
Questions tagged [tls]

SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security)

1 vote
1 answer
10 views

ELI5: If SSL encrypts traffic, why does it expire?

SSL, nowadays TLS, encrypts traffic between the server and client. However, the certificate is only valid for a certain period of time until its expiration. What I don't understand is, why does TLS ...
MaSc. H.'s user avatar
1 vote
0 answers
38 views

TLS Server Certificate Validations 1.2 [duplicate]

I have just started to study the TLS 1.2 protocol and would like to know what checks are performed on the client side by the browser when checking the server certificate. I would be glad if you could ...
Данил Зигрей's user avatar
1 vote
1 answer
26 views

what should be the response of keyupdate if the initial KeyUpdateRequest is set to update_not_requested not update_requested

"The KeyUpdate handshake message is used to indicate that the sender is updating its sending cryptographic keys." "If the request_update field is set to "update_requested", ...
hjhjh's user avatar
  • 41
5 votes
2 answers
1k views

How did I obtain a wildcard SSL certificate without port 80 opened for a challenge?

I wanted to secure my apps running in a private subnet with SSL. Albeit not necessary, it is very nice to have. Because of my constant changes, I opted for a wildcard ssl certificate through my DNS ...
OutwardThinking's user avatar
1 vote
1 answer
88 views

How exactly do corporate companies decrypt employee SSL/HTTPS traffic on company owned corporate devices? [duplicate]

I understand that corporate companies can/do decrypt employee SSL/HTTPS traffic because the company owned device has a company owned SSL certificate. I thought the first certificate would encrypt the ...
IMTheNachoMan's user avatar
-1 votes
1 answer
79 views

How do we secure our network traffic from packet sniffing tools [beyond TLS/SSL] [duplicate]

From following link: Decrypting TLS with Netsh/WireShark I found it's pretty easy to segregate the keys file from tcp requests and later decrypt with WireShark. Are there any reliable/bullet-proof ...
Shyam R's user avatar
  • 107
2 votes
1 answer
436 views

server negotiating TLS1.3 but sent TLS1.2 ciphersuite

I sent a client hello indicating TLS1.3 support, and it contains a list of all ciphersuites that support TLS1.3, TLS1.2 and TLS1.1 And consider server negotiated TLS1.3 indicating serverHello....
hjhjh's user avatar
  • 41
1 vote
1 answer
53 views

In TLS1.3 can the client hello have the extensions which were not sent as part of HelloRetryRequest

I am having a Handshake session of PSK_only mode in TLS1.3, where I use PSKs established out of band. Consider, client Hello is sent with the extensions of supported_versions, PreSharedKey, ...
hjhjh's user avatar
  • 41
4 votes
2 answers
1k views

Securing HTTP File Transfer over local network

My intention is to transfer files between a computer and a cell phone in the same network. I have created a system consisting of two apps for this purpose (everyone should be able to use the apps): ...
12characters's user avatar
19 votes
4 answers
8k views

HTTP: how likely are you to be compromised by using it just once?

My question is, if somebody, today, in 2024, sent a password or a credit card number to some random HTTP website just once, how likely is that password or credit card number to be found on a hacker ...
SteveT's user avatar
  • 188
0 votes
0 answers
26 views

Define DH parameters in python-mbedtls [migrated]

I'm using python-mbedtls library - https://github.com/Synss/python-mbedtls/tree/master my goal is to create handshake with different cipher suites, I've managed to do so with the given server and ...
some random dude's user avatar
2 votes
1 answer
61 views

Why is the browser being prompted for a client certificate without a Certificate Request in the handshake?

When I visit a particular site, foobar.com, I am being prompted for a client certificate, which is unexpected for this site. I assumed there would be a Certificate Request message in the HTTPS ...
jhilgeman's user avatar
  • 123
6 votes
1 answer
154 views

Do browsers like FireFox, Chrome, Opera, and Tor store TLS 1.3 session tickets on the disk?

Do browsers save TLS 1.3 session tickets on the disk to resume a TLS session after the browser process has been killed and restarted? Are there any glaring security risks of caching TLS 1.3 session ...
vibhav950's user avatar
0 votes
1 answer
49 views

Analyzing PSK-TLS handshake (Handshake Finished record) in Wireshark

I am doing testing with some ethernet device, for which I use an own TLS implementation (using OpenSSL for the actual cryptographic functions). There are pre shared keys used. When I am connecting to ...
seesharp's user avatar
1 vote
1 answer
55 views

What are the risk of using http when capturing open events on an email

I want to configure a custom domain for open and click tracking in Amazon Simple Email Service (SES). However, I've encountered a limitation where Amazon SES only allows HTTPS domains for tracking ...
dandaman12's user avatar
0 votes
0 answers
25 views

Why cannot we use TLS in the data link layer instead of EAPTLS? [duplicate]

Since EAPTLS also makes use of the TLS protocol features to provide authentication, why cannot we just make use of TLS in datalink layer? What is the exact difference between them?
Rahul Acharya's user avatar
0 votes
1 answer
62 views

mTLS set up - Does it require any offline certificates exchange?

