Oplon LBL ADC - Browser reporting NS_ERROR_NET_INADEQUATE_SECURITY with HTTP2 - http2

Today, when connecting to our site through the browser, we got this problem reported: NS_ERROR_NET_INADEQUATE_SECURITY.
Does anybody know what the problem is?

No problem, you can set TLS protocols and Ciphersuites to obtain Perfect Forward Security (PFS) and your site
You can set them for all ADC listeners or for a specific listener and your site will work again.
Protocols:
TLSv1.2 TLSv1.3
cipherSuites:
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
After setting them, try with all updated browsers and check your PFS security score with www.ssllabs.com. I suggest you check your score at regular intervals so that you can adjust the security of your site.
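The rule behind this error, as an added example (not code from the original answer or from Oplon): RFC 7540 section 9.2.2 lets an HTTP/2 client refuse a TLS 1.2 connection whose negotiated suite lacks an ephemeral key exchange or an AEAD cipher, which Firefox reports as NS_ERROR_NET_INADEQUATE_SECURITY. The check is a name-based heuristic, `http2_problems` and `audit` are hypothetical names, and the two suite lists are copied from this page.

```python
# Name-based check of IANA cipher-suite names against the HTTP/2 rule in
# RFC 7540 section 9.2.2 / Appendix A: ephemeral key exchange + AEAD cipher.
# Added illustration; function and variable names are hypothetical.

EPHEMERAL_KEX = {"ECDHE", "DHE"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")

def http2_problems(suite):
    """Return the reasons an HTTP/2 client may refuse this suite ([] = fine)."""
    if "_WITH_" not in suite:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) name no key exchange:
        # TLS 1.3 key exchange is always ephemeral and its suites are AEAD only.
        return []
    name = suite[4:] if suite.startswith("TLS_") else suite
    kex, cipher = name.split("_WITH_", 1)
    problems = []
    if kex.split("_")[0] not in EPHEMERAL_KEX:
        problems.append("key exchange is not ephemeral (no forward secrecy)")
    if not any(marker in cipher for marker in AEAD_MARKERS):
        problems.append("cipher is not AEAD (stream or CBC block cipher)")
    return problems

def audit(suites):
    """Map each refused suite to its reasons; acceptable suites are omitted."""
    checked = ((s, http2_problems(s)) for s in suites)
    return {s: p for s, p in checked if p}

# Suites recommended in the answer above (copied from this page).
RECOMMENDED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Suites from the SSL Labs report quoted in the Twilio question on this page.
SSLLABS_FLAGGED = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]

if __name__ == "__main__":
    for s in RECOMMENDED + SSLLABS_FLAGGED:
        print(s, "->", "; ".join(http2_problems(s)) or "ok for HTTP/2")
```

A listener that offers only suites for which `http2_problems` returns an empty list cannot negotiate a suite that HTTP/2 clients refuse on these grounds.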

Related

RFHUtil MQ utility tool not supporting TLSV1.2 Cipher to connect MQ-9

I am not able to connect to the WMQ-9.1 queue manager via RFHUtil when the channel is configured with a TLSV1.2 cipher.
No issues when I am connecting from SSL to TLSV1.0 version in that. Never tried TLSV1.1 before.
Any idea how to overcome this? Also, can you suggest any alternate open source tools that are available in the market or in a git repo?

You can pull the latest from here.
https://github.com/ibm-messaging/mq-rfhutil/tree/master/bin/Release

Longer time for SSL handshake in MQ

Customer complains that our receiver channel is taking a longer time for the SSL handshake. The MQ version is MQ7.1.0.6 and the OS is Solaris.
This problem started to appear just two weeks ago.
I checked the http://www.mqseries.net/phpBB2/viewtopic.php?t=63615 URL on OCSP and am not sure if I can set OCSPCheckExtensions=NO in the qm.ini file. Could you please let me know if it is a good approach to set OCSPCheckExtensions=NO?
Suggestions are most welcome

Twilio SSL Validation - Error 11237

I am relating to Application and invalid certificate errors
When I initiate the call with the Twilio REST API and then pick up the phone, I can hear that an error occurred, and "Certificate Invalid - Could not find path to certificate" appears in my alert dashboard.
However, the certificate is located in the Mozilla certificate program; I can find the certificate in the Public All Intermediate Certs List. I don't use a self-signed certificate.
As soon as I disable SSL Certificate Validation inside the Twilio Console Account settings, the problem is gone.
My results from Qualys SSL Labs are:
Summary:
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C.
This server accepts RC4 cipher, but only with older protocols. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server's certificate chain is incomplete. Grade capped to B.
Configuration:
SSL 3 INSECURE
Cipher Suites:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 4096 bits FS WEAK
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH secp256r1 (eq. 3072 bits RSA) FS INSECURE
Protocol details:
Secure Renegotiation Supported
POODLE (SSLv3) Vulnerable INSECURE SSL 3: 0xa
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported
RC4 Yes INSECURE
Forward Secrecy With some browsers
Shall I disable SSL, or do you have any ideas what I can do?

Twilio developer evangelist here.
I am hoping that your https://ssllabs.com/ssltest has scared you sufficiently enough. You need to upgrade your server from SSLv3 to TLS as SSLv3 and a lot more of your setup is insecure and will not protect you in the face of an attack.
Twilio has deprecated support for SSLv3 and supports TLS. This is likely why you are getting an invalid certificate error.
For the sake of your and your users' own security and safety, please upgrade your server.

Pound SSL Ciphers and Firefox Issue

I am fairly new to Pound cfg and SSL in general and working on learning. Tried a few things I found on Google related to setting Ciphers but they failed.
We are having an issue with Firefox after setting Ciphers in Pound to not allow SSLv3. Firefox tells customers that the system is not set up properly, so it is blocking them. Here is what I am trying to do.
Disallow SSLv3, SSLv2 via Pound Cfg file. Here is what I have tried:
Ciphers "All:!SSLv2:!SSLv3"
We are using SHA2 through GoDaddy for the cert and SHA256 for the key. When I test via https://dev.ssllabs.com/ssltest/ we get a giant F. Any ideas?
Any and all help is greatly appreciated. Thanks!

"Ciphers" is used to configure the cipher suites, not the SSL/TLS protocols. According to the man page, you want to do this:
Disable SSLv3
Note that Disable works by disabling that protocol and all lesser protocols, so disabling SSLv3 also disables SSLv2 along with it.
You will probably want to configure Ciphers as well. Exactly how you configure it depends on what browsers and user agents you want to support, but you can get started with:
Ciphers "EECDH+AESGCM:AES128+EECDH"

https with ECDHE-ECDSA-AES256-GCM-SHA384 in windows 2012

I have been a long time reader but this is my first real post on a topic that I couldn't find a solution to.
I am currently hosting a website on Windows 2012 that I would like to get the latest TLS 1.2 ciphersuites running on.
I am aware of how to enable TLS 1.1 and TLS 1.2 in Windows and have done so (via registry edits). I have also changed the cipher order to what I would like it to be.
My question is: How do I actually go through and set up my ECDHE / ECDSA portion of the cipher suite after this step?
When I view the site in the latest Chrome beta (which supports ECDHE and ECDSA in TLS 1.2 provided you use the supported curves) it seems to skip all of the ECDHE ciphersuites.
Is there something else I need to do to get ECDHE/ECDSA properly enabled?
I have read around on the net trying to solve this myself and they mention making copies of your root cert and then modifying them to somehow support ECDHE. Am I barking up the wrong tree?
Thank you in advance for any and all support with this issue.
Edit: adding clarification/progress
After more research, I have found that in order to get ECDSA to work, you need an ECDSA certificate. The only way to get one at this time is to self-sign, as the cert-cartel has not yet come up with proper cross-licensing agreements and fee structures for Elliptic Curve Certificates.
Since self-signing is not an option for this site, I have removed all ECDSA suites from the cipher-order.
Unfortunately, because all of the AES Galois Counter Mode suites were also ECDSA, this rules those out for the time being.
This leaves me with a strongest cipher suite of ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521, which I BELIEVE is supported by the latest version of Chrome beta, correct? I can't seem to get Chrome to pick up anything beyond SHA-1. Is there no SHA-2 support, even in the latest beta?

AES-GCM is about how you encrypt the data in your connexion, EC-DSA or RSA about how the server identifies itself to the client. There is therefore no reason why you couldn't do AES-GCM encryption with an RSA authentication.
RFC 5289 does define the needed suite for that:
https://www.rfc-editor.org/rfc/rfc5289#section-3.2
CipherSuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = {0xC0,0x2F};
CipherSuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = {0xC0,0x30};
CipherSuite TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = {0xC0,0x31};
CipherSuite TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = {0xC0,0x32};
It's not however necessarily easy to find both the client and the server that will support them.

I had similar experiences with Win2008 R2.
Depending on the certificate, GCM cipher is offered by the server or not.
With a self-signed ECDSA certificate I got GCM to work, but older browsers
or Windows XP can't connect to such an https site.
Windows doesn't support any TLS_ECDHE_RSA...GCM... ciphers:
http://msdn.microsoft.com/en-us/library/aa374757(v=vs.85).aspx
Thus normal RSA-certificates don't work with GCM under Windows.
Browser compatibility:
http://www.g-sec.lu/sslharden/SSL_comp_report2011.pdf
