we have had our firewall providers install an SSL certificate on the firewall and if we put an SSL certificate on the server ( website ) then will it conflict or it will run fine ?
Any advise on this will be highly appreciated.
So how SSL works is probably not what you expect, according to your description there will be two distinct connections, from the user to the firewall and from the firewall to the webserver.
From the user point of view, only the firewall certificate matters, it will be this one used to crypt the data.
If you activate ssl on the webserver and add a certificate, the only one seeing this certificate will be the firewall, so it has to be valid for the firewall client itself (if the firewall doesn't know the authority which signed the certificate, you'll have a validation problem if you don't add this authority certificate into the firewall certificate store).
Mostly in this case your firewall act as a reverse proxy, doing the user's SSL termination and initiating another SSL session between itself and the webserver.
In bad ascii art this may be shown like this:
user <--using firewall's cert--> Firewall <--using server's cert--> webserver
Related
I am working on some 3rd party integration project.
Created RootCA and SubCA from their official documentation website and after importing in windows server, we created key using openssl and got signed certificate from 3rd party integration Support team
We have configured in ldp.exe client and it got connected and fetched the dataset.
Now we are implementing in PHP code level.
We have:
IIS server 10
PHP 7.2
PHP Code is working in IIS
Added ldap.conf file created c:/openldap/sysconf/ldap.conf
TLS_REQCERT allow
#TLS_CACERT c:\openldap\sysconf\RootCaSha1.der
TLS_CACERT c:\openldap\sysconf\SubCaSha1.der
#TLS_CACERTDIR c:\openldap\sysconf
We have tried various paths and noted all evidence via wireshark tool
It says TLSv1.2 Alert (Level: Fatal, Description: Handshake Failure) so it means some certificate in ldap.conf are not as per requirement.
Looking forward to help in this regard so we can get connect.
Thanks in advance
As far as I know, the TLS handshake failure error commonly occurred when the server’s certificate is configured improperly. this should be configured on the IIS server-side. Please check the below items.
The account running the website is supposed to own the right of accessing the private key of the certificate. Firstly import the certificate to the Local machine Certification Store, under the property page of the certificate, grant the account access to the private key of the certificate.
Subsequently, we specify the certificate in the IIS site binding module.
Besides, Please note that the communication between the client-side and the server-side is established based on the fact that the client trusts the server certificate. this means that when we visit the website, the browser address bar has the sign of security lock. In this way, the public key of the certificate can be exchanged. The specific operation is to add the server root certificate to the Trusted Root Certificate Authority certification store of the client-side.
I deal a lot with self-signed SSL certificates as I deploy the systems in offline environments. The problem is that for example Chrome users has to deal with "dangerous site errors" etc, also if I want to even use GuzzleHttp library for connecting to any other service I have to setting secure to none. What's the best way to deal with it?
If you have a Selfsigned certificate this can be made trusted to the specific system that you use. If others from your office uses it then they may need to add this Selfsigned certificate as trusted by adding it to their system certificate store to make this trusted.
When it comes to office environment it is better to contact the Administrator and add the certificate to all the systems (certlm.msc in run for local machine / certmgr.msc for current user) so your colleagues won't get this dangerous site errors.
I have a SSL enabled eCommerce website which uses cURL for payment processing. Everything is running well but recently I learned about "CA Public Certification Bundle for cUrl" that its a good idea to use it for cURL connections.
If this is true than can someone tell me how or how is it better/different than using the standard SSL?
Doesn't the SSL already provide some kind of certification for all connections?
Any HTTPS client connected to an HTTPS server will get its certificate (in fact, it can be a certificate chain). This server certificate must then verified by the client to authenticate the server.
This is normally done by using a number of CA certificates that are configured on the client as trust anchors (i.e. this is what you trust in advance, before encountering the server certificate). The client tries build a chain between the last element of the server chain and one of the CA certificates in its trust anchors. If there is such a valid chain the server certificate is trusted.
A "CA certificate bundle" would be a set of trust anchors. You can build your own by looking for CAs you're willing to trust, or you can use an existing bundle. Most OSes or browser come with an existing bundle. cURL in itself doesn't but it can rely on a pre-defined location (set at compile time) or it also suggests to use the Firefox bundle (via a conversion mechanism). (You can override default setting via extra options, on the command line or via the API.)
Certificate Pinning (which you also mention) has nothing to do with a CA cert bundle. In fact, it's almost the opposite. Instead of relying on 3rd party trust anchors (the certification authorities), you explicitly "pin" a set of server certificates you know as directly trusted. They're not used to verify other certificates, instead, you compare the certificate you get with the exact certificate you're expecting for that host (or at least you compare public keys). This is more like having a reference mapping from server name to certificate (or to public key) and comparing what you get from that host with the reference you have. Of course, this can only work for a reasonably small set of certificates in practice, unlike the CA (PKI) approach which is designed to let you authenticate parties you have never encountered before (via a 3rd party: the CA).
How is it better/different than using the standard SSL?
Doesn't the SSL already provide some kind of certification for all connections?
Using a CA certificate bundle isn't different than using "standard SSL", it is what's commonly used for SSL/TLS connections. You often don't see it because that CA bundle is often supplied with your client (or with the OS).
Note that strictly speaking, this is orthogonal to SSL/TLS itself, which mainly just says you should authenticate the server. Certificate verification (the PKI way, via CA certificates) is defined in a different specification, also complemented by a specification on how to verify the name in the certificate (and the HTTPS specification of course).
Found a great answer here. The comment above really helped. The exact keyword I was looking for was "Certificate Pinning".
Using this page: Wamp2 and "The ordinal 942 could not be located in the dynamic link library LIBEAY.dll"
I was able to setup SSL on my wamp. It works nice, especially after I provide the server certificate (server.crt) to an user. If not, they will have an "certificate not trusted" error. It is possible to reject those who are not using SSL certificate?
Thank you!
If the client displays a "server certificate is not trusted" message, that's because the server certificate you have installed is not signed by any authority the client knows about. Likely you're using a self-signed certificate. When you add this certificate to the trusted certificate store on your client, the client now trusts this certificate and does not display the warning anymore. It's not that "the client uses a certificate", it's that the client doesn't complain about the server's certificate.
You have no influence over this process at all. The server offers its certificate, and the client trusts it or doesn't. The server doesn't know this. If the client continues its conversation with the server, that pretty much implies that it trusts the offered certificate. Whether that is because the user approved it manually or because the client trusts the certificate otherwise, the server doesn't know.
There's also the concept of client certificates, in which a client identifies itself to the server using a certificate. This is badly supported in todays client software though and probably not what you're looking for.
I'm having trouble installing a SSL certificate on a subdomain within Plesk 10.
I don't seem to have an option to add the SSL certificate to a subdomain only. If i add the cert to the base domain will the subdomain share the same certificate?
Has anyone managed to install a cert on a subdomain using plesk 10?
SSL certificates affect all Connections made to the IP it is bound to, there is no way to bind a certificate to a subdomain or a specific folder because the SSL Setup has to be made before the URL is given to the server process.
You either need to use the same SSL certificate for all domains on your server or you need a new IP and use it only for the subdomain that needs to be protected. (I believe there was a SSL Configuration Link in IP management or something...)
Multiple Certificates on a single IP is now possible using SNI:
http://download1.parallels.com/Plesk/PP10/10.2.0/Doc/en-US/online/plesk-administrator-guide/index.htm?fileName=68308.htm
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI