TLS/SSL in Dreamweaver 5.5?

A client switched their hosting which only supports FTP with TLS/SSL. Our CS5 version of Dreamweaver (and their version of Contribute) will not connect.
The latests update for 5.5 says:
FTPS, FTPeS support
Deploy files more securely with enhanced FTP support. Dreamweaver CS5.5 now adds native support for the FTPS and FTPeS protocols.
Has anyone had success with connecting to servers running TLS/SSL using the update?

The short answer is 'yes'.
Dreamweaver CSS 5.5 does support TLS/SSL.
However, it seems that, as of now, Contribute does not.

Similar Messages

Dreamweaver CS 5.5 not working with Godaddy FTP with TLS/SSL

I've upgraded to CS 5.5 and tried to connect to a client's Godaddy account with FTP with TLS/SSL it fails. Works perfectly with my mac app Transmit every time as it always has. It doesn't work with implicit or explicit settings with authentication set to none or otherwise.
Can someone please let me know if Dreamweaver will ever be compatible with FTP with TLS/SSL and Godaddy? Or is there some setting I can try that will make it work now somehow?
Been waiting years for this....

SnakEyez02 wrote:
First, that's a Godaddy problem if their security isn't up to par.
That may be the case that Godaddy is also at fault, but every other FTP app I use with Godaddy works fine. It's just Dreamweaver and has always been just Dreamweaver not working with a secure connection to Godaddy. Considering Godaddy is the largest webhost in the USA, you'd think Adobe would have fixed this years ago. I should also mention I'm not endorsing Godaddy and I understand there's plenty of people that don't like Godaddy for very good reasons.
Sent you PM with FTP account with Godaddy yesterday. Thank you for taking a look!
UPDATE: Whoops, I see you responded via private message already. I'll paste most of it here in hopes it helps others to understand the issue:
via SnakEyez02 PM:
Ok this took a lot of digging. I won't say it's not a DW issue 100% and I will report a bug for your problem, but DW is not the problem alone Godaddy needs to share the blame here for a bad certificate. Here is what is happening:
I'll start with DW:
- The settings are correct that were in the post. Port 21, FTP explicit, and the authentication should be set to None (encyprtion only). This is where the transmission is encrypted using SSL, but the certificate is shared and not specific to the domain owner. That is the difference between DW's "none" and "trusted". It's a poor choice of words I'll give them that. However, Godaddy seems to want all connections to be trusted thus the other error you get when you turn on the None option. Now could DW do what Transmit does, warn you and write in an unsigned certificate into the Keychain app, probably, is it best practice for security reasons to "Trust" an unsigned certificate probably not.
Now Transmit:
- As explained above Transmit opens up a prompt to override and create a fake-trusted signed certificate. Thus by forcing the OS to think a legitimate certificate is there it gets you through albeit through unconventional methods.
The problem:
- A good portion of this problem lies with Godaddy. Now I use a shared hosting account and set one up on an independant host for a friend of mine and both of them accept the shared certificates (SSL explicit). The difference is the hostname of the certificate. I ran a traceroute (from Network Utility in Utilities folder) on your website and came up with the following address: 173.201.23x.x.
The problem is that the certificate on your server is actually not for that server which is the reason DW seems to have such an issue with it. The SSL certificate that Godaddy put on your shared server is for host - 173.201.19x.5x. As you can see, it's a certificate for another server. Honestly the fact that Panic's Transmit allows this override scares me a little bit and the fact that Godaddy never noticed this issue either scares me to. So while DW could write in a bad certificate I can see why this is happening.
I know there is not much solice in my answer because it still doesn't alleviate the problem that you have with DW connecting. Unfortunately I do not have a workaround despite my numerous attempts to try and gain access over a secure connection. One alternative you could ask Godaddy for in the meantime is an SSH connection which would allow you to use SFTP instead of FTPS. But that's a short-term solution to a long-term problem.
If you think of anything else feel free to bounce any ideas off me I don't mind. Good luck in getting this solved and I will post a bug report to make Adobe aware of the issue.
Thank you for looking into this issue in depth like you have!
I think the issue might be that Godaddy is applying cost saving measures to keep their prices down in the way they implement their certificates (but it also wouldn't surprise me to know it's simply ineptitude on Godaddy's part either). I'm not sure I fault Panic with Transmit much at all because it clearly warns you about the certificate and it's your choice to continue. And, as it stands now, it's much safer to continue to connect that way with Transmit than to stop and connect with no encryption at all at a public hotspot.
As it stands now, you really shouldn't connect to Godaddy with Dreamweaver at a public hotspot unless you set up an SSH tunnel with your connection first. But enabling SSH is an added expense in many ways including paying for the service, using more computer resources for tunneling and time setting it up and implementation... all because Dreamweaver won't just allow developers the option like Transmit does.
Once again, thank you for looking at this and I hope someone at Adobe finally address this issue for the security of its customers who use Godaddy (which is often not their choice and was, instead, the choice of their clients to use Godaddy as a webhost).
Just a side note, I contacted Godaddy support about this several years ago and they were unresponsive and even hostile about it - So that's definitely another vote against Godaddy from me as well.
Message was edited by: greenbluewave

TLS/SSL in Contribute CS 5?