My company is exposing a few APIs to one of our partner systems (external). We're looking at mTLS authentication here than any credentials based Auth schemes. My understanding is, My system (server) ...
user1189332's user avatar
0 votes
1 answer
74 views

export burp certificate to wireshark for inspection

I am trying to figure out if I can take the burpsuite certificate and export it to wireshark to be able to inspect the traffic going through it. My main goal here is to test a website I own to see ...
Don Schulz's user avatar
1 vote
0 answers
102 views

Is it safe to use a laptop on a public WiFi with VPN? [duplicate]

I'm in a situation where I'm moving between apartments and need to live at an extended stay hotel for a week or two. The hotel does have free WiFi but it is public. If I use my company’s VPN and visit ...
Curt Rand's user avatar
  • 249
1 vote
0 answers
62 views

ECDSA certificates not impacted by Let’s Encrypt certificate chain change?

We received an email from Cloudflare about the upcoming Let’s Encrypt certificate chain change. At some point, it states that "Additionally, this change only impacts RSA certificates. It does not ...
Vic Seedoubleyew's user avatar
1 vote
1 answer
55 views

Does the CORS asterisk / wildcard include both encrypted and unencrypted origins?

Does the CORS asterisk / wildcard (*) include both encrypted (https) and unencrypted origins (http)? And is the null origin (i.e., when a local file is doing a xmlhttprequest, or within an iframe ...
Booger21's user avatar
0 votes
1 answer
72 views

How many ephemeral session keys made when loading web page

I'm trying to understand the concept of ephemeral session keys as it pertains to perfect forward secrecy. There's an example I wasn't sure if. Let's say I have a webpage served over TLS at the url ...
learningtech's user avatar
0 votes
3 answers
125 views

Goal of CA is to allow clients ability to determine if TLS was tampered with while "in-transit"?

I believe my question will be a continuation of questions such as: What's the point of the CA? How does a digital certificate prove authenticity? In short, I still don't have a firm grasp on why a ...
learningtech's user avatar
1 vote
1 answer
53 views

TLS-1.3 gnutls_aead_cipher_init from SSLKEYLOGFILE secret

I have a pcapng file with its corresponding SSLKEYLOGFILE. This file contains valid (random/secret) couples. I know my SSLKEYLOGFILE is valid because I can decrypt packets with Wireshark. I'm using ...
Fulup Ar Foll's user avatar
3 votes
1 answer
433 views

Multiple certificate chains on a single server for TLS

Is it possible for a single server to use two different certificate chains for TLS? For instance, rootCA1, intermediateCert1, serverCert1, rootCA2, intermediateCert2, serverCert2. If this is possible, ...
Devz's user avatar
  • 33
2 votes
1 answer
52 views

SSL cert for mailserver, which domain? mail client refuses self-signed

I've got a mailserver and the hostname is mx.domain.com. Of course the server is configured to send emails to $mydomain and/or $myhostname.$mydomain in Postfix. Do I need to create the CSR/key for the ...
shawnixer's user avatar
1 vote
0 answers
42 views

3rd-Party CDN SSL Inspection for Financial/Banking API Traffics

We have 3rd-Party CDN in front of Financial/Banking APIs which involves sensitive data, login, access token, cookies, etc. We would like to leverage WAF and SSL Inspection capability of CDN. This ...
bboy's user avatar
  • 13
1 vote
1 answer
222 views

How does TLS-CRYPT-V2 work in OpenVPN?

I am configuring an OpenVPN server and I would like to use TLS-CRYPT-V2. For that, in the documentation, it is said that I have to create a TLS-CRYPT-V2 key for the server and one for each client, ...
Álvaro García's user avatar
0 votes
0 answers
36 views

how to alter a value in RMI TLS communication

I am pentesting a java thick client application, and the communication between client and server is RMI over TLS. On a certain button, there is an action triggered from the client to the server. In ...
anonymous's user avatar
0 votes
1 answer
54 views

Nexpose reporting ciphers not present in machine

Nexpose reports the following vulnerability: TLS/SSL Server Supports The Use of Static Key Ciphers. Negotiated with the following insecure cipher suites: TLS 1.2 ciphers: ...
Nico Nico Pizza's user avatar
0 votes
1 answer
83 views

How to get debug output from `openssl s_server` when (PSK-only DTLS) handshake fails?

We have tested our DTLS client using the openssl s_server program from OpenSSL 3.2.1. The handshake failed because we used the wrong PSK on the client. To our surprise, the server neither responded ...
Binabik's user avatar
  • 111
0 votes
0 answers
31 views

Does Vault (or basically any other system) require TLS when it only connects to a host on the LAN? [duplicate]

I'm trying to understand where TLS is required. I've heard that TLS encrypts data when a client communicates with a server through HTTP by verifying the server and passing encryption keys. This ...
Steven Kristian's user avatar
0 votes
0 answers
33 views

Is it possible to see HTTPS traffic without intercepting? (With a copy of the traffic) [duplicate]

I have a WAF solution that can work both inline and out-of-band. And we want to try the OOB option first. And possibly want to see HTTPS traffic as well. But the vendor says if we want to see the ...
Sjomann's user avatar
0 votes
1 answer
154 views

How to verify hostname of certificate? and Is it mandatory if client knows the certificate?

