Search Results

Search found 3707 results on 149 pages for 'secure'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 126/149 | < Previous Page | 122 123 124 125 126 127 128 129 130 131 132 133  | Next Page >

  • WCF/MSMQ Transport Security with Certificates

    - by user104295
    Hi there, my goal is to secure the communication between MSMQ Queue Managers – I don’t want unknown clients sending messages to my MSMQ server. I have spent many hours now trying to get Transport security working for the net.msmq binding in WCF, where MSMQ is in Workgroup mode and the client and server do not have Active Directory… so I’m using certificates. I have created a new X.509 certificate, called Kristan and put it into the “Trusted people” store on the server and into the My store of Current User of the client. The error I’m getting is: An error occurred while sending to the queue: Unrecognized error -1072824272 (0xc00e0030).Ensure that MSMQ is installed and running. If you are sending to a local queue, ensure the queue exists with the required access mode and authorization. Using smartsniff, I see that there’s no attempted connection with the remote MSMQ, however, it’s an error probably coming from the local queue manager. The stack trace is: at System.ServiceModel.Channels.MsmqOutputChannel.OnSend(Message message, TimeSpan timeout) at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout) at System.ServiceModel.Dispatcher.OutputChannelBinder.Send(Message message, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) The code:- EndpointAddress endpointAddress = new EndpointAddress(new Uri(endPointAddress)); NetMsmqBinding clientBinding = new NetMsmqBinding(); clientBinding.Security.Mode = NetMsmqSecurityMode.Transport; clientBinding.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.Certificate; clientBinding.Security.Transport.MsmqProtectionLevel = System.Net.Security.ProtectionLevel.Sign; clientBinding.ExactlyOnce = false; clientBinding.UseActiveDirectory = false; // start new var channelFactory = new ChannelFactory<IAsyncImportApi>(clientBinding, endpointAddress); channelFactory.Credentials.ClientCertificate.SetCertificate("CN=Kristan", StoreLocation.CurrentUser, StoreName.My); The queue is flagged as ‘Authenticated’ on the server. I have checked the effect of this and if I turn off all security in the client send, then I get ‘Signature is invalid’ – which is understandable and shows that it’s definitely looking for a sig. Are there are special ports that I need to check are open for cert-based msmq auth? thanks Kris

    Read the article

  • Using SSL and SslStream for peer to peer authentication?

    - by Scott Whitlock
    I need to provide secure communication between various processes that are using TCP/IP sockets for communication. I want both authentication and encryption. Rather than re-invent the wheel I would really like to use SSL and the SslStream class and self-signed certificates. What I want to do is validate the remote process's certificate against a known copy in my local application. (There doesn't need to be a certificate authority because I intend for the certificates to be copied around manually). To do this, I want the application to be able to automatically generate a new certifiate the first time it is run. In addition to makecert.exe, it looks like this link shows a way to automatically generate self-signed certificates, so that's a start. I've looked at the AuthenticateAsServer and AuthenticateAsClient methods of SslStream. You can provide call-backs for verification, so it looks like it's possible. But now that I'm into the details of it, I really don't think it's possible to do this. Am I going in the right direction? Is there a better alternative? Has anyone done anything like this before (basically peer-to-peer SSL rather than client-server)?

    Read the article

  • WCF Mono - BasicHttpBinding with SSL

    - by TheNextman
    I'm trying to port an existing WCF client application to run on Linux under Mono. Right now I'm testing everything out, figuring out what works on Mono and what doesn't. The client makes a super simple call over basicHttpBinding. It works great, until I enable SSL (that is, specify BasicHttpSecurityMode.Transport in the binding). Running on .NET in Windows, it works great Running on Mono on Ubuntu 9.10 / Mono 2.6 I get the following error: Exception in async operation: System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure --- System.IO.IOException: The authentication or decryption has failed. --- Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a I've read the Mono security FAQ here: http://www.mono-project.com/FAQ:_Security; however the SSL certificate on the server is from a root CA (a purchased certificate) - issued by Equifax Secure Certificate Authority. I ran the TlsTest tool on the Ubuntu install against the .svc URL and there are no problems/errors. Also I can hit the service fine in Firefox (no security warnings). What am I missing? Thanks in advance, Richard

    Read the article

  • Web-based clients vs thick/rich clients?