There seems to be a disconnect between the FTP protocols used by Dreamweaver and Contribute.
I just downloaded the DM CS5.5 to see if it would work with FTP over SSL/TLS and it does.
However when you try to connect using Contribute, all you get is an SFTP option.
Am I missing somehting?
Has anyone found a work around?

The short answer is 'yes'.
Dreamweaver CSS 5.5 does support TLS/SSL.
However, it seems that, as of now, Contribute does not.

Apache TLS/SSL failing [SOLVED]

Hello everybody,
I'm trying to set up TLS/SSL for apache following the wiki : https://wiki.archlinux.org/index.php/Ap … #TLS.2FSSL
After restarting apache the simple connexion (whithout TLS/SSL) is working but when I change "http" to "https" before my domain name it doesn't respond.
I dunno where to start to fix this. Does someone knows better ?
Last edited by Sulice (2015-04-02 16:50:12)

Wen you said when I change "http" to "https" before my domain name it doesn't respond (where you are mixing up a few different protocols) I expected you were going to need a lot of guidance (which is why I mentioned I thought you were in over your head). Good to see you figured it out yourself anyway!
If someone is in over their head, they are out of the depth in something they are involved in, and may end up in a mess.
Last edited by Spider.007 (2015-04-02 16:53:54)

How do I reconnect using SSL/TLS security in Dreamweaver using Windows 7?

I am using an old version of Dreamweaver on Windows 7. When I try to upload a file, I get a message saying that I need to reconnect using SSL/TLS security mechanisms. Is this a setting in Dreamweaver or Windows 7? Thanks for any help or suggestions.

It sounds like it is a requirement of the server, not Dreamweaver or Windows7
Dreamweaver, even older versions, can connect using both FTP and SFTP. But SSL/TLS are on the HTTP protocol, not FTP, so I don't understand why you would get such an error using DW file upload.

Need to check tls/ssl but getting stuck with "You must provide a value expression on the right-hand side of the '-' operator."

I would like to disable ssl 3 but need to test what sites only support ssl 3. I keep getting stuck with an error that is over my head. I've tried manipulating the string a dozen different ways and keep getting the same error. I am not familiar with -notin
or how to specify which part of the property its checking: thanks a ton
http://blog.whatsupduck.net/2014/10/checking-ssl-and-tls-versions-with-powershell.html
line with issues:
$ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | where-object{$_.Name -notin @("Default","None") | %{$_.Name}
You must provide a value expression on the right-hand side of the '-' operator.
At S:\scripts\test23.ps1:50 char:126
+ $ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | where-object{$_.Name - <<<< noti
n @("Default","None") | %{$_.Name}
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : ExpectedValueExpression
<#
.DESCRIPTION
Outputs the SSL protocols that the client is able to successfully use to connect to a server.
.NOTES
Copyright 2014 Chris Duck
http://blog.whatsupduck.net
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
.PARAMETER ComputerName
The name of the remote computer to connect to.
.PARAMETER Port
The remote port to connect to. The default is 443.
.EXAMPLE
Test-SslProtocols -ComputerName "www.google.com"
ComputerName : www.google.com
Port : 443
KeyLength : 2048
SignatureAlgorithm : rsa-sha1
Ssl2 : False
Ssl3 : True
Tls : True
Tls11 : True
Tls12 : True
#>
function Test-SslProtocols {
param(
[Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true,ValueFromPipeline=$true)]
$ComputerName,
[Parameter(ValueFromPipelineByPropertyName=$true)]
[int]$Port = 443
begin {
$ProtocolNames = [System.Security.Authentication.SslProtocols] | gm -static -MemberType Property | where-object{$_.Name -notin @("Default","None") | %{$_.Name}
process {
$ProtocolStatus = [Ordered]@{}
$ProtocolStatus.Add("ComputerName", $ComputerName)
$ProtocolStatus.Add("Port", $Port)
$ProtocolStatus.Add("KeyLength", $null)
$ProtocolStatus.Add("SignatureAlgorithm", $null)
$ProtocolNames | %{
$ProtocolName = $_
$Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$Socket.Connect($ComputerName, $Port)
try {
$NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
$SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
$SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false )
$RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
$ProtocolStatus["KeyLength"] = $RemoteCertificate.PublicKey.Key.KeySize
$ProtocolStatus["SignatureAlgorithm"] = $RemoteCertificate.PublicKey.Key.SignatureAlgorithm.Split("#")[1]
$ProtocolStatus.Add($ProtocolName, $true)
} catch {
$ProtocolStatus.Add($ProtocolName, $false)
} finally {
$SslStream.Close()
[PSCustomObject]$ProtocolStatus
Test-SslProtocols -ComputerName "www.google.com"

