I need to check avalara TLS 1.2 compliance, But I didn't find any documentation
Could someone let me know the procedure to check compliance
TLS is part of JRE security settings not related with hybris. You can check your JRE security configuration. Up to date JRE distributions supporting TLS 1.2 and old versions already disabled.
You can checkyour configuration in hac via groovy script. For example my web page supporting TLS 1.2 and 1.3.
URL url = new URL("http://mkysoft.com/ip.php");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
InputStream is = connection.getInputStream();
return org.apache.commons.io.IOUtils.toString(is);
If you want to test other TLS/SSL/certificate/handshake options check https://badssl.com/ for alternative test endpoints.
Related
After upgrading the com.hazelcast group to 5.2.1 version, not able to configure the ManagementCentre url. Not able to see the following method itself, do I need to any other alternate config api for this?
ManagementCenterConfig managementCenterConfig = new ManagementCenterConfig();
managementCenterConfig.setUrl(hazelCastConfiguration.getManCenterUrl());
able to config mancenter url in lower version.
Recently the 3rd party email service provider I was using made a change. They disabled support for TLS 1.0 and TLS 1.1.
I provide support for an ancient system that still uses php 5.3 and phpmailer 5.2.
My tests indicates that TLS 1.2 is enabled.
But, the PHPMailer code cannot connect to the email server after the disabling of TLS 1.0 and 1.1
Also, note that I am not a full time php expert.
Is there a way to make PHPMailer 5.2 use tls 1.2?
Look for constant STREAM_CRYPTO_METHOD_TLS_CLIENT in file class.smtp.php and update that to STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
Like this:
public function startTLS()
{
if (!$this->sendCommand('STARTTLS', 'STARTTLS', 220)) {
return false;
}
// Begin encrypted connection
if (!stream_socket_enable_crypto(
$this->smtp_conn,
true,
STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
)) {
return false;
}
return true;
}
You should run phpinfo() in a small php script on your server to make sure TLS 1.2 is available in the first place.
It's not up to PHPMailer, its up to the version of PHP that you're using to run it, so the solution is to update your PHP version. The major changes relating to TLS were largely in PHP 5.6, so upgrading to that would be a good intermediate point if you're really stuck with this legacy version.
I recently need to use .net core to do SOAP NTLM login.. to my horror.. I realized ,net core does not come with SOAP support.. fumbling around, I came across SOAPCore on nuget package which has SOAP middleware for .net core. My console app interfacing to .net core 2.1 SDK tries to do NTLM login. Below is the codes, very simple.. it's trying to login to Milestone VMS.
<----------codes--------------->
int MAX_BUFFERSIZE = 2 * 1024 * 1024;
string strURL = "http://192.168.51.207/ServerAPI/ServerCommandService.asmx";
BasicHttpBinding httpBinding = new BasicHttpBinding();
httpBinding.MaxBufferSize = MAX_BUFFERSIZE;
httpBinding.MaxReceivedMessageSize = MAX_BUFFERSIZE;
httpBinding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
httpBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm; //changed Ntlm to Windows also don't help
EndpointAddress endpoint = new EndpointAddress(strURL);
var factory = new ChannelFactory(httpBinding, endpoint);
CredentialCache cc = new CredentialCache();
NetworkCredential ntcc = new NetworkCredential("user", "password", "domain");
cc.Add(strURL, 80, "ntlm", ntcc);
factory.Credentials.Windows.ClientCredential = cc.GetCredential(strURL, 80, "ntlm");
var client = factory.CreateChannel();
Guid guid = Guid.NewGuid();
LoginInfo lo = client.Login(guid, "");
Console.Write("\ntoken=" + lo.Token);
ConfigurationInfo config = client.GetConfiguration(lo.Token);
... //do something
client.Loguout(guid, lo.Token); //logout
<-------------end of code segment------------>
Now, running this in Windows 10 works fine.. it's able to login and get the info needed.. but funny thing is when it runs on Linux.. I installed BASH for Windows 10 and it's Ubuntu 18.04, and have installed .net core 2.1.300.. it gave an http code 401 exception: "The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate, Ntlm'."
I've previously read on Stackoverflow about something quite similar and it was said that .net core 2.1 would resolve it.. I'm already using 2.1.300. Is it still not resolved? or am I doing something wrong?
