamRef stream,CFStreamEventType eventType, void *info)
Connection* connection = (Connection*)info;
[connection readStreamHandleEvent:eventType];
// call back method for writing
void writeStreamEventHandler(CFWriteStreamRef stream, CFStreamEventType eventType, void *info)
Connection* connection = (Connection*)info;
[connection writeStreamHandleEvent:eventType];
`
As above, I have used
CFReadStreamSetProperty(readStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelSSLv3);
CFWriteStreamSetProperty(writeStream, kCFStreamPropertySocketSecurityLevel, kCFStreamSocketSecurityLevelSSLv3);
in order to make a secured connection using sockets.
The url i am using is in the format "ssl://some domain.com"
But in my call back method i am always getting only kCFStreamEventErrorOccurred for CFStreamEventType .
I also tried with the url "https://some domain.com" ,but getting the same error.
i also commented out setting kCFStreamPropertySocketSecurityLevel, but still i am receiving the same error that i mentioned above.
I dont know how it returns the same error. I have followed the api's and docs , but they mentioned the same way of creating a connection as i had given above.
I tried to get the error using the following code :
CFStreamError error = CFWriteStreamGetError(writeStream);
CFStreamErrorDomain errDomain = error.domain;
SInt32 errCode = error.error;
The value for errCode is 61 and errDomain is kCFStreamErrorDomainPOSIX. so i checked out the "errno.h", it specifies errCode as "Connection refused"
I need a help to fix this issue.
If the above code is not the right one,
**(i)how to create a TCP connection with SSL/TLS with the server.**
**(ii)How the url format should be(i.e its "ssl://" or "https://").**
**(iii)If my above code is correct where lies the error.**
I hope the server is working properly. Because I can able to communicate with the server and get the datas properly using BlackBerry and android phones. They have used SecuredConnection api's built in java. Their url format is "ssl://" and also using the same port number that i have used in my code.
Any help would be greatly appreciated.
Regards,
Mohammed Sadiq.Hello Naxito. Welcome to the Apple Discussions!
Try the following ...
Perform a "factory default" reset of the AX
o (ref: http://docs.info.apple.com/article.html?artnum=108044)
Setup the AX
Connect to the AX's wireless network, and then, using the AirPort Admin Utility, try these settings:
AirPort tab
o Base Station Name: <whatever you wish or use the default>
o AirPort Network Name: <whatever you wish or use the default>
o Create a closed network (unchecked)
o Wireless Security: Not enabled
o Channel: Automatic
o Mode: 802.11b/g Compatible
Internet tab
o Connect Using: Ethernet
o Configure: Manually
o IP address: <Enter your college-provided IP address>
o Subnet mask: <Enter your college-provided subnet mask IP address>
o Router address: <Enter your college-provided router IP address>
o DNS servers: <Enter your college-provided DNS server(s)
o WAN Ethernet Port: Automatic
<b>Network tab
o Distribute IP addresses (checked)
o Share a single IP address (using DHCP & NAT) (enabled) -
Checking the details of SSL/TLS
In most of common browsers you can check what cryptographic algorithms or security mechanisms are used (and choose them). For example in Firefox (or any other Mozilla software) there's about:config and you can find there things like these:
security.ssl3.dhersa_aes_128sha
security.ssl3.dhersa_aes_256sha
security.ssl3.dhersa_camellia_128sha
security.ssl3.dhersa_camellia_256sha
security.ssl3.ecdhecdsa_aes_128sha
security.ssl3.ecdhecdsa_aes_256sha
security.ssl3.ecdhecdsa_des_ede3sha
and so on.
Thanks to that i know which algorithms is my browser exactly using in SSL/TLS connections. If i think that for example "3DES with EC-Diffie-Hellman and SHA" isn't the most secure set of algorithms for me, i can turn it off. I'd like to know which algorithms do exactly Safari use? It's an important thing because for example FF still uses for example ARC4 algorithm which isn't highly secure.
How to check it?
Safari version: 4.0.4 (531.21.10)
Operating System: Windows XP
Best regards,
MichaelHmmmm ... not a lot of info in the following document from the Safari Development Center, and it's a bit dated too, but just in case it's of any use as a starting point:
[What encryption, authentication, and proxy technologies does Safari support?|http://developer.apple.com/safari/library/qa/qa2009/qa1537.html] -
Question on determining key strength (Diffie-Hellman Key Exchange)
Greetings everyone!