V2 version:
function Test-SslProtocols {
param(
[Parameter(
Mandatory=$true,
ValueFromPipelineByPropertyName=$true,
ValueFromPipeline=$true
)]$ComputerName,
[Parameter(
ValueFromPipelineByPropertyName=$true
)][int]$Port = 443
begin {
$protocols=[enum]::GetNames([System.Security.Authentication.SslProtocols])|?{$_ -notmatch 'none|default'}
process {
foreach($protocol in $protocols){
$ProtocolStatus = @{
ComputerName=$ComputerName
Port=$Port
KeyLength=$null
SignatureAlgorithm=$null
Protocol=$protocol
Active=$false
$Socket = New-Object System.Net.Sockets.Socket('Internetwork','Stream', 'Tcp')
$Socket.Connect($ComputerName, $Port)
try {
$NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
$SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
$SslStream.AuthenticateAsClient($ComputerName, $null, $protocol, $false )
$RemoteCertificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
$protocolstatus.Active=$true
$ProtocolStatus.KeyLength = $RemoteCertificate.PublicKey.Key.KeySize
$ProtocolStatus.SignatureAlgorithm = $RemoteCertificate.PublicKey.Key.SignatureAlgorithm.Split("#")[1]
catch {
Write-Host 'Failed'
finally {
New-Object PsObject -Property $ProtocolStatus
$SslStream.Close()
Test-SslProtocols -ComputerName www.google.com
¯\_(ツ)_/¯

How do i temporarily disable TLS/SSL port 443 going to server on CSS

We are having issues with truncating packets that go through the CSS
I did a capture after the CSS and there is truncation............however i cant read it before the since everything is encrypted.
They hit vip address 172.20.120.16. on the CSS and get redirected to 2 servers depening on what the url says
They server team would like to turn it off just to test..i tried removing
"add service ARR-public-ssl" from the contetn below and we lost http and https to the server
so in essence i want to try and turn the 443 connection to a port 80---than it goes to port 7777 backend to 172.20.212.6
content BYE-WEB-SSL
   vip address 172.20.120.16
   protocol tcp
   port 443
   advanced-balance ssl
   application ssl
   add service ARR-public-ssl
   active
ssl-server 40
ssl-server 40 rsacert byetest
ssl-server 40 vip address 172.20.120.16
ssl-server 40 cipher rsa-with-rc4-128-sha 172.20.120.17 80
ssl-server 40 cipher rsa-with-rc4-128-md5 172.20.120.17 80
ssl-server 40 urlrewrite 1 *
ssl-server 40 cipher rsa-with-3des-ede-cbc-sha 172.20.120.17 80
ssl-server 40 rsakey byekey
backend-server 50
backend-server 50 type initiation
backend-server 50 server-ip 69.xxx.xxx.xxx
backend-server 50 ip address 69.xxx.181.xxx
backend-server 50 rsacert byetest
backend-server 50 rsakey byekey
active
!************************** SERVICE **************************
service TIE-SSLINIT
protocol tcp
ip address 69.xxx.xxx.xxx
keepalive type tcp
keepalive port 443
slot 2
type ssl-init
add ssl-proxy-list HR-SSL
active
owner PublicBYE
content BYE-WEB-ARRR
    vip address 172.20.120.17
    protocol tcp
    port 80
    url "/arr*"
    advanced-balance arrowpoint-cookie
    balance aca
    arpt-lct http-100-reinsert
    add service BYE-ods-web1
    active
content BY-WEB-TIX
    protocol tcp
    port 80
    url "/tix*"
    advanced-balance arrowpoint-cookie
    balance aca
    arpt-lct http-100-reinsert
    add service BYE-ods-web2
    vip address 172.20.120.17
    active
content BYE-WEB-TIX-CLEARTEXT
    add service TIX-SSLINIT
    vip address 172.20.120.19
    protocol tcp
    port 80
    active
content BYE-WEB-Nav
vip address 172.20.120.17
protocol tcp
port 80
url "/na*"
balance aca
arpt-lct http-100-reinsert
add service BYE-ods-web1
active
content BYE-WEB-SSL
vip address 172.20.120.16
protocol tcp
port 443
advanced-balance ssl
application ssl
add service ARR-public-ssl
active
service BYE-ds-web1-ssl
ip address 172.20.212.5
port 443
keepalive type ssl
active
service BYE-ds-web2
ip address 172.20.212.6
port 7777
keepalive port 7777
keepalive type tcp
active
service BYE-ds-web2
ip address 172.20.212.6
port 7777
keepalive port 7777
keepalive type tcp
active
service BYEos-web2-ssl
ip address 172.20.212.6
port 443
keepalive type ssl
active

