Search Results

Search found 15441 results on 618 pages for 'ssl security'.

Page 39/618 | < Previous Page | 35 36 37 38 39 40 41 42 43 44 45 46  | Next Page >

  • Should I anticipate any problems trying to use the same SSL Cert on 2 computers (primary, backup)?

    - by Matt
    We have a production machine running IIS6 with a wildcard SSL certificate. The certificate that was installed is not exportable. We want to upgrade the system to IIS7. As part of this venture, we're creating a backup/failover server that will serve the exact same websites - when we take the primary down for upgrade, the secondary will take over. As such, the secondary also needs the SSL certificate. However, since the certificate was not exportable, this means re-keying it from Go Daddy. Per http://help.godaddy.com/article/867, I know that by re-keying the certificate the original will stop working. I'm still pretty new to SSL certificates, so are there any problems I should anticipate when installing the same SSL certificate on 2 different machines?

    Read the article

  • How do I force SSL for some URLs and force non-SSL for all others?

    - by brad
    I'd like to ensure that certain URLs on my site are always accessed via HTTPS while all other URLs are accessed via HTTP. I can get either case working in my .htaccess file, however if I enable both, then I get infinite redirects. My .htaccess file is: <IfModule mod_expires.c> # turn off the module for this directory ExpiresActive off </IfModule> Options +FollowSymLinks AddHandler application/x-httpd-php .csv RewriteEngine On RewriteRule ^/?registration(.*)$ /register$1 [R=301,L] # Force SSL for certain URL's RewriteCond %{HTTPS} off RewriteCond %{REQUEST_URI} (login|register|account) RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] # Force non-SSL for certain URL's RewriteCond %{HTTPS} on RewriteCond %{REQUEST_URI} !(login|register|account) RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] # Force files ending in X to use same protocol as initial request RewriteRule \.(gif|jpg|jpeg|jpe|png|ico|css|js)$ - [S=1] # Use index.php as the controller RewriteCond %{REQUEST_URI} !\.(exe|css|js|jpe?g|gif|png|pdf|doc|txt|rtf|xls|swf|htc|ico)$ [NC] RewriteCond %{REQUEST_URI} !^(/js.*)$ RewriteRule ^(.*)$ index.php [NC,L]

    Read the article

  • SSL in overlay window for login

    - by Sourabh
    HI I have to implement login over SSL in my website. for example cloginForm - this is the form https://www.myweb.com/loginProcess - this is the action which process the form -authenticates user. I am able to do this with usual web form but the problem is the overlay dialog box for login for example if I am on my website home page http://www.myweb.com - notice http and I click a login link there , it shows a small html div with login form (like a litebox).now ,as I am on a non SSL page (http) the data which I post does not get encrypted,and posted to the process action. How do I get around with this so that my overly login also becomes secure. thanks for your help in advance. :)

    Read the article

  • Security & Authentication: SSL vs SASL

    - by 4herpsand7derpsago
    My understanding is that SSL combines an encryption algorithm (like AES, DES, etc.) with akey exchange method (like Diffier-Hellman) to provide secure encryption and identification services between two endpoints on an un-secure network (like the Internet). My understanding is that SASL is an MD5/Kerberos protocol that pretty much does the same thing. So my question: what are the pros/cons to choosing both and what scenarios make both more preferable? Basically, I'm looking for a guidelines to follow when choosing SSL or to go with SASL instead. Thanks in advance!

    Read the article

  • dovecot main process terminated with status 89

    - by G. He
    I'm trying to configure dovecot/imap to run without SSL. I set ssl = no in 10-ssl.conf in /etc/dovecot/conf.d. However, with this setting, dovecot dies right away when it is started. I checked the log file and found the following: dovecot main process (4895) terminated with status 89 What does it mean? Is there a way for dovecot to run without ssl? The reason I do NOT want ssl is that my outlook complains the certificate cannot be verified. It is really annoying. And I only run the server on a very small lan and don't need that extra security.

    Read the article

  • Use of WebDAV to access OWA (exchange 2003) mails with Basic authentication and SSL

    - by Mayuresh
    I have got a working C# code for accessing OWA mails using WebDAV against a FBA enabled exchange 2003 (http://support.microsoft.com/kb/891748/en-us/) But my client's OWA (exchange 2003) has Basic authentication and SSL (i-e when I try to access the web mail link through browser I get a grey login box instead of a web page I can log into the mail box once I enter the correct details) But my same fails with a 401 error against this mailbox. I got the simple request working for the Basic authentication using – String usernamePassword = strUserName + ":" + strPassword; WebReq.Headers.Add("Authorization", "Basic " + Convert.ToBase64String(new ASCIIEncoding().GetBytes(usernamePassword))); But the subsequent WebDAV SEARCH request fails with 404 (resource not found) error. Can we use WebDAV against an exchange 2k3 with SSL and Basic authentication?