    - by rudolfv
    My company is a software solutions provider to a major telecommunications company. The environment is currently IBM WebSphere-based with front-end IBM Portal servers talking to a cluster of back-end WebSphere Application Servers providing EJB services. Some of the portlets use our own home-grown MVC-pattern and some are written in JSF. Recently we did a proof-of-concept rich/thick-client application that communicates directly with the EJB's on the back-end servers. It was written in NetBeans Platform and uses the WebSphere application client library to establish communication with the EJB's. The really painful bit was getting the client to use secure JAAS/SSL communications. But, after that was resolved, we've found that the rich client has a number of advantages over the web-based portal client applications we've become accustomed to: Enormous performance advantage (CORBA vs. HTTP, cut out the Portal Server middle man) Development is simplified and faster due to use of NetBeans' visual designer and Swing's generally robust architecture The debug cycle is shortened by not having to deploy your client application to a test server No mishmash of technologies as with web-based development (Struts, JSF, JQuery, HTML, JSTL etc., etc.) After enduring the pain of web-based development (even JSF) for a while now, I've come to the following conclusion: Rich clients aren't right for every situation, but when you're developing an in-house intranet-based solution, then you'd be crazy not to consider NetBeans Platform or Eclipse RCP. Any comments/experiences with rich clients vs. web clients?

    Read the article

  • How to catch an expected (and intended) 302 response code with generic XmlHttpRequest?

    - by Anthony
    So, if you look back at my previous question about Exchange Autodiscover, you'll see that the easiet way to get the autodiscover URL is to send a non-secure, non-authenticated GET request to the server, ala: http://autodiscover.exchangeserver.org/autodiscover/autodiscover.xml The server will respond with a 302 redirect with the correct url in the Location header. I'm trying out something really simple at first with a Chrome extension, where I have: if (req.readyState==4 && req.status==302) { return req.getResponseHeader("Location"); } With another ajax call set up with the full XML Post and the user credentials, But instead Chrome hangs at this point, and a look at the developer panel shows that it is not returning back the response but instead is acting like no response was given, meanwhile showing a Uncaught Error: NETWORK_ERR: XMLHttpRequest Exception 101 in the error log. The way I see it, refering to the exact response status is about the same as "catching" it, but I'm not sure if the problem is with Chrome/WebKit or if this is how XHR requests always handle redirects. I'm not sure how to catch this so that I can get still get the headers from the response. Or would it be possible to set up a secondary XHR such that when it gets the 302, it sends a totally different request? Quick Update I just changed it so that it doesn't check the response code: if (req.readyState==4) { return req.getResponseHeader("Location"); } and instead when I alert out the value it's null. and there is still the same error and no response in the dev console. SO it seems like it either doesn't track 302 responses as responses, or something happens after that wipes that response out?

    Read the article

  • Can you use gzip over SSL? And Connection: Keep-Alive headers

    - by magenta
    I'm evaluating the front end performance of a secure (SSL) web app here at work and I'm wondering if it's possible to compress text files (html/css/javascript) over SSL. I've done some googling around but haven't found anything specifically related to SSL. If it's possible, is it even worth the extra CPU cycles since responses are also being encrypted? Would compressing responses hurt performance? Also, I'm wanting to make sure we're keeping the SSL connection alive so we're not making SSL handshakes over and over. I'm not seeing Connection: Keep-Alive in the response headers. I do see Keep-Alive: 115 in the request headers but that's only keeping the connection alive for 115 milliseconds (seems like the app server is closing the connection after a single request is processed?) Wouldn't you want the server to be setting that response header for as long as the session inactivity timeout is? I understand browsers don't cache SSL content to disk so we're serving the same files over and over and over on subsequent visits even though nothing has changed. The main optimization recommendations are reducing the number of http requests, minification, moving scripts to bottom, image optimization, possible domain sharding (though need to weigh the cost of another SSL handshake), things of that nature.

    Read the article

  • Regex query: how can I search PDFs for a phrase where words in that phrase appear on more than one l

    - by Alison
    I am trying to set up an index page for the weekly magazine I work on. It is to show readers the names of companies mentioned in that weeks' issue, plus the page numbers they are appear on. I want to search all the PDF files for the week, where one PDF = one magazine page (originally made in Adobe InDesign CS3 and Adobe InCopy CS3). I have set up a list of companies I want to search for and, using PowerGREP and using delimited regular expressions, I am able to find most page numbers where a company is mentioned. However, where a company name contains two or more words, the search I am running will not pick up instances where the name appears over more than one line. For example, when looking for "CB Richard Ellis" and "Cushman & Wakefield", I got no result when the text appeared like this: DTZ beat BNP PRE, CB [line break here] Richard Ellis and Cushman & [line break here] Wakefield to secure the contract. [line end here] Could someone advise me on how to write a regular expression that will ignore white space between words and ignore line endings OR one that will look for the words including all types of white space (ie uneven spaces between words; spaces at the end of lines or line endings; and tabs (I am guessing that this info is imbedded somehow in PDF files). Here is a sample of the set of terms I have asked PowerGREP to search for: \bCB Richard Ellis\b \bCB Richard Ellis Hotels\b \bCentaur Services\b \bChapman Herbert\b \bCharities Property Fund\b \bChetwoods Architects\b \bChurch Commissioners\b \bClive Emson\b \bClothworkers’ Company\b \bColliers CRE\b \bCombined English Stores Group\b \bCommercial Estates Group\b \bConnells\b \bCooke & Powell\b \bCordea Savills\b \bCrown Estate\b \bCushman & Wakefield\b \bCWM Retail Property Advisors\b [Note that there is a delimited hard return between each \b at the end of each phrase and beginnong of the next phrase.] By the way, I am a production journalist and not usually involved in finding IT-type solutions and am finding it difficult to get to grips with the technical language on the PowerGREP site. Thanks for assistance Alison

    Read the article

  • Trouble understanding SSL certificate chain verification

    - by Josh K
    My app uses SSL to communicate securely with a server and it's having trouble verifying the certificate chain. The chain looks like this: Entrust.net Secure Server Certification Authority - DigiCert Global CA - *.ourdomain.com We are using a certificate store pulled from Mozilla. It contains the Entrust.net certificate, but not the DigiCert Global CA one. My understanding is that an intermediate authority doesn't have to be trusted as long as the root authority is, but the verification fails: % openssl verify -CAfile mozilla-root-certs.crt ourdomain.com.crt error 20 at 0 depth lookup:unable to get local issuer certificate So do I need to explicitly trust the DigiCert Global CA in order for verification to pass? That seems wrong. But you tell me! EDIT: I now understand that the certificate file needs to be available to OpenSSL up front. Something like this works: % openssl verify -CAfile mozilla-root-certs.crt -untrusted digicert.crt ourdomain.com.crt ourdomain.com.crt: OK This allows me to provide a copy of the DigiCert CA without explicitly saying "I trust it", the whole chain still needs to be verified. But surely browsers like Firefox won't always ship with a copy of every single certificate it'll ever need. There's always going to be new CAs and the point is to use the security of the root certificate to make sure all intermediate CAs are valid. Right? So how does this work? Is it really as silly as it looks?

    Read the article

  • PHP session_write_close() causes empty response

    - by Xeoncross
    When using session_write_close() in a shutdown function at the end of my script - PHP just dies. There is no error logged, response headers (firebug), or data (even whitespace!) returned. I have full PHP error reporting on with STRICT enabled and PHP 5.2.1. My guess is that since session_write_close() is being called after shutdown - some fatal error is being encountered that crashes PHP before it has a chance to send the output or log anything. This only happens on the logout page where I first: ... //If there is no session to delete (not started) if ( ! session_id()) { return; } // Get the session name $name = session_name(); // Delete the session cookie (if exists) if ( ! empty($_COOKIE[$name])) { //Get the current cookie config $params = session_get_cookie_params(); // Delete the cookie from globals unset($_COOKIE[$name], $_SESSION); //Delete the cookie on the user_agent setcookie($name, '', time()-43200, $params['path'], $params['domain'], $params['secure']); } // Destroy the session session_destroy(); ... then 2) do some more stuff 3) issue a redirect and 4) finally, after the whole page is done the register_shutdown_function(); I placed earlier runs and calls session_write_close() which saves the session to the database. The end. Since this blank response only occurs on logout I'm guessing that I'm not restarting the session properly which is causing session_write_close() to die fatally at the end of the script.