CSS11506# sh ver
Version:               sg0810205 (08.10.2.05)
Flash (Locked):        08.10.1.06
Flash (Operational):   08.10.2.05
Type:                  PRIMARY
Licensed Cmd Set(s):   Standard Feature Set
                       Secure Management
Yeah..if done a packet trace before it hits the CSS and after......the only issue is that everything is engrypted before it hits the LB so i cant really read anythign....i did a pacet trace after the LB and on the Server itself its seems we get this
I thought i saw some bug info from cisco but i cant tell if its related
CSCsx05640—When you configure the CSS for a Layer 5 (L5) content rule and it receives an HTTP method POST with the HTTP header in one packet that is quickly followed by many packets of POST data or payload, it could fail to deliver all the data to the back-end server. The CSS Flow Manager (FM) application could incorrectly handle the POST and the data packet as a spanned content request and could cause the data to be mishandled. Workaround: Use less than 1-Gb connections in the network; a 100-Mb link does not exhibit this issue.
As you can see after the content-length..........nothing comes across........sometimes addtional stuff will come in ...but usually nothing
Is there a bug related to this on the CSS?
POST /TIXX/DocumentRepository_Service HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/soap+xml;charset=UTF-8;action="urn:ihe:iti:2007:ProvideAndRegisterDocumentSet-b"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: www.xxxxxxxxxxxx.net
Content-Length: 9044

Ldap -tls/ssl

Could I setup Solaris 9 as ldap/tls client while ldap server is solaris8.
Thanks. Slawa

Could I setup Solaris 9 as ldap/tls client while ldap server is solaris8.
Thanks. Slawa

Solaris 10 - ldap client - tls/ssl - password change

we have configured solaris 10 as a ldap client to sun directory server 6.3.1, on enabling tls:simple, password change operation is just failing with following error message.
passwd -r user1
passwd: Changing password for user1
passwd: Sorry, wrong passwd
Permission denied
where user1 is just in ldap and not in unix local. this function works if the authentication mechanism is just simple, but on enabling tls:simple, we get the error message.
any ideas will be highly appreciated.

Not that it helps any but I am getting his same error. I am also using 6.3.1

Will Verizon Online ever offer SMTPS & POP3S (TLS/SSL) for message submission/retrieval?

Login in with credentials (login name and password) in clear text (POP3) or even base64 encoded (SMTP) is not secure.
Yup, that's right, every time your POP3 client checks for new mail you are sending your user name and password over the network and/or internet in clear plain readable text.
Sending email via your SMTP client is not much better. Probably base64 encoded which is quick and easy to decode to plain readable text.
Verizon, Please provide us with SMTPS and POP3S capability.
Comast, I hear/read have done this for years. Why not Verizon?
If you are the original poster (OP) and your issue is solved, please remember to click the "Solution?" button so that others can more easily find it. If anyone has been helpful to you, please show your appreciation by clicking the "Kudos" button.

tzomatz wrote:
srckurs.no have two email accounts. Both working fine, and I can send and recve mail between them, and the outside.
However, for the tholden.no domain, reciving of emails does not work. I can send them though.
What can be the problem?
virtual_mailbox_domains = srckurs.no
But tholden.no is not configured (except in hostname which is for local @aurora.tholden.no users).

ACS 5.3.40 is there patch available to support TLS 1.1 and 1.2 regarding SSL termination?

Hi,
We are trying to reduce our susceptibility to SSL BEAST information disclosure vulnerability regarding our ACS 5.3.40 system.
It's been suggested that we consider some defensive measures such as cipher suite selection.
Wherever possible, we should ensure that servers and clients that support TLS/SSL are configured to support TLS versions 1.1 and 1.2, not just SSLv3 and TLSv1.0 which is often the default configuration.
Can you advise how this is done within the ACS 5.3.40 application? Is it just a case of patching to another level?
(Default SSLv3 and TLSv1.0 defaults are not deemed strong enough).
Thanks.

same Question~
I believe we come from the same university~
Tsinghua, isn't it?

