Understanding SSL Encrypted Connections

Good morning,
I'm currently struggling a bit understanding what's happening when testing out encrypting connections using SSL.
Can anybody tell me why/what's happening.
Using wireshark, you can “sniff” the network traffic. So, I created a SQL Server and a client server, setup everything as the default (using port 1502 on the SQL Server).
I then tried to connect to my database server using the “sa” password. I performed a couple of queries and it was possible to find unencrypted packets containing important information, including the actual resultset from the queries.
So, in order to test, I created a self-signed SSL certificate and applied it to the SQL Server Service, enabled "Enforce Encryption" and restarted the SQL Server Services.
I then closed and opened SSMS on my client computer and connected back to my database server. I did NOT tick "Encrypt Connection" under the connection options.
When I performed the same tests I did initially, I was unable to retrieve the query or resultset from the WireShark trace.
So, here's where I'm a bit confused. If we can, lets ignore the fact that the SSL is a self created one for now...
1) Is my connection ACTUALLY encrypted securely? I have not imported my certificate into the client's certificate store, so why does my connection trust this certificate as there's no trust chain that I can see?
2) I did not click "Encrypt Connection" so how come my connection was encrypted and didn't just error out saying "Sorry, force encryption is enabled, and this connection is not encrypted"? It appears to have accepted that all connections
NEED to be encrypted and automatically forced the encryption on the connection.
Is what I've described how it is meant to behave? I was expecting the certificate to be required by both server and client and also I was expecting to have to change my connection string to say "ENCRYPT=YES" or something and not
simply automatically encrypt.
Any advise or thoughts would be appreciated. I actually documented "what I did" as I went along, but didn't want to spam the blog with a host of images, but if more information is required, I can provide this.
Regards,

Hi AndyB1978,
When the Force Encryption option for the Database Engine is set to YES, all communications between client and server is encrypted no matter whether the “Encrypt connection” option (such as from SSMS) is checked or not. You
can check that whether connections are encrypted between server and clients using the following DMV statement.
USE master
GO
SELECT encrypt_option FROM sys.dm_exec_connections
GO
For more information about SSL encryption in SQL Server, please review the following article.
Encrypting Connections to SQL Server
For more details about client side setting and connection property options, please review the following blog.
Selectively using secure connection to SQL Server
Thanks,
Lydia Zhang
Lydia Zhang
TechNet Community Support

Similar Messages

Sending Mail from iPhone over SSL-encrypted connection

Hi,
when I synced my mail accounts to the iphone I had to accept the invalid certificate (it is self signed) once and that made imap work.
When I tried to send a mail over an encrypted connection to the smtp server, using the same certificate, it never asked me anything but refuses to send out the mail. It just stays in the outbox.
On server side I see in the logs:
lost connection after STARTTLS from <My Iphones Ip>
Is it possible to send mail using self signed certs with the iPhone these days. Or do I have to wait (or get an signed cert). Is there something like keychain management on the phone?
Thank you in advance.
Christian

Hi!
I am suffering from the same problem. Did you found a solution already?

ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

Hi there, please forgive if I have missed any forum protocols as this is my first post.
I am trying to configure Anyconnect SSL VPN. I am able to connect to the VPN on a laptop, witch is able to download the anyconnect client from the ASA. I am unable to ping any of my IP's that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on anyconnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.
Inside              192.168.1.254/24
Outside           dhcp
VPN Pool        192.168.250.1-50/24
Inside LAN     192.168.1.0/24
: Saved
ASA Version 8.4(4)1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
nameif inside
security-level 99
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 99
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name dock.local
same-security-traffic permit inter-interface
object network inside-network-object
subnet 192.168.1.0 255.255.255.0
object network management-network-object
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
subnet 192.168.250.0 255.255.255.128
object-group network AllInside-networks
network-object object inside-network-object
network-object object management-network-object
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4433
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_anyconnect internal
group-policy GroupPolicy_anyconnect attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value dock.local
username test password JAasdf434ey521ZCT encrypted privilege 15
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
address-pool vpn_pool
default-group-policy GroupPolicy_anyconnect
tunnel-group anyconnect webvpn-attributes
group-alias anyconnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:24bcba3c4124ab371297d52260135924
: end :

