I'm trying to enable TLS 1.2 with GPO. I would like to know if it needs a gpupdate then reboot per computer for it to take effect. Thank you.
I cannot test this as our test servers do not have TLS 1.0 traffic, only production.
I'm now researching the Hashistack and trying to deploy a pet microservice-based project on it. I deployed Nomad and Consul clusters with Ansible roles on bare metal nodes:
https://github.com/ansible-community/ansible-consul.git (v2.5.4)
https://github.com/ansible-community/ansible-nomad.git (v1.9.6)
The Nomad and Consul servers are placed on the same nodes.
I do not use Vault. I created a separate private CA, generated TLS certificates and private keys for these services, and configured the Nomad and Consul servers and clients to use them.
My goal is to set up a production-ready Hashistack cluster, so I want to set up full TLS for both services.
I successfully connected to both UIs via HTTP, but when I try HTTPS, I get the SSL_ERROR_BAD_CERT_ALERT error.
I'd appreciate it if you could suggest best practices for operating the Hashistack in production, and what steps are required for it.
Thank you!
I'm a bit late to respond, but came across the same error. Figured I'd leave my solution in case future readers find it helpful...
For me, the issue came down to the verify_https_client flag in my Nomad tls config block. Since Nomad is configured for mutual TLS, all clients (including web browsers) need to provide a client certificate signed by the same CA used by Nomad in order to connect. You'll need to generate/sign that certificate, and look up how to configure your browser to automatically provide it when needed.
For production use, that's the safest route. For a dev environment, you can just set that verify_https_client config to false in your Nomad config.
Here's a link to the Nomad docs for this flag: https://www.nomadproject.io/docs/configuration/tls#verify_https_client
First, you need to generate a client certificate for your web browser.
Then convert it to PKCS12 format:
    openssl pkcs12 -export -inkey ./nomad-cli.key -in ./nomad-cli.pem -out ./nomad-cli.p12
Let's say you are using Chrome:
Go to chrome://settings/certificates?search=certificate and import the converted certificate nomad-cli.p12.
I've found the answer for the same case.
When a Nomad cluster is deployed with mTLS, you need to deploy the CLI keys to each server node, or at least to the node to which you are configuring the connection.
The CLI keys are generated following the instructions at https://learn.hashicorp.com/tutorials/nomad/security-enable-tls#nomad-ca-key-pem
and nginx is configured following the instructions at https://learn.hashicorp.com/tutorials/nomad/reverse-proxy-ui?in=nomad/manage-clusters
However, this manual does not contain a description of configuring mTLS.
You need to add the following parameters in location /:
    location / {
        # ...
        proxy_pass https://127.0.0.1:4646;
        # client certificate and key that nginx presents to Nomad (mTLS)
        proxy_ssl_certificate /etc/nomad.d/cli.pem;
        proxy_ssl_certificate_key /etc/nomad.d/cli-key.pem;
        proxy_ssl_verify off;
        # ...
    }
In this case nginx can establish an encrypted TLS connection to the Nomad HTTP port.
Also, don't forget to enable HTTP basic auth at least.
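The `proxy_ssl_verify off` line above means nginx accepts any certificate the upstream presents, so a host that can answer on 127.0.0.1:4646 could impersonate Nomad to the proxy. The following is an added example (not from the answer above or from the HashiCorp tutorials) of the same location block with upstream verification turned on; the CA path `/etc/nomad.d/nomad-ca.pem`, the htpasswd path, and the region name `global` are assumptions to adjust for your cluster.

```nginx
# Hardened version of the location block above (added example).
# Paths other than cli.pem / cli-key.pem are assumed.
location / {
    proxy_pass https://127.0.0.1:4646;

    # Client certificate nginx presents to Nomad for mutual TLS
    # (the same CLI key pair as in the answer above).
    proxy_ssl_certificate     /etc/nomad.d/cli.pem;
    proxy_ssl_certificate_key /etc/nomad.d/cli-key.pem;

    # Instead of `proxy_ssl_verify off`, verify the Nomad server
    # certificate against the private CA that issued it (path assumed).
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /etc/nomad.d/nomad-ca.pem;

    # Nomad server certificates are issued for server.<region>.nomad,
    # not for 127.0.0.1, so tell nginx which name to verify and to send
    # it via SNI. "global" is Nomad's default region (assumed here).
    proxy_ssl_name        server.global.nomad;
    proxy_ssl_server_name on;

    # Only modern TLS versions towards the upstream.
    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    # HTTP basic auth in front of the UI, as the answer recommends
    # (htpasswd file path assumed).
    auth_basic           "Nomad UI";
    auth_basic_user_file /etc/nginx/nomad.htpasswd;

    # The Nomad UI uses websockets and long-running blocking queries
    # (up to 5 minutes), so allow upgrades and a long read timeout.
    proxy_http_version 1.1;
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 310s;
}
```

Run `nginx -t` after the change; a failing upstream handshake will then show up as a 502 in the nginx error log instead of silently succeeding against an unverified certificate.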
I'm trying to use Fiddler version 5.0.20202.18177 (latest as of writing) to determine the URLs used by various online / web installers.
This works fine in most cases. For example, with SpotifySetup.exe:
However, this does not work in some cases. For example, with DropboxInstaller.exe and bitdefender_online.exe:
I have ensured that:
HTTPS decryption is set up for all processes:
All types of connections are being captured:
Windows' proxies are set as expected.
All Windows 10 AppContainer Loopback exemptions are in place:
Running Fiddler as administrator doesn't make a difference.
I would have guessed that the executables simply aren't utilising the proxy but, as far as I'm aware, if the proxy is set at the Windows level then they can't override that?
A program can use the proxy defined in the Windows Internet settings, but it can also ignore those settings and connect directly to the Internet.
The proxy settings are only used automatically by programs that use an HTTP client provided by Microsoft (e.g. WinHTTP for C/C++ or a .NET HTTP client implementation).
All other programs that use their own HTTP client can query the Windows proxy settings and apply them, but this is optional. From a Windows perspective those programs just open TCP connections; what protocol is used on the connection is unknown to Windows, hence Windows could not enforce that a proxy is used even if it tried to do so.
By default even programs that come with Windows, like the command-line tool curl, ignore the Windows proxy settings.
Dropbox, for example, has its own proxy settings within the Dropbox client. There you have to configure Fiddler as the proxy.
Bitdefender also seems to have its own proxy settings where you have to configure Fiddler.
After my discussion with Robert, I ended up abandoning Fiddler. I set up a VirtualBox VM running pfSense Community Edition (free) + Squid3 with HTTPS interception and access logging, installed pfSense's root CA certificate in my test Windows VM, and changed my test Windows VM's default gateway to the LAN IP address of the pfSense, which worked.
In the case of the Dropbox example, it was initially logging TCP_TUNNEL_ABORTED/200 client.dropbox.com:443, so I added client.dropbox.com to the whitelist in the ACLs; then it worked and I could see the full EXE URL:
I recently learnt that TLS negotiation is done by Windows Server. But in IIS we can bind an SSL certificate for a specific domain. Doesn't that mean IIS takes care of TLS offloading? Is this true even when we configure IIS as a reverse proxy?
Thanks in advance.
I'm working on an installation module (C#) for a distributed system.
One of the requirements is being able to setup one of the servers as an NTP server (windows time service).
I've followed several MS articles, for example: this one
but it seems that each one also requires configuring the NTP client settings (for example changing the server type from Nt5DS to NTP).
Any idea of how to keep a server's existing NTP client settings untouched while setting it as NTP server?
Thanks,
After investigating this issue for a while, looks like that's impossible.
After reading this post, I understand that the same registry key is used for both the NTP client and server protocols, meaning that if the same machine needs to be both a client and a server, but the client should work with, let's say, NT5DS while the server's protocol is obviously NTP, then it can't work.
I will be building server/client software on Windows, where many machines need to communicate with a PostgreSQL database running on the server. This is C++ software, so I will use libpq to connect to the database.
If I do this, will there be issues with the firewall? I'd like to make configuration as easy as possible and not have users open up firewall ports or disable their firewall.
If I do need to open up firewall ports, can I use WCF to get around the issue? Basically, send a command to the server using WCF, run the PostgreSQL command locally, and get the result back (I have never used WCF but understand that it can communicate using HTTP port 80).
PostgreSQL typically listens on port 5432, which is not open by default in the Windows firewall. But the only machine where the firewall would need to be re-configured is the one where PostgreSQL is running. If you have many client machines, none of them should require firewall changes (unless they have restrictions on outbound traffic, which is rare).
Hope this helps.
You can also configure SSL connections to ensure better security.