Dreamweaver, summer time, and synchronisation

One of the minor but irritating and recurrent problems with
Dreamweaver's synchronise function is that, after a change to/from
British Summer Time (Daylight Saving Time for those of you across
the Pond), any synchronise operation will inform you that the file
on the server has changed since the last synchronisation and ask
you what you want to do, even when the file is plainly the same.
You can tell that it's a BST problem because the timestamp differs
by exactly one hour. I'm guessing that the synch info is stored in
the _notes/dwsync.xml in each directory. So my Q is: how can I
reset all synch info for a site? Searching for "synch" in the fine
help file returns nothing useful.
This isn't something I want to spend any time on as it's
relatively trivial, but it is annoying and renders the synch
feature semi-useless until I manually synch all files in a site,
and can also lead to wrong up/downloads with the danger of
overwriting later versions. I'm using DW CS3 (aka v9) under Windows
eXtra Pathetic. TIA for any tips.
Cheers
Fred

I'm having the same problem and its about time Adobe sorted it. Still trying to work out if its a Mac client with windows server problem. Is there a way to notify Adobe without spending my life on the phone? Using CS5.5 and FTP over TLS/SSL Explicit connection

Using JSSE : "Invalid Netscape CertType extension for SSL client" Error

Hi all,
Im using the sample code given sun site for JSSE with Client Authentication. The sample as such it worked with the testkeys provided in that. But it didn't workout when I tried using other certificates.
Both client and server certificates I generated from our internal Netscape Certificate Manager.
Function of the server :
The server will read a private key from the given keystore and starts listening on a port. This server will server only GET request.
Function of the client :
The Client sends a GET request to the server and gets the response back.
I simply changed the key store name alone in the working sample code.
It is not working.
The Exception thrown on client side :
D:\users\Jp\java\jssesamples\sockets\client\class>java SSLSocketClientWithClientAuth1 localhost 1089 /urls
localhost
1089
/urls
java.net.SocketException: Software caused connection abort: socket write error
at java.net.SocketOutputStream.socketWrite0(Native Method)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
at com.sun.net.ssl.internal.ssl.OutputRecord.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at SSLSocketClientWithClientAuth1.main(SSLSocketClientWithClientAuth1.java:119)
Exception thrown on server side :
D:\users\Jp\java\jssesamples\sockets\server\class>java ClassFileServer 1089 . TLS true
USAGE: java ClassFileServer port docroot [TLS [true]]
If the third argument is TLS, it will start as
a TLS/SSL file server, otherwise, it will be
an ordinary file server.
If the fourth argument is true,it will require
client authentication as well.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
at java.io.InputStreamReader.read(InputStreamReader.java:167)
at java.io.BufferedReader.fill(BufferedReader.java:136)
at java.io.BufferedReader.readLine(BufferedReader.java:299)
at java.io.BufferedReader.readLine(BufferedReader.java:362)
at ClassServer.getPath(ClassServer.java:162)
at ClassServer.run(ClassServer.java:109)
at java.lang.Thread.run(Thread.java:536)
Caused by: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(DashoA6275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(DashoA6275)
... 17 more
error writing response: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExce
ption: Invalid Netscape CertType extension for SSL client
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: java.security.cert.Certificate
Exception: Invalid Netscape CertType extension for SSL client
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.e(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at java.io.DataOutputStream.writeBytes(DataOutputStream.java:256)
at ClassServer.run(ClassServer.java:128)
at java.lang.Thread.run(Thread.java:536)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Invalid Netscape CertType extension
for SSL client
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
at java.io.InputStreamReader.read(InputStreamReader.java:167)
at java.io.BufferedReader.fill(BufferedReader.java:136)
at java.io.BufferedReader.readLine(BufferedReader.java:299)
at java.io.BufferedReader.readLine(BufferedReader.java:362)
at ClassServer.getPath(ClassServer.java:162)
at ClassServer.run(ClassServer.java:109)
... 1 more
Caused by: java.security.cert.CertificateException: Invalid Netscape CertType extension for SSL client
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(DashoA6275)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkClientTrusted(DashoA6275)
... 17 more
The Client code :
* @(#)SSLSocketClientWithClientAuth.java 1.5 01/05/10
* Copyright 1995-2002 Sun Microsystems, Inc. All Rights Reserved.
* Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met:
* -Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* -Redistribution in binary form must reproduct the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
* Neither the name of Sun Microsystems, Inc. or the names of
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
* This software is provided "AS IS," without a warranty of any
* kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
* WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
* EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
* DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
* RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
* ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
* FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
* SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
* CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
* THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
* You acknowledge that Software is not designed, licensed or
* intended for use in the design, construction, operation or
* maintenance of any nuclear facility.
import java.net.*;
import java.io.*;
import javax.net.ssl.*;
import javax.security.cert.X509Certificate;
import java.security.KeyStore;
* This example shows how to set up a key manager to do client
* authentication if required by server.
* This program assumes that the client is not inside a firewall.
* The application can be modified to connect to a server outside
* the firewall by following SSLSocketClientWithTunneling.java.
public class SSLSocketClientWithClientAuth1 {
public static void main(String[] args) throws Exception {
 String host = null;
 int port = -1;
 String path = null;
 for (int i = 0; i < args.length; i++)
 System.out.println(args);
 if (args.length < 3) {
 System.out.println(
 "USAGE: java SSLSocketClientWithClientAuth " +
 "host port requestedfilepath");