: Saved
ASA Version 8.4(4)1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
nameif inside
security-level 99
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 99
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name dock.local
same-security-traffic permit inter-interface
object network inside-network-object
subnet 192.168.1.0 255.255.255.0
object network management-network-object
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
subnet 192.168.250.0 255.255.255.0
object-group network AllInside-networks
network-object object inside-network-object
network-object object management-network-object
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.2 255.255.255.255 management
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_Anyconnect_VPN internal
group-policy GroupPolicy_Anyconnect_VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value dock.local
username sander password f/J.5nLef/EqyPfy encrypted
username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
tunnel-group Anyconnect_VPN type remote-access
tunnel-group Anyconnect_VPN general-attributes
address-pool Anyconnect-pool
default-group-policy GroupPolicy_Anyconnect_VPN
tunnel-group Anyconnect_VPN webvpn-attributes
group-alias Anyconnect_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
: end:

Require Only SSL/TLS Connections

I would like to require that only SSL/TLS connections be allowed to my server. This is not to be confused with wanting SSL client authentication. I had initially thought I could do this with ACI using the authmethod="ssl", however after looking at the documentation closely and experimentation this refers to do client based SSL authentication as well. I do have SSL/TLS set up correctly, I just want to disallow non-encrypted traffic.
In OpenLDAP I would merely state "security ssf=128" to require SSL/TLS only connections.
Anyone know how to do this in Sun's Directory Server?

The reason I don't use a firewall (presumedly to block port 389) or set the non-secure port to 0 is that this would disallow TLS on port 389. Hence all I could do is SSL and only 636. I would like to be able to allow only TLS on 389 and not allow non-TLS traffic.

Does the 'Hotmail' option in IOS mail use SSL to connect to the hotmail servers?

Just wondering, when selecting the 'Hotmail' option when setting up email on IOS mail, whether this automatically uses SSL to connect to the hotmail servers - it doesn't show any server settings when you view the account.

Hi Drewscussions,
Thanks for the reply - I'm just wondering about the security measures in place behind those predefined settings I.e. does it use an encrypted SSL link. I would like to ensure, as I often access emails off public wifi, that I have it set correctly to use an encrypted connection to my hotmail account.
My emails have been working fine - it's more of a question about what security measures are in place in that preset mail option.
Cheers

SSL VPN Connection error with SA520

Hi there,
I have an SA520 setup and all my users can login to the SSL VPN tunnel except one user. The laptop is running windows 7 64bit and had IE9 installed. When I try to connect her to use an SSL VPN Tunnel, I get the following error: Cisco-SSLVPN-Tunnel Install Failed: Error in getting proxy settings!.
I have made sure the firewall was turned off. Any idea on how to get the ssl tunel connected?
Thanks

Hihi,
we have the same problem, running on Vista 32 bit, and IE9.
On the same machine, using virtual PC and emulating an XP environment it works, what a paradox!
It works also on Win 7 64 bit, although only with the 64 bit version of IE.
Coming back to our Vista issue, we did not find any way to make it work properly.
Tried to turn off firewall, disinstall a lot of stuff that may interphere, etc. , still same problem.
We are a bit annoyed there seems to be no documentation about this error nor troubleshooting help.
Anyone has any suggestion ??
Tks

Since the most recent Firefox update 3.6.8 by banking institution no longer shows as having a secure encrypted connection, however, my bank assures me all is well with their certificates and that is a problem with the new Firefox browser update, can you g

Since the most recent Firefox update 3.6.8 my banking institution no longer shows as having a secure encrypted connection, however, my bank assures me all is well with their certificates and that is a problem with the new Firefox browser update, can you give me some idea why it is doing this?
== This happened ==
Every time Firefox opened
== Right after the new Firefox update

Hello Anne.
Can you please try it in a new (temporary) Firefox profile and see if the issue is still present? See [http://support.mozilla.com/en-US/kb/Managing+profiles this article] to know how to create a new Firefox profile. Please report back the results.

An encrypted connection to your mail server is not available.

I've seen various people that have experienced the issue of having the following message appear when setting up an email account in Outlook 2013 "An encrypted connection to your mail server is not available" however none of the solutions i've came
across have helped me so far.
The Windows 7 laptop I was installing office 2013 on previously ran office 2007 and the email worked fine on it (it's a Microsoft 365 email account). I had a spare license for office 2013 so I uninstalled office 2007 and installed office 2013. But when I
tried to set up the email got the message "An encrypted connection to your mail server is not available".
I tried the same email address in outlook web app and it works fine. I've tried setting it up on a Windows 8 pc and also another Windows 7 laptop both with Outlook 2013 and it works fine, so I knew it wasn't the email settings server side etc. that was causing
the problem, so I therefore thought it was a computer issue. I also tried manually setting the email up instead of using auto-discover but that didn't work either.
I have uninstalled and re-installed office again to see if that worked but experienced the same issue.
Yesterday on a whim I tried another email on the affected laptop (it's a colleagues and also same domain email and also a Microsoft 365 account) and it worked ok. I'm now thinking that there must be some file somewhere or something in the registry blocking
the email being set up again as it was previously used on the laptop.
Anyone with any suggestion I've been stuck on this for a couple of weeks now and it's really bugging me?
(I originally posted this in the office forum but they referred me here).

