I cannot get my server to make a secure connection.
I created a checkout form here: https://bradp.com/join-30-30-club
When entered, the browser attempts to make a secure connection, appears to give up, and goes to an unencrypted connection.
What do you think it could be?
I'm using Apache and PHP.
Based on the output of the certificates for that site fetched with:
openssl s_client -connect bradp.com:443 -showcerts
on my Mac (full output at http://www.atlbbs.com/bradp.txt ) it looks like you might have a certificate chain problem. Without seeing your logs, if I had to guess, I'd say you are lacking the extra intermediary certificate that GoDaddy SSL certs usually need to work. If that's all okay, then you can try and chase down the "self signed certificate in certificate chain" or tell your software to ignore that warning. Or find who Valicert is and what they have to do with anything.
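The missing-intermediate failure guessed at in the answer above, reproduced offline as an added example (not part of the original post): a constructed root, intermediate and leaf are generated with throwaway keys, and the leaf is verified with and without the intermediate. All file names and CNs are made up; `-untrusted` stands in for the extra certificates a server sends in its handshake.

```shell
#!/bin/sh
# Constructed demo: throwaway root CA -> intermediate CA -> leaf certificate.
# File names and CNs are made up for illustration; needs the openssl CLI.

issue() {  # $1=dir $2=name $3=CN $4=issuer $5=extension section $6=serial
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial "$6" -days 1 -extfile "$1/ext.cnf" -extensions "$5" \
        -out "$1/$2.pem" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
    cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    # Self-signed root: the one certificate the client already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ext.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue "$1" int "Constructed Intermediate CA" root v3_ca 2 &&
    issue "$1" leaf "demo.example" int v3_leaf 3
}

# Verify the leaf against the trusted root. Extra arguments model what the
# server sends: "-untrusted int.pem" is a server that includes its intermediate.
verify_leaf() {  # $1 = dir, rest = extra openssl verify options
    d=$1; shift
    openssl verify -CAfile "$d/root.pem" "$@" "$d/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo=$(mktemp -d)
build_chain "$demo" || { echo "openssl failed" >&2; exit 1; }
verify_leaf "$demo" && echo "leaf only: OK" || echo "leaf only: FAILED"
verify_leaf "$demo" -untrusted "$demo/int.pem" && echo "leaf + intermediate: OK"
rm -rf "$demo"
```

On a real server the fix is the same idea: configure the web server to send the intermediate certificate along with the leaf so clients can build the path to a root they already trust.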
Related
I have installed and followed all the steps in creating and using OpenSSL, but when I open localhost as https the browser says the connection is not secure or brings out privacy.
Kindly let me know what I am doing wrong. How can one make it https and bring the green lock?
You did everything right but the browser doesn't know your certificate.
The browser will warn you every time it gets a certificate signed by an authority it doesn't know. That DOESN'T mean that you did something wrong.
You can add your certificate as trustworthy (i.e. add an exception for your specific certificate) in the browser and everything will function as it would with a certificate from a trusted certificate authority (e.g. Comodo, RapidSSL, Symantec, etc.).
I am trying to connect to Google using host imap.gmail.com and port 993, but when I don't add the novalidate-cert flag to the imap_open function I get the error "Certificate failure for imap.gmail.com: self signed certificate in certificate chain". I am curious why I am getting this error. Why is certificate validation failing?
Either because Google really uses self-signed certificates to save money, or someone is doing a man-in-the-middle attack on you.
Ask your sysadmin whether he is doing any fancy SSL packet inspection stuff...
It's probably because you don't have any trusted CAs configured for verification, or not the right ones. There is no good default setting with PHP, see also PHP and SSL CA Verification - OS Independent
Using this page: Wamp2 and "The ordinal 942 could not be located in the dynamic link library LIBEAY.dll"
I was able to set up SSL on my wamp. It works nicely, especially after I provide the server certificate (server.crt) to a user. If not, they will have a "certificate not trusted" error. Is it possible to reject those who are not using the SSL certificate?
Thank you!
If the client displays a "server certificate is not trusted" message, that's because the server certificate you have installed is not signed by any authority the client knows about. Likely you're using a self-signed certificate. When you add this certificate to the trusted certificate store on your client, the client now trusts this certificate and does not display the warning anymore. It's not that "the client uses a certificate", it's that the client doesn't complain about the server's certificate.
You have no influence over this process at all. The server offers its certificate, and the client trusts it or doesn't. The server doesn't know this. If the client continues its conversation with the server, that pretty much implies that it trusts the offered certificate. Whether that is because the user approved it manually or because the client trusts the certificate otherwise, the server doesn't know.
There's also the concept of client certificates, in which a client identifies itself to the server using a certificate. This is badly supported in today's client software though and probably not what you're looking for.
I've been looking around for a way to check if a user has connected to my website using the right (my server's) SSL certificate in PHP. I guess my question is similar to this one, except that I'm not implying the MITM.
I've looked around but didn't find a way to get the info from the cert used in the current connection and compare it to the server's cert. This is to prevent users connecting with other certs.
How would one go about doing this?
Short Answer
You don't.
Longer Answer
This is only possible with client certificates.
Your webserver identifies you to the client, not PHP. PHP never sees this and no environment variables are sent/passed to PHP aside from HTTPS=on. You don't verify yourself to yourself as it would always evaluate true. The question you linked to already has the answer, and man in the middle doesn't mean much. You are effectively asking for a solution to any and all SSL Man in the Middle attacks with a definitive PHP script.
There is no such thing as being able to connect to your host with another SSL certificate, unless something Diginotar-esque happens to your Certificate Authority.
If you want assurance that they really meant to connect to your site, simply just check the host the client connected to. If they hit your IP, and requested a certificate from it, and then verified it with your CA, they will continue with the connection, and connect to $_SERVER["SERVER_NAME"] and $_SERVER["HTTPS"] == "on"
But, honestly, why are you worried about an incorrect SSL certificate? It will be flagged by the user's PC. I'd be more worried about session decrypting.
I have no idea what you mean by "to prevent users connecting with other certs" which sounds impossible to begin with, but:
SSL happens at a layer in the protocol stack to which PHP has no access or control.
The security of your clients' connections [in the context of running a website] is beyond your control.
I am using LDAPS authentication with the open source CMS ez publish. I have made all the configuration settings that I am supposed to make. But I still cannot get LDAPS authentication to work!
On debugging, I found that ldap_connect fails and it returns resource id #80 or resource id #75 sometimes. Is there any documentation that describes what these resource ids mean? Even the PHP documentation of ldap_connect doesn't have any information on these resource ids. Or is there something else that I could have done wrong?
The PHP manual on resources. Seems like ldap_connect() is successful. If it fails, it returns FALSE.
The most common SSL related issue is trusting the certificate used in the connection.
If your LDAP server's SSL cert is not signed by a well-known CA, or more correctly, by a CA known to your SSL library, then it usually will fail. To resolve this you have to make your SSL library trust the CA.
Windows (IE), Firefox, Safari, etc all have their own keystore mechanisms and you can import certificates of the CA's Trusted Root into them. Then all certificates signed by that CA are now trustworthy.
Java uses JKS keystore files, old Netscape uses cert.db7 or cert.db8 files. No clue what PHP uses, however you ought to figure that aspect out.