Im working on my thesis which implements the use of the Diffie-Hellman key exchange. One problem that I encounter was how to assess and evaluate its strength given N-size of the public keys used. Does anyone know what is the recommended key size to achieve security with the Diffie-Hellman key exchange? And in what way was it determined?
Sincerely,
Paolo FerrerWell, Diffie-Hellman is a key exchange protocol, not a cypher. If you mean RSA, then the recommended minimum is 2048 bits. This is determined by estimating the amount of time it would take to break a shorter key by brute force. 256 bits can be broken on a PC in hours. 512 can be broken on several hundred PCs over a couple of days (this is all very rough stuff). 1024 could theoretically be broken by a computer that might be built in the next decade or so in under a decade so - or something like that. So, 2048 is the rule of thumb - but it depends what you need it for. To send a secure message to your grandmother, it's unlikely the whole world will pool their resources to learn the text of your message in 10 years.
If, on the other hand, this is an email to your Justice department's Whitehouse liaison, you might want 4096 bits.
Look up "Diffie Hellman Key Exchange" and RSA on wikipedia.org for some good references. -
SSL/TLS security certificate data match with XML Payload in SAP PI
Hi,
We are working on a solution where we would want to use SSL/TLS or WS Security with client server mutual authentication using client server certificates.
But, once the sender is authenticated using the certificates, can the XML payload be matched for the correctness with the certificate information? Is this available to PI integration engine at any time? Like Sender A autheticated as A using certificates, must be stopped if his XML payload is saying that he is sender B (which is most unlikely if we trust the senders but did not want to leave a loophole).
Any ideas here?
Thanks and Regards,
VijayHi Wolfgang,
Cross-posting is discouraged and against the forum rules, because it is misused and makes a mess of the search due to distributed discussions and answers.
I will move it to the PI forum and add a watch on it as it is security forum related.
Unfortunately, the forum software does not have the option to "mirror" threads.
Cheers,
Julius
Edited by: Julius Bussche on Sep 14, 2009 9:50 PM -
Hi, experts
I'm trying to configure a lab environment according tutorial http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/rights-management-server-exchange-2010-part3.html
After completing configuration, I execute cmdlet Set-IRMConfiguration -InternalLicensingEnabled $true, but get error
The remote certificate is invalid according to the validation procedure. ---> The underlying connection was closed: Cou
ld not establish trust relationship for the SSL/TLS secure channel. ---> Failed to get Server Info from https://exhv-65
94/_wmcs/certification/server.asmx.
+ CategoryInfo : InvalidOperation: (:) [Set-IRMConfiguration], Exception
+ FullyQualifiedErrorId : C810E449,Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration
Then I run cmdlet Test-IRMConfiguration -Sender [email protected] and get error
Results : Checking Exchange Server ...
- PASS: Exchange Server is running in Enterprise.
Loading IRM configuration ...
- PASS: IRM configuration loaded successfully.
Retrieving RMS Certification Uri ...
- PASS: RMS Certification Uri: https://server1/_wmcs/certification.
Verifying RMS version for https://server1/_wmcs/certification ...
- WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the
hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247)
or AD RMS on Windows Server 2008 R2.
Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https:
//server1/_wmcs/certification/server.asmx. ---> System.Net.WebException: The underlying connection was clos
ed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authenticatio
n.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest async
Request, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest async
Request)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequ
est asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Obje
ct state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] req
uests)
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
--- End of inner exception stack trace ---
at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, Se
rviceType serviceType)
at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
OVERALL RESULT: PASS with warnings on disabled features
From the error message, this issue seem to related with SSL/TLS connection. So I go back to check configuration and find out a difference to tutorial. Current SCP url is https://server1/_wmcs/certification, but in tutorial it is https://server1:433/_wmcs/certification.
On my opinion, I don't think it is the real reason.
So, how can I resolve this error? Could you give me some suggestion? Thanks in advance.
System Info:
Windows Server 2008 R2 + Exchange Server 2010 SP3 RTMHi
Please have a try with the solution on this KB article
“Error message when you try to test access from the Microsoft Dynamics CRM E-mail Router: "Incoming Status: Failure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"”
http://support.microsoft.com/kb/954584/en-us
Cheers
Zi Feng
TechNet Community Support -
Could not establish trust relationship for the SSL/TLS secure channel with authority
Hello everyone, I need to establish a connection between my HTTPS WCF hosted in Windows Azure Web Role and my Windows Store App Client. The service is actually exposed for testing purposes using a self-signed certificate.
I have installed the certificate in Personal and Trusted Root Certification Authorities in Current User and Local Manchine.
In the Windows Store App, I create the service reference pointing to the cloud https service, then edit the manifest and create a new declaration to Add a New Certificate, I checked Exclusive Trust and Auto select, pointing to Root storage name and
my self-signed certificate.cer.
The result is the following exception in the IntelliTrace stack:
Exception:Caught: "The remote certificate is invalid according to the validation procedure." (System.Security.Authentication.AuthenticationException)
A System.Security.Authentication.AuthenticationException was caught: "The remote certificate is invalid according to the validation procedure."
Time: 19/01/2015 04:42:33 p. m.
Thread:Worker Thread[17080]
Exception:Thrown: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'appchallengewhi.cloudapp.net'." (System.ServiceModel.Security.SecurityNegotiationException)
A System.ServiceModel.Security.SecurityNegotiationException was thrown: "Could not establish trust relationship for the SSL/TLS secure channel with authority 'appchallengewhi.cloudapp.net'."
Time: 19/01/2015 04:42:34 p. m.
Thread:Worker Thread[17080]
Appreciate any help, to solve this with the approach of WCF Service Reference in Windows Store App.
Note:
If I call the HTTPS service using a Console App it works very good using the following the code:
ChannelFactory<IAgentService> factory = new ChannelFactory<IAgentService>("basicHttpBinding_IAgentService");
ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, error) => true;
IAgentService wcfProxy = factory.CreateChannel();
Thanks in advance,
RCMaybe not implemented.
https://social.msdn.microsoft.com/Forums/windowsapps/en-US/2dab2818-8f4c-4474-a7a1-db2cbfb40d40/accepting-client-certificate-for-https-connections?forum=winappswithcsharp -
Hi All,
I am using SharePoint List Connectors to load the data from Sharepoint list to Sql server.
I have created an ssis package and attached to the SQL agent job in works fine
SharePoint Source dev url : http://company.dev.com (working fine)(http)
DB server:(server\instance)
I thought all i good and can test with the uat sharepoint url.
I have changed the configuration url yo point to uat.(https)
SharePoint Source dev url : https://companyuat.dev.com (working fine)
DB server:(server\instance)
Suddently it fails when with the following error:
In both the cases i am running the agent job from the same db server
DB server:(server\instance)
Error Message:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'companyuat.dev.com'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Source: Data Flow Task SharePoint List Source [1] Description: System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'companyuat.dev.com'. ---> System.Net.WebException:
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Is there is workaround to reslove this?Any inputs highly appreciated as it is time to move to production :(.
Thanks
Ravi
RaviThis is the important error: The remote certificate is invalid according to the validation procedure.
Your SharePoint server certificate is invalid. You have to either correct your certificate or make your SSIS client machine explicitly trust the server certificate.
SSIS Tasks Components Scripts Services | http://www.cozyroc.com/ -
" Could not create SSL/TLS secure channel " error with Webtest of VS 2013
hello !
I want to test my mvc web project with webtest tools of VS 2013 and I Record a test with Internet Explorer
but when I run test appear this error for me at result of test run : Could not create SSL/TLS secure channel
for some requested url , but i watch requests in developer tools of chrome browser and I don't see this error.
i have ssl certificate on the server.
thanksHi ArashGhf,
>>but when I run test appear this error for me at result of test run : Could not create SSL/TLS secure channel
Based on the error message, it looks like it might be a problem with your certificate not being set up correctly for web performance test.
Therefore, I suggest you could refer the autom8dTest's suggestion to convert the Web performance test to coded web performance test and then add the WebTestRequest ClientCertificates property to the ClientCertificates collection after the request
is set up.
For more information, please refer to it.
https://social.msdn.microsoft.com/Forums/en-US/49e8d188-90c3-4d72-b387-10b1d1adc4a0/ssl-in-webtests-request-failed?forum=vstswebtest
Hope it help you!
Best Regards,
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
Hi I am getting this error,
The Secure Store Service application Secure Store Service is not accessible
The full exception text is: Could not establish trust relationship for the SSL/TLS secure channel with authority 'sp:32844'.