    Read the article

  • Using HttpClient with the RightScale API

    - by Ameer Deen
    I'm trying to use the WCF Rest Starter Kit with the RightScale's Login API which seems fairly simple to use. Edit - Here's a blog entry I wrote on using Powershell to consume the API. Edit - Created a generic .NET wrapper for the RightScale API - NRightAPI It's exactly as simple as it looks while using CURL. In order for me to obtain a login cookie all I need to do is: curl -v -c rightcookie -u username:password "https://my.rightscale.com/api/acct/accountid/login?api_version=1.0" And I receive the following cookie: HTTP/1.1 204 No Content Date: Fri, 25 Dec 2009 12:29:24 GMT Server: Mongrel 1.1.3 Status: 204 No Content X-Runtime: 0.06121 Content-Type: text/html; charset=utf-8 Content-Length: 0 Cache-Control: no-cache Added cookie _session_id="488a8d9493579b9473fbcfb94b3a7b8e5e3" for domain my.rightscale.com, path /, expire 0 Set-Cookie: _session_id=488a8d9493579b9473fbcfb94b3a7b8e5e3; path=/; secure Vary: Accept-Encoding However, when I use the following C# code: HttpClient http = new HttpClient("https://my.rightscale.com/api/accountid/login?api_version=1.0"); http.TransportSettings.UseDefaultCredentials = false; http.TransportSettings.MaximumAutomaticRedirections = 0; http.TransportSettings.Credentials = new NetworkCredential("username", "password"); Console.WriteLine(http.Get().Content.ReadAsString()); Instead of a HTTP 204, I get a redirect: You are being <a> href="https://my.rightscale.com/dashboard"redirected <a> How do I get the WCF REST starter kit working with the RighScale API ?

    Read the article

  • dojox.grid.DataGrid populated from Servlet

    - by jeff porter
    I'd like to hava a Dojo dojox.grid.DataGrid with its data from a servlet. Problem: The data returned from the servlet does not get displayed, just the message "Sorry, an error has occured". If I just place the JSON string into the HTML, it works. ARRRRGGH. Can anyone please help me! Thanks Jeff Porter Servlet code... public void doGet(HttpServletRequest req, HttpServletResponse resp) { res.setContentType("json"); PrintWriter pw = new PrintWriter(res.getOutputStream()); if (response != null) pw.println("[{'batchId':'2001','batchRef':'146'}]"); pw.close(); } HtmL code... <div id="gridDD" dojoType="dojox.grid.DataGrid" jsId="gridDD" style="height: 600x; width: 100%;" store="ddInfo" structure="layoutHtmlTableDDDeltaSets"> </div> var rawdataDDInfo = ""; // empty at start ddInfo = new dojo.data.ItemFileWriteStore({ data: { identifier: 'batchId', label: 'batchId', items: rawdataDDInfo } }); <script> function doSelectBatchsAfterDate() { var xhrArgs = { url: "../secure/jsonServlet", handleAs: "json", preventCache: true, load: function(data) { var xx =dojo.toJson(data); var ddInfoX = new dojo.data.ItemFileWriteStore({data: xx}); dijit.byId('gridDD').setStore(ddInfoX); }, error: function(error) { alert("error:" + error); } } //Call the asynchronous xhrGet var deferred = dojo.xhrGet(xhrArgs); } </script> <img src="go.gif" onclick="doSelectBatchsAfterDate();"/>

    Read the article

  • Classic ASP Session not working in IIS 7 Windows Server 2008 R2 x64

    - by user553361
    Hi, I've been googleing and searching here info about this but so far couldn't find anything relevant to my problem. We have a website currently working on II6 and Windows Server 2003 (x86) without any problem. Now we want to migrate our server to a Virtual Machine with Windows Server 2008 R2 (x64) and IIS7. Out current app is built in Classic ASP and SQL Server (This one located on a 2nd Server but this is staying the way it is now). The website is configured as a WebSite, not a virtual directory. Using DefaultAppPool with 4 applications. Now, the problem I'm getting is with the Sessions, or at least that's what I think since I created a simple hello.asp with this code <% response.write "Hello" response.write Session.SessionID %> And this is giving us this result: Hello error '8002801d' /hello.asp, line 3 ASP Sessions Properties Enable Session State : True Maximum Sessions : 2147483647 New ID On Secure Connection : True Time-out : 20 min This is the log in Event Viewer Warning 24/12/2010 14:03:42 Active Server Pages 9 None FailedReqLog Url http://apps.shocklogic.com:80/hello.asp App Pool DefaultAppPool Authentication anonymous User from token NT AUTHORITY\IUSR Activity ID {00000000-0000-0000-1400-0080000000F8} Site 1 Process 3312 Failure Reason STATUS_CODE Trigger Status 500 Final Status 500 Time Taken 110 msec Would be great if anyone has any ideas. Thanks, Federico

