Our company currently have an application created in VB6 running on a Windows 7 desktop computer. This application needs to connect to a web service using HTTPS.
For some reason this application can not connect to the target server. The target server is behind an Apache web server that also acts as a load balancer.
I traced the connection via wire shark and it seems that after the Client Hello the server responded with [FIN, ACK] than a Server Hello. Can anyone tell me what the problem is.
Client Hello & Server [FIN, ACK]
[![Client HEllo][1]][1]
[1]: https://i.stack.imgur.com/btXyX.jpg
[![enter image description here][2]][2]
[2]: https://i.stack.imgur.com/O5WDq.jpg
However, we can connect successfully in the following scenarios
If we use the same application under Windows 10. Please note when using Windows 10 our SSL version is TLS1.2.
If the application connect directly to the Application Server instead of the Apache Web Server. In this case our SSL protocol is still TLS1.0
I am guessing that we need to configure the Web Server to allow our application to connect. Our Administrator told us they already activated the TLS1.0 protocols so I am not entirely sure what is wrong now.
Why the server closed the connection, or any ideas what part of the logs or Web server configuration should I check to find out?
Please note that we are aware that we are using TLS1 protocol for this connection but this application is only for internal use and its replacement is already in development. However, there is a business need to make this work for the current environment.
In the case the Server doesn't support any of the Cipher-Suites suggested in the "Client Hello" packet, it may just close the connection.
You can check what is the returned Cipher-Suite in the case it works (when you use Windows10) and then investigate how to enable this Cipher-Suite in Windows7
Related
I have recently installed an OpenVPN service on my Google Cloud Platform (Debian 10 Server) in order to test connecting to internet on this VPN protocol. The config file that is created by the server, however, fails to connect to internet when I import it in Windows 10 OpenVPN Client that I currently use to connect to internet using other config files. During set up, I installed ufw firewall and chose a password-less user and UDP connection according to a search in Google. Anyways, the config files that I have created this way all fail to connect from Windows returning a "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" as noted in the log.
Does this TLS error mean my Windows client can't reach the server due to some wrong permission/firewall settings on the server side (I have already allowed OpenVPN Client for Windows on my firewall on my Windows client)?
What changes should I make to the OpenVPN set up during installation on the server to make it work? Any suggestions?
Thanks in advance.
My Azure VM (Win 2008 R2 Datacenter) runs IIS 7.5 and hosts a half-dozen Web sites. I obtained and installed a certificate to enable SSL on one site. I tested the certificate with the downloaded SSL Diagnostics tool, and all appears great. The tool sent a sample SSL handshake with perfect results (diagnostic info along with the contents of the tiny test web page).
However, the web page is unobtainable using https://... from a browser on either the server or client. Localhost:443 or the server IP address:443 in a browser on the server also fails. No error messages are received, the browser just waits and waits.
What could it be?
If I use a browser on the server and input https://ip address without 443, I get this error in the browser: ERR_CERT_COMMON_NAME_INVALID. "Your connection is not private. Attackers might be trying to steal your information..." and it shows the info from the certificate, like the issuer etc. What's the deal?
Ugh. I needed to open port 443 in the Azure Portal, in my Network Security Group. Another question on StackOverflow steered me to that solution!
I have a IBM HTTP Web Server setup as a reverse proxy for a WebSphere application server. We use Oracle Access Manager for user authentication. There is also a Oracle Webgate running on the IHS server to intercept the requests and check them against the Oracle policy.
I can see the authentication going through and Oracle passes back the value needed in an HTTP Header, OAM_REMOTE_USER. The problem is, at some point in the process, that header is not passed on to the WebSphere Application Server.
The Oracle Webgate is monitoring port 8443, but I am not understanding if that means for the Web Server or the App Server since both are on the same physical machine and have the same server name. If I just create a virtual host on the Web Server for 8443 and do not create the port on the App Server, the headers are going through correctly. The problem with this is that I have to use PreserveProxyHeader for the request to go through the WebGate 8443 port, so after authentication it comes back looking for my Application on port 8443, which does not exist on the Web Server. The only way it can find my application on port 8443 is if I also add a port on the App server for that port, which contains the application.
I guess the main thing I am struggling to understand is if I need to define the port Webgate monitors on the HTTP Server and App Server, or if it should only be on the HTTP Server side. It seems like no matter what I do, at some point the request gets redirected from the HTTP Server to the App Server and strips out any OAM HTTP headers that were there. I've managed to prevent them from dropping by removing the 8443 port from the app server, but now my app cannot be mapped to.
