The old SSL certificate has expired and I want to renew the SSL certificate. However, the server already has established multiple links with other clients. So, can I just bind the old sockets to the new ssl, which means I don't need to disconnect the old base tcp links?
Existing TLS connections don't need to get updated with a new certificate - the server certificate is only checked at the beginning of the TLS connection. If your specific server supports updating the server certificate without a restart and thus without closing established connections is unknown - some do and some don't.
Related
I am working on a small application on an embedded platform which has to send some classified information to a server. This connection to the server is encrypted using SSL. The encryption is tunneled trough a proxy - in this case a Zentyal proxy. The embedded application is written in C and the connectivity part is done with wolfssl and lwip.
The application works fine with Zentyal 5.1. But recently the proxy server was updated to 6.1 and now the connection is falling all the time. Debugging the issue, I have found the problem occurs when the application ask the server for a tunnel connection. What I see happening is that the application sends the CONNECT request to the proxy ...
... to which the the proxy answers with a 200 Connection Established.
But after that packet is received the proxy send another message with Proxy-Coneection:Close. Whith has the effect that the connection is shut down before the SSL handshake.
I have tried different configuration in the Zentyal (transparent proxy enable, disable cache, etc.) but the error remains the same. Also, I have added different HTTP headers like proxy-connection: Keep alive. But the connection is still being closed.
Maybe this is a problem with the 6.1 version. I have tried looking through the change log but there is no reference to any change in the processing of the connect request. Neither are there any known problems related to the way the connect is being handled.
Any advice?
I know that during normal SSL handshake, the client receives the server's certificate and verifies it, then uses the server's public key to encrypt the session key.
I want to write a SSL client in C language on Linux. During SSL handshake, it doesn't have to wait for the server's certificate and it sends the session key encrypted with the server's public key that have already been downloaded previously.
I am learning how to use OpenSSL, I only need the do-handshake part here.
Thanks for attention. Why to do this? The ISP or gateway can censor the certificate and block the connection according to names in the certificate.
Unfortunately, this is impossible. As part of the SSL (or TLS) protocol, the server will always send its certificate.
If you would like to bypass ISP censorship, I recommend using a VPN or Tor.
I'm trying use an SSL client/server example from:Client and Server communication using ssl c/c++ - SSL protocol don't works to create a secure connection using TLSV1 --
I Want to know how to create certificates for this code so that there will communication between client & server.
It need server certificate, server key & client cacertificate and cakey
i try to create it with the help of this link:https://help.ubuntu.com/community/OpenSSL
but it client unable to get connected to server shows unable to verify
Using information from some consultants about 2 years ago we set up a SQL Server 2012 box to always have an encrypted connection (at least we thought so). A week ago the SSL certificate expired and everything continues to work fine which is puzzling.
We forced encryption by doing the following:
Obtain an SSL certificate and install it on the SQL Server via MMC. Explicit instructions for this step are here.
Open SQL Server Configuration Manger and expand the SQL Server Network Configuration node in the left pane.
Right click Protocols for MSSQLServer and choose properties.
Go to Certificate tab and choose the installed SSL cert from the drop down.
Go to the Flags tab and set force encryption to Yes.
Now, since the SSL cert expired, there is no longer any cert selected in the drop down when I visit step 3 above. However, I put WireShark on the DB server and use SSMS to request some data. The TDS (Tabular Data Stream) packets are still encrypted? When I put WireShark on a different DB Server I set ForceEncryption to NO, those TDS packets are not encrypted as expected.
So my questions are:
How are the TDS packets still encrypted if the cert is expired?
Even when the cert was valid, why didn't I have to select Options > Encrypt Connection to connect to my encrypted DB server? I thought setting ForceEncryption=Yes required ALL client connections to specify Encrypt in their connection string (or the SSMS checkbox)?
If Web APIs are the only method of accessing my DB, and they do so over SSL, is it even necessary to encrypt the SQL Protocol?
1)How are the TDS packets still encrypted if the cert is expired?
you don't need a valid certificate in order to encrypt, you can still encrypt using an expired certificate.
2)Even when the cert was valid, why didn't I have to select Options > Encrypt Connection to connect to my encrypted DB server? I thought setting ForceEncryption=Yes required ALL client connections to specify Encrypt in their connection string (or the SSMS checkbox)?
Do not enable the Force Protocol Encryption option on both the client and the server,
if you enabled force encryption on SQL server you don't need to do it on any client-side
3)If Web APIs are the only method of accessing my DB, and they do so over SSL, is it even necessary to encrypt the SQL Protocol?
To enable SSL you need the certificate to be installed on SQL server so in order to access the DBusing SSL you are doing the same job.
Thank you
I'm using plain-C WebSocket library called libwebsockets to make a connection between client and server. When starting server I specify the server's cert and private key to be able to use SSL connection. It works OK.
When making a client's connection to the server I specify an SSL option to be able to create an SSL connection (using self-signed cert). All those things work as expected.
Now, I need somehow to get server's certificate on the client side during the connection establishment (or during handshake). Is there a way to do this? I can't find anything in the official documentation.
Thanks in advance.