    Read the article

  • Android: Dialog themed activity not visible

    - by Vincent
    I have an activity which, when started, needs to check if the user is authenticated. If not, I need to display an interface to authenticate. I do this with another activity, which has a dialog theme, and I start it in onResume() with flags NO_HISTORY and EXCLUDE_FROM_RECENTS. Everything works fine when starting the application for the first time. But I have a feature that resets login after some time, if the user is not in an activity. When I test this, I start the applicatio, enter the password, then move back to home. Then when I enter the application again, the background darkens as if the dialog would show, but it doesn't. At this point, if I press the back button, the darkening from the background activity disappears for a second, then the dialog finally appears. I used logcat to investigate the case, and the activity lifecycle functions get called properly: //For the first start: onCreate background activity onStart background activity onResume background activity onPause background activity onCreate dialog onStart dialog onResume dialog //Enter password onPause dialog onResume background activity onStop dialog onDestroy dialog //navigating to homescreen onPause background activity onStop background activity //starting again onRestart background activity onStart background activity onResume background activity onPause background activity onCreate dialog onStart dialog onResume dialog //no dialog shown, only darkened background activity recieving no input //pressing back button onPause dialog onResume background activity onPause background activity onCreate NEW dialog onStart NEW dialog onResume NEW dialog onStop OLD dialog onDestroy OLD dialog //now the dialog is properly shown //entering password onPause NEW dialog onResume background activity onStop NEW dialog onDestroy NEW dialog Using the SINGLE_TOP flag makes no change. However, if I remove the dialog theme from the dialog activity, it IS shown after the restart. So far I didn't want to use a Dialog instead of an Activity, because I consider them problematic sometimes and less encapsulated and this part has to be quite secure. You may be able to convince me though.. Thank you in advance!

    Read the article

  • Log in using Java where server's authentication could be sso or web applcation container's basic

    - by Ed
    Hi, I have a situation where ideally I want to be able to log-in to a secure area using a Java application. I would like to make an HTTP request and check the response to see if I need to do some kind of authenication before I can actually get the response expected, instead of effectively some login page. The complication is that the server that responds will not always be the same - the user of the Java app specifies the URL - and the server may be using some kind of single sign on authentication or the web container's. I don't know the field names for the username and password fields or the action of the form, is there a simple way to obtain this kind of information from the URL? I see the URLConnection object has methods getPermission() which has a method getActions() but are not suitable, anything that might be? I guess example things I am looking to determine: Does the response require authentication? If so; what type / which servlet? e.g. j_security_check, josso single sign on, ... And then some way of authenticating the client And finally managing the state of the authenticated user for other requests Do I need to know the attributes of the login form before attemping to login? And then, is the onoly way of verifying permission to the requested resource to manually manage the cookies? Thanks in advance.

    Read the article

  • Deploying software on compromised machines

    - by Martin
    I've been involved in a discussion about how to build internet voting software for a general election. We've reached a general consensus that there exist plenty of secure methods for two way authentication and communication. However, someone came along and pointed out that in a general election some of the machines being used are almost certainly going to be compromised. To quote: Let me be an evil electoral fraudster. I want to sample peoples votes as they vote and hope I get something scandalous. I hire a bot-net from some really shady dudes who control 1000 compromised machines in the UK just for election day. I capture the voting habits of 1000 voters on election day. I notice 5 of them have voted BNP. I look these users up and check out their machines, I look through their documents on their machine and find out their names and addresses. I find out one of them is the wife of a tory MP. I leak 'wife of tory mp is a fascist!' to some blogger I know. It hits the internet and goes viral, swings an election. That's a serious problem! So, what are the best techniques for running software where user interactions with the software must be kept secret, on a machine which is possibly compromised?

    Read the article

  • Best method of achieving bi-directional communication between Apple iPad "clients" and a Windows Ser

    - by user361910
    We are currently starting to build a client-server system which will see 10 or more Apple iPad client devices communicating to a central Windows server over a wireless LAN. We wanted to some existing plumbing (.NET remoting/WCF/web services/etc) that would allow us to implement a reliable, secure solution without having to start at a low level (e.g. sockets) and recreate the wheel. One of the major requirements that complicates this scenario is that unlike a traditional web service, the windows server needs to be able to arbitrarily notify the clients whenever certain events occur -- so it is not a simple request/response scenario like the web. Initially, we were going to use Windows clients, so our plan was to use the full-duplex mode of .NET WCF over HTTP|TCP. But now using the iPad, we don't have any of the WCF infrastructure. So my question is: what is the best way to allow an iPad and a Windows server to (securely) communicate over a LAN, with each device able to initiate communication to the other? Am I stuck writing low-level socket code? Thanks!

