Questions tagged [tls]
SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security)
5,854 questions
0 votes · 1 answer · 83 views
How to get debug output from `openssl s_server` when (PSK-only DTLS) handshake fails?
We have tested our DTLS client using the openssl s_server program from OpenSSL 3.2.1. The handshake failed because we used the wrong PSK on the client. To our surprise, the server neither responded ...
0 votes · 0 answers · 31 views
Does Vault (or basically any other system) require TLS when it only connects to a host on the LAN? [duplicate]
I'm trying to understand where TLS is required. I've heard that TLS encrypts data when a client communicates with a server through HTTP by verifying the server and passing encryption keys. This ...
0 votes · 0 answers · 33 views
Is it possible to see HTTPS traffic without intercepting? (With a copy of the traffic) [duplicate]
I have a WAF solution that can work both inline and out-of-band. And we want to try the OOB option first. And possibly want to see HTTPS traffic as well.
But the vendor says if we want to see the ...
0 votes · 1 answer · 154 views
How to verify hostname of certificate? And is it mandatory if client knows the certificate?
I have a reported finding saying that hostname verification is disabled.
This can be deduced from this line of code:
final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
...
0 votes · 1 answer · 57 views
How can you protect against a man-in-the-middle forging a TLS Client Hello that offers insecure algorithms?
According to PAN-OS documentation for "Traceability and Control of Post-Quantum Cryptography",
Traffic encrypted by PQC [post-quantum computing] or hybrid PQC algorithms cannot be decrypted ...
0 votes · 1 answer · 90 views
Can API Security/WAF tools decrypt "mirrored" traffic?
We're doing a PoC on a new API Security/WAF tool, and we're planning to place this solution out-of-band rather than inline. So traffic won't go through the solution and we'll send the mirrored traffic ...
0 votes · 0 answers · 54 views
What is the security impact of disabling certificate check [duplicate]
I have this line of code in a client server project:
sslContext.init(null, new TrustManager[]{new TrustAnyManager()}, null);
A security guy pointed out that this is skipping the validation of the ...
0 votes · 0 answers · 52 views
In TLS, how are the Diffie-Hellman exchange parameters protected from a MITM attack? [duplicate]
Authentication alone will not stop a MITM from intercepting and modifying plaintext exchanges, since he can let the authentication occur, then begin modifying the exchange data and neither end will ...
0 votes · 1 answer · 96 views
How can Amazon add its own headers when I make HTTPS requests to a web application?
I was playing with httpbin.org to test a client and discovered that some sites will get a header I did not set (X-Amzn-Trace-Id). If I do a curl https://httpbin.org/headers (which will respond with ...
0 votes · 1 answer · 125 views
Why does this application include a private RSA key?
I downloaded an application, based on electron. I then decompiled the app.asar file. And I found two strange files: "server.cert" and "server.key".
The private RSA key corresponds ...
2 votes · 3 answers · 174 views
Why data exchange between 2 web apps using redirection with query parameters or auto-form-post CANNOT be trusted by each other, even when using HTTPS?
Why data exchange between two web applications using redirection with query parameters or auto-form-post CANNOT be trusted by each web application, even when using HTTPS?
Note:
I understand that data ...
0 votes · 1 answer · 93 views
Would there be any utility for multiple clients sharing the same TLS session key?
I was wondering if there is any utility for multiple hosts sharing the same TLS session key. I have come across proxies and the way they intercept TLS connections is to make the client accept its ...
0 votes · 2 answers · 258 views
What is the impact of disabled TLS hostname verification?
If I have a Java client that connects to a server, but in the Java client code where the connection is built, it has hostname verification disabled.
When a client tries to connect to serverA.com, ...
0 votes · 3 answers · 664 views
Using HTTP header to transmit client certificate for mTLS
My client says their API traffic must take the path WAF -> Custom Firewall -> Backend API. Also, mTLS must be terminated after the traffic has gone through the network appliance.
I have created ...
0 votes · 0 answers · 82 views
Checking Against the CN Of Every Certificate In The Certificate Chain
Is it possible to check against the CN (Common Name) or SAN (Subject Alternative Names) of each and every certificate in the certificate chain for a match?
I have 2 docker containers hosted on my VM, ...