 System.exit(-1);
 try {
 host = args[0];
 port = Integer.parseInt(args[1]);
 path = args[2];
 } catch (IllegalArgumentException e) {
 System.out.println("USAGE: java SSLSocketClientWithClientAuth " +
 "host port requestedfilepath");
 System.exit(-1);
 try {
 * Set up a key manager for client authentication
 * if asked by the server. Use the implementation's
 * default TrustStore and secureRandom routines.
 SSLSocketFactory factory = null;
 try {
 SSLContext ctx;
 KeyManagerFactory kmf;
 KeyStore ks;
 char[] passphrase = "passphrase".toCharArray();
 ctx = SSLContext.getInstance("TLS");
 kmf = KeyManagerFactory.getInstance("SunX509");
 ks = KeyStore.getInstance("JKS");
// ks.load(new FileInputStream("testkeys"), passphrase);
 ks.load(new FileInputStream("clientkey"), passphrase);
 kmf.init(ks, passphrase);
 ctx.init(kmf.getKeyManagers(), null, null);
 factory = ctx.getSocketFactory();
 } catch (Exception e) {
 throw new IOException(e.getMessage());
 SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
 * send http request
 * See SSLSocketClient.java for more information about why
 * there is a forced handshake here when using PrintWriters.
 socket.startHandshake();
 PrintWriter out = new PrintWriter(
 new BufferedWriter(
 new OutputStreamWriter(
 socket.getOutputStream())));
 out.println("GET " + path + " HTTP/1.1");
 /* Some internet sites throw bad request error for HTTP/1.1 req if hostname is not specified so the foll line */
 out.println("Host: " + host);
 out.println();
 out.flush();
 * Make sure there were no surprises
 if (out.checkError())
 System.out.println(
 "SSLSocketClient: java.io.PrintWriter error");
 /* read response */
 BufferedReader in = new BufferedReader(
 new InputStreamReader(
 socket.getInputStream()));
 String inputLine;
 while ((inputLine = in.readLine()) != null)
 System.out.println(inputLine);
 in.close();
 out.close();
 socket.close();
 } catch (Exception e) {
 e.printStackTrace();
The Server code :
* @(#)ClassFileServer.java 1.5 01/05/10
* Copyright 1995-2002 Sun Microsystems, Inc. All Rights Reserved.
* Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met:
* -Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* -Redistribution in binary form must reproduct the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
* Neither the name of Sun Microsystems, Inc. or the names of
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
* This software is provided "AS IS," without a warranty of any
* kind. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND
* WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE HEREBY
* EXCLUDED. SUN AND ITS LICENSORS SHALL NOT BE LIABLE FOR ANY
* DAMAGES OR LIABILITIES SUFFERED BY LICENSEE AS A RESULT OF OR
* RELATING TO USE, MODIFICATION OR DISTRIBUTION OF THE SOFTWARE OR
* ITS DERIVATIVES. IN NO EVENT WILL SUN OR ITS LICENSORS BE LIABLE
* FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, INDIRECT,
* SPECIAL, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES, HOWEVER
* CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, ARISING OUT OF
* THE USE OF OR INABILITY TO USE SOFTWARE, EVEN IF SUN HAS BEEN
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
* You acknowledge that Software is not designed, licensed or
* intended for use in the design, construction, operation or
* maintenance of any nuclear facility.
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import javax.net.*;
import javax.net.ssl.*;
import javax.security.cert.X509Certificate;
/* ClassFileServer.java -- a simple file server that can server
* Http get request in both clear and secure channel
* The ClassFileServer implements a ClassServer that
* reads files from the file system. See the
* doc for the "Main" method for how to run this
* server.
public class ClassFileServer extends ClassServer {
private String docroot;
private static int DefaultServerPort = 2001;
* Constructs a ClassFileServer.
* @param path the path where the server locates files
public ClassFileServer(ServerSocket ss, String docroot) throws IOException
 super(ss);
 this.docroot = docroot;
* Returns an array of bytes containing the bytes for
* the file represented by the argument path.
* @return the bytes for the file
* @exception FileNotFoundException if the file corresponding
* to path could not be loaded.
public byte[] getBytes(String path)
 throws IOException
 System.out.println("reading: " + path);
 File f = new File(docroot + File.separator + path);
 int length = (int)(f.length());
 if (length == 0) {
 throw new IOException("File length is zero: " + path);
 } else {
 FileInputStream fin = new FileInputStream(f);
 DataInputStream in = new DataInputStream(fin);
 byte[] bytecodes = new byte[length];
 in.readFully(bytecodes);
 return bytecodes;
* Main method to create the class server that reads
* files. This takes two command line arguments, the
* port on which the server accepts requests and the
* root of the path. To start up the server: 
* <code> java ClassFileServer <port> <path>
* </code> 
* <code> new ClassFileServer(port, docroot);
* </code>
public static void main(String args[])
 System.out.println(
 "USAGE: java ClassFileServer port docroot [TLS [true]]");
 System.out.println("");
 System.out.println(
 "If the third argument is TLS, it will start as\n" +
 "a TLS/SSL file server, otherwise, it will be\n" +
 "an ordinary file server. \n" +
 "If the fourth argument is true,it will require\n" +
 "client authentication as well.");
 int port = DefaultServerPort;
 String docroot = "";
 if (args.length >= 1) {
 port = Integer.parseInt(args[0]);
 if (args.length >= 2) {
 docroot = args[1];
 String type = "PlainSocket";
 if (args.length >= 3) {
 type = args[2];
 try {
 ServerSocketFactory ssf =
 ClassFileServer.getServerSocketFactory(type);
 ServerSocket ss = ssf.createServerSocket(port);
 if (args.length >= 4 && args[3].equals("true")) {
 ((SSLServerSocket)ss).setNeedClientAuth(true);
 new ClassFileServer(ss, docroot);
 } catch (IOException e) {
 System.out.println("Unable to start ClassServer: " +
 e.getMessage());
 e.printStackTrace();
private static ServerSocketFactory getServerSocketFactory(String type) {
 if (type.equals("TLS")) {
 SSLServerSocketFactory ssf = null;
 try {
 // set up key manager to do server authentication
 SSLContext ctx;
 KeyManagerFactory kmf;
 KeyStore ks;
 char[] passphrase = "passphrase".toCharArray();
 ctx = SSLContext.getInstance("TLS");
 kmf = KeyManagerFactory.getInstance("SunX509");
 ks = KeyStore.getInstance("JKS");
// ks.load(new FileInputStream("testkeys"), passphrase);
 ks.load(new FileInputStream("serverkey"), passphrase);
 kmf.init(ks, passphrase);
 ctx.init(kmf.getKeyManagers(), null, null);
 ssf = ctx.getServerSocketFactory();
 return ssf;
 } catch (Exception e) {
 e.printStackTrace();
 } else {
 return ServerSocketFactory.getDefault();
 return null;
Could anyone help ?
thanks in advance
Jayaprakash