    Read the article

  • Tomcat SSL Configuration

    - by bdares
    I received a SSL cert to use for a Tomcat 6.0 server, ready to use. I configured Tomcat to use it with the following in server.xml: <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="C:\Tomcat 6.0\ssl\cert" keystorePass="*****" clientAuth="false" sslProtocol="TLS"/> I started Tomcat using the command prompt so I could see any error message as they happened. There were none. The results for accessing different URLS: http://localhost - normal page loads fine https://localhost - browser claims page cannot be found https://localhost:8443 - page cannot be found http://localhost:8443 - offers a certificate, after accepted redirects to https://localhost (I suspect the https:// urls initially offer the certificate which is automatically accepted by the browser, as it was issued by Verisign) How to fix? Edit: I've also tried port="443". Same result.

    Read the article

  • WCF Mono - BasicHttpBinding with SSL

    - by TheNextman
    I'm trying to port an existing WCF client application to run on Linux under Mono. Right now I'm testing everything out, figuring out what works on Mono and what doesn't. The client makes a super simple call over basicHttpBinding. It works great, until I enable SSL (that is, specify BasicHttpSecurityMode.Transport in the binding). Running on .NET in Windows, it works great Running on Mono on Ubuntu 9.10 / Mono 2.6 I get the following error: Exception in async operation: System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure --- System.IO.IOException: The authentication or decryption has failed. --- Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a I've read the Mono security FAQ here: http://www.mono-project.com/FAQ:_Security; however the SSL certificate on the server is from a root CA (a purchased certificate) - issued by Equifax Secure Certificate Authority. I ran the TlsTest tool on the Ubuntu install against the .svc URL and there are no problems/errors. Also I can hit the service fine in Firefox (no security warnings). What am I missing? Thanks in advance, Richard

    Read the article

  • Spring Security: how to implement Brute Force Detection (BFD)?

    - by Kdeveloper
    My web applications security is handled by Spring Security 3.02 but I can't find any out of the box support for Brute Force Detection. I would like to implement some application level BFD protection. For example by storing failed login attempt per user in the database (JPA). The attacked user accounts could then get a lockout period or a forced account re-activation by e-mail. What's the best way to implement this with Spring Security? Does any body have example code or best practices on this?

    Read the article

  • iphone: is there any secure way to establish 2-way SSL from an application

    - by pmilosev
    Hi I need to establish a HTTPS 2-way SSL connection from my iPhone application to the customer's server. However I don't see any secure way to deliver the client side certificates to the application (it's an e-banking app, so security is really an issue). From what I have found so far the only way that the app would be able to access the certificate is to provide it pre-bundeled with the application itself, or expose an URL from which it could be fetched (http://stackoverflow.com/questions/2037172/iphone-app-with-ssl-client-certs). The thing is that neither of this two ways prevent some third party to get the certificate, which if accepted as a risk eliminates the need for 2-way SSL (since anyone can have the client certificate). The whole security protocol should look like this: - HTTPS 2-way SSL to authenticate the application - OTP (token) based user registration (client side key pair generated at this step) - SOAP / WSS XML-Signature (requests signed by the keys generated earlier) Any idea on how to establish the first layer of security (HTTPS) ? regards