Hi Dave-Houston,
According to your description, I notice that you cannot properly configure Outlook with your primary office 365 account after reinstall Outlook client.
If I have misunderstand your concern, please don’t hesitate to let me know.
If possible, please try to configure your e-mail account on another computer. If it works fine, it indicate that the issue is relate to your computer, for example residual registry information about primary account, incorrect username and password.
Please try to open Control Panel--> User Accounts---> Credential Manager, double check whether store some incorrect credential. If so, we can delete it and try again.
Additional, please try to re-create a user account for testing. More details about
Create a user account, please refer to:
http://windows.microsoft.com/en-us/windows/create-user-account#create-user-account=windows-7
If problem persists, please pay attention to the link below, for your reference:
https://support.microsoft.com/kb/2404385?wa=wsignin1.0
Best Regards,
Allen Wang

How to restore the appearance of this message? "Requested an encrypted connection to a page [...] Probability of read data [...] [Optional] Always warn me before [...]" Is disabled by default and now I have it shut off permanently.

Hello!
I have a problem, because when the message appeared:
(original)
"Zabezpieczenia
Zażądano połączenia szyfrowanego ze stroną, która zawiera elementy niezaszyfrowane.
Prawdopodobieństwo odczytania przesyłanych danych przez osoby trzecie jest duże.
[Opcja] Zawsze ostrzegaj przed nawiazaniem połączenia szyfrowanego ze stroną zawierającą elementy niezaszyfrowane."
(in translation)
"Security
Requested an encrypted connection to a page that contains the elements unencrypted.
Probability of read data transmitted by third parties is large.
[Optional] Always warn me before you make an encrypted connection to the page containing the unencrypted parts."
option "Always warn ..." is disabled by default and by chance it shut off permanently.
How to restore the appearance of this message?
Sincerely,
Jadwiga Zabagło

Hello!
I have a problem, because when the message appeared:
(original)
"Zabezpieczenia
Zażądano połączenia szyfrowanego ze stroną, która zawiera elementy niezaszyfrowane.
Prawdopodobieństwo odczytania przesyłanych danych przez osoby trzecie jest duże.
[Opcja] Zawsze ostrzegaj przed nawiazaniem połączenia szyfrowanego ze stroną zawierającą elementy niezaszyfrowane."
(in translation)
"Security
Requested an encrypted connection to a page that contains the elements unencrypted.
Probability of read data transmitted by third parties is large.
[Optional] Always warn me before you make an encrypted connection to the page containing the unencrypted parts."
option "Always warn ..." is disabled by default and by chance it shut off permanently.
How to restore the appearance of this message?
Sincerely,
Jadwiga Zabagło

On my iPad 2, how can I verify a secure (SSL, TLS) connection?

After performing a search with the Google Search app and clicking on one of the "result" hyperlinks, I've just made an online purchase from my iPad 2. Soon as I committed to the transaction, I began to look around for some indication that the Google Search browser had actually established an encrypted connection. I became very nervous when I was unable to find something like the "padlock" icon, or even the "https" scheme in the first part of the URL — I guess Google thought such feedback to us users is superfluous or unnecessary information, but that supposition could really get me into trouble if it's not, in fact, true. So, then, how is one to know whether it's safe to conduct sensitive business that includes the sharing of personally identifying information, credit card numbers, etc., with an iPad 2?
NOTE: To be clear, this question assumes that I am working from my own, secure network, not from a public hotspot such as a coffee shop, library, hotel, etc.]

