EC2 connect error after disabling SSL 3.0 and TLS 1.0 - amazon-ec2

I can no longer connect to the EC2 instance with Windows Server 2008 R2, or access the hosted site, after disabling SSL 3.0 and TLS 1.0 and restarting the server.
I followed the digicert instructions: https://knowledge.digicert.com/quovadis/ssl-certificates/ssl-general-topics/how-to-disable-ssl-2_0-and-ssl-3_0-on-windows-server-2008-r2.html
Check for the DWORD named Enabled on the right panel and ensure that it shows 0x00000000 in the Data column. If it doesn't show this value, right-click on Enabled and select Modify... from the drop-down list and set the Value data to 1 and ensure that Base has Hexadecimal selected.
Underneath the SSL 3.0 key, right-click on the Server key underneath it. If there is no Server key, you can create it underneath the SSL 3.0 key.
Check for the DWORD named Enabled on the right panel and ensure that it shows 0x00000000 in the Data column. If it doesn't show this value, right-click on Enabled and select Modify... from the drop-down list and set the Value data to 1 and ensure that Base has Hexadecimal selected.
Reboot the server.
Has anyone experienced this or know what might be going on? Thanks
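The registry keys the question is editing live under SCHANNEL\Protocols, and a mistake there only shows up after the reboot. The script below is an added example (not from the question or from DigiCert) that reads every protocol's Server and Client subkey and reports the effective state before you restart, warning when no TLS version would be left for the server to negotiate. It relies on the documented meaning of the two values: `Enabled = 0` turns a protocol off outright, and `DisabledByDefault = 1` stops it being offered unless an application asks for it.

```powershell
# Added example: audit SCHANNEL protocol settings before rebooting.
# Enabled = 0 disables the protocol; DisabledByDefault = 1 hides it unless an app opts in.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # $Side is 'Server' or 'Client'
    $key = Join-Path $base "$Protocol\$Side"
    $state = [ordered]@{ Protocol = $Protocol; Side = $Side; Enabled = $null; DisabledByDefault = $null; Effective = '' }
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        if ($null -ne $p.Enabled)           { $state.Enabled = $p.Enabled }
        if ($null -ne $p.DisabledByDefault) { $state.DisabledByDefault = $p.DisabledByDefault }
    }
    # Enabled = 0 wins over everything else; an absent key means the OS default applies.
    if ($state.Enabled -eq 0)                        { $state.Effective = 'DISABLED' }
    elseif ($state.DisabledByDefault -eq 1)          { $state.Effective = 'disabled unless an app opts in' }
    elseif ($null -eq $state.Enabled -and $null -eq $state.DisabledByDefault) { $state.Effective = 'OS default' }
    else                                             { $state.Effective = 'enabled' }
    [pscustomobject]$state
}

$report = foreach ($proto in $protocols) {
    foreach ($side in 'Server', 'Client') { Get-SchannelProtocolState -Protocol $proto -Side $side }
}
$report | Format-Table -AutoSize

# Sanity check: the server side must keep at least one TLS version that is not explicitly disabled,
# otherwise every inbound TLS handshake (IIS, RDP over TLS) fails after the reboot.
$serverTls = $report | Where-Object { $_.Side -eq 'Server' -and $_.Protocol -like 'TLS*' -and $_.Effective -ne 'DISABLED' }
if (-not $serverTls) {
    Write-Warning 'Every TLS version is explicitly disabled on the server side; do not reboot until one is re-enabled.'
}
```

Run it in an elevated PowerShell session on the instance (before rebooting, or from a recovery session) and compare the Effective column with what you intended; the Enabled column shows the raw DWORD so a value of 1 where you meant 0 is immediately visible.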

Related

Hosting Asp.net Core 6 Web API with SSL on a Specific Port

I have developed Asp.net Core 6 Web Api and want to host it on my Windows server on a specific port that has SSL installed. Here is what I have done so far -
I have an SSL certificate which I added in the Personal store using certificate manager.
I installed this SSL certificate on Port 10001 and it got added successfully.
I created a subdomain and pointed it to this web server.
I want to run this API as an EXE hosted with Kestrel. I tried -
app.Run("https://api.xxxxxx.com:10001")
I get an error that SSL Certificate could not be located.
Please help me with how to do this.
It would be useful if you provided the commands used for adding the port reservation and how you added the certificate to Windows, but anyways, my personal experience dealing with self-hosted apps and SSL is the following:
Add the certificate used for https to the Windows Certificates Store -> Local Computer (this is important, don't use the Current User store) -> Personal store
If NOT using localhost as the server address, as in your case, a Url mapping must be done with netsh.exe (with an elevated command window):
netsh.exe http add urlacl url=https://+:10001/ user=Users (*)
Next, make a port reservation using also netsh.exe:
netsh.exe http add sslcert ipport=0.0.0.0:10001 certhash=[your cert hash here] appid={your app id here}
(*) If your Windows language is other than English, use the name of the translated Users group. For instance, in Spanish it would be "Usuarios".
If all these procedures are done correctly, you should be able to launch a server that binds to the specified port with https enabled.
Good luck
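As an added example (not the answer's own code), the script below automates the checks that matter in the answer above: it searches only the Local Computer Personal store, confirms the certificate has a private key and has not expired, resolves the Users group by its well-known SID so the localized-name footnote is handled automatically, and prints the two netsh commands with the real thumbprint and a freshly generated appid. `api.example.com` and port 10001 are placeholders for your own host name and port.

```powershell
# Added example: build the urlacl/sslcert commands for a Kestrel app from the LocalMachine store.
$HostName = 'api.example.com'   # placeholder: your subdomain
$Port     = 10001               # placeholder: the port you reserved

# Only LocalMachine\My is searched on purpose: a certificate imported into CurrentUser\My is
# invisible to HTTP.SYS and to a service account, which is a common cause of
# "SSL certificate could not be located".
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No certificate with a private key for $HostName in Cert:\LocalMachine\My" }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)" }

# Resolve BUILTIN\Users by SID so the command works on a non-English Windows (footnote (*) above).
$usersGroup = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-545').Translate([System.Security.Principal.NTAccount]).Value

# A stable appid lets you find and delete your own binding later; generate it once and keep it.
$AppId = [guid]::NewGuid().ToString('B')   # 'B' format yields the braces netsh expects

$commands = @(
    "netsh.exe http add urlacl url=https://+:$Port/ user=`"$usersGroup`"",
    "netsh.exe http add sslcert ipport=0.0.0.0:$Port certhash=$($cert.Thumbprint) appid=$AppId"
)
Write-Host "Run these from an elevated prompt:"
$commands | ForEach-Object { Write-Host "  $_" }

# Show whatever is already bound on the port so a stale or conflicting binding is obvious.
netsh.exe http show sslcert ipport=0.0.0.0:$Port
```

The script deliberately prints the commands instead of executing them so you can review the thumbprint and appid first; if `show sslcert` already lists a binding on the port with a different certhash, remove it with `netsh http delete sslcert ipport=0.0.0.0:10001` before adding the new one.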

DSM7: Secure connection to Synology NAS in LAN (no letsencrypt)

I know from this page that there should be a way to use self-signed certificates in my LAN in order to establish encrypted connections between my computers and my local Synology NAS.
In essence it says:
It has two prerequisites:
Your Diskstation must have a fixed IP address on your LAN. You must be able to add or assign certificates to devices you want to approve your SSL. If you can satisfy those conditions, proceed with the following steps:
In DSM 6.0 -> Control Panel -> Security -> Certificate
Click “Add” to start the process and choose “Create self-signed certificate”
First you create a Certificate Authority (CA) which is the master key that will sign the site usable SSL.
However, in my case (DSM 7.0-41890) I cannot see any option saying "Create self-signed certificate".
Does anybody know how to do this with DSM 7?
I don't need 100% security, I just want the communication between devices in my network to be encrypted. I don't want any malicious program in my network to be able to see passwords in clear text by just monitoring network traffic...
There should be a subsection called "Add a new certificate", in which you can create a new self-signed certificate. A friend told me about this; I wasn't able to check it myself, so I apologize in advance in case it does not work.
I think they removed this possibility in DSM 7; it was in 6.

ASP.Net Core API won't work using SSL browser throws ERR_CONNECTION_RESET

I'm building an API in Visual Studio using ASP.NET Core Web Application, but since a couple of days ago it doesn't work anymore. When I run the API from Visual Studio using IIS Express I get an error in the browser: "ERR_CONNECTION_RESET".
The application does work when I disable SSL, but it should (and before did) work with SSL enabled.
Things I've tried:
Change port (within the correct range)
Delete localhost certificate and repair Visual Studio, prompting the creation of a new SSL certificate
Deleted the .VS file and restarted VS in administrator mode
Delete applicationhost.config and restarted VS in administrator mode
Created a fresh application with the working pre-built WeatherAPI, but that has the same problem as well
Ran SSL Diagnostics using Jexus and got the following
System Time: 18/06/2020 14:40:58
Processor Architecture: AMD64
OS: Microsoft Windows NT 10.0.18363.0
Server Type: IIS Express
SERVER SSL PROTOCOLS
PCT 1.0:
PCT 1.0 is not secure. OS default is used. You might explicitly disable it via registry.
SSL 2.0:
SSL 2.0 is not secure. OS default is used. You might explicitly disable it via registry.
SSL 3.0:
SSL 3.0 is not secure. OS default is used. You might explicitly disable it via registry.
TLS 1.0:
TLS 1.0 is not secure. OS default is used. You might explicitly disable it via registry.
TLS 1.1:
TLS 1.1 is not secure. OS default is used. You might explicitly disable it via registry.
TLS 1.2:
SChannel EventLogging: 1 (hex)
To tune TLS related settings, please follow https://support.microsoft.com/en-us/kb/187498 or try out IIS Crypto from https://www.nartac.com/Products/IISCrypto/.
Microsoft documentation on cipher suites can be found at https://learn.microsoft.com/en-us/windows/desktop/secauthn/cipher-suites-in-schannel.
-----
[W3SVC/1]
ServerComment : WebSite1
ServerAutoStart: True
ServerState : Stopped
BINDING: http *:8080:localhost
For what it's worth, I've also checked for the subkeys through Regedit, but couldn't find the subkeys inside HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
I am completely at a loss what it could be
Edit: Tried it on another PC, on which it seems to work properly
According to the binding configuration from the report, there is no https binding in your project.
BINDING: http *:8080:localhost
Please ensure you checked the option of configuring HTTPS binding while creating the AspDotNET CoreAPI project.
This will add additional code snippets to Startup.cs file.
//Adding middlewares for redirecting HTTP request to HTTPS
app.UseHttpsRedirection();
And additional HTTPS binding configuration in launchSettings.json file.
Besides, most browsers are starting to support TLS 1.2 only; please ensure that TLS 1.2 is not disabled.
Feel free to let me know if the problem still exists.
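The diagnostic line `BINDING: http *:8080:localhost` is what Visual Studio produces when the "Configure for HTTPS" option was left unchecked: `iisSettings.iisExpress.sslPort` stays 0 and no `https://` URL appears in the profile. The function below is an added example (not from the answer) that parses a project's launchSettings.json and reports, per profile, whether an HTTPS binding is present. The JSON is a constructed sample in the shape Visual Studio generates; point `$Json` at your own `Properties\launchSettings.json` to check a real project.

```powershell
# Added example: report whether each launch profile carries an HTTPS binding.
# Constructed sample launchSettings.json: IIS Express without HTTPS, Kestrel profile with it.
$sampleJson = @'
{
  "iisSettings": {
    "iisExpress": { "applicationUrl": "http://localhost:8080", "sslPort": 0 }
  },
  "profiles": {
    "IIS Express": { "commandName": "IISExpress", "launchBrowser": true },
    "WebSite1":    { "commandName": "Project", "applicationUrl": "https://localhost:5001;http://localhost:5000" }
  }
}
'@

function Test-LaunchSettingsHttps {
    param([Parameter(Mandatory)][string]$Json)
    $cfg = $Json | ConvertFrom-Json
    $findings = @()

    $iis = $cfg.iisSettings.iisExpress
    if ($iis) {
        # Visual Studio writes sslPort = 0 when "Configure for HTTPS" was not selected.
        $findings += [pscustomobject]@{
            Profile = 'IIS Express'
            Https   = ($iis.sslPort -gt 0)
            Detail  = "sslPort=$($iis.sslPort); applicationUrl=$($iis.applicationUrl)"
        }
    }

    # Kestrel ("Project") profiles list their URLs directly; look for an https:// entry.
    foreach ($prop in $cfg.profiles.PSObject.Properties) {
        if ($prop.Value.commandName -ne 'Project') { continue }
        $urls = @($prop.Value.applicationUrl -split ';' | Where-Object { $_ })
        $findings += [pscustomobject]@{
            Profile = $prop.Name
            Https   = [bool]($urls | Where-Object { $_ -like 'https://*' })
            Detail  = ($urls -join ', ')
        }
    }
    $findings
}

# With the sample above: 'IIS Express' reports Https = False, 'WebSite1' reports Https = True.
Test-LaunchSettingsHttps -Json $sampleJson | Format-Table -AutoSize

# For a real project:
# Test-LaunchSettingsHttps -Json (Get-Content .\Properties\launchSettings.json -Raw)
```

A profile that reports `Https = False` is the one to fix: re-create the project with HTTPS enabled, or set a non-zero `sslPort` and add an `https://` applicationUrl, then let IIS Express regenerate its binding.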

How to configure active directory running on Virtual machine

I have active directory installed on a Virtual Machine having OS Win Server 2012.
Now I want to configure it so that users can access it.
My IP Add is: 103.31.80.54
Subnet Mask: 255.255.255.252
GW: 103.31.80.53
What to do??
Follow the below mentioned steps from the Server Manager on Windows 2012 Server:
Open the Notifications Pane by selecting the Notifications icon from the top of the Server Manager. From the notification regarding configuring AD DS click Promote this server to a domain controller.
From the Deployment Configuration tab select Add a new forest from the radial options menu. Insert your root domain name into the Root domain name field. [i.e. yourdomain.com]
Review and select a Domain and Forest functional level. Once selected fill in a DSRM password in the provided password fields. The DSRM password is used when booting the Domain Controller into recovery mode.
Review the warning on the DNS Options tab and select Next.
Confirm or enter a NetBIOS name and click Next.
Configure the location of the SYSVOL, Log files, and Database folders and click Next.
Review the configuration options and click Next.
The system will check to ensure all necessary prerequisites are installed on the system prior to moving forward. If the system passes these checks you will proceed by clicking Install. [The server will automatically be rebooted once the installation completes]
Once the server is done rebooting reconnect via RDP. Congratulations on successfully installing and configuring Active Directory Domain Services on Windows Server 2012.
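The same promotion can be done from PowerShell with the ADDSDeployment module that ships with Windows Server 2012, which is useful when the VM is reachable only over a remote session. The script below is an added example (not from the answer) that mirrors the wizard's steps: install the role, choose forest and domain functional levels, set the SYSVOL/log/database paths, prompt for the DSRM password rather than embedding it, run the same prerequisite check the wizard performs as a dry run, and only then promote. `yourdomain.com` and `YOURDOMAIN` are the answer's placeholders.

```powershell
# Added example: promote a Windows Server 2012 VM to the first DC of a new forest from PowerShell.
Import-Module ServerManager
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
# The DSRM password unlocks the DC in Directory Services Restore Mode; keep it out of scripts.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'

$params = @{
    DomainName                    = 'yourdomain.com'   # placeholder from the answer
    DomainNetbiosName             = 'YOURDOMAIN'       # placeholder; 15 characters max
    ForestMode                    = 'Win2012'          # forest functional level
    DomainMode                    = 'Win2012'          # domain functional level
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    InstallDns                    = $true              # the wizard's DNS Options step
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true              # no confirmation prompt; server reboots on completion
}

# Dry run: the same prerequisite checks the wizard runs before Install, with no changes made.
$check = Test-ADDSForestInstallation @params
$check | Format-List Status, Message
if ($check.Status -ne 'Success') {
    throw 'Prerequisite check failed; fix the reported items before promoting.'
}

Install-ADDSForest @params
# After the automatic reboot, reconnect via RDP and sign in as YOURDOMAIN\Administrator.
```

Run this in an elevated session on the VM itself; after the reboot `Get-ADDomainController` and `dcdiag` confirm the promotion succeeded.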

lightswitch search fails when deployed to IIS behind ISA Server

We have successfully deployed a LightSwitch app in a web server IIS 7. The app works perfectly when accessed via the internal IP (http://servername), but when it is done via the external IP (https://www.example.com), the queries don't work. It does fetch ALL data but if something is entered in search fields the query fails, it shows data fields with a red X.
Fiddler shows the following info:
Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter. Contact the server administrator. (12217)
And the screen looks like this:
Any suggestion on how to trace this problem would be greatly appreciated.
I found the problem was caused by the ISA server blocking high-bit characters. When you configure HTTP filtering to block high-bit characters, URLs that contain characters from a double-byte character set (DBCS) or URLs that contain Latin 1 characters are blocked.
The solution:
Configure the Web publishing rule so that it does not block high-bit characters. To do this, follow these steps:
1. Start the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Management tool.
2. Expand ServerName, where ServerName is the name of your ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer.
3. Click Firewall Policy, click the Web publishing rule that you created to publish the Exchange Server computer for access by OWA users, and then click Edit Selected Rule.
4. Click the Traffic tab, click Filtering, and then click Configure HTTP.
5. Click to clear the Block high-bit characters check box, and then click OK two times.
6. Click Apply to update the firewall policy, and then click OK.