The same thing.
I have found the place where the exception throws.
It is com.sun.net.ssl.internal.ssl.AVA class.
It has a constructor AVA(StringReader)
There is a check in this constructor of different certificate extensions
(if-else). If it sees no familiar extension it throws exception and handshake fails.
It is not difficult to fix this problem: just ignore unknown extension.
Everything works fine with this "improved" class (under VA 3.5).
But the problem is - the using of this class in applets.
How can I say the browser to use my "improved" class and not the one it downloaded with java plug-in?

Encountered an internal error in the SSL library

Hi,
We need to harden our environment according CIS standards. After applying those policies I am encountering following issue:
Unix/Linux agents managed by the interal Unix/Linux resource (Management Servers domain joined) pool turn grey with the
WS-Management Certificate Health in critical state. Some return healthy after a while... to fail again after a while.
When I resign the certificate through Discovery Wizard the agent turns healthy again... to return to a grey state again after a while.
Error in Health Explorer below:
ErrorMessage
WSManFault The server certificate on the destination computer (flexprod1.mydomain.net:1270) has the following errors:
Encountered an internal error in the SSL library.
While troubleshooting I found out that executing following results in an error
winrm e http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_Agent?__cimnamespace=root/scx -r:https://flexprod1.mydomain.net:1270
-u:scomuser -p:pswd -auth:basic -encoding:utf-8
WSManFault
Message = The server certificate on the destination computer (flexprod1.mydomain.net:1270) has the following errors:
Encountered an internal error in the SSL library.
Error number: -2147012721 0x80072F8F
A security error occurred
When I re-execute the command right afterwards... it succeeds! :-/ When I run the command 10 minutes afterwards, it fails again the
first time it is executed.
My guess the possibility it is related to above issue is likely.
I'm not having this issue on the gateway servers (not domain joined) where the policies are not applied.
P.s. Unfortunately I installed security and critical updates a few hours before applying the gpo so it could well be related to that
also.
Before I try to revert the changes made by the gpo... can anyone verify if a setting in the gpo can cause this issue?
Relevant part (I think) of the gpo below. Or does anyone know what this might be caused by or how to further troubleshoot this?
Thanks!
Microsoft network client: Digitally sign communications (always) Enabled
Microsoft Network Server
Policy Setting
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled
Network Access
Policy Setting
Network access: Do not allow anonymous enumeration of SAM accounts and shares Enabled
Network Security
Policy Setting
Network security: LAN Manager authentication level Send NTLMv2 response only. Refuse LM & NTLM
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Enabled
Require NTLMv2 session security Enabled
Require 128-bit encryption Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Enabled
Require NTLMv2 session security Enabled
Require 128-bit encryption Enabled
System Cryptography
Policy Setting
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Enabled
System Settings
Policy Setting
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Enabled
User Account Control
Policy Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for consent for non-Windows binaries
User Account Control: Switch to the secure desktop when prompting for elevation Enabled
Other
Policy Setting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Enabled
Registry Values
Policy Setting
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod "0"
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode 1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting 2
MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting 2