    Read the article

  • What is the most important thing you weren't taught in school?

    - by Alexandre Brisebois
    What is the most important thing you weren't taught in school? What topics are missing from the CS/IS education? Posted so far How to sell an idea Principles: Often, good enough is better than perfect. Making mistakes is actually a Good Thing™ -- as long as they're new mistakes. If a user can break your code they will. In the Real World™ they're all open-book exams Self confidence is way more important in getting ahead than intelligence. Always prefer simplicity over complexity. The best code is the code that you don't write. You never know when you'll meet someone again ... or where. It's always worthwhile to treat people with respect and kindness. Be aware of what you don't know and don't be afraid to ask questions when you need to Missing knowledge: How to communicate effectively. Lack of source control Lack of Softskills experience How to productize code How to write secure code How to formulate problems How to self-measurement. To evaluate ones true competences and market worth. How to debug code How important is backup How to read code on a large scale (being able to adapt and build upon existing projects) Good Regular expressions comprehension How to teach others effectively TDD/Unit testing Critical thinking How to integrate different skills and languages in a single project

    Read the article

  • SMTP on C: STARTTLS via OpenSSL

    - by Jackell
    Hi all! I am using openssl to build secure smtp connections to gmail.com:25. So I can successfully connect to the server and sends a command STARTTLS (I receive 220 2.0.0 Ready to start TLS). Then execute the following code without disconnecting: SSL_METHOD* method = NULL; SSL_library_init(); SSL_load_error_strings(); method = SSLv23_client_method(); ctx = SSL_CTX_new(method); if (ctx == NULL) { ERR_print_errors_fp(stderr); } SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); ssl = SSL_new(ctx); if (!SSL_set_fd(ssl, socket)) { ERR_print_errors_fp(stderr); return; } if (ssl) { if (SSL_connect((SSL*)ssl) < 1) { ERR_print_errors_fp(stderr); } // then i think i need to send EHLO } But after calling SSL_connect I get an error: 24953:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601: If I use SSLv3_client_method I get an error: 18143:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284. And If TLSv1_client_method: 21293:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284: Why? What I do wrong?

    Read the article

  • A Question about .net Rfc2898DeriveBytes class?

    - by IbrarMumtaz
    What is the difference in this class? as posed to just using Encoding.ASCII.GetBytes(string object); I have had relative success with either approach, the former is a more long winded approach where as the latter is simple and to the point. Both seem to allow you to do the same thing eventually but I am struggling to the see the point in using the former over the latter. The basic concept I have been able to grasp is that you can convert string passwords into byte arrays to be used for e.g a symmetric encryption class, AesManaged. Via the RFC class but you get to use SaltValues and password when creating your rfc object. I assume its more secure but still thats an uneducated guess at best ! Also that it allows you to return byte arrays of a certain size, well something like that. heres a few examples to show you where I am coming from? byte[] myPassinBytes = Encoding.ASCII.GetBytes("some password"); or string password = "P@%5w0r]>"; byte[] saltArray = Encoding.ASCII.GetBytes("this is my salt"); Rfc2898DeriveBytes rfcKey = new Rfc2898DeriveBytes(password, saltArray); The 'rfcKey' object can now be used towards setting up the the .Key or .IV properties on a Symmetric Encryption Algorithm class. ie. RijndaelManaged rj = new RijndaelManaged (); rj.Key = rfcKey.Getbytes(rj.KeySize / 8); rj.IV = rfcKey.Getbytes(rj.Blocksize / 8); 'rj' should be ready to go ! The confusing part ... so rather than using the 'rfcKey' object can I not just use my 'myPassInBytes' array to help set-up my 'rj' object???? I have tried doing this in VS2008 and the immediate answer is NO ! but have you guys got a better educated answer as to why the RFC class is used over the other alternative I have mentioned above and why????

