SSL in switches

Hello

I was wondering whether all Cisco switches are able to handle SSL, and whether licenses are required to do so?

Thank you

Stéphane

Depends - what do you mean by "handle SSL"?

They can complete SSL VPN - don't

Can they secure a management session for the built-in graphical user interface (or for an external application like Cisco Network Assistant) via SSL - Yes, for most modern Cisco switches, if configured correctly and if they have the "k9" image type that supports strong encryption algorithms, required by most modern browsers.

Tags: Cisco Security

Similar Questions

  • Fichier.conf OTC has no details of the location of the ssl wallet file

    Hi gurus B2B.

    While doing the HTTPS configuration we observed that certain lines were missing in the fichier.conf located in <Oracle_Home>\Apache\Apache\conf. The lines mentioned below are missing in OTC's .conf but present in OracleB2B's .conf.
    The location of the SSL wallet file is also absent from the fichier.conf of TBT, as mentioned below.
    Can you please let us know why these lines are missing, or whether we have to add these lines manually when we set up HTTPS on OTC?




    Listen 4444

    <VirtualHost _default_:4444>
    # General setup for the virtual host
    DocumentRoot "E:\Oracle_b2b\cachehome\Apache\Apache\htdocs"
    ServerName DSCP17506.TechMahindra.com
    ServerAdmin [email protected]
    ErrorLog "|E:\Oracle_b2b\cachehome\Apache\Apache\bin\rotatelogs logs/error_log 43200"
    TransferLog "|E:\Oracle_b2b\cachehome\Apache\Apache\bin\rotatelogs logs/access_log 43200"
    Port 443

    # SSL Engine Switch:
    # Enable/disable SSL for this virtual host.
    SSLEngine on

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # Server Wallet:
    # The server wallet contains the server's certificate, private key
    # and trusted certificates. Set SSLWallet to the wallet directory
    # using the syntax: file:<path-to-wallet-directory>
    SSLWallet file:E:\Oracle_b2b\cachehome\Apache\Apache\conf\ssl.wlt\default

    # Certificate Revocation Lists (CRL):
    # Set the CA revocation path where to find CA CRLs for client
    # authentication or alternatively one huge file containing all
    # of them (file must be PEM encoded)
    # Note: Inside SSLCARevocationPath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath conf\ssl.crl
    #SSLCARevocationFile conf\ssl.crl\ca-bundle.crl

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional and require
    #SSLVerifyClient require

    # Access Control:
    # With SSLRequire you can do per-directory access control based
    # on arbitrary complex boolean expressions containing server
    # variable checks and other lookup directives. The syntax is a
    # mixture between C and Perl. See the mod_ssl documentation
    # for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    #   Translate the client X.509 into a Basic Authorisation. This means that
    #   the standard Auth/DBMAuth methods can be used for access control. The
    #   user name is the 'one line' version of the client's X.509 certificate.
    #   Note that no password is obtained from the user. Every entry in the user
    #   file needs this password: 'xxj31ZMTZzkVA'.
    # o ExportCertData:
    #   This exports two additional environment variables: SSL_CLIENT_CERT and
    #   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #   server (always existing) and the client (only existing when client
    #   authentication is used). This can be used to import the certificates
    #   into CGI scripts.
    # o StdEnvVars:
    #   This exports the standard SSL/TLS related 'SSL_*' environment variables.
    #   By default this export is switched off for performance reasons,
    #   because the extraction step is an expensive operation and is usually
    #   useless for serving static content. So one usually enables the
    #   export for CGI and SSI requests only.
    # o CompatEnvVars:
    #   This exports obsolete environment variables for backward compatibility
    #   to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
    #   to provide compatibility to existing CGI scripts.
    # o StrictRequire:
    #   This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #   under a "Satisfy any" situation, i.e. when it applies access is denied
    #   and no other module can change it.
    # o OptRenegotiate:
    #   This enables optimized SSL connection renegotiation handling when SSL
    #   directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
    <Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
    </Files>

    <Directory "E:\Oracle_b2b\cachehome\Apache\Apache\cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.
    CustomLog E:\Oracle_b2b\cachehome\Apache\Apache\logs\ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>



    Thank you for your help in advance.

    Kind regards
    Priyanka

    Not sure that the CTA is expected to support the entire feature. Please add the entries manually and let us know.

  • With the help of mod_wl_ohs: path of rewriting Cookie in the Set-Cookie headers

    Hi all

    I have set up a reverse proxy with OHS, set mainly in the "mod_wl_ohs.conf", and - as we also use encrypted connections - in a file 'ssl.conf '.

    The reverse proxy points to two different applications, each of which has a root context and are hosted on weblogic servers. Two applications are available via the reverse proxy.

    But the two applications both want and need to set a cookie with the name "JSESSIONID" and path "/".

    We have a use case in which we jump between the two applications in the same browser window, because one application loads the other in an iFrame.

    In this case the cookies overwrite each other, which we want to avoid.

    I want the reverse proxy to rewrite the path in the Set-Cookie header for each application. The application should neither know nor care. That is why the reverse proxy must manage the cookies completely.

    Changing the name of the cookie and/or the path in the application is NOT an option unfortunately.

    When I look at the permitted directives in mod_wl_ohs, I can't find anything about rewriting the path in the Set-Cookie header.
    But I know that there is the Apache ProxyPassReverseCookiePath directive.

    Unfortunately it is unclear whether I can insert it somewhere in the mod_wl_ohs configuration file. I also tried several combinations in the dist and httpd.conf file.

    So the question is:

    How to let the reverse proxy rewrite the path in the Set-Cookie header, while using mod_wl_ohs?

    Is it possible to use the ProxyPassReverseCookiePath directive?

    My mod_wl_ohs.conf file:

    # NOTE: This is a template to configure mod_weblogic.
    LoadModule weblogic_module "${PRODUCT_HOME}/modules/mod_wl_ohs.so"

    # This empty block is needed to save mod_wl related configuration from EM to this file when changes are made at the Base Virtual Host level
    <IfModule weblogic_module>
    <Location /app1>
    WebLogicHost hostname
    WebLogicPort port
    #ProxyPassReverseCookiePath / /app1/
    WLSRequest ON
    WLProxySSL ON
    SecureProxy ON
    WLProxySSLPassThrough ON
    WLProxyPassThrough ON
    WLCookieName JSESSIONID
    Header Proxy RequestHeader Set 'CDRPROXY '.
    RequestHeader set Proxy-cipher '%{SSL_CIPHER}e'
    RequestHeader set Proxy-Keysize '%{SSL_CIPHER_USEKEYSIZE}e'
    RequestHeader set Proxy-Secret-Keysize '%{SSL_CIPHER_USEKEYSIZE}e'
    RequestHeader set Proxy-ssl-id '%{SSL_SESSION_ID}e'
    RequestHeader set Proxy-issuer-dn '%{SSL_CLIENT_I_DN}e'
    RequestHeader set Proxy-user-dn '%{SSL_CLIENT_S_DN}e'
    RequestHeader set Proxy-Client-Cert '%{SSL_CLIENT_CERT}e'
    WLSSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystore/machine"
    SetHandler weblogic-handler
    Idempotent ON
    Debug OFF
    DebugConfigInfo OFF
    </Location>

    <Location /app2>
    WebLogicHost hostname2
    WebLogicPort port2
    #ProxyPassReverseCookiePath / /app2/
    WLSRequest ON
    WLProxySSL ON
    SecureProxy ON
    WLProxySSLPassThrough ON
    WLProxyPassThrough ON
    WLCookieName JSESSIONID
    Header Proxy RequestHeader Set 'CDRPROXY '.
    RequestHeader set Proxy-cipher '%{SSL_CIPHER}e'
    RequestHeader set Proxy-Keysize '%{SSL_CIPHER_USEKEYSIZE}e'
    RequestHeader set Proxy-Secret-Keysize '%{SSL_CIPHER_USEKEYSIZE}e'
    RequestHeader set Proxy-ssl-id '%{SSL_SESSION_ID}e'
    RequestHeader set Proxy-issuer-dn '%{SSL_CLIENT_I_DN}e'
    RequestHeader set Proxy-user-dn '%{SSL_CLIENT_S_DN}e'
    RequestHeader set Proxy-Client-Cert '%{SSL_CLIENT_CERT}e'
    WLSSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystore/machine"
    SetHandler weblogic-handler
    Idempotent ON
    Debug OFF
    DebugConfigInfo OFF
    </Location>
    </IfModule>

    My ssl.conf file:

    ###################################################################
    # Oracle HTTP Server mod_ossl configuration file: ssl.conf        #
    ###################################################################

    # The Listen directive below has a comment which is used at provisioning time.
    # The comment can be removed from the file in an OHS instance, but do *NOT* delete the comment in $PRODUCT_HOME/templates/conf/ssl.conf
    Listen {SSL_PORT} #OHS_SSL_PORT

    <IfModule ossl_module>
    ##
    # SSL Global Context
    ##
    # All SSL configuration in this context applies both to
    # the main server and all SSL-enabled virtual hosts.
    ##

    # Some MIME types for downloading certificates and CRLs
    AddType application/xxxxxxx .crt
    AddType application/xxxxxxx .crl

    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program ('builtin' is an internal
    # terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog builtin

    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: first the mechanism
    # to use and second the expiring timeout (in seconds).
    SSLSessionCache "shmcb:/usr/local/lamp/httpd-2.2.8/logs/ssl_scache(512000): ${ORACLE_INSTANCE}/servers/${COMPONENT_NAME}/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300

    # Semaphore:
    # Configure the path to the mutual exclusion semaphore the
    # SSL engine uses internally for inter-process synchronization.
    <IfModule mpm_linux_module>
    SSLMutex "sem"
    </IfModule>
    <IfModule mpm_winnt_module>
    SSLMutex "none"
    </IfModule>
    <IfModule !mpm_winnt_module>
    SSLMutex pthread
    </IfModule>

    # Disable SSL renegotiation
    SSLInsecureRenegotiation off

    # Disable FIPS
    SSLFIPS off

    # SSL Debug
    SSLTraceLogLevel debug

    ##
    # SSL Virtual Host Context
    ##
    <VirtualHost *:{SSL_PORT}> #OHS_SSL_VH
    <IfModule ossl_module>
    # SSL Engine Switch:
    # Enable/disable SSL for this virtual host.
    SSLEngine on

    # Headers before, included CertData
    SSLOptions +StdEnvVars +ExportCertData

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional and require.
    SSLVerifyClient none

    # SSL Protocol Support:
    # List the supported protocols.
    SSLProtocol nzos_Version_1_2 nzos_Version_1_1 nzos_Version_1_0

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    SSLCipherSuite XXXXXXXXXXXXX

    # Valid values are on and off
    SSLCRLCheck off

    # Path to the wallet
    SSLWallet "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/keystore/identity"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "${ORACLE_INSTANCE}/config/fmwconfig/components/${COMPONENT_TYPE}/instances/${COMPONENT_NAME}/cgi-bin">
    SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    </IfModule>
    </VirtualHost>
    </IfModule>

    > I guess that iRAV: directives in the Apache module mod_headers

    Yes, of course :))

  • Switch to SSL after connection open (i.e. STARTTLS)

    While some protocols allow you to connect directly with SSL active (by passing "ssl://" to Connector.open), others require that you first open a plain TCP socket connection, then send the command "STARTTLS", and then start talking SSL.

    What I want to know is how you move from a simple StreamConnection to a SecureConnection in mid-flight.

    I noticed that when I open a secure connection, Connector.open actually instantiates TLS10Connection. This class has a constructor that allows it to wrap an existing StreamConnection. However, my own experimentation has shown that I can't even instantiate TLS10Connection directly (I tried on the Simulator). All attempts end in some kind of exception, as this class doesn't want to be created in order to encapsulate a StreamConnection that is not yet open.

    It's not so rare to find protocols that want to connect in the clear, do some initial capability checking, then switch to SSL mode, so this becomes a real obstacle. While these protocols are sometimes also implemented with a straight-SSL port, that is often a less common implementation.

    I can't believe I didn't figure this out earlier, but assuming you can build code that instantiates TLS10Connection (requires the Cryptography API, key signing, not sure whether any legal problems exist), you can in fact do this. It just takes a bit of cunning.

    First, you open your connection as usual:

    // Open the plain TCP connection and its data streams exactly once.
    StreamConnection socket = (StreamConnection) Connector.open(
        "socket://" + serverName + ":" + serverPort,
        Connector.READ_WRITE, true);
    DataInputStream input = socket.openDataInputStream();
    DataOutputStream output = socket.openDataOutputStream();

    Then you do whatever protocol I/O is necessary for the handshake with the server, querying its capabilities, etc. Finally, you send "STARTTLS\r\n" and now want to switch modes. Here's how:

    // Wrap the already-open connection and streams, then hand them to TLS.
    TLS10Connection tlsSocket = new TLS10Connection(
        new StreamConnectionWrapper(socket, input, output),
        serverName + ":" + serverPort,
        true);

    // From here on, all I/O goes through the TLS streams.
    input = tlsSocket.openDataInputStream();
    output = tlsSocket.openDataOutputStream();

    The secret to this is StreamConnectionWrapper. You see, if you try to create a TLS10Connection with the original StreamConnection, it will try to open the input/output streams again. This causes I/O exceptions that break everything. So, here's the very simple code for the wrapper:

    import java.io.DataInputStream;
    import java.io.DataOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.OutputStream;
    import javax.microedition.io.StreamConnection;

    // Hands back the streams that are already open instead of opening new ones.
    private class StreamConnectionWrapper implements StreamConnection {
        private StreamConnection stream;
        private DataInputStream dataInputStream;
        private DataOutputStream dataOutputStream;

        public StreamConnectionWrapper(
                StreamConnection stream,
                DataInputStream dataInputStream,
                DataOutputStream dataOutputStream) {
            this.stream = stream;
            this.dataInputStream = dataInputStream;
            this.dataOutputStream = dataOutputStream;
        }

        public DataInputStream openDataInputStream() throws IOException {
            return dataInputStream;
        }
        public InputStream openInputStream() throws IOException {
            return dataInputStream;
        }
        public void close() throws IOException {
            stream.close();
        }
        public DataOutputStream openDataOutputStream() throws IOException {
            return dataOutputStream;
        }
        public OutputStream openOutputStream() throws IOException {
            return dataOutputStream;
        }
    }

    And that's all there is to it! Seriously, I can't believe I didn't think of this workaround years ago.
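
The same in-flight upgrade, sketched in Python as an added example (not code from the post above): the client finishes the cleartext phase, refuses to go on if STARTTLS is not offered or if extra plaintext is already buffered behind the STARTTLS reply, and only then wraps the existing socket with certificate and host name verification. The SMTP-style dialogue, the host names and the scripted peer are constructed for illustration.

```python
import socket
import ssl
import threading

# Constructed sample replies for an SMTP-style server.
GREETING = b"220 mail.example ready\r\n"
CAPS = b"250-mail.example\r\n250-STARTTLS\r\n250 SIZE 1000\r\n"


class StartTLSError(Exception):
    """Raised when the plaintext phase cannot be upgraded safely."""


class LineReader:
    """CRLF line reader that keeps any bytes received beyond the current line."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = b""

    def readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise StartTLSError("connection closed during plaintext phase")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode("ascii", "replace")

    def read_reply(self):
        """Read one reply: 'NNN-text' lines continue it, 'NNN text' ends it."""
        lines = []
        while True:
            line = self.readline()
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                return lines


def negotiate_starttls(sock, client_name="client.example"):
    """Run the cleartext phase; return only when it is safe to start TLS."""
    reader = LineReader(sock)
    if not reader.read_reply()[-1].startswith("220"):
        raise StartTLSError("unexpected greeting")
    sock.sendall(b"EHLO " + client_name.encode("ascii") + b"\r\n")
    capabilities = reader.read_reply()
    # Fail closed: a missing STARTTLS capability must not mean "stay in cleartext".
    if not any(line[4:].strip().upper() == "STARTTLS" for line in capabilities):
        raise StartTLSError("STARTTLS not offered; refusing to continue in cleartext")
    sock.sendall(b"STARTTLS\r\n")
    if not reader.read_reply()[-1].startswith("220"):
        raise StartTLSError("server rejected STARTTLS")
    # Bytes buffered past the reply arrived unauthenticated; never reuse them.
    if reader.buf:
        raise StartTLSError("plaintext received after STARTTLS reply")
    return sock


def upgrade(sock, server_name):
    """Wrap the already-open socket in TLS, verifying certificate and host name."""
    negotiate_starttls(sock)
    context = ssl.create_default_context()
    return context.wrap_socket(sock, server_hostname=server_name)


def scripted_peer(sock, replies):
    """Constructed stand-in server: send each reply, then wait for one command."""
    def run():
        try:
            for reply in replies:
                sock.sendall(reply)
                if not sock.recv(4096):
                    break
        except OSError:
            pass
        finally:
            sock.close()
    threading.Thread(target=run, daemon=True).start()


def try_negotiate(replies):
    """Run the cleartext phase against a scripted peer and report the outcome."""
    client, server = socket.socketpair()
    client.settimeout(5)
    scripted_peer(server, replies)
    try:
        negotiate_starttls(client)
        return "ready for TLS"
    except StartTLSError as exc:
        return str(exc)
    finally:
        client.close()


if __name__ == "__main__":
    print(try_negotiate([GREETING, CAPS, b"220 go ahead\r\n"]))
    print(try_negotiate([GREETING, b"250-mail.example\r\n250 SIZE 1000\r\n"]))
    print(try_negotiate([GREETING, CAPS, b"220 go ahead\r\n250 injected\r\n"]))
```

`upgrade()` is what a real client would call; `try_negotiate()` exercises only the cleartext phase, so it runs without a TLS server.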

  • Impact security to disable the content switch SSL closure alert?

    HI: I have a few problems troubleshooting of applications at the level of the SSL layer. Based on a few known bugs of IE with Cisco solutions for the content switch with SSL accelerator, we intend to disable the

    where to pass the content of the feature sends not SSL closure alert.

    Wondering if anyone out there has ideas on whether this (disabling the SSL closure alert to the server) will have an impact or open any security holes?

    Thank you

    Ravi

    For the CSM, "close-Protocol No" tells the SSL module not to send the SSL close notify alert when closing the connection.

    One of the ramifications of this could be that the IE browser client might not negotiate SSL session resumption for later SSL connections...

    This does not impair functionality, but could result in degraded performance, since the SSL module would have to establish more new sessions instead of resuming sessions.

  • correct password does not work; deleted all stored; Hotmail; tried to switch to imap, POP3 and port 995, 993; Password normal SSL/TLS; Linux

    Hello. As the Question States, I tried to delete all passwords stored, then adding the hotmail with the problem account. the other two accounts (gmail and another hotmail address) work very well. I was wondering if after looking at the screenshot attached that a mistake could be found, or if I should choose another e-mail program? I use Linux Ubuntu Mate 16.04. I have the version of TB: 45.4.0. Thank you

      Anthony
    

    We have had a great many users see problems with Hotmail. This poster provides a workaround:

    https://support.Mozilla.org/en-us/questions/1147439

  • Xcode Server installation failed (ssl configuration infrastructure)

    After upgrading to Server 5.2 today, I am unable to start the Xcode service due to an error.

    The first time I tried to set up the service, after choosing the Xcode application, I was asked to create an Xcode service user account. So, I followed the prompts to create an Xcode Server user account.

    Then I saw a message that Xcode Helper should be allowed to do UI scripting, to which I agreed.

    Finally, a progress bar appeared while, apparently, the Xcode service was being configured.

    And then an error stating:

    Xcode Server installation failed (ssl configuration infrastructure)

    Try clicking on choose Xcode and selecting a new version of Xcode or upgrade to a newer version of the server.

    Given that I had just installed the latest version of Xcode previously, I went ahead and checked that Xcode launches without problems and that no message appears.

    Then I went to System Preferences > Security & Privacy > Accessibility and verified that an entry had been added for Xcode Helper, and I checked the box next to it to allow access.

    Also, I went ahead and logged in to the Xcode Server user account and used the fast user switching option to return to my main account.

    Unfortunately, trying to start the service again results in the same error. I even tried to start the service while logged in to the Xcode Server user account. Every time it failed with the same message.

    Whenever I try to start the service, I see this (or a very similar) sequence of messages hit the system log:

    20 September 15:50:36 servermgr_xcode Server [867]: getSetXcodePathProgressWithRequest: {}

    control = getSetXcodePathProgress;

    currentPercentageCompleteRangeMaximum = 10;

    currentPercentageCompleteRangeMinimum = 10;

    currentStep = 'Xcode stop server';

    percentComplete = 10;

    status = running;

    }

    20 September 15:50:37 Server servermgr_xcode [867]: task completed (State 0)

    20 September 15:50:37 Server servermgr_xcode [867]: stderr output for the job:

    (4 / 6) [START] stop nginx daemon

    (3 / 6) Server [START] stop API

    (1 / 6) [START] stop CouchDB

    (6 / 6) [START] stop builder

    (5 / 6) [START] daemon stop control

    (2 / 6) [START] stop repeat

    (5 / 6) [END - 0.05 S] Stop control daemon

    (1 / 6) [END - 0.05 S] Judgment of CouchDB

    (2 / 6) [END - 0.05 S] Stopping repeat

    (3 / 6) [END - 0.05 S] Stop server API

    (4 / 6) [END - 0.14 S] Stop the nginx daemon

    (6 / 6) [END - 0.16 S] Stop generator

    A successful!

    Total time: 0.32 seconds

    20 September 15:50:37 Server servermgr_xcode [867]: launch/usr/bin/xcrun xcscontrol - initialize - build-service-user xcodeserver

    20 September 15:50:37 Server servermgr_xcode [867]: wait for task to leave

    20 September 15:50:37 Server lsd [961]: LaunchServices: could not store file lsd-identifiers to /private/var/db/lsd/com.apple.lsdschemes.plist

    20 September 15:50:37 Server servermgr_xcode [867]: xcscontrol reported progress: (1/29) checking that Xcode is accessible

    20 September 15:50:37 Server sudo [1422]: root: TTY = unknown; PWD =; USER = nobody; /Applications/XCode.app/Contents/developer = / usr/bin/file COMMAND

    20 September 15:50:37 Server servermgr_xcode [867]: xcscontrol reported progress: (1/29) checking that Xcode is accessible

    20 September 15:50:37 Server servermgr_xcode [867]: xcscontrol reported progress: running (4/29) xcode-selector - /Applications/Xcode.app

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: integration of control to prepare (9/29)

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: (11/29) setting up the config for Redis file

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: (12/29) setting up the config for CouchDB file

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: launchd jobs (13/29) system configuration

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: (14/29) creative group for users of service if required

    Note : There was a lot of posts like this that I missed:

    20 September 15:50:38 syslogd server [69]: notice of Configuration:

    ASL Module 'com.apple.AccountPolicyHelper' claims the selected messages.

    These messages may not appear in the standard system log files or in the database of the ASL.

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: configuration record (16/29)

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: users of creative services (17/29) if necessary

    20 September 15:50:38 Server servermgr_xcode [867]: xcscontrol reported progress: infrastructure configuration of SSL (18/29)

    20 September 15:50:39 Server servermgr_xcode [867]: getSetXcodePathProgressWithRequest: {}

    control = getSetXcodePathProgress;

    currentPercentageCompleteRangeMaximum = 75;

    currentPercentageCompleteRangeMinimum = 20;

    currentStep = "Configuring SSL infrastructure."

    percentComplete = 54;

    status = running;

    }

    20 September 15:50:41 com.apple.SecurityServer [114 Server]: displaying guest Keychain for Applications/Xcode.app/Contents/Developer/usr/bin/xcscontrol(1421)

    20 September 15:50:41 Server servermgr_xcode [867]: xcscontrol reported progress: FAILED (18/29): configuration of SSL infrastructure

    20 September 15:50:41 Server servermgr_xcode [867]: task completed (Status 5)

    20 September 15:50:41 Server servermgr_xcode [867]: stderr output for the job:

    (1/29) [START] make sure Xcode is accessible

    (1/29) [END - 0.20 S] Make sure Xcode is accessible

    Audit (2/29) [START] version of Xcode is supported

    (2/29) [END - 0.00 S] Check if the version of Xcode is supported

    Developer mode (5/29) [START] if necessary activation

    [START] Running (4/29) xcode-selector - /Applications/Xcode.app

    (29/3) [START] check if the server version is supported

    (3/29) [END - 0.02 S] Check if the server version is supported

    Data directories (6/29) [START] creation by default (if they are missing)

    (6/29) [END - 0.00 S] Creation of data directories by default (if they are missing)

    (7/29) [START] create a symbolic link to the current path of the Xcode application

    Access to the repository (8/29) [START] HTTP configuration

    Integration of control (9/29) [STARTED] preparation

    Access [START] SSH configuration repository (10/29)

    (8/29) [END - 0.12 S] Access to the HTTP repository configuration

    (7/29) [END - 0.12 S] Create a symbolic link to the current path of the Xcode application

    (10/29) [END - 0.12 S] The access to the repository SSH configuration

    (11/29) [START] establishing the file config for Redis

    (12/29) [START] set up the config for CouchDB file

    (13/29) [START] Setup launchd job system

    (5/29) [END - 0.16 S] Enabling developer mode if necessary

    (9/29) [END - 0.23 S] Preparation of control integrations

    (11/29) [END - 0.16 S] Setting up the config for Redis file

    (12/29) [END - 0.20 S] Setting up the config for CouchDB file

    (13/29) [END - 0.20 S] Launchd jobs system configuration

    Group creation [START] (14/29) for users of service if required

    Saving configuration [START] (16/29)

    (15/29) [START] configuration CouchDB to use all cores

    (14/29) [END - 0.02 S] Creation of service if required users group

    Users of creative services [START] (17/29) if necessary

    (4/29) [END - 0.41 S] Running xcode - select - switch for /Applications/Xcode.app

    (15/29) [END - 0.08] Configuration of CouchDB to use all cores

    (16/29) [END - 0.33 S] Configuration of the recording

    (17/29) [END - 0.52 S] Creation of users of the service if necessary

    Configuration of SSL infrastructure [START] (18/29)

    (18/29) [END - 3.03 S] FAILED: SSL infrastructure Configuration

    Failed: could not export the certificate of the server API: error Domain = =-25308 Security Code 'user intervention is not permitted.' UserInfo = {NSLocalizedDescription = User interaction is not allowed.}

    Total time: 4.13 seconds

    The service initialization error: could not export the certificate of the server API: error Domain = =-25308 Security Code 'user intervention is not permitted.' UserInfo = {NSLocalizedDescription = User interaction is not allowed.}

    20 September 15:50:41 Server servermgr_xcode [867]: response: {}

    error = "Xcode Server Configuration has failed (ssl configuration infrastructure)";

    errorCode = "-1";

    errorDomain = ServermgrXcodeErrorDomain;

    errorLocalizedDescription = "Configuration of Xcode Server failed (ssl configuration infrastructure)";

    errorLocalizedFailureReason = "failed to install Service in step: Setup ssl infrastructure";

    errorLocalizedRecoverySuggestion = "try clicking on choose Xcode and selecting a new version of Xcode or upgrade to a newer version of the server.

    errorString = "Configuration of Xcode Server failed (ssl configuration infrastructure)";

    status = 1;

    }

    20 September 15:50:41 com.apple.xpc.launchd [Server 1] (com.apple.dt.XCSDeviceService [1417]): Service not out 5 seconds after SIGTERM. Sending SIGKILL.

    20 September 15:50:42 Server servermgr_xcode [867]: getSetXcodePathProgressWithRequest: {}

    control = getSetXcodePathProgress;

    currentPercentageCompleteRangeMaximum = 75;

    currentPercentageCompleteRangeMinimum = 20;

    currentStep = "FAILED: SSL infrastructure configuration ';

    error = "Xcode Server Configuration has failed (ssl configuration infrastructure)";

    errorCode = "-1";

    errorDomain = ServermgrXcodeErrorDomain;

    errorLocalizedDescription = "Configuration of Xcode Server failed (ssl configuration infrastructure)";

    errorLocalizedFailureReason = "failed to install Service in step: Setup ssl infrastructure";

    errorLocalizedRecoverySuggestion = "try clicking on choose Xcode and selecting a new version of Xcode or upgrade to a newer version of the server.

    errorString = "Configuration of Xcode Server failed (ssl configuration infrastructure)";

    percentComplete = 54;

    status = FAILURE;

    }

    This entry is interesting:

    20 September 15:50:41 com.apple.SecurityServer [114 Server]: displaying guest Keychain for Applications/Xcode.app/Contents/Developer/usr/bin/xcscontrol(1421)

    No prompt was displayed at this time. Should I have seen an actual Keychain prompt? In any case, this entry seems to be the cause of the problem:

    Failed: could not export the certificate of the server API: error Domain = =-25308 Security Code 'user intervention is not permitted.' UserInfo = {NSLocalizedDescription = User interaction is not allowed.}

    Help getting the Xcode service back up and running would be much appreciated!

    I had this same problem. I typed the following in the terminal:

    sudo /applications/xcode-beta6.app/contents/developer/usr/bin/xcscontrol --reset

    After the reset, I tried to enable Xcode Server from the macOS Server GUI and it worked.

  • How to disable all SSL verification - sec_error_ca_cert_invalid

    Is it possible to disable all SSL verification of any sort in Firefox?

    I'm stuck with this error. (copied from another post) https://support.CDN.Mozilla.NET/media/uploads/images/2014-08-04-14-05-02-bc62ea.PNG

    I already have mozillapkix set to false. I don't want to import the self-signed certificates for all my servers into Firefox. I also deal with "broken SSL", such as incomplete certificate chains, etc., on load balancers or other strange machines.

    I had a Nightly version that worked with mozillapkix set to false, but it looks like it auto-updated :( so it is now 33.0.2 and no longer likes my self-signed certificates. (Which reminds me that I have to disable auto-update if possible.)

    If there is no way to completely disable SSL checking in Firefox, is there at least a Nightly build or an earlier build (I forgot in which version this new SSL checking begins) that I can use that will avoid this strict SSL checking (why there is no 'add exception' is still confusing...)?

    If it is a problem, you can use the Extended Support Release of Firefox, version 31. I believe the preference to disable the use of PKIX still works in this version. You could test with the 'Portable Apps' version first before switching.

    More information about ESR: http://www.mozilla.org/firefox/organizations/

    Portable (unofficial) build for testing: http://portableapps.com/apps/internet/firefox-portable-esr (uses its own local profile; close your normal Firefox first)

  • The e-mail application does not connect to the Dreamhost servers. Perhaps because of how they configure their SSL certificate for their subdomains.

    http://wiki.DreamHost.com/Certificate_Domain_Mismatch_Error

    Dreamhost's SSL certificate for their mail servers is only valid at one level of subdomain, while many of their e-mail clusters exist on a second-level subdomain. I think this results in a 'bad security' error message from the e-mail application.

    I contacted DreamHost and they say they are unable to solve this problem, or to allow me to install an SSL certificate on my virtual domain pointing to my e-mail cluster (even if I had to buy one).

    I understand it is possible to manually add certificates via adb in a way similar to this: http://www.pending.io/add-cacert-root-certificate-to-firefox-os/

    However, from what I have read, this: 1. does not work on the ZTE Open; 2. can only fix browsing, not the web mail client.

    Is there any option that is available to me short of switching hosts?

    Fabian,

    Are you familiar with Firefox OS? The reason I ask is that the e-mail client cannot create a certificate exception. In fact, that is by design: https://wiki.mozilla.org/Gaia/Email/Features#Security

    This request for support to Mozilla was placed specifically for the product Firefox OS, for which there is only a single mail client.

    That said, many people on the Mozilla Bugzilla have been able to show me how to find another alias for those servers that actually works and does in fact match the SSL certificates, although Dreamhost support could not provide me with any such information, and such information is not actually in the DreamHost wiki.

    I find Dreamhost's repeated insistence that I should just live with SSL certificate exceptions, when there are real, existing, valid server names that match the certificates in question, silly.

    The fact that you posted this solution for a product to which it is not even applicable is beyond useless. It serves to muddy the waters.
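
    The mismatch discussed in this thread follows from how certificate names are compared: assuming the mail certificate is a wildcard certificate, `*` stands for exactly one DNS label, so a host two levels down is not covered while a one-level alias is. The following is an added example, not part of the original posts, implementing a simplified form of the RFC 6125 comparison; `mailhost.example` and the alias name are constructed placeholders.

```python
"""Wildcard certificate name matching, simplified from RFC 6125 section 6.4.3."""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; a trailing dot is the root label.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate dNSName `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard never spans a dot, so both names need the same label count.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    # Everything to the right of the left-most label must match exactly.
    if p[1:] != h[1:]:
        return False
    if p[0] == "*":
        # Require two fixed labels so patterns such as "*.example" are refused.
        return len(p) >= 3
    # Partial wildcards ("mail*") and wildcards in other labels are rejected.
    if "*" in pattern:
        return False
    return p[0] == h[0]


def first_match(san_dns_names: List[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry covering `hostname`, or None on mismatch."""
    for pattern in san_dns_names:
        if name_matches(pattern, hostname):
            return pattern
    return None


# Constructed sample data: a certificate with a single-level wildcard and
# three server names a mail client might be configured with.
CERT_SANS = ["*.mailhost.example", "mailhost.example"]
CANDIDATES = [
    "mail.mailhost.example",       # one level below the domain: covered
    "sub4.mail.mailhost.example",  # two levels below: mismatch error
    "sub4-mail.mailhost.example",  # hypothetical one-level alias: covered
]

if __name__ == "__main__":
    for host in CANDIDATES:
        match = first_match(CERT_SANS, host)
        print(f"{host:30} {'OK via ' + match if match else 'MISMATCH'}")
```

    Checking the configured server name this way before accepting an exception shows whether a matching alias exists or whether the certificate genuinely does not cover the host.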

  • ProSafe (JGS524E + GS116E) switches: configuring the management web GUI in a specific VLAN

    Hello

    I use a JGS524E and a GS116E. The two are connected via an 802.1q uplink carrying all defined VLANs.

    Another 802.1q interface goes to a pfSense firewall, which serves as a router and DHCP server for each VLAN that I use.

    How can I configure the switches so that the switch is in one specific VLAN and gets its IP address from the DHCP server in that VLAN?

    At present, it seems to be random: it is not predictable from which IP range it takes its IP configuration via DHCP...

    How does the management function work internally?

    Thank you

    Markus

    Hello

    Thank you. I tried it out, but the behavior seems to be a little different:

    I configured a static IP address for the switch (10.1.0.13/24). I have access to the switch web GUI via its IP address from a directly connected host (connected via a trunk port, where I put VLAN 1 on the trunk), but it makes no difference which VLAN I use:

    When connected to VLAN 1 I have access, but also through VLAN 10, VLAN 20 and so forth (assuming I configure my computer statically with an appropriate address in the IP network, for example 10.1.0.20/24). So it does not seem to be limited to VLAN 1. You have access from each VLAN; only the IP configuration must be in the same network.

    I'm not sure how it behaves when cascading the two switches; I have not tried.

    Perhaps this information is useful for other users with the same question about this switching product line.

    For me, this behavior is not very well implemented. For security reasons, you must limit access to the administration, for example by allowing access from a specific hardware port or a VLAN. With the current implementation, centralized management for a cascaded topology is not easy to set up, perhaps because the behavior is not very clear and not documented in the manuals.

    As an aside: there is no TLS/SSL encryption available when accessing the web GUI (no HTTPS). So the password is transmitted in clear text... not a very good idea, I think.

    Thanks a lot for your help.

    Best regards

    markusd112

  • LabVIEW and SSL certificate

    So I come back on an interesting question that can cause significant problems, unless I can find a reasonable solution.

    Until yesterday a number of software programs that run at a number of remote sites were all happily accessing a database. This database is accessed via HTTPS POST using the HTTP Client VIs, and for the past two years everything worked fine with the verify server flag set to true; the database is part of a site that is all signed and certified.

    However, as of yesterday, they all decided to stop. Investigating the server itself, it seems that the SSL certificate has changed from the previous one. While browsing the LAVA forums, I managed to find a reference to a problem with the LabVIEW ca-bundle.crt file being outdated and so unable to check the validity of the new certificate.

    Now, while there is a workaround here, switching the verify server flag from TRUE to FALSE, with which I can make all the programs work again, there is the issue of having to update and rebuild several years' worth of programs. So I was hoping for something that I could do outside of LabVIEW to try to solve the problem. I had considered replacing ca-bundle.crt, but I'm not sure of the validity of this idea.

    So, any ideas are welcome if they mean that I don't have to go back through several versions of LabVIEW.

    TLDR:

    Can I do something to solve the problem?

    Well, the good news is that I found a solution. The problem is that I don't know how far this solution will get me; it should at least mean I can reach the single database I'm targeting.

    Tracing back to the provider of the database certificate (COMODO), I found they provide a CA bundle which, when used to replace the LabVIEW-supplied ca-bundle.crt, allows HTTP access to the database without problem.

    For the remote computers this is probably fine, as the only SSL-secured site they will try to access is the database, which I know the bundle is compatible with. For my development system, however, it may still be a problem, as I don't know when I'll have to try to access another certified site and whether or not the new bundle will work. Although, in all fairness, for the moment I don't know whether the LabVIEW-provided one or the other will work.

    I might have to come back to this thread at a later date and report on how everything worked.

  • Internal and external clients see the Cisco router's certificate, NOT the Exchange SSL certificate

    Cisco 876 Integrated Services router (ISR)
    Exchange Server 2010 SP1

    Clients: Outlook 2013, OWA, ActiveSync WP7/WP8 (?)

    We put in place a new Cisco ISR. Almost everything works fine, with a few exceptions. Exchange e-mail stopped altogether for several days until I realized that I needed to forward the SMTP, HTTP, and HTTPS ports from outside to the Exchange Server. Now, mail flow is fine, but...

    Every time I start Outlook, I get a certificate error. When I look at the certificate in the error popup, it actually points to the Cisco router's self-signed certificate. When we try to use the Windows phones, they get a "certificate error" and direct the user to the network administrator. The same with OWA: a certificate error, even if it can be "accepted" / overridden.

    Each client can still work, with the exception of the Windows phones. In Outlook and OWA, mail is still sent and received, but the wrong certificate must be accepted manually before the client works, and then it takes a little longer to load.

    Any ideas?

    I did set up port forwarding on ports 25, 80 and 443. Again, I did it yesterday and now mail seems to flow, whereas before, even if we could get into the client past the certificate error, messages were not received. (There was also a problem with mail not getting through, but that was due to our mail relay provider and was fixed yesterday as well...)

    Everything worked fine with the previous router (obviously). It was a high-end, consumer-grade Fritz!Box commonly used in Germany. I also had to allow ports through that box, not unlike using the ip nat inside static commands on the 876, but I don't know what it could have let through on its own or why the ISR is hijacking the Exchange Server's SSL certificate.

    Thanks in advance for any help.

    jeremyNLSO
    CCNA Routing & Switching, CCNA security
    MCITP, MCTS
    Berlin, Germany

    So we actually figured this out today. The internal DHCP server was handing out a public DNS server as well as the internal DNS. The internal DNS timed out, the client got the external IP address from the public DNS, and it received an unexpected cert from the router. Once we removed the public DNS servers from the DHCP server and used only the in-house DNS servers, the issue went away. Logical once we realized what was going on.

  • Firmware update for SG200-08 / SSL

    Hello, I recently bought the SG200-08 and I was wondering if/when there is another firmware update coming for the switch that I bought.  I noticed there is no SSL protocol, and I can't understand why Cisco decided not to include it on the switch.  I would also like to be able to configure SNMP on the switch, but from what I can tell, it cannot connect to a server, which is what I need.  I would like to know if these features are coming to the SG200-08 or if I just need to buy a new switch, which I would prefer not to have to do.

    Thanks for your time,

    karlribble

    Hello

    SG200-08 is the little brother of the 200 series of switches and as such it has all of the features contained on everything on the other series. This device does not support an SSL server or an external SNMP server, but any other model in the series does.

    The administration guide for the SG200 series switches, which shows the configuration of the SNMP and SSL servers, is:

    http://www.Cisco.com/c/dam/en/us/TD/docs/switches/LAN/csbss/sf20x_sg20x/...

    Also, here is a link to an online emulator for another SG200 so that you can see all the features:

    http://www.Cisco.com/assets/Sol/SB/SG200_Emulators/SG200_Emulator_v1-2-9...

    At present, there is no information indicating that these features will be included in a new version of the firmware.

    Please do not forget to mark a response as correct if it was useful for you, so that other members can benefit from it.

    I hope this helps.

  • SSL connection to a server on the Internet on the Airtel BIS plan

    Dear experts,

    I am a newbie in BlackBerry development and have developed an application that requires users to register from the BlackBerry via an HTTPS connection.

    I am testing the app on a BlackBerry 9000 "BOLD" with an OS upgrade to version 5.0 provided by the carrier Airtel.

    I searched the many posts here and tried to use the ConnectionFactory to check that I have selected the right access point for the network. Registration works fine on WiFi.

    However, I'm using a BIS plan and when I try to register OTA it fails.

    Pointers based on the code below and the application event log would be really useful.

    int[] preferredTransportTypes = {TransportInfo.TRANSPORT_TCP_WIFI,
                    TransportInfo.TRANSPORT_MDS,
                    TransportInfo.TRANSPORT_WAP2,
                    TransportInfo.TRANSPORT_TCP_CELLULAR,
                    TransportInfo.TRANSPORT_BIS_B
                    };
    
            ConnectionDescriptor conDescriptor = factory.getConnection(req.getUrl());
            HttpsConnection request=null;
    
            if ( conDescriptor != null ) {
    
                // connection succeeded
                int transportUsed = conDescriptor.getTransportDescriptor().getTransportType();
    
                Logger.log("Using transport type:" + transportUsed);
    
                // using the connection
                request = (HttpsConnection) conDescriptor.getConnection();
            }
            else
            {
                ServerResponse response = new ServerResponse();
                response.setErrorMessage("No connectivity to Server!");
                response.setStatusCode(-1);
                return response;
            }
    
            addHeaderParams(request, req);
    
            switch (req.getReqType()) {
            case RequestType.GET: {
                request.setRequestMethod(HttpConnection.GET);
    
                break;
            }
            case RequestType.POST:
            case RequestType.PUT: {
                request.setRequestMethod(HttpConnection.POST);
                addBodyParams(request, req);
                break;
            }
    
            }
            return executeRequest(request);
    
    }
    
    private static ServerResponse executeRequest(HttpsConnection request)
                throws Exception {
    
            ServerResponse resp = new ServerResponse();
    
            resp.setStatusCode(request.getResponseCode());
    
            if (request.getResponseCode() != HttpConnection.HTTP_OK) {
                resp.setErrorMessage(request.getResponseMessage());
            } else {
                InputStream is=null;
                try
                {
                    is = request.openInputStream();
    
                    int len = (int) request.getLength();
                    if (len > 0) {
                        int actual = 0;
                        int read = 0;
                        byte[] data = new byte[len];
                        // Stop at end of stream without adding the -1 marker to the byte count.
                        while (read < len && (actual = is.read(data, read, len - read)) != -1) {
                            read += actual;
                        }

                        // Use only the bytes that were actually read.
                        resp.setBody(new String(data, 0, read));
                    }
                    else if (len == -1)
                    {
                        StringBuffer out = new StringBuffer();
                        byte[] b = new byte[4096];
                        for (int n; (n = is.read(b)) != -1;) {
                            out.append(new String(b, 0, n));
                        }
    
                        resp.setBody(out.toString());
    
                    }
                }catch(Exception e)
                {
                    Logger.log(e);
                }
                finally
                {
                    if (is!=null)
                        is.close();
                }
    
            }
    
            return resp;
    
        }
    

    Here is the event log of the failed connection

    I have net.rim.networkapi - net.rim.device.cldc.io.ssl of the FATF.

    It is indeed a good question.  I suspect the answer may depend on your provider, in this case Airtel.  Does their package allow port 443 over WAP?

    The only way I know to test that is to create a small socket-based program and try port 60, which must work, and then port 443.  But it is probably easier to contact Airtel and ask.

  • Importing an SSL certificate on SG500X

    I am trying to use SSL certificates signed by our internal CA on all our SG500X and SG500 switches. The manual is a little vague on the actual import process. I generated the request on the switch without specifying a new key (so I guess it used the default value), submitted the request to my CA and downloaded the cert. Because the import option does not allow importing the .cer file, I opened it with a text editor and copied the cert, including the begin and end markers. When I submit it, I get the error: SSL could not import the certificate - conversion of entry to the certificate failed.

    Hello Steve,

    Here is a step by step guide to import the SSL certificate. I hope this helps.

    http://sbkb.Cisco.com/CiscoSB/UKP.aspx?VW=1&docid=49843175a37149768dc4c331a05dce92_Edit_SSL_Server_Authentication_Settings_on_SG500x_Series_Sta.XML&PID=2&respid=0&SNID=3&DISPID=0&cpage=search

    Nana