    Read the article

  • Reality behind wireless security - the weakness of encrypting

    - by Cawas
    I welcome better key-wording here, both on tags and title, and I'll add more links as soon as possible. For some years I'm trying to conceive a wireless environment that I'd setup anywhere and advise for everyone, including from big enterprises to small home networks of 1 machine. I've always had the feeling using any kind of the so called "wireless security" methods is actually a bad design. I'm talking mostly about encrypting and pass-phrasing (which are actually two different concepts), since I won't even considering hiding SSID and mac filtering. I understand it's a natural way of thinking. With cable networking nobody can access the network unless they have access to the physical cable, so you're "secure" in the physical way. In a way, encrypting is for wireless what walling (building walls) is for the cables. And giving pass-phrases is adding a door with a key. But the cabling without encryption is also insecure. Someone just need to plugin and get your data! And while I can see the use for encrypting data, I don't think it's a security measure in wireless networks. As I said elsewhere, I believe we should encrypt only sensitive data regardless of wires. And passwords should be added to the users, always, not to wifi. For securing files, truly, best solution is backup. Sure all that doesn't happen that often, but I won't consider the most situations where people just don't care. I think there are enough situations where people actually care on using passwords on their OS users, so let's go with that in mind. For being able to break the walls or the door someone will need proper equipment such as a hammer or a master key of some kind. Same is true for breaking the wireless walls in the analogy. But, I'd say true data security is at another place. I keep promoting the Fonera concept as an instance. It opens up a free wifi port, if you choose so, and anyone can connect to the internet through that, without having any access to your LAN. It also uses a QoS which will never let your bandwidth drop from that public usage. That's security, and it's open. And who doesn't want to be able to use internet freely anywhere you can find wifi spots? I have 3G myself, but that's beyond the point here. If I have a wifi at home I want to let people freely use it for internet as to not be an hypocrite and even guests can easily access my files, just for reading access, so I don't need to keep setting up encryption and pass-phrases that are not whole compatible. I'll probably be bashed for promoting the non-usage of WPA 2 with AES or whatever, but I wanted to know from more experienced (super) users out there: what do you think? Is there really a need for encryption to have true wireless security?

    Read the article

  • Broken images and security warnings in Facebook Connect

    - by Adam
    I'm hoping this is just a bug on Facebook's end that will be fixed soon, but in my Facebook Connect app I'm launching the dialogue FB provides to make a post. This dialogue is launched on a page with an SSL connection. In this dialogue the profile pic for some users comes up with a security warning while others display correctly. I'm already setup to use Facebook's SSL javascript file instead of the HTTP file.

    Read the article

  • Security warnings in Facebook Connect

    - by Adam
    I'm hoping this is just a bug on Facebook's end that will be fixed soon, but in my Facebook Connect app I'm launching the dialogue FB provides to make a post. This dialogue is launched on a page with an SSL connection. In this dialogue the profile pic for some users comes up with a security warning while others display correctly. I'm already setup to use Facebook's SSL javascript file instead of the HTTP file.

    Read the article

  • How to connect to a queue manager with ssl enabled server connection channel when authentication is

    - by Dr. Xray
    I am trying to write a java application connecting to server connection channel with SSL enabled. So far, I have been successfully connected to the channel by setting authentication to 'optional'. However, when I set it to be 'required', the connection fails. Here is what I did: Create key db for queue manager and keystore for the java client user. Create key/self-signed certificates for the queue manager and the client user, with names prefixed ibmwebspheremq. Export, exchange and import certificates for the queue manager and the client. (I did answered 'yes' when being asked whether I trust the queue manager cert). The location and password to the truststore and keystore are set to point to the same keystore at the client side, where the orgininal created client user key and the imported queue manager key are. With other settings being the same, if I switch back to 'optional' authentication, the connection works. I think there is something I understand incorrectly about this ssl authenticaion but cannot figure out what. Could someone kindly help me?

    Read the article

  • Self - hosted WCF server and SSL

    - by jitm
    Hello, There is self - hosted WCF server (Not IIS), and was generated certificates (on the Win Xp) using command line like makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=SecureClient -sky exchange -pe makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=SecureServer -sky exchange -pe These certificates was added to the server code like this: serviceCred.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "SecureServer"); serviceCred.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "SecureClient"); After all previous operation I created simple client to check SSL connection to the server. Client configuration: <?xml version="1.0" encoding="utf-8" ?> <configuration> <system.serviceModel> <bindings> <basicHttpBinding> <binding name="BasicHttpBinding_IAdminContract" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <security mode="TransportCredentialOnly"> <transport clientCredentialType="Basic"/> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint address="https://myhost:8002/Admin" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IAdminContract" contract="Admin.IAdminContract" name="BasicHttpBinding_IAdminContract" /> </client> </system.serviceModel> </configuration> Code: Admin.AdminContractClient client = new AdminContractClient("BasicHttpBinding_IAdminContract"); client.ClientCredentials.UserName.UserName = "user"; client.ClientCredentials.UserName.Password = "pass"; var result = client.ExecuteMethod() During execution I receiving next error: The provided URI scheme 'https' is invalid; expected 'http'.\r\nParameter name: via Question: How to enable ssl for self-hosted server and where should I set - up certificates for client and server ? Thanks.