    Read the article

  • Problem with asp.net function syntax (not returning values correctly)

    - by Phil
    I have an active directory search function: Function GetAdInfo(ByVal ADDN As String, ByVal ADCommonName As String, ByVal ADGivenName As String, ByVal ADStaffNum As String, ByVal ADEmail As String, ByVal ADDescription As String, ByVal ADTelephone As String, ByVal ADOffice As String, ByVal ADEmployeeID As String) As String Dim netBIOSname As String = Me.Request.LogonUserIdentity.Name Dim sAMAccountName As String = netBIOSname.Substring(netBIOSname.LastIndexOf("\"c) + 1) Dim defaultNamingContext As String Using rootDSE As DirectoryServices.DirectoryEntry = New DirectoryServices.DirectoryEntry("LDAP://RootDSE") defaultNamingContext = rootDSE.Properties("defaultNamingContext").Value.ToString() End Using Using searchRoot As DirectoryServices.DirectoryEntry = _ New DirectoryServices.DirectoryEntry("LDAP://" + defaultNamingContext, _ "kingkong", "kingkong", DirectoryServices.AuthenticationTypes.Secure) Using ds As DirectoryServices.DirectorySearcher = New DirectoryServices.DirectorySearcher(searchRoot) ds.Filter = String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))", sAMAccountName) Dim sr As DirectoryServices.SearchResult = ds.FindOne() 'If sr.Properties("displayName").Count = 0 Then whatever = string.empty '' (how to check nulls when required) ' End If ADDN = (sr.Properties("displayName")(0).ToString()) ADCommonName = (sr.Properties("cn")(0).ToString()) ADGivenName = (sr.Properties("givenname")(0).ToString()) ADStaffNum = (sr.Properties("sn")(0).ToString()) ADEmail = (sr.Properties("mail")(0).ToString()) ADDescription = (sr.Properties("description")(0).ToString()) ADTelephone = (sr.Properties("telephonenumber")(0).ToString()) ADOffice = (sr.Properties("physicalDeliveryOfficeName")(0).ToString()) ' ADEmployeeID = (sr.Properties("employeeID")(0).ToString()) End Using End Using Return ADDN Return ADCommonName Return ADGivenName Return ADStaffNum Return ADEmail Return ADDescription Return ADTelephone Return ADOffice ' Return ADEmployeeID 'have commented out employee id as i dont have one so it is throwing null errors. ' im not ready to put labels on the frontend or catch this info yet End Function The function appears to work, as when I put a breakpoint at the end, the variables such as ADDN do have the correct values. Then I call the function in my page_load like this: GetAdInfo(ADDN, ADCommonName, ADGivenName, ADStaffnum, ADEmail, ADDescription, ADTelephone, ADOffice, ADEmployeeID) Then I try to response.write out one of the vars to test like this: Response.Write(ADDN) But the value is empty. Please can someone tell me what I am doing wrong. Thanks

    Read the article

  • java RMI newbie-- some basic questions about SSL and auth/.rate limiting an RMI service

    - by Arvind
    I am trying to work to secure a java based RMI service using SSL. I have some basic questions about the capabilities of using SSL. Specifically, from what I understand, the client and server connecting via SSL will need to have appropriate credential certificates in both client and server, for a client to be granted access to the server. Am I correct in my understanding? Also, what I want to know is, can a person who is already using my RMI service and has access to a client machine , make a copy of the certificate in the client machine to other client machines-- and then invoke my RMI service from those other machines as well? How do I prevent such a situation from occurring? I mean, in a REST API you can use OAuth authentication, can we have some kind of authentication in an RMI Service? Also, can I possibly limit usage of the RMI service? For eg, a specific client may be allowed to make only 5000 calls per day to my RMI service, and if he makes more calls the calls occurring after the 5000 calls limit are all denied? How do I do such rate limiting and/or authentication for my RMI Service?

    Read the article

  • Password Cracking Windows Accounts

    - by Kevin
    At work we have laptops with encrypted harddrives. Most developers here (on occasion I have been guilty of it too) leave their laptops in hibernate mode when they take them home at night. Obviously, Windows (i.e. there is a program running in the background which does it for windows) must have a method to unencrypt the data on the drive, or it wouldn't be able to access it. That being said, I always thought that leaving a windows machine on in hibernate mode in a non-secure place (not at work on a lock) is a security threat, because someone could take the machine, leave it running, hack the windows accounts and use it to encrypt the data and steal the information. When I got to thinking about how I would go about breaking into the windows system without restarting it, I couldn't figure out if it was possible. I know it is possible to write a program to crack windows passwords once you have access to the appropriate file(s). But is it possible to execute a program from a locked Windows system that would do this? I don't know of a way to do it, but I am not a Windows expert. If so, is there a way to prevent it? I don't want to expose security vulnerabilities about how to do it, so I would ask that someone wouldn't post the necessary steps in details, but if someone could say something like "Yes, it's possible the USB drive allows arbitrary execution," that would be great! EDIT: The idea being with the encryption is that you can't reboot the system, because once you do, the disk encryption on the system requires a login before being able to start windows. With the machine being in hibernate, the system owner has already bypassed the encryption for the attacker, leaving windows as the only line of defense to protect the data.