I have a reported finding saying that hostname verification is disabled. This can be deduced from this line of code: final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create(); ...
anonymous's user avatar
0 votes
1 answer
57 views

How can you protect against a man-in-the-middle forging a TLS Client Hello that offers insecure algorithms?

According to PAN-OS documentation for "Traceability and Control of Post-Quantum Cryptography", Traffic encrypted by PQC [post-quantum computing] or hybrid PQC algorithms cannot be decrypted ...
Evan Carroll's user avatar
  • 2,883
0 votes
1 answer
90 views

Can API Security/WAF tools decrypt "mirrored" traffic?

We're doing a PoC on a new API Security/WAF tool, and we're planning to place this solution out-of-band rather than inline. So traffic won't go through the solution and we'll send the mirrored traffic ...
Sjomann's user avatar
0 votes
0 answers
54 views

What is the security impact of disabling certificate check [duplicate]

I have this line of code in a client server project: sslContext.init(null, new TrustManager[]{new TrustAnyManager()}, null); A security guy pointed out that this is skipping the validation of the ...
anonymous's user avatar
0 votes
0 answers
52 views

In TLS, how are the Diffie-Hellman exchange parameters protected from a MITM attack? [duplicate]

Authentication alone will not stop a MITHM from intercepting and modifying plaintext exchanges, since he can let the authentication occur, then begin modifying the exchange data and neither end will ...
Michael's user avatar
  • 23
0 votes
1 answer
96 views

How can Amazon add its own headers when I make HTTPS requests to a web application?

I was playing with httpbin.org to test a client and discovered that some sites will get an header I did not set (X-Amzn-Trace-Id). If I do a curl https://httpbin.org/headers (which will respond with ...
simondvt's user avatar
  • 101
0 votes
1 answer
125 views

Why does this application include a private RSA key?

I downloaded an application, based on electron. I then decompiled the app.asar file. And I found two strange files: "server.cert" and "server.key". The private RSA key corresponds ...
2 votes
3 answers
174 views

Why data exchange between 2 web apps using redirection with query parameters or auto-form-post CANNOT be trusted by each other, even when using HTTPS?

Why data exchange between two web applications using redirection with query parameters or auto-form-post CANNOT be trusted by each web application, even when using HTTPS? Note: I understand that data ...
mee's user avatar
  • 23
0 votes
1 answer
93 views

Would there be any utility for multiple clients sharing the same TLS session key?

I was wondering if there is any utility for multiple hosts sharing the same TLS session key. I have come across proxies and the way they intercept TLS connections is to make the client accept its ...
imawful's user avatar
0 votes
2 answers
258 views

What is the impact of disabled TLS hostname verification?

If I have a java client that connects to a server, but in the java client code where the connection is built, it skips hostname verification disabled. When a client tries to connect to serverA.com, ...
anonymous's user avatar
0 votes
3 answers
664 views

Using HTTP header to transmit client certificate for mTLS

My client says their API traffic must take the path WAF -> Custom Firewall -> Backend API. Also, mTLS must be terminated after the traffic has gone through the network appliance. I have created ...
chriaass's user avatar
  • 101
0 votes
0 answers
82 views

Checking Against the CN Of Every Certificate In The Certificate Chain

Is it possible to check against the CN (Common Name) or SAN (Subject Alternative Names) of each and every certificate in the certificate chain for a match? I have 2 docker containers hosted on my VM, ...
Dhiwakar Ravikumar's user avatar
0 votes
2 answers
143 views

Automatically check if a certificate matches specific ciphers

My nginx backend server supports the following ciphers: ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:...
Shahar G's user avatar
1 vote
1 answer
146 views

What is the exact danger of not waiting for peer's close_notify response?

OpenSSL documentation says the following: (Source: https://openssl.org/docs/man3.0/man3/SSL_shutdown.html) It is acceptable for an application to only send its shutdown alert and then close the ...
Dragan's user avatar
  • 13
0 votes
0 answers
99 views

Testing in case of TLS 1.3 with AES-GCM

At work, I'm used to sniffing and capturing on network interfaces by which client and server intercom on LAN in my domain so as to grab genuine business data, followed by my customized replaying to ...
Y.Z's user avatar
  • 101
0 votes
0 answers
87 views

Decrypt TLS (DHE cypher) inside of TDS (Microsoft SQL Tabular Data Stream protocol)

Is there a possibility to decrypt TLS data encapsulated within TDS Microsoft TSQL protocol? The TLS handshake seems to occur within TDS data, right after the TDS pre-login The handshake itself is ...
mouch's user avatar
  • 113
0 votes
0 answers
100 views

Connecting Logstash To Elasticsearch via SSL (Docker Container)

My environment consists of 2 docker containers, one running Logstash and another running Elasticsearch on the SAME host & SAME docker network. I am trying to setup SSL between the 2 of them (this ...
Dhiwakar Ravikumar's user avatar
