Does latest ejabberd community edition support client cert based auth? - authentication

Our application has government requirement for all HTTP requests to include SSL client certificate and all application servers to check incoming requests for client certificates.
Does ejabberd community edition support c2s certificate auth?
https://www.process-one.net/en/ejabberd/protocols/ says that XEP-0178 on community edition is only implemented for S2S communications, but on https://process-one.net/logs/ejabberd#conference.process-one.net/2018/07/09.html someone called says,
"'c2s_' is for client auth, as opposed to 's2s_'. Maybe you've seen old docs that said it's a Business-only feature, this went into the Community Edition at some point."
So, is it in community edition as well?

Related

Xero Integration - API Authentication issue

We are trying to integrate the Xero API into our web system; however, we are experiencing a particular problem which has not been responded to on the Xero forum pages, therefore I had no choice but to share it here.
It is a partner application integration and it requires to have some certain files & password within the software.
We have generated the .p12 and pfx files and addressed in the configuration file.
We have downloaded the wrapper solution from Github which is officially supported by Xero and all we did is to change the settings in the configuration file and run the Console App which is named "Xero.Api.Example.Counts" and OAuthTokens.css class throws an exception which is IIS 7.5 Detailed Error - 403.7 - Forbidden.
This response is generated from Xero API and we can retrieve more information in detail as "The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes"
The certificates are confirmed by Xero and we are using the correct Consumer Key & Secret in the configuration file.
We have also tried some other simple solution which does talk to Xero API using the partner application that has got the same result.
Is there any advice that you can share with us? Thank you
Install the certificates on your client machine and then use them.
For Partner Application of Xero, you need
Xero Entrust Certificate - Called Partner Certificate (issued by Xero)
and Signing Certificate - Generated by yourself and registered with Xero.
On the client machine where you are trying to connect, you need to install these certificates in the Certificate Store.
If it is Windows, you can find instructions to install certificates over here:
Instructions

SSL/TLS Cipher Suite Configuration with TAI based SSO on WAS

Environment:
1. Websphere 7
2. Microsoft platform
Both are exposed to public using an instance of IBM WebSEAL and TAM infrastructure.
Application running on Websphere uses IBM TAI++ mechanism to provide SSO to client.
Application running on Microsoft implements SSO by talking to user repository (proprietary SSO).
WebSEAL allows LOW ciphers; both applications allow only HIGH ciphers.
Issue:
App running on Websphere 7 is responding to the requests from client using LOW encryption, however, application on Microsoft is failing handshake for LOW ciphers.
If the app on Websphere is accessed with direct URL (not through WebSEAL), it successfully fails the LOW cipher requests.
How to restrict allowed ciphers to HIGH only?

SSL\TLS support in Play 2.2.1

I'm having a Play! (2.2.1, Java) Application and I want to allow:
Client Side Certificates - Only client authentication using a client side certificate can use the application API.
Server Side Certificates – Clients must be able to authenticate the certificate presented by the server via their trusted list of CAs.
What are Play! best practices for doing that?
In addition, do you know what cryptographic algorithm Play! is using? (TLS 1.2, 1.1, 1.0, SSL 3.0, SSL 2.0, etc.) and if it's not using TLS 1.2, can I enforce Play! to use it?
When you are using SSL/TLS for Play!, what do you use for the front end HTTPS server: Apache, Nginx, Netty.IO or Play!'s built-in server? (Because according to the official documentation, the non Play! servers can handle HTTPS requests better).
Play uses JSSE for TLS, so you configure Play using the SSLEngine that comes with JSSE. If you are using Play as an HTTPS client, then WS will do the hostname verification for you. If you're using Play as an HTTPS server and need to do client authentication, you should configure a custom SSLEngineProvider.
There is an activator template that shows how to use Play as both HTTPS client and server, using client authentication:
https://github.com/typesafehub/activator-play-tls-example
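A plain JSSE sketch of the server-side engine such a provider would hand back, requiring a client certificate and limited to TLS 1.2. This is an added example, not code from Play or from the linked template; the class name `MutualTlsEngine`, the JKS keystore files and the shared password are assumptions.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;

// Hypothetical helper class (not part of Play): builds a mutual-TLS server engine.
public class MutualTlsEngine {
    // Load a JKS keystore from disk (file format and location are assumptions).
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // serverKeys holds the server certificate and private key;
    // clientCas holds only the CA certificates allowed to issue client certificates.
    static SSLEngine create(KeyStore serverKeys, char[] keyPassword, KeyStore clientCas) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeys, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(clientCas);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // "need" aborts the handshake when no trusted client certificate is sent;
        // setWantClientAuth(true) would let certificate-less clients through.
        engine.setNeedClientAuth(true);
        // Drop SSLv3, TLS 1.0 and TLS 1.1 even where the JVM still enables them.
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        return engine;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: MutualTlsEngine <server.jks> <client-ca.jks> <password>");
            return;
        }
        char[] pw = args[2].toCharArray();
        SSLEngine e = create(load(args[0], pw), pw, load(args[1], pw));
        System.out.println("needClientAuth=" + e.getNeedClientAuth()
                + " protocols=" + Arrays.toString(e.getEnabledProtocols()));
    }
}
```

Keeping the client CA keystore separate from the JVM's default trust store means only certificates issued by those CAs are accepted, not anything chaining to a public root.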

Does Heroku support client SSL certificates?

I can't for the life of me find how to configure client certificate validation with Heroku SSL endpoint. Is it supported at all? Is there an alternative add-on that does support it?
I asked their support about this and this was their answer: https://help.heroku.com/tickets/128194
So it would appear that server side verification of client certificates isn't supported by heroku right now if you rely upon their web server. I.e. having a server hosted on heroku check the client certificate provided by the connecting client. This requires a check at the web server level.
However I did come across this for nodejs:
https://www.npmjs.org/package/client-certificate-auth
which would lead me to believe that for nodejs it should be possible, since you have full access to the http(s) server. I haven't tried it though.

custom ssl in windows azure

I was evaluating appharbor and azure framework for a cloud application.
I came across an article in this url: http://blog.appharbor.com/2012/06/10/some-notes-on-the-recent-azure-launch , which says
Azure Web Sites has no way to add your own SSL certificates at all. If your app needs SSL, you’re stuck with running on the Azure subdomain and piggy-backing off their certificate.
I am a little confused here and so the question:
1) Does this mean that I cannot register and use a ssl certificate for my domain (eg: www.mydomain.com) if my application is hosted in azure?
If that cannot be done, isn't this a fairly basic requirement for a secure web application? Why is it not implemented in azure?
2) Azure articles talk of shared ssl certificate. So, if I use a shared certificate, what will the user see in certificate details? will they see something like myapplication.cloudapp.net?
This is true as of today. But please do note that Azure Web Sites is a preview feature and things do change. Having a custom SSL certificate for an Azure Web Site is something that the team in Redmond is definitely after (check here). Also, please do note that this limitation is only valid for Windows Azure Web Sites. Website addresses usually map to myapp.azurewebsites.net.
This is not the situation with Windows Azure Cloud Services (that maps to myapp.cloudapp.net). You can check some articles and samples on how to configure custom SSL for Azure Cloud services here and here.
Azure websites now do support SSL certificates, with the ability to buy an SSL certificate or bring your own.
See this article for the configuration:
https://azure.microsoft.com/nl-nl/documentation/articles/web-sites-configure-ssl-certificate/
Also free SNI certificates are available as of now for Basic, Standard and Premium App Services:
https://azure.microsoft.com/en-us/updates/ssl-connection-pricing-changes/