Hi, JimHdk!
In the case of doing a Google search from within the Safari app you're correct that the entire URL will display (including the https) and the padlock will display to the left of the page name. However, when doing a Google search using the Google Search app, my iPad's default browser (Safari) is not opened. Instead, the Google Search app runs its own browser that neither displays a padlock icon when it's on a secure connection nor does it display the entire URL — i.e. it "hides" the first scheme (http://) of every URL, displaying only the latter part "www.enterprise.com."
Bill

SSL encryption for Apex 4.1

Hi Guys,
I am trying to set up SSL encryption for my local install.
I am running APEX 4.1 in Windows 7 (32 bit) , Oracle XE 11G with embedded plsql gateway setup.
The APEX documentation I looked at that deals with SSL:
http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21678/adm_mg_service_set.htm#AEADM297
instructs to turn HTTPS on in APEX_ADMIN (Internal schema) under security.
It didn't work as APEX was visible still under http://localhost:8080/apex and using HTTPS gave page not found error. On top of that It locked out my Admin account for INTERNAL workspace. So I had to switch it back via SQL query in SQL plus.
From limited experience in doing something similar in Tomcat, I believe one needs certificates etc before proceeding with this.
Anyone who has done this before, can you please point to a any documenation/blog post, tutorial etc that shows how its done? Many thanks.

Hi,
http://docs.oracle.com/cd/E17781_01/install.112/e18802/toc.htm#BABGCDJJ
>
HTTPS is not supported natively with the HTTP listener built into Oracle Database XE. If you want HTTPS support, use an alternative Web listener, such as Apache, that does provide HTTPS support, and provide proxies for the URLs provided by Oracle Database XE.
>
Regards,
Jari
http://dbswh.webhop.net/dbswh/f?p=BLOG:HOME:0
Edited by: jarola on Jan 25, 2012 9:42 AM
That APEX instance admin parameter you have change do not enable HTTPS. It require that you use HTTPS on your web listener.
Here is how reverse HTTPS Requirement for APEX instance admin
http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21678/adm_mg_service_set.htm#autoId17

SSL authentication Connectivity using Oracle JDK1.3

Please let me know whether Oracle JDK1.3 will support the SSL authentication Connectivity.
If not what is the workaround to make the SSL authentication connectivity work
in oracle JDK 1.3
since this urgent,Please let us know this information at the earliest

Hi,
Oracle furnish an embedded Java VM with the database but does not furnish JDKs; there is no such a thing as Oracle JDK 1.3.
You are probably referring to JDBC but which release?
SSL Authentication is supported in JDBC-Thin 11g and JDBC-OCI pre-11g.
Kuassi http://db360.blogspot.com

Sql Server 2012 Encrypted Connection Accept only Internal IP

Hi Friends,
As we are using sqlserver 2012 is it possible we can configure Sql Server to Accept connection only internal ip (local) network as wel encrypted connections only , if possible please let me know how we can A chive this .
thank you.
Regards,
asad

Hello,
SQL Server TCP/IP protocol is a common protocol widely used over the Internet. It communicates across interconnected networks of computers that have diverse hardware architectures and various operating systems. Named Pipes is a protocol developed for
local area networks. In this case, you can configure SQL Server only use Named Pipes protocol via SQL Server Configuration Manager.
Choosing a Network Protocol:
http://technet.microsoft.com/en-us/library/ms187892(v=sql.105).aspx
Regards,
Elvis Long
TechNet Community Support

SSL encrypted webmail won't run

I am having a problem getting a SSL encrypted GroupWise WebAccess to load the Login page in Safari on Vista (it works in Safari on XP). GW WebAccess works just fine in Firefox if I turn off TLS, and works in IE 7 if I turn ON SSL 2.0. In Safari there is no granular control over Web encryption. Does anyone have any idea how to get it to work? I really am trying to make Safari my primary browser, but GW WebAccess is very important for me to use it... It times out and I get, "Safari could not open the page “https://groupwise.bronsonhg.org/gw/webacc” because the server is not responding." What's interesting, is that I actually use http://groupwise.bronsonhg.org but it does resolve to the above SSL address - its then that it sits there and times out. Also, I tried it on Safari on a MacBook, and it works fine. Vista is the only OS this website doesn't work on Safari. Any idea's?

Sounds like Safari is an unsupported browser for this web application.
Try this: click Develop -> User Agent -> Internet Explorer 7.0

HT4865 Does iCloud email use 1024 bit or 2048 SSL encryption?

In Security Now! Podcast #441, http://twit.tv/show/security-now/411 they discuss the need for SSL encryption to move to 2048 bit to be more secure. What level of encryption is iCloud email using?

Sorry I didn't make my question specific enough. I'm referring to the encryption used in the browser while using the mail app on iCloud. I believe gmail currently uses 1024 SSL but will be changing to 2048 in several months. The reason being that a 1024 bit key can theoretically be broken my dedicated hardware (costing millions of dollars, I might add) in around one year. Listen to the link above for more details. This takes an extreme effort to crack, but given that it is possible I wanted to know what Apple does.

Understanding SSL Encrypted Connections

Similar Messages

Maybe you are looking for