Any help will be appreciatedYou may need to add the SSL to the SharePoint Trusted Root Authority.Get the root cert for the site you are securing with HTTPS/SSL and add in SharePoint Trusted Root Authority. As explained here -
https://social.technet.microsoft.com/Forums/office/en-US/2aed19c6-24df-4646-b946-f4365a05e32f/secure-store-service-stops-working-once-or-twice-every-day-could-not-establish-trust-relationship?forum=sharepointadmin
http://brainlitter.com/2012/03/13/sharepoint-2010-and-cert-trust-could-not-establish-trust-relationship-for-the-ssltls-secure-channel/
Thanks
Ganesh Jat [My Blog |
LinkedIn | Twitter ]
Please click 'Mark As Answer' if a post solves your problem or 'Vote As Helpful' if it was useful. -
What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH)
Hi,
I just want to know,
What version of SQL Server support ssl connection with TLS. 1.2 (SHA-256 HASH).
if support already,
how can i setting.
plz. help me!!!The following blog states that SQL Server "leverages the SChannel layer (the SSL/TLS layer provided
by Windows) for facilitating encryption. Furthermore, SQL Server will completely rely upon SChannel to determine the best encryption cipher suite to use." meaning that the version of SQL Server you are running has no bearing on which
encryption method is used to encrypt connections between SQL Server and clients.
http://blogs.msdn.com/b/sql_protocols/archive/2007/06/30/ssl-cipher-suites-used-with-sql-server.aspx
So the question then becomes which versions of Windows Server support TLS 1.2. The following article indicates that Windows Server 2008 R2 and beyond support TLS 1.2.
http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
So if you are running SQL Server on Windows Server 2008 R2 or later you should be able to enable TLS 1.2 and install a TLS 1.2 certificate. By following the instructions in the following article you should then be able to enable TLS 1.2 encryption
for connections between SQL Server and your clients:
http://support.microsoft.com/kb/316898
I hope that helps. -
Native Solaris 10 with DSEE 6.3.1 (or JSDS) with SSL (tls:simple)
Hello There,
I need some help from DSEE or LDAP experts.
I am trying to configure DSEE 6.3.1 to use SSL(tls:simple).
*{color:#0000ff}I have Simple(non-SSL) method working just fine and*
**Also ldapsearch command works fine with simple and SSL methods*{color}**. So I know my certs are good but I just can not make ldap clien to work*
*I followed this document [http://brandonhutchinson.com/wiki/Soup_To_Nuts_Sun_DSEE#Solaris_10_instructions]*
I am using
ldapclient -v init -a profileName=profile3 -a certificatePath=/var/ldap -a domainName=mydomain.com -a proxyDN="cn=proxyagent,ou=pro*file,dc=mydomain,dc=com" -a proxyPassword=XXXXX ldap200.mydomain.com*
Here is the output
+Parsing profileName=profile3+
+Parsing certificatePath=/var/ldap+
+Parsing domainName=mydomain.com+
+Parsing proxyDN=cn=proxyagent,ou=profile,dc=mydomain,dc=com+
+Parsing proxyPassword=xxxxx+
+Arguments parsed:+
+domainName: mydomain.com+
+proxyDN: cn=proxyagent,ou=profile,dc=mydomain,dc=com+
+profileName: profile3+
+proxyPassword: xxxxx+
+defaultServerList: ldap200.mydomain.com+
+certificatePath: /var/ldap+
+Handling init option+
+About to configure machine by downloading a profile+
+findBaseDN: begins+
+findBaseDN: ldap not running+
+findBaseDN: calling __ns_ldap_default_config()+
+found 1 namingcontexts+
+findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=mydomain.com))"+
+rootDN[0] dc=mydomain,dc=com+
+found baseDN dc=mydomain,dc=com for domain mydomain.com+
+Proxy DN: cn=proxyagent,ou=profile,dc=mydomain,dc=com+
+Proxy password: {NS1}67eb0f447bc0f619+
+Credential level: 1+
+Authentication method: 3+
+About to modify this machines configuration by writing the files+
+Stopping network services+
+sendmail not running+
+nscd not running+
+autofs not running+
+ldap not running+
+nisd not running+
+nis(yp) not running+
+file_backup: stat(/etc/nsswitch.conf)=0+
+file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)+
+file_backup: stat(/etc/defaultdomain)=0+
+file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)+
+file_backup: stat(/var/nis/NIS_COLD_START)=-1+
+file_backup: No /var/nis/NIS_COLD_START file.+
+file_backup: nis domain is "mydomain.com"+
+file_backup: stat(/var/yp/binding/mydomain.com)=-1+
