TLSv1

Dear All,
I would like to know if there exist any alternate cryptographic libraries or third-party products that might provide TLS v1.0 functionality, once SAPCRYPTOLIB supports solely SSL v3.0?
Many thanks and best regards,

Hi,
Firstly, are you really using an unpatched 10.1.2? That's very old. 10.1.2 dropped off premier support in Dec 2011!
The first thing you need to do is review:
How to Change SSL Protocols (to Disable SSL 3.0) in Oracle Fusion Middleware Products (Doc ID 1936300.1)
1. Upgrade to the last patchset (10.1.2.3)
2. Add the latest CPU (Oct 2011, see document for links)
regards,
Russell

Similar Messages

  • Windows Vista and Framework 4.5.1 compatibility with TLSv1.2

    Windows Vista OS by default does not come with TLSv1.1 and TLSv1.2. However the support is offered by installing .NET Framework 4.5.1.
    I have a C# Winforms application using .NET Framework 4.5.1. I use ServicePointManager to default the TLS level to TLSv1.2. This works fine on Windows 7 and above.
    Running my app gives the following error:
    Type : System.ComponentModel.Win32Exception, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
     Message : The client and server cannot communicate, because they do not possess a common algorithm
     Source : System
     Help link :
     NativeErrorCode : -2146893007
     ErrorCode : -2147467259
     Data : System.Collections.ListDictionaryInternal
     TargetSite : System.Net.SafeFreeCredentials AcquireCredentialsHandle(System.Net.SSPIInterface, System.String, System.Net.CredentialUse, System.Net.SecureCredential)
     HResult : -2147467259
     Stack Trace :    at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
        at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
        at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
        at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
        at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
        at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
        at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
        at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
        at System.Net.TlsStream.CallProcessAuthentication(Object state)
        at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
        at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
        at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
        at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
        at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
        at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
        at System.Net.ConnectStream.WriteHeaders(Boolean async)
    Is there a fixpack or something I need to install?
    I am using Windows Vista Business 32bit Service Pack 2.
    Thanks for the help

    Those two updates went away. The update history does not show them having succeeded in installing. They are just gone. But a new .Net update shows up in Windows Update: KB2858725. It also fails to install with error code 641.
    I tried running it manually (I'm trying to paste the whole file name here, but all that shows up is ENU.exe. Seriously!? What the fuck!?) and that fails. "Installation did not succeed. .Net framework 4.5.1 has not been installed because: the windows
    installer service could not be accessed." A dialog comes up that has a link to a log file, but clicking it does nothing.
    I tried following the suggestions in
    http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/need-to-reinstall-windows-installer-in-windows-7/4cb8e54c-5a4e-439d-9d46-1dcd387d2604
    I tried running sfc /scannow. It returned message:
    Beginning system scan.  This process will take some time.
    Beginning verification phase of system scan.
    Verification 18% complete.
    Windows Resource Protection could not perform the requested operation.
    The other changes didn't apply except unregistering and reregistering the Windows Installer. None of that made any difference.
    Today, an update to Windows Activation Technologies showed up: KB971033. I tried to install that and it says that it succeeded.
    KB2858725 still fails.
    Here's a link to the part of my WindowsUpdate.log file after I tried to run the update of KB2858725 once again from Windows Update:
    https://onedrive.live.com/redir?resid=6C4435A4094C794E!251&authkey=!AFGBKgKlV8eTFiE&ithint=file%2c.log

  • ACE20 and TLSv1.0 extensions problem

    Hi,
    I have a problem with an ACE20 running software version A2(2.3) [build 3.0(0)A2(2.3)].
    We have a simple load-balancing arrangement for two Apache webservers. All we do is pass HTTP and HTTPS traffic through to one of two servers. We don't do SSL termination or initiation on the ACE - just passthrough.
    We now have a requirement to support connections that only use TLSv1.0 with no fallback to SSLv3. If I use IE8 the connection works. If I use IE9 or FF19 then the connection fails. I've traced this to the use of TLS extensions in the ClientHello packet - which came after the TLSv1.0 RFC. IE8 doesn't send extensions whereas the other browsers do. I can replicate the problem with the OpenSSL s_client application. What surprises me is that the ACE checks the structure of the TLS negotiation even though I'm not asking it to make decisions about it. I can see why this would be done as a security feature if the ACE implemented a strict RFC2246-compliant server - the extensions having been added post-RFC.
    Is there any way to tell the ACE to forward SSL packets and not worry too much about the contents? I've checked all the Release notes and can't find any relevant caveats.
    Thank you
    Cathy

    Hi Ajay,
    Disabling normalization made no difference. I thought it might help, but I think it only looks at the gross structure of the packets and doesn't worry about RFC2246 compliance.
    The relevant parts of the configuration are shown below:
    rserver host web-web1
      ip address a.b.c.d
      inservice
    rserver host web-web2
      ip address a.b.c.e
      inservice
    serverfarm host FARM-web2
      rserver web-web1
        inservice
      rserver web-web2
        inservice
    sticky ip-netmask 255.255.255.255 address source FARM-web2-Sticky
      timeout 99
      replicate sticky
      serverfarm FARM-web2 backup FARM-sorry
    class-map match-any L4VIPCLASS
      2 match virtual-address x.y.z.t tcp eq www
      3 match virtual-address x.y.z.t tcp eq https
      6 match virtual-address x.y.z.t tcp eq 81
    policy-map type loadbalance first-match LB-POLICY
      class class-default
        sticky-serverfarm FARM-web2-Sticky
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        loadbalance vip inservice
        loadbalance policy LB-POLICY
        loadbalance vip icmp-reply active
        loadbalance vip advertise
    service-policy input L4POLICY
    As you see, the configuration is about as simple as it can be.
    Kind Regards
    Cathy
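
The difference described in this thread (a ClientHello with or without a trailing extension block) can be checked directly on the first record a client sends. The following is an added example, not part of the original posts: a bounds-checked Python parser for a single, unfragmented ClientHello record. The two sample records are constructed inline, and all function and variable names are hypothetical.

```python
import struct

# A few extension type numbers from the IANA TLS ExtensionType registry.
EXTENSION_NAMES = {0: "server_name", 10: "elliptic_curves",
                   11: "ec_point_formats", 65281: "renegotiation_info"}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


class ParseError(ValueError):
    """Raised when the bytes are not a well-formed ClientHello record."""


class Reader:
    """Bounds-checked cursor over a byte string."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ParseError("truncated: wanted %d bytes at offset %d" % (n, self.pos))
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vector(self, length_bytes):
        """Read a TLS vector: a length prefix followed by that many bytes."""
        return self.take(self.uint(length_bytes))

    def remaining(self):
        return len(self.data) - self.pos


def parse_client_hello(record):
    """Parse one TLS record holding a complete ClientHello (assumption: no fragmentation)."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ParseError("not a TLS handshake record")
    rec.uint(2)                               # record-layer version
    fragment = Reader(rec.vector(2))
    if fragment.uint(1) != 0x01:
        raise ParseError("handshake message is not a ClientHello")
    body = Reader(fragment.vector(3))
    version = body.uint(2)
    body.take(32)                             # client random
    body.vector(1)                            # session id
    suites = body.vector(2)
    if len(suites) % 2:
        raise ParseError("odd cipher-suite vector length")
    body.vector(1)                            # compression methods
    extensions = []
    if body.remaining():                      # anything left is the extension block
        block = Reader(body.vector(2))
        while block.remaining():
            ext_type = block.uint(2)
            ext_len = len(block.vector(2))
            extensions.append((EXTENSION_NAMES.get(ext_type, "type_%d" % ext_type), ext_len))
        if body.remaining():
            raise ParseError("bytes left over after the extension block")
    return {
        "client_version": VERSION_NAMES.get(version, hex(version)),
        "cipher_suites": [int.from_bytes(suites[i:i + 2], "big")
                          for i in range(0, len(suites), 2)],
        "extensions": extensions,
    }


def build_client_hello(version, suites, extensions=None):
    """Constructed test input: serialise a minimal ClientHello record."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                       # one compression method: null
    if extensions is not None:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed samples: AES256-SHA, AES128-SHA, RC4-MD5 offered over TLSv1.0.
SUITES = [0x0035, 0x002F, 0x0004]
PLAIN_HELLO = build_client_hello(0x0301, SUITES)              # no extension block
EXTENDED_HELLO = build_client_hello(                          # secp256r1 + uncompressed points
    0x0301, SUITES, [(10, b"\x00\x02\x00\x17"), (11, b"\x01\x00")])

if __name__ == "__main__":
    for label, rec in (("plain", PLAIN_HELLO), ("extended", EXTENDED_HELLO)):
        print(label, parse_client_hello(rec))
```

Running the same check on the first client record captured on each side of a pass-through device shows whether the extension block is what distinguishes the connections that fail.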

  • RECV TLSv1 ALERT: fatal, handshake_failure in Java 1.7

    I have two Java applications. Both were originally running Java 1.6. The applications communicate via an HTTPS call. The client is being converted to Java 1.7 while the server is being left at Java 1.6 for now.
    When the client is run using Java 1.7 it gets an exception, javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure. The client works fine using Java 1.6. The client running on Java 1.7 can communicate with other applications such as https://www.google.com/ without any problem.
    The debug log indicates that the client is accepting the server certificate without any problem. It is the server that is sending the handshake_failure response.
    The only significant difference I can see between the two logs is that using Java 1.6 client, the server selects the SSL_RSA_WITH_RC4_128_MD5 cipher suite while with the Java 1.7 client the server selects the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite.
    I can re-create the problem using a simple program and running it twice, once with Java 1.6 and once with Java 1.7.
    package testhttps;

    import java.io.IOException;
    import java.io.InputStream;
    import java.net.URL;
    import java.net.URLConnection;

    public class Main {
        private static final String JAVA_VERSION = "java.version";
        private static final String JAVAX_NET_DEBUG = "javax.net.debug";
        private static final String JAVAX_NET_SSL_TRUSTSTORE = "javax.net.ssl.trustStore";
        private static final String DEBUG_OPTS = "ssl,handshake";
        private static final String LOCAL_KS = "C:/Users/USER/Desktop/SERVERcert";
        private static final String LOCAL_URL = "https://SERVER/invoke/tools.employees.apps:APPNAME";
        private static final String GOOGLE_URL = "https://www.google.com/";

        public static void main(String[] args) throws IOException {
            System.out.println("Java Version: " + System.getProperty(JAVA_VERSION));
            printSep();
            // Turn on JSSE handshake tracing and use LOCAL_KS as the trust store.
            System.setProperty(JAVAX_NET_DEBUG, DEBUG_OPTS);
            System.setProperty(JAVAX_NET_SSL_TRUSTSTORE, LOCAL_KS);
            runTest(LOCAL_URL);
            printSep();
            runTest(GOOGLE_URL);
        }

        private static void printSep() {
            System.out.println("----------------------------------------");
            System.out.println();
        }

        // Fetch the URL and copy the response body to stdout; print any I/O failure.
        private static void runTest(String urlStr) {
            System.out.println("URL: " + urlStr);
            System.out.println();
            try {
                URL url = new URL(urlStr);
                URLConnection connection = url.openConnection();
                connection.connect();
                InputStream stream = connection.getInputStream();
                while (true) {
                    int n = stream.read();
                    if (n == -1)
                        break;
                    System.out.write(n);
                }
                stream.close();
                System.out.println();
            } catch (IOException e) {
                System.out.println();
                e.printStackTrace();
            }
        }
    }

    Debug log for Java 1.7 client. Gets handshake_failure.
    Java Version: 1.7.0_17
    URL: https://SERVER/invoke/tools.employees.apps:APPNAME
    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: C:\Users\USER\Desktop\SERVERcert
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
    Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
    Issuer: CN=Google Internet Authority, O=Google Inc, C=US
    Algorithm: RSA; Serial number: 0x14850d9e000000007d40
    Valid from Wed Feb 20 06:34:56 MST 2013 until Fri Jun 07 13:43:27 MDT 2013
    adding as trusted cert:
    Subject: [email protected], CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    Algorithm: RSA; Serial number: 0x4208795e000000000d7d
    Valid from Fri Mar 15 07:44:35 MDT 2013 until Sun Mar 15 07:44:35 MDT 2015
    trigger seeding of SecureRandom
    done seeding SecureRandom
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    main, setSoTimeout(0) called
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie: GMT: 1363720456 bytes = { 113, 24, 242, 51, 45, 18, 117, 236, 52, 147, 16, 22, 151, 59, 151, 33, 56, 187, 24, 145, 231, 25, 84, 44, 176, 112, 61, 79 }
    Session ID: {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods: { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    main, WRITE: TLSv1 Handshake, length = 163
    main, READ: TLSv1 Handshake, length = 3437
    *** ServerHello, TLSv1
    RandomCookie: GMT: 1363720456 bytes = { 115, 135, 78, 234, 92, 217, 33, 197, 14, 143, 108, 244, 200, 229, 61, 239, 136, 174, 40, 109, 70, 165, 24, 112, 160, 149, 80, 196 }
    Session ID: {186, 54, 109, 12, 100, 9, 3, 187, 38, 58, 152, 239, 137, 244, 79, 87}
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    %% Initialized: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
    ** TLS_RSA_WITH_AES_256_CBC_SHA
    *** Certificate chain
    chain [0] = [
    Version: V3
    Subject: [email protected], CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 2048 bits
    modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
    public exponent: 65537
    Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                   To: Sun Mar 15 07:44:35 MDT 2015]
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    SerialNumber: [    4208795e 00000000 0d7d]
    Certificate Extensions: 8
    [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......
    [2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
    0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
    0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
    0030: 01 09 ..
    [3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    accessMethod: caIssuers
    accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority
    accessMethod: caIssuers
    accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt
    [4]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
    0010: 2B 75 DB 71 +u.q
    [5]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
    [6]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    serverAuth
    [7]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    [8]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
    0010: 97 93 B2 9E ....
    Algorithm: [SHA1withRSA]
    Signature:
    chain [1] = [
    Version: V3
    Subject: CN=XXXX Issuing CA 1, DC=PARENT, DC=local
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 4096 bits
    modulus: 710747583573312574266490133477718883175487276449197913367026878246770193366457918874117476848478441807997531601094195095347346667689692353006504772944438996992450206899974172461254170122772439064429800711214524654866811730387219923130077806688460698464420214016926635867290603880408310617196928261244715828938301877231716326135074613866166266159259934139101921704779393181418255236792357734373593843718044094652636084163613474834609513843820562318123712380380149595812702759706362225520298197347612448307537891820678903130283982229075610354246846288916706947063755002331306861708051010714413368970384817146977404909469979632866552303188492277584433342593521141366135313838512466732534501590138191730280137881018224930733224059655122933806684532601188457885427610523069862515778641416852689946070635946964424320750853912644963820761441121054160612741706028476665999908623924083348202525432243752651038591517730169571766303195624990856696540820396758325375089424534352671820926638511083232512074733251774179961972469706146941508467638490252757323558523275340769098076309821000325759423874166279533532418396039620418656504638481199111216522253786699411470101677803106926554982288403832319169109858989451431608015520012872771792487551381
    public exponent: 65537
    Validity: [From: Thu Mar 13 14:05:43 MDT 2008,
                   To: Tue Mar 13 14:15:43 MDT 2018]
    Issuer: CN=XXXX Root CA, DC="PARENT.DC=local"
    SerialNumber: [    19e8d467 00000000 0008]
    Certificate Extensions: 7
    [1]: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0C 1E 0A 00 53 00 75 00 62 00 43 00 41 .....S.u.b.C.A
    [2]: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 05 02 03 01 00 01 .......
    [3]: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 16 04 14 D5 C8 60 1F D4 BC C8 F4 29 18 65 55 ......`.....).eU
    0010: 71 89 08 08 6E C4 1C B1 q...n...
    [4]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 37 65 99 AA A5 52 A4 DD F4 97 50 DA B5 6A 46 B1 7e...R....P..jF.
    0010: EC F3 21 30 ..!0
    [5]: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    [6]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
    [7]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 73 7B 89 88 B8 20 C4 74 0E E9 15 70 F2 AA B5 93 s.... .t...p....
    0010: 95 4B EF 10 .K..
    Unparseable certificate extensions: 2
    [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    Unparseable AuthorityInfoAccess extension due to
    java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\tyson_XXXX Root CA.crt
    [2]: ObjectId: 2.5.29.31 Criticality=false
    Unparseable CRLDistributionPoints extension due to
    java.io.IOException: invalid URI name:file://\\tyson\CertEnroll\XXXX Root CA.crl
    Algorithm: [SHA1withRSA]
    Signature:
    Found trusted certificate:
    Version: V3
    Subject: [email protected], CN=SERVER, OU=Web Team, O=COMPANY NAME, L=CITY, ST=STATE, C=US
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 2048 bits
    modulus: 31516488916856175993354388556520068293794356693242681182245201286667548063641640358313574888462489933475402864236800262460826430243488030753558168637830135426373840447558297285290406873898984898413863294812616756309132288938801104047345625475355654376426138494767988080314969827787605621823083455352331480850948116669339339048031040543939696472504286395458369701032317090387365961443301475102633799830067724032223647096133387365632477706202020365811242759581209534410179060268963901969481769329740356404722306624236516162225426247695795946763666223293969793336832548340134282004822442343909786198074157323202609655959
    public exponent: 65537
    Validity: [From: Fri Mar 15 07:44:35 MDT 2013,
                   To: Sun Mar 15 07:44:35 MDT 2015]
    Issuer: CN=COMPANY NAME Internal Issuing CA, DC=PARENT, DC=local
    SerialNumber: [    4208795e 00000000 0d7d]
    Certificate Extensions: 8
    [1]: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 0E 30 0C 30 0A 06 08 2B 06 01 05 05 07 03 01 ..0.0...+.......
    [2]: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 30 30 2E 06 26 2B 06 01 04 01 82 37 15 08 86 .00..&+.....7...
    0010: D5 D8 7B 86 FA 8D 54 86 85 9F 20 87 92 89 64 CB ......T... ...d.
    0020: D5 69 81 57 84 D5 FB 1A 84 99 9C 1D 02 01 64 02 .i.W..........d.
    0030: 01 09 ..
    [3]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    accessMethod: caIssuers
    accessLocation: URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?cACertificate?base?objectClass=certificationAuthority
    accessMethod: caIssuers
    accessLocation: URIName: http://grc/CertEnroll/CASERVER.PARENT.local_COMPANY%20NAME%20Internal%20Issuing%20CA.crt
    [4]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 26 0F F4 17 D4 4A 12 51 1A 7F FC 77 A9 FB 4D 9F &....J.Q...w..M.
    0010: 2B 75 DB 71 +u.q
    [5]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: ldap:///CN=COMPANY%20NAME%20Internal%20Issuing%20CA,CN=CASERVER,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=PARENT,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://grc/CertEnroll/COMPANY%20NAME%20Internal%20Issuing%20CA.crl]
    [6]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    serverAuth
    [7]: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    [8]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: B5 10 57 84 BB 7F A0 ED BA E5 0C D3 00 06 A3 67 ..W............g
    0010: 97 93 B2 9E ....
    Algorithm: [SHA1withRSA]
    Signature:
    *** ServerHelloDone
    *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
    main, WRITE: TLSv1 Handshake, length = 262
    SESSION KEYGEN:
    main, WRITE: TLSv1 Change Cipher Spec, length = 1
    *** Finished
    verify_data: { 114, 227, 19, 222, 162, 73, 80, 229, 15, 199, 23, 154 }
    main, WRITE: TLSv1 Handshake, length = 48
    main, READ: TLSv1 Alert, length = 2
    main, RECV TLSv1 ALERT: fatal, handshake_failure
    %% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
         at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
         at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1961)
         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
         at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
         at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
         at testhttps.Main.runTest(Main.java:39)
         at testhttps.Main.main(Main.java:23)

  • Configuring JRE 1.4.2 plugin for TLSv1 only server

    Hi,
    I have an Apache server configured that talks only TLSv1. I wasn't able to load an applet from IE on the JRE 1.4.2_05 plugin, so I did the following:
    1. Edited the file Documents and Settings\<<username>>\Application Data\Sun\Java\Deployment\deployment.properties and added an entry "deployment.security.TLSv1=true"
    The applet wasn't loading even then, so in the JRE control panel --> Advanced tab, in Java Runtime parameters, I added -Dhtps.protocols=TLSv1. It was failing again.
    When I tried the same on JRE 1.5, after step 1, I was able to load the applet, but on JRE 1.4.2 I am not able to load the applet for a TLS-only server.
    Please let me know if there is any workaround, or whether this is a JRE bug. The error which I got on the console is
    at java.net.SocketInputStream.read(Unknown Source)
    at com.sun.net.ssl.internal.ssl.InputRecord.a(Unknown Source)
    Thanks

    I am seeing similar behaviour with JRE 1.4.2 and it appears to be a bug as it does not take the value specified in https.protocols.
    You may want to try 1.5.0_05 as it has the enable TLS option in the Java Control Panel under Security.

  • Support for TLSv1.1

    Hello,
    Because "TLSv1.1" is listed as a SSLContext Algorithm (https://cis.med.ucalgary.ca/http/java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext)
    I have been trying to specify it in my code as shown below:
    SSLContext sc = SSLContext.getInstance("TLSv1.1");
    sc.init(kmFact.getKeyManagers(), tmFact.getTrustManagers(), null);
    But I get the following instead:
    java.security.NoSuchAlgorithmException: TLSv1.1 SSLContext not available
         at sun.security.jca.GetInstance.getInstance(Unknown Source)
         at javax.net.ssl.SSLContext.getInstance(Unknown Source)
    I am using JDK1.6.0_4. Does it support TLSv1.1? Or do I find another provider (if there is one)?
    Thanks

    I am sorry... in fact I was reading the wrong doc. Here is the one from the Java 6 spec:
    The JSSE API is capable of supporting SSL versions 2.0 and 3.0 and Transport Layer Security (TLS) 1.0. These security protocols encapsulate a normal bidirectional stream socket and the JSSE API adds transparent support for authentication, encryption, and integrity protection. The JSSE implementation shipped with Sun's JRE supports SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.
    Link
    Nevertheless, TLS 1.1 is not implemented by Java 1.6 either.
    Thanks, ejp, for the correction.
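
The NoSuchAlgorithmException in this thread means that no installed provider offers the requested SSLContext algorithm. The following is an added example, not code from the thread, that probes what the running JRE provides and fails closed below a chosen floor; the class name, method names and candidate list are illustrative.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/** Added example: probe which SSLContext algorithms this JRE provides. */
public class TlsContextProbe {

    // Standard SSLContext algorithm names, newest first.
    static final String[] CANDIDATES = {"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"};

    /** Returns the candidate names for which a provider is installed. */
    static List<String> availableContexts() {
        List<String> found = new ArrayList<String>();
        for (String name : CANDIDATES) {
            try {
                SSLContext.getInstance(name);
                found.add(name);
            } catch (NoSuchAlgorithmException e) {
                // Same failure as in the post: nothing implements this name.
            }
        }
        return found;
    }

    /** Returns the newest available context, never going below 'floor'. */
    static SSLContext newestAtLeast(String floor) throws Exception {
        for (String name : CANDIDATES) {
            try {
                SSLContext ctx = SSLContext.getInstance(name);
                ctx.init(null, null, null); // default key and trust managers
                return ctx;
            } catch (NoSuchAlgorithmException e) {
                // Not provided by this JRE; try the next older name.
            }
            if (name.equals(floor)) {
                break; // do not go below the caller's minimum
            }
        }
        throw new NoSuchAlgorithmException("no SSLContext at or above " + floor);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java " + System.getProperty("java.version"));
        System.out.println("Available SSLContext algorithms: " + availableContexts());
        SSLContext ctx = newestAtLeast("TLSv1");
        System.out.println("Selected context: " + ctx.getProtocol());
        System.out.println("Supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled by default:  "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }
}
```

Raising the floor passed to newestAtLeast makes the call throw instead of quietly selecting an older protocol version.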

  • SSL Server Supports CBC Ciphers for TLSv1

    I have SSL VPN configured on my ASA firewall. How can I disable CBC ciphers?

    According to the link
    http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html
    This has been fixed in TLSv1.2. You can change that if you use TLSv1.2
    Please check the following for more information:
    https://supportforums.cisco.com/discussion/12496926/tlsv11
    Also you need to use anyconnect 4.x to connect using the new ciphers.

  • ActiveX and IE using https and TLSv1

    I'm starting with the ActiveX - Internet Explorer example found in C:\Program Files\National Instruments\LabVIEW 2009\examples\comm\ axevent.llb.  In the Navigate2::URL parameter, I can type in the IP address of a device I'm trying to talk to and it will serve up some web pages.  In the WebBrowser in the front panel, I can see the pages, fill in form data and send it, and get stuff back (in the form of more html pages).  My problem is that I need to automate this interface, and in the final app, the server is going to send me XML, and not html.  So, what I want to do is to perform GET/POST commands, capture the data, parse/analyze the XML, repeat.  Also, this is all done in secure mode.  In the example above, I can type in https://xx.xx.xx.xx and after the login, I'm in.  I see the opening (secure) page in the webBrowser on the front panel.  What I need is
    (1) to understand how to send in more specific commands.  Right now, after I type in the initial https link, my labview code really isn't doing anything.  It's all in the front panel's webBrowser.  I need to be able to send in specific GET commands, like GET https://xx.xx.xx.xx/setupRfData.asp HTTP/1.1.  And specific POST commands like POST https://xx.xx.xx.xx/setupRfData.cgi HTTP/1.1.  What I'm not sure about is how to pass in those parameters to the ActiveX Navigate(2) command.  I see the API at
    http://msdn.microsoft.com/en-us/library/aa752093(VS.85).aspx
    but it's not really clear how to use it with LabVIEW.
    (2) In the POST commands, I have to send in data, which I assume goes in the POSTdata field, but the format is unclear.
    (3) And the Headers field also is where I'd like to specify certain things like "Connection::Keep-Alive"
    (4) Finally, this may not have been clear above, but I need to send this device http commands, and it can send me either html or XML based on an input parameter I provide when I send it commands.  If I say "html" then I would just control the device via the web pages it sends back to me.  When it sends back XML, however, instead of a webBrowser, I could probably just have the XML displayed in an edit box?  My concern, though, is that the WebBrowser is what is taking care of all the secure handshaking for me.  How do I keep the link established and still receive/analyze XML?

    BCho wrote:
    Hey mrbean,
    To address your first question; the web page continues to update even though the VI may not be running because
    when you did run the VI you loaded the script for that page. This script continues to loop even though the VI
    is not running. With an IE ActiveX container, it is a lot like you have a normal IE page open; it just happens
    to also be a part of your front panel. If you navigate to, say, www.ni.com, you will notice that even though
    the page is fully loaded and IE is not still attempting to load the page, it still 'updates'. You may also notice
    that links still work, even though the VI is not still running. So, one way to think about an IE ActiveX
    container is like a normal IE window that happens to also be in your VI.
    In regards to how to send specific GET and POST commands; unfortunately, I am not very familiar with the ins and
    outs of that particular ActiveX control. Judging by the msdn page that you pointed out, I would make the same
    assumptions about GET and POST transactions. If you don't wire anything to the POSTData input you do a GET
    transaction.
    What happens if you send the entire URL https://10.4.17.1/setupRfData.axp HTTP/1.1? If you were
    to do this same routine in a normal IE window, what URL would you use? What happens if you do include the HTTP/1.1? How about if you include it, do you get a different response? Here is a Thread that gives a little bit of relevant information.
    When I type in the entire URL above, I get a message saying "The Web page you are viewing is trying to close the window (yes/no)".  I've read several forums about this, but most make mention of java script updates and IE7.  I'm using IE6 and I'm not doing any scripting.  I did see another post that said that it's possible I need to specify the "Referer", so I'm going to try that shortly by adding it to the Headers input of the Navigate2.
    My underlying problem is that in the current app, the user (me right now) only sees the html pages that the server is serving up (via https/TLSv1).  With that interface, you can enter info into various fields and send them to the server, or click a different tab which behind the scenes performs a GET, but no one has to type any of that.  In our app, we're trying to replace the IE with a LabVIEW ActiveX IE and manually build/send these commands so that we can create automated sequences for a production test.  Therefore, I've used a sniffer (WireShark) and have determined what commands/fields are going across the ethernet to the server (and coming back).
    As I mentioned, I tried sending the fully qualified GET message ( URL https://10.4.17.1/setupRfData.axp HTTP/1.1) and saw the ...trying to close message.  Assuming I can get past this, my next issue is accessing the response information coming back from the server.  Right now it's html, but in the final product it's going to be XML.  (1) What is the LabVIEW Invoke Method that allows me access to the response information and (2) Is there a way to setup an Event that would notify me when a response came in.  (3) Can the same WebBrowser that currently displays html be used to display XML

  • SSLv3 error message on site with TLSv1. Version 34.0 security settings at default.

    Trying to utilize online billpay feature of T-Mobile site. Generates ssl_error_no_cypher_overlap. Talked to T-Mobile. They claim site has TLSv1 enabled. Config TLS settings are left at default (fallback limit 1, min 1, max 3).
    Firefox v34.0, OS Win7 64-bit
    Thanks in advance for any help you may offer.
    Susan

    Thank you very much for your response. Unfortunately I honestly didn't understand your statement:
    "This should be disabled in Firefox by default, unless there were changes made. This can be checked in the about:config or it may be easier to Reset Firefox to its defaults."
    I don't know what you meant by "this" should be disabled.....what "this" are you referring to? SSLv3 or TLSv1? Whatever, I stated both in the subject line and in the message text that Firefox v34.0 security settings are at default.
    Anyway, I solved my problem.....but not with Firefox. I'm still running IE on one of my other computers (IE has SSLv3 disabled) so I used that one to access the T-Mobile page that I needed.
    BTW, that was the ONLY site I had problems with using Firefox v34. So far It has been behaving quite well with other secure financial-transaction sites.... and with Christmastime approaching I'm having to use a LOT of those :-).
    Thank you again. This is really a nice site. And it speaks well for Firefox that in all the time I've used it, this was the first time I've needed help.
    Susan

  • Does JSSE implementation of TLSv1 falls back to SSLv3 or SSLv2 if server re

    Does the JSSE implementation of TLSv1 fall back to SSLv3 or SSLv2 if the server requests it?
    I am planning to use the TLSv3 protocol for our SSL client implementation. My worry is, if I use TLSv3, which is the latest and the new standard, does Sun's JSSE implementation fall back to SSLv3 or SSLv2 if the server doesn't accept TLS?
    Can anyone let me know and point me to the right link?
    This is highly required, as I am not sure what clients use as their web server.

    If you specify 'TLS' you will get TLS, if you specify 'SSL' you will get TLS or a fallback to SSLV3. You'll never get a fallback to SSLv2 because Sun doesn't support SSLv2 at all except for the initial Hello message.
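
Rather than relying on the SSLContext name to decide whether an SSLv3 fallback can happen, a client can set the enabled protocol list on the socket itself. This is an added example, not code from the thread; the class and method names are illustrative, and it only removes protocols from the runtime's default list, never adds any.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

/** Added example: leave only TLS protocol versions enabled on a client socket. */
public class TlsOnlySocket {

    /** Keeps the names that are TLS versions; drops SSLv3 and SSLv2Hello. */
    static String[] tlsOnly(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String protocol : enabled) {
            if (protocol.startsWith("TLSv")) {
                keep.add(protocol);
            }
        }
        if (keep.isEmpty()) {
            // Fail closed: never hand an empty or SSL-only list to the socket.
            throw new IllegalStateException("no TLS protocol version is enabled");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // An unconnected socket is enough to inspect and set protocol lists offline.
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        try {
            System.out.println("Supported:          "
                    + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("Enabled by default: "
                    + Arrays.toString(socket.getEnabledProtocols()));

            socket.setEnabledProtocols(tlsOnly(socket.getEnabledProtocols()));

            System.out.println("Enabled after pin:  "
                    + Arrays.toString(socket.getEnabledProtocols()));
            // A real client would now connect() and startHandshake().
        } finally {
            socket.close();
        }
    }
}
```

With the list pinned this way, a handshake with a peer that offers only SSLv3 fails instead of downgrading.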

  • TLSv1 through asa 5520

    Hi,
    There is a site that we are trying to connect to that appears to only accept TLSv1.  When we try to connect from broadband, it is fine, but behind the firewall it does not load.  It looks like TLS is not being permitted.  Based on a packet capture, it looks like the client is only trying SSL, which is then denied at the server because it's disabled.
    When I try from outside the firewall, it works fine.
    What on the ASA could prevent a web client from trying to negotiate TLS?

    Hi,
    I think there is a bit progress in that; when i removed the "Inspect SIP" the traffic is successfully passed through the VPN tunnel (# of bytes increased in the tunnel) where this was a problem before this change. But the call is still not successful & the below output is received (Different from the first output in my first post):
    6|Nov 24 2008|08:11:34|305011|10.43.11.86|5060|62.Y.98.30|31875|Built dynamic UDP translation from Voice:10.43.11.86/5060 to outside(Voice_nat_outbound):62.Y.98.30/31875
    6|Nov 24 2008|08:11:36|302015|63.x.0.102|5060|10.43.11.86|39421|Built outbound UDP connection 511462 for outside:63.x.0.102/5060 (63.x.0.102/5060) to Voice:10.43.11.86/39421 (62.Y.98.30/22931)
    6|Nov 24 2008|08:11:38|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511702 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
    6|Nov 24 2008|08:11:42|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511703 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
    6|Nov 24 2008|08:11:46|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511705 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
    6|Nov 24 2008|08:11:50|302016|63.x.0.102|5060|62.Y.98.30|5060|Teardown UDP connection 511709 for outside:63.x.0.102/5060 to outside:62.Y.98.30/5060 duration 0:00:00 bytes 0
    The difference is that I send only one (Built outbound UDP connection) and then multiple (Teardown) while before it was one (Build) then one (Teardown).
    I still don't get it!!...

  • JavaMail 1.4.3 Failed @ ClientHello Phase (TLSv1)

    I've implemented this code below based on JavaMail 1.4.3 and successfully sent mails using Gmail and some other SMTP servers that enable the SSL/TLS-secured SMTP protocol.
    But when I try to run this code to send mail via mail.sgcc.com.cn, problems occurred.
    Here's the debug info:
    init context
    trigger seeding of SecureRandom
    done seeding SecureRandom
    %% No cached client session
    ClientHello, TLSv1
    RandomCookie:  GMT: 1282519260 bytes = { 97, 225, 120, 34, 21, 188, 197, 46, 157, 206, 150, 148, 176, 144, 171, 78, 155, 15, 174, 186, 120, 169, 151, 238, 178, 6, 185, 187 }
    Session ID:  {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods: 
    main, WRITE: TLSv1 Handshake, length = 73
    main, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
    main, WRITE: TLSv1 Alert, length = 2
    main, called closeSocket()
    It seems that the connection failed at the ClientHello phase.
    I don't know what has caused this failure.
    Would you please give me some hints or suggestions?
    Thanks in advance!
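
The exception text in the post above asks whether the peer answered in plaintext, which can be checked from the first bytes the server sends back. This is an added example, not code from the post: the class and method names are illustrative, the sample byte arrays are constructed, and the two alert names decoded are the ones that appear in traces on this page.

```java
import java.nio.charset.StandardCharsets;

/** Added example: tell a TLS record from a plaintext reply by its first bytes. */
public class FirstBytesCheck {

    /** Names for a few TLS alert description codes. */
    static String alertName(int code) {
        switch (code) {
            case 10: return "unexpected_message";
            case 40: return "handshake_failure";
            case 70: return "protocol_version";
            default: return "alert " + code;
        }
    }

    /** Classifies the first bytes received from a server. */
    static String classify(byte[] b) {
        // TLS record header: type(1), major version(1) = 3, minor(1), length(2).
        if (b.length >= 5 && b[1] == 3 && b[2] >= 0 && b[2] <= 3) {
            int len = ((b[3] & 0xff) << 8) | (b[4] & 0xff);
            if (b[0] == 22) {
                return "TLS handshake record, " + len + " bytes";
            }
            if (b[0] == 21 && len == 2 && b.length >= 7) {
                String level = (b[5] == 2) ? "fatal" : "warning";
                return "TLS alert: " + level + ", " + alertName(b[6] & 0xff);
            }
        }
        // Otherwise look at the first text line of the reply.
        String text = new String(b, StandardCharsets.US_ASCII);
        int eol = text.indexOf('\r');
        String line = (eol >= 0) ? text.substring(0, eol) : text;
        if (line.matches("\\d{3}[ -].*")) {
            return "plaintext reply (SMTP-style): " + line;
        }
        if (line.startsWith("HTTP/")) {
            return "plaintext reply (HTTP): " + line;
        }
        return "unrecognized";
    }

    public static void main(String[] args) {
        // Constructed samples, not captured from any server named on this page.
        byte[] greeting = "220 mail.example.test ESMTP ready\r\n"
                .getBytes(StandardCharsets.US_ASCII);
        byte[] serverHello = {22, 3, 1, 0, 74, 2, 0, 0, 70};
        byte[] fatalAlert = {21, 3, 1, 0, 2, 2, 40};

        System.out.println(classify(greeting));
        System.out.println(classify(serverHello));
        System.out.println(classify(fatalAlert));
    }
}
```

A plaintext greeting on a port the client treats as implicit TLS suggests the server expects the session to start unencrypted and upgrade with STARTTLS.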

    It seems that not too many people have noticed the missing results so far
    Maybe this time it turns out to be an advantage that the SDN forum search is  - hmmm - not the best search in the world...
    I used your post here to bump the issue, pointing to the growing public unrest...
    In the discussion of Otto Gold's Blog "SCN infrastructure 2.0", Harald Boeing asked the question "But what value does SAP see in SCN?"  For me,  a quick fix of this issue would be a good sign for a high significance. (Or the other way round: I really wonder why you have to bump it at all.)
    Rolf

  • Starttls: TLSv1 - no authentication

    Hi all,
    I've seen these errors in my mail log as long as I can remember:
    imaps[xxxx]: starttls: TLSv1 with cipher AES128-SHA (128/128 bits reused) no authentication
    And right after, mail goes through fine:
    imaps[xxxx]: login: host [IP] useraccount plaintext+TLS User logged in
    I have SSL setup on the machine, the certificate works well via https in browser, and using port 993 gets mail fine in mail, yet that error all the time. I've tried using tlscipherlist in imapd.conf to no avail.
    Any ideas?

    This may help you understand AP groups a bit better... I
    posted a nugget video on my site some time ago..
    http://www.my80211.com/cisco-wlc-labs/2009/3/22/cisco-ap-group-nugget.html

  • Cannot enable TLSv1 only for 1.4.2 and beyond

    Hi,
    I have a webserver that talks TLSv1 only. When the JVM tries to download the jar files for an applet, the JVM only talks SSLv2. I tried to change the "deployment.properties" file to add "https.protocols=TLSv1", and also tried to add "-Dhttps.protocols=TLSv1" for launch parameters. But so far it only worked on one XP machine.
    I have JVM 1.4.2 and 1.5.0 on these machines.
    Also on Mac and Linux I tried similar things and none worked.
    This is a serious issue because some people may want to use TLSv1 only for their https server to enforce more security.
    Does anyone have any suggestions? Thanks.
    Fred

    Check out the following thread for details on this issue.
    http://forum.java.sun.com/thread.jspa?forumID=60&threadID=612313

  • Java 1.3 with JSSE 1.0.3 and TLSv1

    We have a customer who wants to restrict SSL connections to only use TLSv1. Unfortunately, our lower end platform still runs a Java 1.3 equivalent with JSSE 1.0.3_04, which doesn't have setEnabledProtocols(...) on the SSLSocket and SSLServerSocket classes. Is there another way to enforce this type of restriction?
    Regards,
    Bill

    Unfortunately our code is both client and server. The hardware limits us currently to supporting a 1.3 vm. Our new products support newer vms but we still have to support our legacy hardware. It's typical that embedded platforms trail the mainstream.
