I've enabled SSL on IIS server (running on Windows 2003) using steps mentioned here:
http://www.techpaste.com/2012/01/steps-configure-ssl-iis-windows-2003-server/
It looks like SSL is enabled properly because when I hit:
http://hostname.myhost
I get following in browser:
The page must be viewed over a secure channel The page you are trying
to access is secured with Secure Sockets Layer (SSL).
Please try the following:
Type https:// at the beginning of the address you are attempting to reach and press ENTER.
I was using this IIS as proxy to my weblogic server. All my configuration was working on HTTP (http://hostname.myhost/myapp/test.jsp).
However when I tried (HTTPS):
https://myhost/myapp/test.jsp
It doesn't work. I get following in browser:
The connection was interrupted
After googling, I found that I'll need to enable HTTPS on weblogic and I'll have to establish trust between IIS plugin and weblogic.
URL - http://docs.oracle.com/cd/E13222_01/wls/docs81/plugins/isapi.html#100382
Section: Using SSL with the Microsoft Internet Information Server Plug-In
I enabled HTTPS on weblogic by checking 'SSL Listen Port Enabled'.
Using keytool and java command, I got pem file as well for corresponding der file for corresponding certificate in DemoTrust.jks.
I added following two keys to iisproxy.ini file:
SecureProxy=ON
TrustedCAFile=c:/mycert.pem
However when I access https://hostname.myhost/myapp/test.jsp, I still get same error in browser.
In iisforward.log I see following:
Fri Aug 02 14:52:29 2013 load properties from: C:\Inetpub\WLS_IIS_Plugin\iisproxy.ini
Fri Aug 02 14:52:29 2013 WLForwardPath: /
Fri Aug 02 14:54:36 2013 TerminateFilter...
I don't see any log in iisproxy.log.
Could anyone please suggest where I am wrong?
Thanks.
Reset the iis once...
Before resetting iis the following things make sure...
you have enabled SSL port in weblogic console and make sure you have enabled that port in that server's firewall. otherwise it won't allow any outside/remote communication via that port
you have to bind an ip addess and port in IIS for ssl communication...and you must have to specify SecureProxy=ON in iisproxy.ini(the cert should be physically located..where it is specified in iisproxy.ini file like c:/mycert.pem)
Related
I have one windows server already running sharepoint on 80/443 and the site works correctly.
We're trying to add more functionality by installing NodeJS and Apache
I've set apache to listen on 8080 and the default website comes up.
Node is running on 3000 and I can access the explorer that way as well.
My questions come from this. The server has a complete certificate chain installed on it and https://:8080 comes up correctly, but I can't get the node stuff to work on https: Secondly it appears while I have proxy pass set up correctly within my httpd.conf, either something is wrong within that as if I goto the https://:8080 /api/and anything beyond that, I get 503 errors and the page can't be displayed.
I'm unsure what I'm doing incorrectly here as from reading the documentation on proxy module, it seems that everything is setup and configured correctly.
Netstat shows listening on 3000 and 8080 and 80/443 for my SharePoint farm.
I had to configure the ssl settings for the proxypass to use the IP address of the local machine. After doing that I was able to connect correctly.
This allowed for connecting on :3000 via telnet to the localmachine and allowed for explorer to be viewed with https://:8080 the correct way enforcing our certificates.
I have a server with public IP and hold a website on it. I don't have a domain and my web server is IIS, then I created a self signed certificate in the server and bind it to my website. When I want to access to my website using a link like http://.../test. I can access to the website with https in localhost in the server. but I can't access to the website from a client browser with httpsand I get this error in client browser:ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Your server most likely doesn't support TLS (v1.0 or higher) but only SSLv3. That's a common cause for this error. SSLv3 is blocked in most browsers because of the POODLE vulnerability (CVE-2014-3566). You should review your server settings and upgrade them accordingly.
You can test your website at the awesome SSL Test from SSL Labs. This will point out errors like these and it helps you create a secure config. Please keep in mind that any score below A is in urgent need of improvement.
I found out to solve it. Port 443 was closed in the server.
We have a web server (IBM HTTP Server 6.1) connected using HTTPS (using SSL certificates - SSLv3) to an application server (IBM WebSphere Application Server 6.1), the application that is hosted on the app server is not upgradable, so we cannot update WebSphere on both layers to later versions.
I'm trying to enable TLS instead of SSLv3, the steps I followed:
On the web server's http.conf file, SSLv2 and SSLv3 and their cipher suites directives were removed, and TLS cipher suites were added (2F, 35b).
On the app server, QoP were changed to TLS (also tried TLSv1) instead of SSL_TLS, removed RC4 cipher suites by creating a customer list.
When opening the website URL from browser, Internal Server Error appears (means that the web is unable to communicate with the app server). When selecting the SSL_TLS again in the app server's QoP settings (keeping the SSLv2 and 3 disabled on the web server level), the website opens properly!