Another question I have pertaining to this, the "ServerCommandServiceSoap" interface is generated using svcutil.exe from the wsdl file provided by Milestone in their SDK. Now, what is the difference between svcutil.exe and wsdl.exe? I noticed that the proxy class generated isn't the same usi ng these two tools.. using svcutil.exe has an interface class with dependencies on System.ServiceModel, while using wsdl.exe has no interface class and depends on System.Web.Services which is not available in .net core. why is it different when they are ran against the same wsdl document?
Can someone please enlighten me on this? thanks a lot.. :)
Our application hosted on Google App Engine Node.js (Flexible Environment). We are now under review of security inspection and failing on the issue that Google App Engine supports TLS 1.0 and 1.1 versions.
Is there a way to enforce the use of only TLS 1.2? And also block ciphers that are below 128 bit?
So I also came up against this problem...and found that GCP weren't that helpful. They'll helpfully restrict at a domain level if a support ticket is put forwards....which resolves the security concern...but you'll still get false positives which need explaining at every penetration test (the GAE shared IPs accept other version of TLS for other domains).
For a nice clean solution; use Cloudflare for your DNS. They essentially act as a middleman/web application firewall. Amongst other things (free certificates, WAF, DDOS mitigation, CDN, HTTPS force, HSTS etc etc etc), you're able to set the minimum TLS version as you wish. Mine is now minimum TLS 1.2, supporting TLS 1.3 if the browser accepts it. I've also essentially only got port 80/443 on GAE connected to cloudflare, with no public access at all, as all traffic goes through cloudflare first. Pretty neat - zero ports open to the public and a fully operations website! The pen test guys just scratched their heads and packed up.
Oh...and FYI - it's free for this level of configuration. Happy security testing ;-)
I can confirm that you can make a request to google support and it takes up to 4 weeks to make the change. Not sure why. Hopefully they can speed things up in the future. But alternatively you can handle this logic at the application layer (in middleware) rather than the network layer. See snippet below:
// using NODEJS + TYPESCRIPT
// disable tls 1.0 and 1.1 weak ciphers
this.app.use((req, res, next) => {
// const cipher = ((req.socket) as TLSSocket).getCipher()
const protocol = ((req.socket) as TLSSocket).getProtocol()
// console.log('cipher: ', cipher);
// output eg: { name: 'ECDHE-RSA-AES128-GCM-SHA256', version: 'TLSv1/SSLv3' }
console.log('protocol: ', protocol);
// output eg: TLSv1.2
if (protocol === 'TLSv1.2' || protocol === 'TLSv1.3') {
next();
} else {
res.status(426);
res.send('request requires TLSv1.2 or greater, please upgrade');
}
});
I've not tried this so I can't guarantee it would work, but it seems like you could use a HTTP(S) Load Balancer. The SSL policies are configurable such that it would likely meet the requirements of your security review.
-=UPDATE=-
The problem I was experiencing was a case where the certificate was valid, but the site was invalid for the certificate. Leaving the default settings (either providing a profile with the certificate default settings or using the standard :selenium driver in Capybara) worked for my case. I mistakingly thought I needed to modify my Firefox profile for the driver to work, this wasn't the case.
Removing the certificate settings from my custom profile fixed the issue. Thanks Jarib.
-=Original Question=-
I'm currently trying to setup my test browsers to ignore invalid SSL certificates when using Cucumber and Capybara. I have the following in my env.rb:
Capybara.register_driver :selenium_profile do |app|
profile = Selenium::WebDriver::Firefox::Profile.new
profile.secure_ssl = false
profile.assume_untrusted_certificate_issuer = false
Capybara::Selenium::Driver.new(app, :browser => :firefox, :profile => profile)
end
Capybara.configure do |config|
config.run_server = false
config.default_driver = :selenium_profile
config.default_wait_time = 15
end
The environment seems to be setup properly, and the testcase runs fine until I hit an invalid certificate.
Is there something I'm doing wrong in the code above? Is there another option (using script/code) to create a new profile that ignores certificates? I'm trying to do some black box testing on a qa site, so self signed certificates aren't really an option. Individual Firefox profiles aren't good since the code needs to be portable. Thoughts?
Environment:
OS X.7.3
Firefox 12.0
ruby-1.9.2
capybara (1.1.2 ruby, 0.4.1.2)
capybara-webkit (0.8.0)
cucumber (1.1.9)
selenium-webdriver (2.21.2)
Did you try without profile.assume_untrusted_certificate_issuer = false
and with profile.accept_untrusted_certs = True