+file_backup: No /var/yp/binding/mydomain.com directory.+
+file_backup: stat(/var/ldap/ldap_client_file)=-1+
+file_backup: No /var/ldap/ldap_client_file file.+
+Starting network services+
+start: /usr/bin/domainname mydomain.com... success+
+start: sleep 100000 microseconds+
+start: sleep 200000 microseconds+
+start: network/ldap/client:default... success+
+restart: sleep 100000 microseconds+
+restart: sleep 200000 microseconds+
+restart: milestone/name-services:default... success+
+System successfully configured+
+When I run+
*It takes long time and then*
*+ldaplist: Object not found (Session error no available conn.+*
*+)+*
{color:#0000ff}The command logins also takes long time and does not show any LDAP users.{color}
*+{color:#ff6600}Here is the output from cachemgr.log on client*+*
*+{color}+*
+Tue Jul 14 12:16:07.8984 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log+
+Tue Jul 14 12:16:07.9391 sig_ok_to_exit(): parent exiting...+
+Tue Jul 14 12:16:17.9511 getldap_set_refresh_ttl:(6) refresh ttl is 300 seconds+
+Tue Jul 14 12:16:38.0741 getldap_set_refresh_ttl:(6) refresh ttl is 150 seconds+
+Tue Jul 14 12:16:38.0755 Error: Unable to refresh profile:profile3:Session error no available conn.+
+Tue Jul 14 12:16:38.0756 Error: Unable to update from profile+
+{color:#ff6600}Here is the out from /var/adm/messages.+
+{color:#000000}Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind fai{color}+{color:#000000}+led - Can't contact LDAP server+
+Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 292100 daemon.warning] libsldap: could not remove 192.168.190.146 from servers list+
+Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.+
+Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 186574 daemon.error] Error: Unable to refresh profile:profile3: Session error no available conn.+
+Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple+ +bind failed - Can't contact LDAP server+
+Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 292100 daemon.warning] libsldap: could not remove 192.168.190.146 from servers list+
+Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no avaible conn.+
*ANY HELP IS GREATLY APPRECIATED*
*THANKS*
Edited by: PranavPatel on Jul 14, 2009 12:41 PM
Edited by: PranavPatel on Jul 14, 2009 12:46 PMHere is the the profile from Server
Non-editable attributes
dn: cn=profile3,ou=profile,dc=mydomain,dc=com
authenticationmethod: tls:simple
bindtimelimit: 10
cn: profile3
credentiallevel: proxy
defaultsearchbase: dc=mydomain,dc=com
defaultsearchscope: one
defaultserverlist: 192.168.190.146 192.168.11.221
followreferrals: FALSE
objectclass: top
objectclass: DUAConfigProfile
profilettl: 43200
searchtimelimit: 30
serviceauthenticationmethod: passwd-cmd:tls:simple
serviceauthenticationmethod: keyserv:tls:simple
serviceauthenticationmethod: pam_ldap:tls:simple
Editable attributes:
createtimestamp: 20090714180638Z
creatorsname: cn=directory manager
entrydn: cn=profile3,ou=profile,dc=mydomain,dc=com
entryid: 26
hassubordinates: FALSE
modifiersname: cn=directory manager
modifytimestamp: 20090714180638Z
nsuniqueid: f37fa281-70a011de-80b5f403-069e0ba9
numsubordinates: 0
parentid: 13
subschemasubentry: cn=schema
And here is the output of
*# ldapclient list*
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=mydomain,dc=com
+NS_LDAP_BINDPASSWD= {NS1}67eb0f447bc0f619+
NS_LDAP_SERVERS= 192.168.190.146, 192.168.11.221
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= profile3
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= keyserv:tls:simple
NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
NS_LDAP_HOST_CERTPATH= /var/ldap
Edited by: PranavPatel on Jul 14, 2009 1:08 PM -
Broken SSL/TLS SMTP authentication with Outlook Express
Hi All,
I've created two ports for SMTP-Authentication with required SSL/TLS : port 25 and port 587. Everythings work fine on port 25 (both smtp-auth and ssl/tls works).
But when using Outlook Express with port 587, the problems happens:
Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'pop.cbn.net.id', Server: 'smtps.cbn.net.id', Protocol: SMTP, Port: 587, Secure(SSL): Yes, Error Number: 0x800CCC0F
I've already disable windows firewall, Desktop Antivirus etc. but still not works.
Does anyone has the same problem? Thank you.Sorry I'm a little late to the party.