    Read the article

  • Emailing an excel sheet with SSL in Python

    - by jakecar
    Hi...this is my first post so let me know if there are any common courtesies I should know about. I just started programming 8 months ago, so I am fairly new. I have been doing some projects to get better. A project I'm working on now creates an Excel sheet from inputted data. It's in Python, which I just started learning a couple of weeks ago. I'm attempting to embed part of this Excel sheet into an email, sent from my school address. I have spent hours looking this up, and to no avail. There are two problems I am asking for help with: 1) I have figured out how to send an email from my GMail account, but not from my school address. My school email uses SSL port 465, which I have tried to use, but to no avail. Unfortunately, I have been having a problem setting up outgoing email for this account on my iPhone as well. It may be related? Does anyone know of common issues relating to outgoing email with SSL and Python? 2) Excel has an option of saving a sheet as a HTML. When doing so, I copy and pasted the HTML source and emailed it as an attachment. Unfortunately, the colored text did not transfer over. Does anyone know of a better way of using Python to send an excel sheet embedded in an email? Thanks for your help!

    Read the article

  • SSL over TDS, SQL Server 2005 Express

    - by reuvenab
    I capture packets sent/received by Win Xp machine when connecting to SQL Server 2005 Express using TLS encryption. Server and Client exchange Hello messages Server and Client send ChangeCipherSpec message Then Server and Client server send strange message that is not described in TLS protocol What is the message and if SSL over TDS is standard compliant at all? Server side capture: 16 **SSL Handshake** 03 01 00 4a 02 ServerHello 00 00 46 03 01 4b dd 68 59 GMT 33 13 37 98 10 5d 57 9d ff 71 70 dc d6 6f 9e 2c Random[00..13] cb 96 c0 2e b3 2f 9b 74 67 05 cc 96 Random[14..27] 20 72 26 00 00 0f db 7f d9 b0 51 c2 4f cd 81 4c Session ID 3f e3 d2 d1 da 55 c0 fe 9b 56 b7 6f 70 86 fe bb Session ID 54 Session ID 00 04 Cipher Suite 00 Compression 14 03 01 00 01 01 **ChangeCipherSpec** 16 03 01 ???? Finished ??? 00 20 d0 da cc c4 36 11 43 ff 22 25 8a e1 38 2b ???? ??? 71 ce f3 59 9e 35 b0 be b2 4b 1d c5 21 21 ce 41 ???? ??? 8e 24

    Read the article

  • make java plugin use the browser certificates

    - by Shalom938
    We have a java applet that communicates with a spring application running on tomcat and using spring's http invoker. We want to secure the applet using ssl with client authentication, we have a jsp page for login, after successful login the applet loads. The jsp page is secured with ssl, when the applet loads the http invoker inside the applet is doing a second handshake apparently not related to the browser handshake, OK, I don't mind that, but I want the java plugin to use browser certificates and client certificates but its not, I have to load the client certificate to the java plugin also using the java ControlPanel, and if my server's certificate is self signed then I have to load the server certificate also to the java ControlPanel and to the nrowser. Another thing is when the applet starts loading the java plugin pops a dialog asking for the client keystore password, I would like to avoid that. So to conclude: I would like the java plugin to use the browser's trusted certificates and client certificates, and to avoid the keystore password dialog that pops up. I have googled for it for two days and can't find any clue of how to accomplish that. I will appreciate any help. I'm using jdk 1.6.0 u23 and firefox 3.6.13.

    Read the article

  • GlassFish v3: Security related updates + Repository/Publisher?

    - by chris_l
    I've used GlassFish v3.0 as my main development application server for a few weeks now. Now that I want to install it on my VPS, I'd like to get the latest security updates, because Glassfish v3 Release 3.0 (Open Source Edition or not) is already a few months old, and v3.1 is only available as "early access" nightlies (see https://glassfish.dev.java.net/public/downloadsindex.html). GlassFish offers an update mechanism (via pkg or updateTool), but when I simply try to get the latest updates (pkg image-update), it finds nothing. However, when I change the preferred publisher to dev.glassfish.org, I get a list with lots of updates. The interesting thing is, that I haven't been able to find any description about the contents of the diverse publishers/repositories (release, stable, contrib and dev) anywhere on the web, most importantly answering the question: Am I supposed to use the dev repository for security updates, or does it contain unstable updates? (The name suggests unstable updates, but the version numbers, like "3.0.1,0-11:20100331T082227Z" leave me guessing. The build is more than a week old, so it's obviously not "nightly" or "weekly", but what is it?) Where do I get security updates from then? Or are there simply no security updates yet? Asking on the GlassFish forum resulted in 56 views, but 0 answers.