This is WebSphere App Server 8.0 and IBM HTTP Server 8.0.0.5.
In the administrative console, click Servers > Server Types > Web servers > web_server_name > Plug-in properties > Request routing. Disable "Remove special headers". Regenerate your plugin configuration XML, and redistribute it.
Not sure if i'm really up-to-date, but i'm looking in a way to convert my existing project to use HTML5 websockets.
Here's my situation :
- Client runs a modified java vnc applet with extra parameter (CONNECT).
- Modified stunnel listenin on webserver (with both public, private IP) port 443
- Client connects to 443 and sends (prior to RFB) a HTTP packet like :
'CONNECT 10.0.0.1:4001'
- Stunnel opens a new stream to 10.0.0.1:4001 using SSL wrapper
- VNC Server (#10.0.0.1:4001) responds, connection is established.
Now I want to get rid of the Java Applet and switch to Websocket using NoVNC.
I want to be able to :
- Open a single port on the webserver (HTTPS preferably)
- Have client connect using HTML5 only (no more java applet)
I cannot change :
- VNCServer will still be listening on private LAN only.
- VNCServer will still listen to a bunch of ports, each corresponding to
a virtual server
Questions are :
- How to give NoVNC the notion of target HOST:PORT ?
- Is stunnel still be usable ? Or should I change to websocket proxy ?
If anyone has a starting point, i'd really appreciate !
Disclaimer: I created noVNC so my answer may be heavily biased ;-)
I'll answer you second question first:
stunnel cannot be used directly by noVNC. The issue is that the WebSockets protocol has an HTTP-like initial handshake and the messages are framed. In addition, until binary payload support is added to WebSockets, the payload is base64 encoded by the websockets proxy (websockify). Adding the necessary support to stunnel would be non-trivial but certainly doable. In fact noVNC issue #37 is an aspirational feature to add this support to stunnel.
First question:
noVNC already has a concept of HOST:PORT via the RFB.connect(host, port, password) method. The file vnc_auto.html at the top level shows how to get noVNC to automatically connect on page load based on the host, port and password specified as URL query string parameters.
However, I think what you are really asking is how do you get noVNC to connect to alternate VNC server ports on the backend. This problem is not directly addressed by noVNC and websockify. There are several ways to solve this and it usually involves an out-of-band setup/authorization mechanism so that the proxy can't be used to launch attacks by arbitrary hosts. For example, at my company we have a web based management framework that integrates noVNC and when the user wants to connect to the console, an authenticated AJAX call is used to configure the proxy for that particular user and the system they want to connect to. Our web management interface is internal only.
Ganeti Web Manager uses a similar model and the source is available. They have a fork of VNCAuthProxy that has WebSockets support. They use a control channel from the web interface to the VNCAuthProxy to setup a temporary password associated with a specific VNC server host:port.
Also OpenStack (Nova) integrates noVNC uses a similar out-of-band token based model to allow access with their nova-vncproxy.
Some links:
Ganeti Web Manager
Wiki page about how noVNC works in Ganeti Web Manager
Ganeti Web Manager sources
Ganeti Web Manager VNCAUthProxy sources
Using noVNC in Nova/OpenStack
OpenStack fork of noVNC
Old nova-vnc-proxy code
Current nova vnc proxy code
I'm using windows server 2008 & IIS 7.0 to deploy the my vb.net 3.5 application.
I'm successfully able to run the URL on my server.
Same URL having IP address & port number configured is not working on client system.
It is showing IE default error message as "page cannot display"
Thanks
A couple of things to do:
Try it in something other than IE - Or at the very least turn off IE "Friendly http error messages" as they obscure the real problem (Tools -> Internet Options -> Advanced)
Make sure the IIS website is bound to all IP Addresses not just 127.0.0.1 (localhost)
Make sure the windows firewall / other firewalls in use are configured to allow incoming traffic on port 80 through (assuming you're using port 80)
Check the event logs - If it's a coding problem, the error message is usually dumped in there
If the client system is on a different network, make sure that all your firewalls/routers are set up to allow the appropriate traffic through
Some more information which would help us:
Where (in network terms) is the client you mention? same network?
What happen if you use the full URL the client's using from a browser on the server?
When you say it works on your server, is that the VS development server? or the same server the client is using?