Hi Steve,
Thanks for your reply.
I've managed to pinpoint the issue to the following gpo setting:
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms
Description: For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this
setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication,
and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.
Disabled the setting in a new gpo and everything returned to normal.
Grts.

FTP/File Sender Adapter over SSL - 500 Illegal PORT command.

Hello Experts!
I'm trying to configure FTP Sender Adapter over SSL. This is the configuration I'm using:
Server: server01
Port: 21
Data Connection: Active
Timeout: 100
Connection Security: FTPS (FTP Using SSL/TLS) for Control and Data Connection
Command Order: AUTH TLS, USER, PASS, PBSZ, PROT
I have imported ftp server certificate into TrustedCAs key store. When the sender adapter tries to connect it receives the error 500 Illegal PORT command when getting files list.
This is an excerpt of the logs of connection steps:
#Plain##ftp server returns reply '220 Restricted Access. All Actions are monitored.'#
#Plain##Detected 'AUTH TLS' command: Preparing TLS/SSL connection upgrade#
#Plain##'AUTH TLS' successful: Upgrading control channel to TLS/SSL#
#Plain##ftp server returns reply '234 Proceed with negotiation.'#
#Plain##ftp server returns reply '331 Please specify the password.'#
#Plain##ftp server returns reply '230 Login successful.'#
#Plain##ftp server returns reply '200 PBSZ set to 0.'#
#Plain##ftp server returns reply '200 PROT now Private.'#
#Plain##ftp server returns reply '215 UNIX Type: L8'#
#Plain##ftp server returns reply '200 Switching to ASCII mode.'#
#Plain##ftp server returns reply '250 Directory successfully changed.'#
#Plain##ftp server returns reply '500 Illegal PORT command.'#
Does anybody know how to solve it?
Thank you in advance!
Roger Allué i Vall

Ok! This is the maximum i could obtain:
Fri Dec 11 15:28:12 2009 [pid 15206] FTP response: Client "10.58.42.108", "220 Restricted Access. All Actions are monitored."
Fri Dec 11 15:28:12 2009 [pid 15206] FTP command: Client "10.58.42.108", "AUTH TLS"
Fri Dec 11 15:28:12 2009 [pid 15206] FTP response: Client "10.58.42.108", "234 Proceed with negotiation."
Fri Dec 11 15:28:12 2009 [pid 15206] FTP command: Client "10.58.42.108", "USER iubsint"
Fri Dec 11 15:28:12 2009 [pid 15206] [iubsint] FTP response: Client "10.58.42.108", "331 Please specify the password."
Fri Dec 11 15:28:12 2009 [pid 15206] [iubsint] FTP command: Client "10.58.42.108", "PASS <password>"
Fri Dec 11 15:28:12 2009 [pid 15205] [iubsint] OK LOGIN: Client "10.58.42.108"
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "230 Login successful."
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PBSZ 0"
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "200 PBSZ set to 0."
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PROT P"
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "200 PROT now Private."
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "SYST"
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "215 UNIX Type: L8"
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "TYPE I"
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "200 Switching to Binary mode."
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "CWD /interfaces"
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "250 Directory successfully changed."
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PORT 10,58,45,108,159,112"
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP response: Client "10.58.42.108", "500 Illegal PORT command."
I think we found the problem though. FTP Administrator says this is wrong:
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PORT 10,58,45,108,159,112"
it should be
Fri Dec 11 15:28:12 2009 [pid 15207] [iubsint] FTP command: Client "10.58.42.108", "PORT 10,58,42,108,159,112"
Something is making SAP PI to take a wrong ip address (This server has two).
I'll let you know if we solve it!!
Thank you!!!

TLS/SSL in Dreamweaver 5.5?

Similar Messages

Maybe you are looking for