This is a bug in OE. It is attempting to do an SSL negotiation immediately when the connection opens, like what a web browser does for HTTPS connections, rather than using the STARTTLS mechanism to start TLS in the middle of the connection. In other words, it's attempting to use the old, never actually standardized SMTPS protocol if you attempt to do secure SMTP on any port other than 25. When we deployed mandatory SSL/TLS here, we had to deploy an SMTPS server on port 465, just for OE users (our mail relay server is not an IronPort).
SMTPS was never standardized, never even made it past one Internet-Draft. It's allocation of port 465 was later revoked by IANA and reassigned to another protocol. Yet it was treated as gospel by many mail client authors. I refused to support it on our mail server until it became obvious that OE simply wouldn't work otherwise (getting correct STARTTLS operation by using port 25 is not always available because of ISPs doing port 25 blocking). I don't blame IronPort in the least for not supporting it, although it does make this situation harder to resolve.
I have learned to hate OE. -
Hi everyone,
A somewhat similar question has been asked before by others but none of the answers given has helped me.I am attempting a DPM 2012 installation, which is failing at the "deploying reports" stage.My analysis of logs seems to point me in the direction of an SSL
error, which does not make sense since the configuration files say SSL is disabled (or at least, should be).
Here are the symptoms:
1.I am able to browse http://FQDN/Reports_MSDPM2012 folder from internet explorer
2.I am also able to browse http://FQDN/ReportServer_MSDPM2012 from internet explorer
3.The information given in the logs and relevant config files is shown below:
<<RSREPORTSERVER.CONFIG>>
<ConnectionType>Default</ConnectionType>
<LogonUser></LogonUser>
<LogonDomain></LogonDomain>
<LogonCred></LogonCred>
<InstanceId>MSRS10_50.MSDPM2012</InstanceId>
<InstallationID>{d9b1c335-5842-4a81-9148-79184c38bf09}</InstallationID>
<Add Key="SecureConnectionLevel" Value="0"/>
<Add Key="CleanupCycleMinutes" Value="10"/>
<Add Key="MaxActiveReqForOneUser" Value="20"/>
<Add Key="DatabaseQueryTimeout" Value="120"/>
<Add Key="RunningRequestsScavengerCycle" Value="60"/>
<Add Key="RunningRequestsDbCycle" Value="60"/>
<Add Key="RunningRequestsAge" Value="30"/>
<Add Key="MaxScheduleWait" Value="5"/>
<Add Key="DisplayErrorLink" Value="true"/>
<Add Key="WebServiceUseFileShareStorage" Value="false"/>
<!-- <Add Key="ProcessTimeout" Value="150" /> -->
<!-- <Add Key="ProcessTimeoutGcExtension" Value="30" /> -->
<!-- <Add Key="WatsonFlags" Value="0x0430" /> full dump-->
<!-- <Add Key="WatsonFlags" Value="0x0428" /> minidump -->
<!-- <Add Key="WatsonFlags" Value="0x0002" /> no dump-->
<Add Key="WatsonFlags" Value="0x0428"/>
<Add Key="WatsonDumpOnExceptions"
4.The DPM log file still appears to be using SSL even though i used reporting services configuration to remove SSL bindings:
running.Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.BackEndErrorException: exception ---> Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.ReportDeploymentException:
exception ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.WebException: The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException:
The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest,
Exception exception)
5:I do have an SCCM site on the default web site used by SMS clients but on different ports
I am stumped.Somebody please give some advice
Thank youHi
This is an old post but did you come right?
Maybe you are looking for
-
Initiate process from Worklist
Hi! i'm working in a BPEL human workflow, with some escalation policies, i start de service from the BPEL console, but the process must be initiated by a user, there is a way to initiate/instance the process from the WorkList, the lower level employe
-
All, I am interested in configuring psotfix + any related stuff needed for allowing my home system (198.162.1.105) to send email (not concerned if it can receive) to my yahoo/gmail accounts. This is because I would like to set up APEX to send emails,
-
Iphone 4s on ios7 will not open or save ics email attachment
My iphone 4s on ios7 will not open or save ics email attachments so I can update my calendar. I have to open them on my PC and then iCloud will sync my updated calendar across all my devices with no problem. However, when I don't have access to my PC
-
How do I import photos to my iPad from a Nikon s10?
-
How to handle transaction SWEC
Hi All , I need to understand how and what transaction SWEC does.Please kindly help me. and Also , specifically I need to know what is FIELD RESTRICTION for. Please reply.