javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12] - datagrip

I upgraded DataGrip to 2021.1.2, and now when I run any query I get this response
javax.net.ssl.SSLHandshakeException: The server selected protocol
version TLS10 is not accepted by client preferences [TLS13, TLS12]
How to resolve this?

If you are trying to connect to Microsoft SQL Server, then use the driver
Microsoft SQL Server (jTds)
Note: click on the driver option

You need to do the following:
1: Create a new file (anywhere) with the name custom.java.security
2: Put the following content in the file
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
3: Open DataGrip -> in your database panel -> select the database you want -> right click -> select Properties -> go to the Advanced tab
4: In the VM Options field write the following
-Djava.security.properties=${PATH_TO_FILE}/custom.java.security
You need to replace ${PATH_TO_FILE} with the folder path of the file that you created in step 1
Don't forget to use \\ instead of a single \ in the path if you use Windows
5: Go to the File menu -> select Invalidate Caches... -> click Invalidate And Restart
Credit : https://youtrack.jetbrains.com/issue/DBE-13313

The other suggestions did not work for my IntelliJ.
What did the trick for me (while connecting to a MySQL Aurora db) was picking/downloading the "MySQL for 5.1" drivers instead of the default MySQL drivers that IntelliJ selected for me.

No need to create a file as in the accepted answer.
When the error prompts, just open "Data Sources and Drivers":
The original text in "VM options":
"-Djdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves"
So just remove TLSv1, TLSv1.1, then apply and reconnect; it will work.

Try adding TLSv1.1,TLSv1.2,TLSv1.3 to the enabledTLSProtocols setting in the Advanced tab like this:
DataGrip Project Preferences
Updating the TLS Protocol on server side should be preferred though.

Find the java.security file on your computer and edit it with any text editor, for example Notepad++.
Find the text jdk.tls.disabledAlgorithms, remove the TLS 1.1 and TLS 1.2 protocols and save the file with the changes
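
An added example, not from any of the answers above: a small Python audit that reads an override file like the custom.java.security from the first answer, or a VM-option value like the one quoted in a later answer, and reports which protocol versions it re-enables relative to the stock list quoted in the thread. The function names and the simplified properties reader (only `=` separators) are assumptions of this example.

```python
# Added example: audit what a jdk.tls.disabledAlgorithms override re-enables.
# Stock value as quoted in the thread ("original text" in VM options).
BASELINE = ("SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, "
            "EC keySize < 224, 3DES_EDE_CBC, anon, NULL, "
            "include jdk.disabled.namedCurves")

# custom.java.security content from the first answer; the comment line is constructed.
OVERRIDE_FILE = r"""
# constructed comment, skipped by the reader
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""

PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def parse_properties(text):
    """Simplified java.util.Properties reader (assumption: '=' separators only)."""
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:      # trailing "" flushes a dangling line
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes continues the logical line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props


def protocols_in(value):
    """Protocol names present in a comma-separated disabledAlgorithms value."""
    return {e.strip() for e in value.split(",")} & PROTOCOLS


def reenabled(override_value, baseline=BASELINE):
    """Protocols the baseline disables that the override no longer disables."""
    return sorted(protocols_in(baseline) - protocols_in(override_value))


def audit_file(text):
    """Re-enabled protocols for a properties file, or [] if it has no override."""
    value = parse_properties(text).get("jdk.tls.disabledAlgorithms")
    return [] if value is None else reenabled(value)


if __name__ == "__main__":
    print(audit_file(OVERRIDE_FILE))          # protocols the override file re-enables
```

Running it against each data source's override gives a list of connections still depending on a legacy protocol, which is the list to work through when the servers are upgraded.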


Secure Buffalo Linkstation LS-WXL WebAccess with Let's Encrypt

Hi,
I've a Buffalo Linkstation LS-WXL and want to secure my WebAccess with an SSL certificate from Let's Encrypt.
I've already found the pre-installed openssl program in the directory /usr/local/ssl/bin and created a Let's Encrypt certificate with the help of openssl and https://gethttpsforfree.com, but here's my problem: I don't know how I should create the certificate files out of these three created blocks and my domain.key file. Further, I don't know where I should embed these files on the NAS.
My WebAccess Settings:
WebAccess-Service -> enabled
HTTPS/SSL-encryption -> disabled
Use BuffaloNAS.com -> disabled
DNS-Hostname -> xxx.xxx.xx
Configure firewall (UPnP) automatically -> disabled
External port -> 9000
Internal port -> 9000
Exclusive session -> disabled
Session expiry time (in min.) -> unlimited
WebAccess-URL -> https://xxx.xxx.xx:9000
Can someone help me with my problem?
Linkstation LS-WXL
1.75

Add certificate to certdata.txt and build firefox with them

I have to add some certificates to Firefox before building it, then test it with these certificates. I know that certificates are hardcoded into certdata.txt, in this location:
mozilla-source\mozilla-central\security\nss\lib\ckfw\builtins
I've tried to add certificates to certdata.txt using addbuiltin from nss-tools, but after building it I get errors.
The compiler shows these errors when reading certdata.txt:
0:49.23 c:/mozilla-source/mozilla-central/obj-x86_64-pc-mingw32/security/nss/lib/ckfw/builtins/builtins_nssckbi/certdata.c(20983,1): warning: missing terminating '"' character [-Winvalid-pp-token]
0:49.23 "\152\270\202\165\004\122\100\146\207\136\301\151\270\325\275\134
Actually it's pretty easy to do.
First you need NSS and NSPR, because the NSS that is built into the Mozilla installer does not have the addbuiltin function that we need.
Download NSS for windows
Download Nspr for windows
Second step
unpack both of these files.
Then copy the contents of the NSPR /lib folder to the NSS /bin folder
Copy your certificate and certutil.txt to the NSS /bin folder.
Note: Your certificate should be in .der format!
Third step
Run the command below:
addbuiltin -n "My certificate name" -t "CT,C,C" < CAcert.der >> certdata.txt
My certificate name - The name of the certificate that will be added to the certutil.txt.
CT,C,C - Is the trusted properties of the certificate.
CAcert.der - Certificate itself.
certdata.txt - Certificates containing file.
But before copying certutil.txt back to the source code you have to do one more thing.
Open certutil.txt in Notepad++ and turn on hidden characters via Menu View → Show Symbol → Show All Characters. Then change \r\n to \n.
And you're done!
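
An added example, not part of the answer above: a Python check that can be run on certdata.txt before copying it back into the source tree. It reports CRLF line endings and malformed `MULTILINE_OCTAL` blocks, then normalizes the endings as the last step describes. The function names and the sample bytes are constructed for this example.

```python
import re

# One or more three-digit octal escapes, e.g. \152\270\202
OCTAL_LINE = re.compile(rb"(?:\\[0-7]{3})+")

# Constructed sample: an LF-terminated entry followed by an appended entry
# with CRLF endings (the condition the answer's last step removes).
SAMPLE = (
    b'CKA_LABEL UTF8 "Existing CA"\n'
    b"CKA_VALUE MULTILINE_OCTAL\n"
    b"\\060\\202\\001\\012\n"
    b"END\n"
    b'CKA_LABEL UTF8 "My certificate name"\r\n'
    b"CKA_VALUE MULTILINE_OCTAL\r\n"
    b"\\152\\270\\202\\165\r\n"
    b"END\r\n"
)


def lint_certdata(data: bytes):
    """Return (line_number, problem) pairs for CRLF endings and bad octal blocks."""
    problems, in_block, no = [], False, 0
    for no, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            problems.append((no, "CRLF line ending"))
            line = line[:-1]
        if in_block:
            if line == b"END":
                in_block = False
            elif not OCTAL_LINE.fullmatch(line):
                problems.append((no, "non-octal data inside MULTILINE_OCTAL"))
        elif line.endswith(b"MULTILINE_OCTAL"):
            in_block = True
    if in_block:
        problems.append((no, "MULTILINE_OCTAL block without END"))
    return problems


def normalize_newlines(data: bytes) -> bytes:
    """Convert CRLF to LF without touching any other byte."""
    return data.replace(b"\r\n", b"\n")


if __name__ == "__main__":
    for no, problem in lint_certdata(SAMPLE):
        print(f"line {no}: {problem}")
    print("after normalizing:", lint_certdata(normalize_newlines(SAMPLE)))
```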

windows - Why firefox only trust certificate which certutil install?

I have recently been researching certificates in Windows.
I tried two different ways to install a certificate:
1. Use certutil command to install. ex: certutil -addstore -f "ROOT" rootCA.pem
2. Use Microsoft api to install.
certStore = CertOpenSystemStore(NULL, "ROOT")
CertAddEncodedCertificateToStore(
certStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
rootCACert,
len(rootCACert),
CERT_STORE_ADD_REPLACE_EXISTING,
NULL
)
After installing, I used certmgr.msc to check that it succeeded.
And Firefox's security.enterprise_roots.enabled is set to True.
But I found a strange situation.
Firefox only trusts the certificate that certutil installed.
Can somebody tell me why?
Thanks in advance!
According to the Mozilla Wiki, there are differences between versions:
As of version 49, ... Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE)
and
As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).
So it would be nice to know what version you use.
To answer your question: As the flags of the stores searched are named in the wiki, it seems you are using the wrong store in your API solution. Have a look at the function CertOpenStore instead of CertOpenSystemStore. This allows you to pass e.g. CERT_SYSTEM_STORE_LOCAL_MACHINE as dwFlags to open the store Mozilla searches.

Wireless 802.1x : configure tls, peap and ttls out of the box with FreeRadius 3.0.8 on a Mac Yosemite

I'm looking for a quick, easy way to bring up my testbed. No need to worry about default settings because this is just for testing. I just need to get 802.1x working in 3 modes (PEAP, TTLS and TLS) on my MacBookPro. My setup is quite simple, with an Airport 11ac and a Mac Mini on Yosemite 10.10.3 that I will use to install FreeRadius. The client is a MacBookPro that will be authenticated against the network. Thanks.
Here is what I've got from:
http://wiki.freeradius.org/building/Build
and
kb.meraki.com/knowledge_base/freeradius-configure-freeradius-to-work-with-eap-tls-authentication
1) Install talloc and FreeRadius
curl -LO www.samba.org/ftp/talloc/talloc-2.1.0.tar.gz
tar zxvf talloc-2.1.0.tar.gz
cd talloc-2.1.0
./configure --without-gettext
make
sudo make install
cd ../
curl -LO ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.8.tar.gz
tar zxvf freeradius-server-3.0.8.tar.gz
cd freeradius-server-3.0.8
./configure --enable-developer
make
sudo make install
NOTE: while installing free radius, notice that toward the end, bootstrap is being called. That's when your certificate is being generated.
2) Edit /usr/local/etc/raddb/users with:
user Cleartext-Password := "whatever"
    Reply-Message := "whatever"
bob Cleartext-Password := "hello"
    Reply-Message := "Hello, %{User-Name}"
3) Edit /usr/local/etc/raddb/mods-enabled/eap:
default_eap_type = md5 change to default_eap_type = tls
private_key_file = ${certdir}/server.pem change to server.key
4) Edit clients.conf with your Airport Extreme's ip
client ExtremeAnger {
    ipaddr = 192.168.5.1
    secret = wireless
}
5) Start FreeRadius on MacMini with
sudo /usr/local/sbin/radiusd -X
6) Copy ca.der and client.p12 to MacBookPro
7) Go to the MacBookPro and install the Apple Configurator app from the App Store
8) Under the 'Supervise' menu, click the plus (+) sign and create a new profile
a. Fill out General tab with the name of the cert,
b. go to WiFi tab, enter ssid and security type (tls),
c. go to Identity Certificate and load the client.p12 file,
d. go to Certificates tab and load the ca.der file
e. go back to WiFi tab, Trust menu, check box the Example Certificate Authority that appears after you are done with step d.
9) Save and go back to the main menu of Apple Configurator, click the export arrow button and SaveAs a profile; you will get an abc.mobileconfig file
10) Double click on this profile on the MacBookPro and try to authenticate to your Airport Extreme's 802.1x network ssid.
11) Pray that it will work on the first try; if not, read the logs that come out on the screen of your MacMini's Radius -X window
12) Create another profile for PEAP and TTLS from Apple Configurator App.
Make sure you use the username bob and pw hello as configured above (if you haven't figured it out yet, username 'user' and pw 'whatever' is used for tls mode)
Thanks for reading

Windows 8 driver install and catalog/signature validation

I can't get Windows 8 (release preview) to accept either the inf2cat or makecat approach described as solutions to the question at
What changed in the driver signature requirements for Windows 8?
unless I disable validation.
I am not signing these with any certificates at this point, just trying to get past the errors preventing the drivers from installing at all.
Windows 8 gives me a very nondescript error:
"A problem was encountered while attempting to add the driver to the store."
Looking in the event logs, there is nothing of use; only an informational entry from "Windows Error Reporting" indicating a PnPdriverimporterror.
When I use my original files with the cab files that don't match the inf, I get the error everyone else is listing:
The hash for the file is not present in the specified catalog file.
I have one .inf file that I need to generate a .cat for.
Perhaps I am doing something wrong. Ideas??
INF2CAT Approach
c:\win_xp_vista32_64>inf2cat /driver:"." /os:XP_X86,XP_x64,Vista_X86,Vista_x64,7_X86,7_X64,8_X86,8_X64
.......................
Signability test complete.
Errors:
None
Warnings:
22.9.10: usbser.sys in [drivercopyfiles.nt] is missing from [SourceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version].
22.9.10: %driverfilename%.sys in [drivercopyfiles.ntamd64] is missing from [SourceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version].
Catalog generation complete.
c:\win_xp_vista32_64\mchpcdc.cat
MAKECAT approach
--- start of catalog.cdf file---
[CatalogHeader]
Name=mchpcdc.cat
ResultDir=.\
[CatalogFiles]
<hash>mchpcdc=.\mchpcdc.inf
---end of .cdf file ---
c:\win_xp_vista32_64>makecat catalog.cdf
These same files, w/ the cat from either approach install just fine in Windows 7.
I think this problem is to do with "windows driver signing enforcement". You can resolve this by disabling this option. Go through with below link:
http://tivadj-tech.blogspot.in/2012/09/certificate-check-error-when-installing.html
I just tested this on Windows 10 and 8 PRO now, to get this right, follow these steps:
1) From your Start menu, locate your DDK's "x64 Checked Build Environment" i.e. the custom DOS build screen. Right-click, run-as administrator...
2) Compile your source with the Build tools etc.
3) Go into your compiled code, and then create your test-certificate (you don't need to purchase one just yet, use your self-signed one created with the line below):
makecert -r -pe -ss PrivateCertStore -n CN=newhex.com(Test) NewhexTest.cer
The above means your certificate is called "newhex.com(Test)" and the generated file is "NewhexTest.cer"
4) Create / edit your .CDF file, which contains items describing your CAT file's contents.
5) Create your CAT file by executing:
makecat -v MyCDF.CDF
This should generate an un-signed CAT file that includes all files specified by your CDF.
6) Sign your CAT file as follows:
Signtool sign /v /s PrivateCertStore /n newhex.com(test) /t http://timestamp.verisign.com/scripts/timestamp.dll MyDriverWhatever.cat
This should result in a CAT file that is signed, but don't just install it, because your Windows can't trust Newhex's cert since it's not in the keystore, to fix this do:
7) Add your certificate to your private Key Store. Remember, this step MUST be done with administrator access, otherwise you will get an error (Keystore not found, etc.):
certmgr.exe -add NewhexTest.cer -s -r localMachine root
This should add into your keystore, Once done, you can then:
8) Go into your device manager, and add your new driver, you would get a warning but will be accepted and installed without the need to reboot with a forced (Don't check cert type account).
I tried this already and it works on Windows 10 and Windows 8 pro versions.
Kind Regards
Heider Sati
You are supposed to use inf2cat, not makecat, because you have an INF file.
You should work on addressing those warnings from inf2cat by fixing your INF file. Here is my INF file that uses usbser.sys and doesn't cause any warnings: https://gist.github.com/3647208
I was able to fix my INF file thanks to the advice from chinzei in the first post of this thread: http://www.microchip.com/forums/m488342-print.aspx
If you continue to have trouble, please edit your question to include the source of your INF file, or at least a link to the source.
I encountered the same problem and was able to install my driver with a TEST certificate using the instructions provided here:
http://msdn.microsoft.com/en-us/windows/hardware/gg487328.aspx
