I am running a Windows 2008 server with IIS7. I need to use SSL 3.0 for PCI compliance but whenever I read up on using it, all the articles explain to disable SSL 2.0. If I do this, will IIS automatically use IIS 3.0 from that point on? In the registry here [HKey_Local_MachineSystemCurrentControlSetControlSecurityProviders SCHANNELProtocols] it only has a SSL 2.0 folder with a Client folder in it, is that correct? Shouldn’t there be a SSL [...]Continue Reading »
I have a SQL Server 2008 mirroring setup where CREATE CERTIFICATE was used to generate the SQL Certificate Objects to enable mirroring between workgroup-based servers. Q. How can I view the expiration date and other properties of the existing certificate objects? (I understand that these are SQL “Objects” as they don’t show up in the usual MMC certificates console). You can write sql queries to get the expiration dates from sys.certificates Please follow the Remus [...]Continue Reading »
We’re using haproxy’s custom error page feature to show a “fail whale” maintenance page while we’re doing deployments to our site. However, since haproxy cannot show SSL’d users the custom error page, how can I redirect users to a non-SSL’d connection, to show the “fail whale” if there are no backends available? As I understand it, you can’t redirect clients from within haproxy since it can’t interact with SSL connections at all (can’t decrypt the [...]Continue Reading »
Just heard a podcast that claimed the SSL was broken for small key sizes. They said that you should use as strong a key as you can afford, without really saying which key sizes should be avoided. So the question is there a recommend minimum key size? Large modulus sizes are a defense against brute-force attempts to rebuild your private key by an attacker who has only your public key. More bits is more variations [...]Continue Reading »
Is it only controlled locally via hashsum or does the browser contact the webserver of the CA to verify the certificate? The browser will have the public keys of various root authorities cached locally. If you use windows you occasionally see an update with ‘root certificates’ in the name, that’s what it is. For a valid certificate the hierarchy can be traced all the way back to a valid root CA’s public key, possibly via [...]Continue Reading »
I’ve read that SSL is a good solution for “point to point” security, and not “end to end” security. For example, in this article at JavaWorld, it says: SSL/TLS is simply not designed for such a scenario; SSL/TLS only handles point-to-point security… SSL/TLS may secure the path between any two [intermediaries], but not from one end to the other. I am building a web service to provide data to separate clients, as described in this [...]Continue Reading »
I have a 3 Tomcat application servers with 3 Apache servers in front. Communication between Apache and Tomcats is done via mod_jk. I need to have secure connections between the Tomcat and Apache servers. To make this connection secured, it has to be encrypted and authenticated (to prevent man in the middle attacks). To be clear, I am not trying to authenticate clients. Only to make sure that traffic between Tomcat and Apache cannot be [...]Continue Reading »
I have a Fedora server running Jenkins which I install via yum. Everything is okay, I can access it with http://ci.mydomain.com. But now, I want to access it with https://ci.mydomain.com, so the login with username and password is encrypted. How can I do this? Best Regards Tim Update My /etc/sysconfig/jenkins file. Starting Jenkins works, but I can not access Jenkins with the webbrowser with https://ci.mydomain.com or http://ci.mydomain.com:443, … ## Path: Development/Jenkins ## Description: Configuration for [...]Continue Reading »
We have a web server running with two sites, I will call them domain.com and test.domain.com. We have an SSL certificate installed on the domain.com site, that covers both www.domain.com and domain.com. The test site does not have an SSL certificate. When navigating to http:// test.domain.com we can successfully reach the test site. However, when navigating to https:// test.domain.com all traffic is redirected to https:// domain.com, more or less without the user knowing. This could [...]Continue Reading »
How do you redirect port 80 -> 443 in Glassfish 3? My scenario is a web application SSL, and I want non-SSL requests to be automatically redirected. You should look at this blog post on port unification in Glassfish 3. I believe it answers your question for you: Granted, this solution offers a 302 redirect from only the protocol (e.g. http://blah:8000 to https://blah:8000) as opposed to a direct that changes the protocol and port, but [...]Continue Reading »
- Is there a way for administrators to disable users from installing Firefox extensions?
- Is there research material on NTP accuracy available?
- How to create a limited “domain admin” that does not have access to domain controllers?
- Can Windows RDC admin users be immune from being kicked?
- Domain Administrators account policy (After PCI audit)