I have an application which can access an LDAP server over a non-SSL connection. Now, the LDAP server has been configured to support only SSL.
So what new components, or changes to the existing components, do I have to make?
If your application really doesn't support SSL (btw it would've made things easier if you'd told us what program you're trying to use), you can try an SSL wrapper, such as stunnel, which can be configured to connect to the SSL-protected LDAP service whenever your program connects to the "entrance" of the tunnel. This way, your program doesn't have to support SSL, but your connection to the LDAP server is still secured by SSL (if the SSL wrapper runs on the same host as your program).
You should only have to change ldap: to ldaps: in the client.
I am trying to connect a client to a secure (SSL/TLS) IMAP server. The client code cannot handle SSL/TLS correctly, so I am trying to see if a proxy server can be used in the middle. I was thinking something like the following:
IMAP Client <------- Plain Text Requests -------> Proxy <------- SSL/TLS Requests -------> SSL/TLS protected IMAP server.
I think this is possible, but I am curious about what products can be used for the proxy. And is this a normal deployment option?
Thanks much,
Ash
Use stunnel. With it you can do direct TLS (i.e. imaps, port 993) and also TLS upgrade of a plain IMAP connection (port 143) using the STARTTLS command. See the documentation for more details.
This is insane. An obvious fix is to find out why your client software cannot handle TLS. Deploying proxies or standalone tunnels makes little sense.
Seriously, if your "client" cannot even establish a TLS connection, it's either severely misconfigured, has a damaged installation, or is so bad that it won't reliably work even after you deploy this band-aid.
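The wrapper setup suggested in both threads above (stunnel in client mode in front of a non-TLS LDAP client, and in front of a non-TLS IMAP client, with both direct TLS and STARTTLS), as an added example that is not from either answer. Host names, ports and the CA bundle path are placeholders to replace with your own; the point is that the verification directives are what make the tunnel actually authenticate the server.

```ini
; stunnel.conf, client mode: plaintext on the loopback side, TLS toward the servers.
; Added example; all host names, ports and paths are placeholders.
; Global options
foreground = yes
pid =

[ldap]
; the application keeps talking ldap://127.0.0.1:389 and never sees TLS
client = yes
accept = 127.0.0.1:389
; LDAPS on the directory server (placeholder host)
connect = ldap.example.com:636
; without verifyChain stunnel accepts ANY server certificate, which defeats the purpose
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
; name check against the server certificate
checkHost = ldap.example.com
sni = ldap.example.com

[imaps]
; direct TLS (imaps, port 993) for a client that only speaks plain IMAP
client = yes
accept = 127.0.0.1:143
connect = mail.example.com:993
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = mail.example.com
sni = mail.example.com

[imap-starttls]
; TLS upgrade of a plain IMAP session: stunnel issues STARTTLS itself, then wraps the socket
client = yes
accept = 127.0.0.1:1143
connect = mail.example.com:143
protocol = imap
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = mail.example.com
```

Run stunnel on the same host as the client so the plaintext leg never leaves the loopback interface, and point the client at the `accept` address instead of the real server.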
I'm trying to connect to my Meteor project via SSL/TLS.
Therefore I did the following:
meteor add force-ssl
in the meteor folder.
Then I start the program with 'meteor'.
Everything is running fine on localhost, but if I want to connect to the server by giving the IP and port over http, I get redirected to an https connection with the same IP and an 'Unable to connect' message.
Note: I created a certificate on my own and put it into the Meteor/server folder.
Does anyone know my mistake?
If you need to enable SSL support for your Meteor app deployed with Meteor Up: it now has support for SSL. You just need to tell it where the SSL certificate and the key are.
If you are not familiar with the process of generating an SSL certificate, follow this guide.
Disclaimer: I'm the author of Meteor Up.
You can't just put the certificate inside Meteor/server folder. You will need a web server to proxy the request and configure that server with your certificate (Docs also say that, search for force-ssl: http://docs.meteor.com/)
I recommend putting an nginx instance in front as the proxy. Here is an example of how to do it: http://www.digicert.com/ssl-certificate-installation-nginx.htm
We are setting up replication between RavenDB instances running in server mode. The instances are in different availability zones, so we need a secure connection between the servers. According to this post, SSL is not supported in server mode but
should be easy to add
Is there an extensibility point in the API where SSL support can be plugged in?
The API doesn't have any place for this currently, but I'm sure it would be a welcome contribution if you were so inclined to write this and submit a pull request. The underlying server is just a System.Net.HttpListener, which can be wired for SSL.
Your entry point would be at Raven.Database.Server.HttpServer.StartListening()
You would want the SSL certificate to be as easy to configure as the hostname or port. The cert itself should probably be pulled in from the Windows certificate store.
Context
I developed an application deployed in a Glassfish 3.1. This application is accessed only by https and sometimes it must connect to third-party web services located outside the customer's networks. The customer has other applications inside his network; mine is only a new "service".
Topology approximation
Big-IP F5 is the SSL endpoint. The customer has the valid certificate on this device.
IIS redirects by domain to the respective service.
glassfish is the machine with the application (running, of course, on a Glassfish 3.1).
How it works
When a user tries to connect to _https://somedomain the request arrives at the F5, where the SSL encryption ends; now we have a request to _http://somedomain. In the next step the F5 redirects this request to the IIS and this, finally, redirects to glassfish. These requests are successfully processed.
Points of interest
I have full control over the glassfish server and the OS of the VM where it is located. No other applications are or will be deployed on this server; it's a dedicated server for the app and some services it needs. The Glassfish runs on a VM with a Debian distribution as OS. This VM is provided by a VM server, but I don't know the brand, model, etc. The glassfish has the default http listener configuration.
I don't have any more information about the network and other devices, and I can't access any configuration file of any other device. I can't modify any part of the network myself, but I may ask, suggest or advise a change. The network's behavior should not change.
Currently users reach the application without problems.
The certificate used is a simple domain certificate trusted by Verisign.
The customer has no idea how to solve this.
The problem
All the third-party WS the application must access have a unique https access and, in some cases, the authentication required is mutual (two-way), and here we find the problem. When the application wants to connect to a WS with mutual SSL authentication, it sends the certificate targeted by the glassfish local keystore configuration. The customer wants, if possible, to use the same cert for incoming and outgoing secure connections. This cert is in the F5 and I can't add it to the glassfish keystore, because if I did I would be breaking Verisign contract requirements. I've been looking for a solution on Google, here (Stack Overflow), jita, ... but I've only found solutions for incoming traffic. I understand that maybe an SSL proxy is required, but I haven't found any example or alternative solution for the outgoing SSL connections.
What I'm asking for
I'm not an English speaker (isn't it obvious?) and maybe I don't use the correct terms in my searches. I can understand that this context can be a nightmare and hard to solve, but I will stand... The first thing I need is to know whether a solution (or solutions) for this problem exists and, if it (or they!) does, where or how I can find it/them. I've prepared different alternatives to negotiate with the customer, but I need to know the truth. I've spent tons of hours on this.
There are a couple of solutions.
1) Pay Verisign more money for a second "license/cert". They will be happy to take your money for the "privilege". :)
2) Create a different virtual server listening on 443 which points to a pool that has your client's server address as the pool member. Then on the virtual server, attach a serverssl profile that is configured to use the same cert you are using for the incoming connections. Then the F5 would authenticate with the same cert, and your app server would not need a client cert installed. Also, if they need to initiate a session to you, you would have to set up a virtual server with a clientssl profile that uses the same cert and requires a client cert to connect.
If your destinations may not be static addresses, then an iRule (or iRules) would have to be created to deal with that. This can be handled in 10 or later code with a DNS call in the iRule and setting a node for the session to go to.
Is it possible to set up an SSL connection on PlayBook? I found the SecureSocket class in the API, but it seems the PlayBook platform doesn't support SSL connections. Any ideas?
It depends what you're trying to connect to, but if it's a web server, then you can use URLRequest to connect via https, which uses an SSL connection.
I don't think there's currently a general way to do it in AIR, without using a third-party library, however.