SSL seems to be not installed properly - asp.net-mvc-3

I have a certificate for a domain example.com. So, every request in my application (MVC 3) is being redirected to https://example.com. But the problem is, I can see the padlock icon in the Firefox browser, but one second later it disappears and I see that there is no certificate?
I have no clue what's going on, can somebody enlighten me? The application is being hosted on Windows Server 2008 R2.

The "...which is run by (unknown)" message is just a message telling you that the certificate only verifies the web site name, not the owner. The message is not very clear and has been reported as a bug to Mozilla.
The "Your connection to this site is only partially encrypted" message means that you're fetching at least some HTTP data as a part of your HTTPS page (check your font/image/media links on the page) and the data fetched via HTTP is not secure. A secure page should only link to HTTPS content, or someone listening to the connection may be able to read the insecure communication and figure out what is done over the secure link. For example, if your cookies are not set as secure, they'll be sent over clear text too when fetching data from your site.
All in all, the SSL cert seems to be installed ok, but your page needs some updates to only link to secure content.
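
As an added illustration of the check this answer recommends (not code from the original posts): a Python sketch that lists the subresources a page served at an https:// URL would fetch over http://, and the cookies set without the Secure attribute. The sample HTML, cookie values, and function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attributes that make the browser fetch a subresource. Navigation
# links (<a href>) are not mixed content and are ignored.
FETCH_ATTRS = {"img": ["src"], "script": ["src"], "iframe": ["src"],
               "audio": ["src"], "video": ["src", "poster"],
               "source": ["src"], "embed": ["src"], "object": ["data"]}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that fetch

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.insecure = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = FETCH_ATTRS.get(tag, [])
        if tag == "link" and FETCHING_RELS & set((attrs.get("rel") or "").lower().split()):
            names = ["href"]
        for name in names:
            if attrs.get(name):
                # Resolve relative and protocol-relative URLs against the page.
                absolute = urljoin(self.page_url, attrs[name])
                if urlparse(absolute).scheme == "http":
                    self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    """(tag, URL) pairs the page would fetch over plain http://."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

def cookies_missing_secure(set_cookie_headers):
    """Names of cookies whose Set-Cookie value lacks the Secure attribute."""
    return [h.split("=", 1)[0].strip() for h in set_cookie_headers
            if "secure" not in [p.strip().lower() for p in h.split(";")[1:]]]

# Constructed sample page and Set-Cookie values, for illustration only.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://fonts.example.net/css?family=Sans">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.net/app.js"></script>
<img src="/images/logo.png"><img src="http://example.com/images/banner.png">
<a href="http://example.com/about">About</a>
"""
SAMPLE_COOKIES = ["ASP.NET_SessionId=constructed; path=/; HttpOnly",
                  ".ASPXAUTH=constructed; path=/; HttpOnly; Secure"]
print(find_mixed_content("https://example.com/", SAMPLE_HTML),
      cookies_missing_secure(SAMPLE_COOKIES))
```

Relative and protocol-relative URLs inherit the page's https scheme, so only the absolute http:// stylesheet and image are reported.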

Related

change browser behavior for web page with invalid certificate

When a user tries to browse a webpage having an invalid certificate (expired, self-signed, untrusted root, etc.), the browser warns the user about the security issue with the page and gives the option to proceed or go back.
Is it possible to change the (default) page that's being displayed here? How can I get into the chain of events that gets triggered after the browser evaluates certificate validity?
Any help would be appreciated.
Thanks,

It is impossible to achieve that feature on the server side. It is a part of the client-side browser implementation of validating the server-side certificate.
As you know, the HTTPS connection is based on the SSL/TLS version between the client side and the server side. Establishing the TLS connection requires a handshake between the server side and the client side.
The client and server will provide the available TLS version during the process, including the supported certificate encryption algorithm and certificate public key. If the process fails, we cannot program the webpage displayed on the client side since the TLS connection has not been established yet.
Feel free to let me know if there is anything I can help with.

Sitecore URL not working after installation

I have installed Sitecore 9 XP0 on my local machine. After the installation, when I tried to launch the URL, the URL automatically redirects to https. But in IIS, Sitecore has only an http binding.
Below are the lines from PowerShell during installation. They clearly show that the http binding is used and that it works.
[UpdateSolrSchema]:[Authenticating] http://mywebsite/sitecore/admin/PopulateManagedSchema.aspx?indexes=all
[UpdateSolrSchema]:[Requesting] http://mywebsite/sitecore/admin/PopulateManagedSchema.aspx?indexes=all
[UpdateSolrSchema]:[Success] Completed Request
When I try to launch http://mywebsite/sitecore, it redirects to https://mywebsite/sitecore and I get the error below.
Can’t connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.
I even added an https binding manually, selecting "DO_NOT_TRUST_SitecoreRootCert", but I am getting the error below.
This site is not secure
This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.
Not sure what the issue could be. Can someone help me with this? Thanks in advance.

Making requests to ws:// from a website loaded on https

I'm using sipml5 to connect to a SIP phone service, and one of the settings is the service WebSocket server URL. The problem is that the server URL is not secured (e.g. ws://123.123.123.123:9999/ws) and it cannot be accessed on wss://. Because of that, when loading my site on an HTTPS connection, the browser blocks the request automatically; it doesn't behave like it does when loading, let's say, an image over http and then showing a warning.
Error is: [blocked] The page at 'X' was loaded over HTTPS, but ran insecure content from 'ws://....': this content should also be loaded over HTTPS.
I need to know if there is a way to make the browser connect to ws:// even though the page initializing the request is loaded over https.
Please help.
EDIT:
What I'm looking for is a flag or something like that, in Chrome or Firefox for example, which lets the user access insecure resources even though the page is loaded on https.

Why are you using http? You can get an SSL certificate from https://letsencrypt.readthedocs.org/en/latest/intro.html
Then add the following details to http.conf:
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/path-to/cert.pem
tlsprivatekey=/path-to/privkey.pem

Can I ignore/refuse https access to certain places of my heroku app?

I'm developing on Heroku a site with a couple of subdomains. One of them is signup (as in signup.myapp.com) which requires SSL access -- of course! But the rest of the subdomains, such as www, do not require https to access.
The problem is that the client only purchased an SSL certification for signup.myapp.com. This means that, when a user tries to access other places of my site with https (such as https://www.myapp.com), SSL certification does not validate and browsers tell the user that the site could be malicious... not good for branding.
I tried to make the site redirect from https to http, but of course this failed, because SSL was checked before the redirect could be sent.
Is there a way that I can deny access to these places of my site from https, so that users encounter, for instance, a 404 page instead? Or, do you know of any other ways to handle this situation? (The client is reticent to acquire a new SSL certificate, especially a wildcard certificate.)

Unfortunately, you need a certificate for each of the domains (or a wildcard one as you mention), see e.g.:
How to redirect https to http without any SSL Certificate
The problem is that the certificate is the first thing checked, way before anything else happens. If that fails, the browser will typically display a "get me out of here!" kind of notification. There's no built-in support for an SSL-to-non-SSL transition.
You can shut down https://www.example.com (i.e. make your Web server not listen on port 443), but that of course won't yield a 404, also bad for branding.
With just one non-wildcard certificate, the only thing you can do is put all the pages under that domain. I.e. instead of https://signup.example.com/a/b/c, you need to do https://www.example.com/signup/a/b/c or something along those lines.
On the other hand, you can buy the certificate for under $100/year (or $150 total for 2 years) at GoDaddy:
http://www.godaddy.com/ssl/ssl-certificates.aspx
so, depending on your context, it might just pay off to pay this instead of doing any additional development.
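
An added example, not part of the original answer, showing why a certificate issued for signup.myapp.com fails validation on www.myapp.com and what a wildcard does and does not cover. The matching rule is simplified to whole-label wildcards in the left-most position; the function names and candidate name sets are assumptions made for the illustration.

```python
def name_matches(pattern, hostname):
    """True if a certificate name (exact or '*.' wildcard) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(cert_names, hostnames):
    """Hostnames for which a browser would show a name-mismatch warning."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]

# Hostnames taken from the question; the apex and the nested name are
# constructed additions to show the wildcard edge cases.
SITE_HOSTS = ["signup.myapp.com", "www.myapp.com", "myapp.com",
              "api.staging.myapp.com"]

# Candidate certificate name sets (constructed for comparison).
CANDIDATES = {
    "single name": ["signup.myapp.com"],
    "wildcard": ["*.myapp.com"],
    "wildcard + apex": ["*.myapp.com", "myapp.com"],
    "multi-name (SAN)": ["signup.myapp.com", "www.myapp.com", "myapp.com"],
}

def coverage_report(candidates=CANDIDATES, hosts=SITE_HOSTS):
    """Map each candidate certificate to the hostnames it leaves uncovered."""
    return {label: uncovered_hosts(names, hosts)
            for label, names in candidates.items()}

if __name__ == "__main__":
    for label, missing in coverage_report().items():
        print(f"{label:18} not covered: {missing or 'none'}")
```

A wildcard for *.myapp.com covers neither the bare myapp.com nor names two levels down, so the set of hostnames that must answer on port 443 decides which certificate is enough.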

Self-Signed SSL Link not working

I have an embedded web server with a self-signed SSL certificate. After I get past the Web Browser's warning about the SSL Certificate being self signed, I am seeing a difference between IE8 and Firefox 3.5.5.
In IE8, if I try to download a PNG file, it will download every time.
In Firefox, it will give me an error every other time.
The error message is this:
Secure Connection Failed
An error occurred during a connection to 192.168.1.100.
SSL peer was unable to negotiate an acceptable set of security parameters.
(Error code: ssl_error_handshake_failure_alert)
*The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
*Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
What is causing this? Why does one browser work all the time and the other only works every other time?

It's hard to say without looking at the packets. If I had to hazard a guess, it would be that on the second request, Firefox is trying to resume the SSL session, and for some reason, the server doesn't like that. On the next request, Firefox doesn't try to resume, and it succeeds again. Maybe?