Is it possible the application is not compatible with TLS, pls advise?
Thank you.
The WAS Plugin tries TLS1.0 by default in 6.1.0.31 and later. To debug whatever's going on with your system, you'll have to actually watch the handshake in a packet capture and that will tell you which side to focus on.
Running 6.1 is ill advised, but running 6.1 without the latest maintenance is borderline negligent.
When you right-click a Web site in the Microsoft Internet Information Services (IIS) Microsoft Management Console (MMC) snap-in, and then you click Start, the Web site does not start and you receive the following error message:
The process cannot access the file because it is being used by another process.
What have to do.
To resolve this issue i got this solution:
You must use the Netstat.exe utility at the command line to see if another process is using port 80 or port 443.
But how to ensure that is these Ip are in use or not ? in terms of status ? What should its status ?
Second solution is : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\ListenOnlyList.
But this key is not found .
Lalit, this should probably be on ServerFault.com as this is more of a server administration question. With that said, you probably have more than one website listening on port 80 or 443 without the use of host headers. When using port 80, you cannot have more than one site on the port without specifying the domain name(s) to use in your website bindings. 443 (HTTPS) gets a little more tricky as you typically cannot have more than one site use 443 even if you are using host headers (there are exceptions like wildcard SSL certs). This is due to IIS not being able to read the host headers and know which SSL cert to use to decrypt them since they are encrypted.
http://support.microsoft.com/kb/890015 for more information
More links:
http://support.microsoft.com/kb/308163
Google
Finally i keep error as it is and I reinstall IIS and required software.
I am trying to configure an IIS website to require SSL client certificates. The website is set up in both IIS 6 and 7, though I am more interested in making it work for 7. I set the require client certificates property in IIS and it works fine when accessing the site through a web browser, but a Java-based client is having trouble accessing it.
I believe the problem is that IIS does not request a client certificate during the initial SSL handshake. Instead it negotiates a normal SSL connection, checks to see if the resource requires client certificates, and if it does it then initiates a new SSL handshake that requests a client certificate. IIS does this so support sites that only require the client certificates for certain resources. Even when the requirement is specified for the entire website, IIS still initiates two SSL handshakes. I want to force IIS to request the client certificate on the first SSL handshake, which will hopefully get things working for the client. (The client is developed by an external partner and I have virtually no knowledge of how it is set up and no access to its source code)
Has anyone dealt with this problem in IIS before?
Here's how I did this, on IIS 7.5:
Run the following in an admin command prompt: netsh http show sslcert
Save the output in a text file. Will look something like this:
IP:port : 0.0.0.0:443
Certificate Hash : [a hash value]
Application ID : {[a GUID]}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Create a batch file using that info:
netsh http show sslcert
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=[your cert hash from above] appid={[your GUID from above]} certstorename=MY verifyclientcertrevocation=enable VerifyRevocationWithCachedClientCertOnly=disable UsageCheck=Enable clientcertnegotiation=enable
netsh http show sslcert
(Yes, you have to delete and re-add; you can't just alter clientcertnegotiation in-place. That's why it's important to save the hash and GUID, so it knows what to re-add.)
Run that batch file, check for any errors, done.
Keep in mind that this setting is applied per-certificate, not per-server. So if you use multiple certs, or change/update your cert, you will have to do this again.
It took me a while to find this metabase setting. We were having this same problem with our client using the new certicom libraries. Since the discovery of the MITM attack arround SSL Renegotiation, the answer in alot of circles has been to hangup on renegotitation requests.
running the following cmd from \inetpub\adminscripts will force IIS to always request a client certificate.
For IIS 6:
cscript adsutil.vbs set \w3svc\siteID\SSLAlwaysNegoClientCert True
(So for the default website, cscript adsutil.vbs set \w3svc\1\SSLAlwaysNegoClientCert True)
Keep in mind that some clients Internet Explorer prompt for client certificates when it recieves that packet wether the client certificate is needed or not.
For IIS 7:
Save the following text to a file called "Enable_SSL_Renegotiate_Workaround.js"
var vdirObj=GetObject("IIS://localhost/W3svc/1");
// replace 1 on this line with the number of the web site you wish to configure
WScript.Echo("Value of SSLAlwaysNegoClientCert Before: " + vdirObj.SSLAlwaysNegoClientCert);
vdirObj.Put("SSLAlwaysNegoClientCert", true);
vdirObj.SetInfo();
WScript.Echo("Value of SSLAlwaysNegoClientCert After: " + vdirObj.SSLAlwaysNegoClientCert);
Run the following command from an elevated / administrator command prompt:
cscript.exe enable_ssl_renegotiate_workaround.js
(Jacked from the KB article for 977377)