    Read the article

  • GlassFish v3: Security related updates?

    - by chris_l
    I've used GlassFish v3.0 as my main development application server for a few weeks now. Now that I want to install it on my VPS, I'd like to get the latest security updates, because Glassfish v3 Release 3.0 (Open Source Edition or not) is already a few months old, and v3.1 is only available as "early access" nightlies (see https://glassfish.dev.java.net/public/downloadsindex.html). GlassFish offers an update mechanism (via pkg or updateTool), but when I simply try to get the latest updates (pkg image-update), it finds nothing. However, when I change the preferred publisher to dev.glassfish.org, I get a list with lots of updates. The interesting thing is, that I haven't been able to find any description about the exact meaning of the diverse publishers/repositories (release, stable, contrib and dev) anywhere on the web, most importantly answering the question: Am I supposed to use the "dev" repository for security updates, or is it (probably more likely) for unstable updates? Where do I get security updates from then? Or are there simply no security updates yet? Asking on the GlassFish forum resulted in 56 views, but 0 answers.

    Read the article

  • WCF NetTcpBinding Security - how does it work?

    - by RemotecUk
    Hi, encountered the following problems trying to work through the quagmire of settings in WCF... I created a WCF client server service using a NetTcp binding. I didn't make any changes to the security settings and when running on one machine it works very nicely. However, when I ran my client from another machine it complained that the server didnt like the security credentials that were sent. I understand now that NetTCP is "secured" by default and that my client would have been passing the wrong security details - namely the windows user name and password (or some form of domain authentication) to my server which as they are not running on the same domain it would not have liked. However, what I don't understand is as follows: I haven't specified any security in my binding - does the standard settings expect a windows user name or password to be sent? I don't have any certificate installed on my server - I understand that NetTCP bindings need some form of public private key to protect the credentials - yet this seemed to work when both client and server were on the same machine - how was the data getting encrypted? Or wants it as WCF knew it was on the same machine and encryption isn't needed? I have had to set my security mode on my client and server to "none" now and they connect nicely. However is there any way to encrypt my data without a certificate? Finally... what is the difference between Transport and Message security? To check my understanding (excuse the scenario!) message security is like if I sent a letter from person A to person B and I encode my hand writing to ensure that if anyone intercepts it they cannot read it? Transport Security is if I decide to have my letter sent by armed transport so that no one can get at it along the way? Is it possible to have any form of encryption in WCF without a certificate? My project is a private project and I dont want to purchase a certificate and the data isnt that sensitive anyway so its just for my own knowledge. Thanks in advance.

    Read the article

  • OAM11gR2: Enabling SSL in the Data Store

    - by Ekta Malik
    Normal 0 false false false EN-US X-NONE X-NONE /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} Enabling SSL in the Data Store of OAM11gR2 comprises of the below mentioned steps. Import the certificate/s required for establishing the trust with the Store(backend) in the keystore(cacerts) on the machine hosting OAM's Weblogic Admin server Restart the Weblogic Admin server Specify the <Hostname>:<SSL port> in the "Location" field of the Data Store and select the "Enable SSL" checkbox Pre-requisite:- Certificate/s to be imported are available for import Data Store has already been created using OAM admin console and the connection to the store is successful on non-SSL port( though one can always create a Data Store with SSL settings on the first go) Steps for importing the certificate/s:- One can use the keytool utility that comes bundled with JDK to import the certificate. The step for importing the certificate would be same for self-signed and third party certificates (like VeriSign) $JAVA_HOME/bin/keytool -import -v -noprompt -trustcacerts -alias <aliasname> -file <Path to the certificate file> -keystore $JAVA_HOME/jre/lib/security/cacerts Here $JAVA_HOME refers to the path of JDK install directory Note: In case multiple certificates are required for establishing the trust, import all those certificates using the same keytool command mentioned above  One can verify the import of the certificate/s by using the below mentioned command $JAVA_HOME/bin/keytool -list -alias <aliasname>-v -keystore $JAVA_HOME/jre/lib/security/cacerts When the trust gets established for the SSL communication, specifying the SSL specific settings in the Data Store (via OAM admin console) wouldn't result into the previously seen error (when Certificates are yet to be imported) and the "Test Connection" would be successful.

    Read the article

< Previous Page | 35 36 37 38 39 40 41 42 43 44 45 46  | Next Page >