The task in hand is to look for an authentication mechanism from Linuix client (Scietific Linux 6.1) to a HyperV Server. I'm using openwsman to establish the connection; it seems openwsman does not support kerbose/gssapi as openssl/openssh internally used does not support the protocol.
Googling about GSS and openssh support, I was able to find a git project maintained by Simon Wilkinson (https://github.com/SimonWilkinson/gss-openssh) and also a webpage maintaining the patches against openssh releases (http://www.sxw.org.uk/computing/patches/openssh.html). But both this project are based on OpenBSD platform.
Does anyone have ported this changes for linux? Or anyother mechanism to get GSS authentication working on Linux?
Thanks!
http://grid.ncsa.illinois.edu/ssh contains the port for GSS protocol and seems to maintain pacthes against openssh very well.
Related
Similar to SSL enabling in Tomcat Windows server question, how do I configure NGINX/OpenResty to use/trust Windows certificate store (especially the authorities)?
One option is to use some kind of NGINX plugin based on NSS (Network Security Services). I've actually found a repository for it here, but no sure I can use it.
Are there any other solutions?
I've got a windows forms app which is deployed through click once. The app was build with .net 4.7.2 and it uses the HttpClient API to access a couple of rest web services, which are hosted on an internal server. As you might expect, the services can only be accessed through HTTPS and the server is configured to suppport all TLS versions (btw, this is a 2016 windows server).
The intranet client app (ie, the windows forms app) is deployed across several internal sub-networks and everything is working well with the exception of a single PC (which belongs to a specific subnetwork - it's the only PC that is using this particular app). This PC will only be able to consume the services when the HttpClient is configured to use TLS 1.1.
Since we're using internal certificates (we have an internal certificate authority for our AD), I've already checked and the certificate with the public key of the entity is already present on the trusted certificate authorities container of the computer where the secure session can't be established through TLS 1.2.
The PC is running Windows 10 Pro (latest version), so it should support TLS 1.2. I've tried emulating the requests from Fiddler and the truth is that I'll only get the results when I configure it to use TLS 1.1.
Without setting the protocol to TLS 1.1, I can see that Fiddler says that the handshake hasn't been established and the service is never "executed".
Now, according to what I've read, I shouldn't have been getting any problems with the code. In fact, I shouldn't have to specify the TLS version (it looks like Windows 10 Pro has out of the box support for TLS 1.2 and that should be the default for WIndows 10. Since I'm using .NET 4.7.2, it should automatically use the system's default protocol), but the truth is that only using tls 1.1 (not tls 1.2!) allows for the secure channel to be established.
I've tried running the code in other machines and everything works out as expected (I can establish the secure channel with tls 1.1 or tls 1.2 or even let it use the system's default protocol).
Since I'm not really a network guy, can anyone point me in the right direction? Do you guys think this can be caused by a firewall? Any ideas?
I mean, it looks like the PC recognizes the certificate used in HTTPS session (if that wasn't the case, then I wouldn't be able to use TLS 1.1, right?), but it seems like there's something in the way that won't let me use TLS 1.2...
Thanks.
Luis
Check our official guidance for TLS: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls
If it is one machine problem, I would recommend to create a simple HelloWorld app doing simple request, targeting the same .NET Framework (4.7.2) and then test that on the specific machine vs. other machines. That will tell you for sure if the problem is in your app or in machine/network settings.
I have set up an WSO2 Identity server in an EC2 instance. I have mapped the carbon.xml entries to this EC2 instance. The WSO2 server is starting up in that IP without any errors.But when i access it , i get a strange SSL error .ideally SSL warning should be coming since i am using WSO2 provided certificates itself and i can go on bypassing it.This is for sample environment so i am not planning to buy certificates
But this error is totally different and there is no way to bypass it.
The error in chrome says
50.200.189.207 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
I am unable to get rid of this.What could be the cause?
Some environments may have (mis)configured already unsupported ciphers (I had this issue on AWS Linux with OpenJDK as well, not on CentOS with Oracle JDK).
I suggest you to read WSO2 CARBON Configuring TLS
long story short:
open $WSO2IS/repository/conf/tomcat/catalina-server.xml
Locate Connector for TLS (port 9443 with sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" )
add property: ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
note: please read the documentation for exact values of the cipher property
And indeed, Oracle JDK is recommended for WSO2 products (as noted in the comments), the JDK vendors may differ in supported ciphers
If it doesn't work, let me know, I will post exactly what I've used for other projects
One of our programs uploads data to external FTP servers.
Connection (credentials and/or data) is encrypted.
It worked well until one of these external FTP servers installed one of the latest MS patches which has broken the encryption.
I am trying to set up a test environment to reproduce the issue.
The URL which is used by our program is
ftp-authssl://123.123.123.123:21
(actual IP is replaced by 123.123.123.123)
What does ftp-authssl:// mean?
The program is written in C#. It uses Eldos Secure Black Box (https://www.eldos.com/sbb/) library to upload data to FTP server. FTP server is IIS running on Windows Server 2008 R2.
This is explicit TLS mode for FTP, where you start with a plain connection and then issue a AUTH TLS (or older AUTH SSL) command and then upgrade the plain connection to TLS. This is similar to STARTTLS with other protocols like SMTP or IMAP.
See Wikipedia article to FTPS for more details.
Hello i have a bit of a problem using websockify.
I made executable for windows, then i start my websockify in cmd:
c:\web\websockify.exe 192.168.1.70:5901 192.168.1.70:5900
WARNING: no 'resource' module, daemonizing is slower or disabled
WebSocket server settings:
Listen on 192.168.1.70:5901
Flash security policy server
No SSL/TLS support (no cert file)
proxying from 192.168.1.70:5901 to 192.168.1.70:5900
so far all good. In the background VNC server is running on the same
computer at port 5900. The thing is i need to use websockify to be
able to use novnc on the other computer in local network.
I have latest novnc installed on latest XAMPP server (apache 2.2).
When i start vnc.html it asks for server, port, password. I typed
them in and press connect. I get an error on the websockify side:
WARNING: no 'resource' module, daemonizing is slower or disabled
Usage:
websockify.exe [options] [source_addr:]source_port target_addr:target_port
websockify.exe [options] [source_addr:]source_port -- WRAP_COMMAND_LINE
websockify.exe: error: no such option: --multiprocessing-fork
I can't connect using noVNC. I searched for internet to find solution
but did not find it.
Can someone help me get this apps together runnig?
or is there some more windows friendly solution with some other app that
does what websockify does?
br
Did you follow this guide? https://github.com/kanaka/websockify/wiki/Compiling-Websockify-as-Windows-Executable
Websockify uses the python multiprocessing module. This module is problematic on Windows, especially with older versions of python. You might try python 3.2 or greater and see if you have more success although no guarantees. Websockify is developed and tested on Linux only.
There used to be a pre-built version of Websockify for Windows that at least worked without multiprocessing (one client at a time), however, github dropped support for downloads so this build is no longer available.
Disclaimer: I made websockify.