
Questions tagged [tls]

SSL (Secure Sockets Layer) and/or TLS (Transport Layer Security)

388 questions with no upvoted or accepted answers
7 votes
0 answers
6k views

Running openssl s_client with an aes encrypted key fails

I'm trying to verify a 2-way SSL connection using the openssl s_client command openssl s_client -connect localhost:8883 -CAfile ca.pem -cert client.crt -key client.key The openssl s_client fails ...
ddewaele
  • 221
7 votes
1 answer
596 views

TLS connection to untrusted server - client reaction for dropping connection standardized?

I played around with a man-in-the-middle proxy tool and connected different smart phones to it. As the proxy uses a self signed certificate the tested smartphone apps did not accept the presented ...
Robert
  • 1,461
6 votes
0 answers
614 views

Why are banks largely absent from the HSTS preload list?

There seems to be widespread support for the idea that election-related websites, of all things, should be resistant to man-in-the-middle attacks. The secret ballot makes detecting and recovering from ...
prhymethyme
6 votes
0 answers
6k views

How does TLS 1.3 break inspection?

The latest research seems to indicate that TLS 1.3 completely breaks the MITM/proxy model of many current security tools. I don't fully understand how it does that and if there are ways around this. ...
RussM
  • 61
6 votes
0 answers
594 views

How does Chrome distrust Symantec Certificates?

Sometime back Google Chrome had announced plans to distrust Symantec certificates. I am trying to figure out how this is done for a POC. When I visit chase.com on Google Chrome, I get the following ...
Krishnaraj
5 votes
1 answer
435 views

Does HTTP/3 necessitate additional - beyond HTTP/2 via TLS1.3 - restrictions on client authentication (mTLS)?

A recent Nginx release allows me to set listen 443 quic; to enable HTTP/3. Neat. I had been using HTTP/2 with TLS1.3 before, so I did not expect that change much, just optimize round trips with ...
anx
  • 370
5 votes
0 answers
595 views

Should I force Thunderbird to avoid RFC5746 and CVE-2009-3555 security bugs?

I see that the latest version of Thunderbird (38.0.1) still has the defaults set to ignore the error. Is this a big problem? Should I change the defaults to enforce greater security? Here is ...
Chloe
  • 1,758
5 votes
1 answer
637 views

Should I trash my router if it still runs OpenSSL 0.9.8p and OpenVPN 2.2.2 in 2017?

I have the Easybox 904 xDSL router from Vodafone (Germany) running the latest firmware 03.17.01.17. I wanted to upgrade the firmware but found out that the latest version is from 2015 - no updates ...
lampshade
  • 151
4 votes
0 answers
445 views

Create self-signed ssl certificate that can't sign other certificates

I have a LAN HTTPS server that I want to give an SSL certificate to. Since it's local-only, a self-signed certificate is sufficient for me. I have previously given it a self-signed root certificate, ...
arcus_mannen
4 votes
1 answer
1k views

Using NameConstrains in a CA certificate

I am trying to do something similar to what has been pointed out in this nice answer by Jonathon Reinhart. I have a CA certificate with Name Constrains (RFC): Permitted [1]Subtrees (0..0): ...
user1156544
4 votes
0 answers
3k views

Java Updates Restrict Unsafe SSL Renegotiation With Active Directory Servers

We have two active directory (AD) hosts, ead01.domain.com and ead02.domain.com; we also have a corresponding service domain, at eadauth.domain.com which round-robins between these AD hosts (via DNS). ...
KM.
  • 161
4 votes
0 answers
1k views

Safe communication via rest api between two known servers

I'm using Kinvey as backend but because it doesn't provide the ability to run custom code I have set up another server. So basically when x happens on Kinvey server, I send a call to my rest api on ...
Captain Obvious
4 votes
1 answer
11k views

Why did Chrome show my connection to Youtube as not secure?

I was browsing on Youtube a while ago, when I noticed that Chrome showed it as an insecure connection even though it was over HTTPS. I'm using Ghostery and Adblock to block trackers but nothing more, ...
sshcarex
4 votes
1 answer
8k views

Why does Chrome warn about "Obsolete Connection Settings" for key exchange?

What do I have to change so Google Chrome won't say that I am using an obsolete key exchange? Obsolete Connection Settings The connection to this site uses a strong protocol (TLS 1.2), an obsolete ...
EasyPeasy
4 votes
1 answer
199 views

MITM or Something Else?

Problem: When a given set of user devices (tablets/laptops) downloads files from a certain server from outside the host server's country, downloads are sporadically and routinely interrupted. The ...
Yoga Fire
