I am using OpenSSL 1.0.1 on OS X El Capitan. I want to enable TLS compression. I have set SSLCompression on, but it still doesn't do compression.
P.S. I know that compression is unsafe, but I have to enable it to demonstrate the CRIME attack for my class. I also have a browser that supports compression, so the browser doesn't seem to be the issue. The ServerHello message always decides to use null (0) compression.
Then the issue seems to be located server-side.
If you are the administrator of the server and if the server runs a recent OS, I'm afraid you'll probably have to manually compile OpenSSL with option zlib on it.
Related
I went through a lengthy process removing mod_ssl and replaced it with GnuTLS because I wanted to use TLS 1.3.
The difference I’ve noticed is GnuTLS doesn’t support older, legacy methods, only new ones.
OpenSSL supports them all. Is that a better choice? I could find very little support for configuring GnuTLS with Apache other than the RTFM pages.
Pros and cons? Should I move back to mod_ssl? I'm leaning towards thinking I made a mistake with GnuTLS just for TLS 1.3 and to get a good security ranking score.
Most people use OpenSSL, and it has been updated to work with newer versions of TLS as well as older versions (backwards compatibility).
As far as which is better, I don't know, but most use OpenSSL.
And regarding "Server Fault" in the comment, the user could have been more informative, and likely was referring to the domain, serverfault.com, which they did not elaborate on, making it confusing.
I need to connect a WinCE6.0 device to a web based server using HTTPS.
The problem: WinCE6.0 uses WinInet v6, which supports SSL2, SSL3 and TLS1.0, none of which are supported in the current (2018) best practices due to their security flaws.
I doubt I can drop in a newer version of WinInet and expect it to run.
I had thoughts of porting CURL to WinCE.
I'm thinking this issue has already been addressed by the CE community, but I'm not seeing an available solution.
How can I get an old embedded device to securely connect to the WWW?
From GuruCE:
If you want to use TLS 1.1 and 1.2 on CE a suitable solution is to use mbedTLS library from ARM. It has a BSD-like license, so not too restrictive. Only one change to the makefiles is needed to get it to work on CE.
first question.
I recently put Kubuntu onto my Chromebook via crouton, which was painless and awesome. However, it did necessitate putting it into developer mode. For some reason, this has removed ChromeOS's ability to authenticate SSLs for a couple of sites I use for work (but not all of them). I prodded the sysadmin, and he says the problem is the NSS library. Specifically:
It is a problem with the NSS library version on the user's OS. You can bypass the problem by starting Chrome with:
$ google-chrome-stable --ssl-version-max=tls1.1
I tried running that command (with and without the $) in Crosh, shell, and even the BIOS command prompt. Nope (command not found, or some variation thereof). This page seems to suggest that NSS isn't favoured, but the sysadmin is unable or unwilling to change the protocol to OpenSSL. So I'm left with trying to install NSS support onto my post-crouton, dev-mode Chromebook. Problem is, I have no idea how to do that. Worst case scenario, I can move my work environment totally from ChromeOS into the newly installed Kubuntu instance, but I'd rather not because ChromeOS is just such a pleasure to work on for browser-based work.
Does anyone know how to get NSS protocol SSLs working on dev-mode ChromeOS?
You cannot re-run Chrome from within Chrome, so that command won't help.
NSS/OpenSSL aren't protocols, they're libraries that implement protocols. Chrome OS uses NSS for some certificate management, but it uses OpenSSL (actually BoringSSL) for all network communication.
Putting Chrome OS into dev mode, though, should not change its behavior at all when it comes to network protocol negotiation. Without more details, it's hard to guess at the issue.
I have a device with OpenBSD 5.6 installed. OpenSSH is integrated into this OS. As I understand from this topic, to set up PAM usage I have to do it at build time. Is there any way to permanently enable PAM for this OS?
Also, it might be a problem that even if I enable it, the sshd function has no UsePAM keyword.
One more issue is that I need to use JAAS as PAM. Does anybody know how to set it up? I didn't find any posts or documentation about it.
OpenBSD doesn't support PAM. The links contain information related to OpenSSH Portable (i.e. the version of OpenSSH used on Linux).
It is said that OpenSSL is widely used; however, as far as I know, the most popular browsers seem not to use OpenSSL. Instead, they use other SSL libraries like:
NSS (for all Firefox and Chrome in Linux)
SChannel (for browsers in Windows)
Secure Transport (for browsers in Mac OS X).
Am I right? Or is there any concept I'm taking wrong?
Thanks.
OpenSSL is widely used in web servers; according to the Netcraft survey (http://news.netcraft.com/archives/2015/06/25/june-2015-web-server-survey.html) it can be over 60% of all web servers: Apache with mod_ssl, Google and Nginx. For browsers it is just not widely used.