Enable SSLv2 in Apache - apache2

There's a ton of information out there regarding disabling SSLv2, but I can't find anything on enabling it in Apache2's ssl.conf page. Despite the security concerns, I would like to enable SSLv2 alongside TLS and SSLv3. I have tried the following configuration and am still unable to verify that SSLv2 is available. Might I need to add certain SSL Cipher Suites for SSLv2 to work?
(by the way I am using Red Hat Enterprise)
This is a snippet from /etc/httpd/conf.d/ssl.conf
Thanks in advance!

It's impossible on any normal build of OpenSSL -- SSLv2 is usually blocked at compilation time. You'd need a custom OpenSSL build, then your httpd config would work.

Related

Use of TLS 1.0 and 1.1 with DNN and 2sxc

We will soon be attempting to turn off TLS 1.0 and 1.1 on our servers that host our DNN websites. Before we do so, we thought we'd ask if anyone knew of any reason that the 2sxc module might not function correctly after those are turned off? Thanks!
Should be no issues at all. Also, the config that does that is usually fairly easy to enable and disable, so easy to test on a weekend.
But again, nothing about TLS has anything to do with 2sxc. Main thing to test is that your SMTP connection is working after you disable stuff.

Microsoft implementation of generating SSL certificate

I am building a server/client application and I would like to use Microsoft's SSL instead of a 3rd party library such as OpenSSL.
I have come across this example code on the MSDN:
Server: https://learn.microsoft.com/en-us/windows/win32/secauthn/using-sspi-with-a-windows-sockets-server
Client: https://learn.microsoft.com/en-us/windows/win32/secauthn/using-sspi-with-a-windows-sockets-client
I am looking through the code and it appears that it is using a function AcquireCredentialsHandle which from my understanding just uses existing credentials (cert?) found on the system.
I would like to, if possible, create my own certificate on the fly each time I connect to the server. This way the cert is changed each time and if anyone were to get my cert then it would only be useful for the specific set of traffic.

azure iothub sdk mqtt sample - error tls certificate

I'm trying to run the azure iothub sdk c sample of the mqtt protocol.
I've compiled the project but when I run the program it returns some error about SSL routines
This is the complete error:
error:1416F086: SSL routines:tls_process_server_certificate:certificate verify failed
Info: Closing tlsio from a state other than TLSIO_STATE_EXT_OPEN or TLSIO_STATE_EXT_ERROR
I got only this error repeated five times, one for each accepted message ready to be transmitted to the IoTHub.
I've read that I need to set trust to the openssl certs in the sample directory but I've not figured out how to do this task or how to avoid this problem.
Is there someone who has already faced this issue?
This document describes in detail how to prepare your development environment as well as how to run the samples on Linux, Windows or other platforms. Please refer to the section to rebuild your code and then run to test.
Try using the TrustedCerts option. With this option you can pass to the SDK the certificate that is used to validate the server's certificate. This is typically used when either you don't have the root certificate, Baltimore CyberTrust, or your device does not have the concept of a trusted root certificate store. You can find an example of this option being used in
<repositoryRoot>\iothub_client\samples\iothub_client_sample_amqp_shared\iothub_client_sample_amqp_shared.c
https://github.com/Azure/azure-iot-sdk-c/blob/44827986929af7f4fbb41806b880a6da4e13d3e8/iothub_client/samples/iothub_client_sample_amqp_shared/iothub_client_sample_amqp_shared.c#L261

How can renegotiation (rehandshake) be disabled entirely with openssl, on the server side?

I want to refuse/disable all renegotiations initiated from either direction with openssl (in my server code in C).
Is there an option or callback I can set (e.g., SSL_CTX_set_fooooo()) to accomplish this? I can find nothing.
I don't understand why an option like SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION) is documented but nothing like, say, SSL_CTX_set_options(ctx, SSL_NO_RENEGOTIATION).
I know this question is old, but this comment on an openssl issue might point future searchers in the right direction:
SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS is only relevant to OpenSSL 1.0.2; it cannot be used in 1.1.0 or 1.1.1. If you use it then it prevents renegotiation from occurring at all, so there is no need to also use SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION. The equivalent option in 1.1.0/1.1.1 is SSL_OP_NO_RENEGOTIATION.
SSL_OP_NO_RENEGOTIATION was what I was looking for to disable client renegotiation but secure renegotiation (RFC 5746) was still active, per testssl.

IDE with remote build feature that is compatible with MIT Kerberos

I'm using cluster resources from my academic provider (PDC, Sweden) that uses the MIT-Kerberos authentication protocol for the users to sign in securely.
I'm also using Netbeans to develop C and Fortran code. Netbeans has a feature that lets you build your code on a remote host while you are working on your localhost/Desktop machine. Naturally, this feature requires you to log into your remotehost.
Since Netbeans is using its own SSH client, I cannot connect to the above mentioned remotehost even if I have a valid Kerberos ticket. I have googled this issue, but couldn't find anything related to it.
Has anybody else had a similar issue?
Does anybody know of an IDE for C/Fortran that has a build on remotehost feature and is capable of using the Kerberos protocol?
Eclipse with the Photran plugin is commonly mentioned. I never used it myself, but Eclipse should also support authentication via Kerberos.
See here for more on Eclipse and SSH.