    Read the article

  • What is the best "forgot my password" method?

    - by Edward Tanguay
    I'm programming a community website. I want to build a "forgot my password" feature. Looking around at different sites, I've found they employ one of three options: send the user an email with a link to a unique, hidden URL that allows him to change his password (Gmail and Amazon) send the user an email with a new, randomly generated password (Wordpress) send the user his current password (www.teach12.com) Option #3 seems the most convenient to the user but since I save passwords as an MD5 hash, I don't see how option #3 would be available to me since MD5 is irreversible. This also seems to be insecure option since it means that the website must be saving the password in clear text somewhere, and at the least the clear-text password is being sent over insecure e-mail to the user. Or am I missing something here? So if I can't do option #1, option #2 seems to be the simplest to program since I just have to change the user's password and send it to him. Although this is somewhat insecure since you have to have a live password being communicated via insecure e-mail. However, this could also be misused by trouble-makers to pester users by typing in random e-mails and constantly changing passwords of various users. Option #1 seems to be the most secure but requires a little extra programming to deal with a hidden URL that expires etc., but it seems to be what the big sites use. What experience have you had using/programming these various options? Are there any options I've missed?

    Read the article

  • Diffie-Hellman in Silverlight

    - by cmaduro
    I am trying to devise a security scheme for encrypting the application level data between a silverlight client, and a php webservice that I created. Since I am dealing with a public website the information I am pulling from the service is public, but the information I'm submitting to the webservice is not public. There is also a back end to the website for administration, so naturally all application data being pushed and pulled from the webservice to the silverlight administration back end must also be encrypted. Silverlight does not support asymmetric encryption, which would work for the public website. Symmetric encryption would only work on the back end because users do not log in to the public website, so no password based keys could be derived. Still symmetric encryption would be great, but I cannot securely save the private key in the silverlight client. Because it would either have to be hardcoded or read from some kind of config file. None of that is considered secure. So... plan B. My final alternative would be then to implement the Diffie-Hellman algorithm, which supports symmetric encryption by means of key agreement. However Diffie-Hellman is vulnerable to man-in-the-middle attacks. In other words, there is no guarantee that either side is sure of each others identity, making it possible for communication to be intercepted and altered without the receiving party knowing about it. It is thus recommended to use a private shared key to encrypt the key agreement handshaking, so that the identity of either party is confirmed. This brings me back to my initial problem that resulted in me needing to use Diffie-Hellman, how can I use a private key in a silverlight client without hardcoding it either in the code or an xml file. I'm all out of love on this one... is there any answer to this?

    Read the article

  • ASP.NET MVC - Entending the Authorize Attribute

    - by Mad Halfling
    Hi folks, currently I use [Authorize(Roles = ".....")] to secure my controller actions on my ASP.NET MVC 1 app, and this works fine. However, certain search views need to have buttons that route to these actions that need to be enabled/disabled based on the record selected on the search list, and also the security privs of the user logged in. Therefore I think I need to have a class accessing a DB table which cross-references these target controller/actions with application roles to determine the state of these buttons. This will, obviously, make things messy as privs will need to be maintained in 2 places - in that class/DB table and also on the controller actions (plus, if I want to change the access to the action I will have to change the code and compile rather than just change a DB table entry). Ideally I would like to extend the [Authorize] functionality so that instead of having to specify the roles in the [Authorize] code, it will query the security class based on the user, controller and action and that will then return a boolean allowing or denying access. Are there any good articles on this - I can't imagine it's an unusual thing to want to do, but I seem to be struggling to find anything on how to do it (could be Monday-morning brain). I've started some code doing this, looking at article http://schotime.net/blog/index.php/2009/02/17/custom-authorization-with-aspnet-mvc/ , and it seems to be starting off ok but I can't find the "correct" way to get the calling controller and action values from the httpContext - I could possibly fudge a bit of code to extract them from the request url, but that doesn't seem right to me and I'd rather do it properly. Cheers MH

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 122 123 124 125 126 127 128 129 130 131 132 133  | Next Page >