IIS Compression and HTTPS (SSL) - ssl

Does IIS Compression (IIS 6.0) work with SSL? I haven't been able to find any definitive articles on the subject. If it does, are there any additional set up instructions that need to be taken besides what Microsoft has explained on TechNet?

Yes, it does. Compression is applied first and then encryption (SSL).
Our site uses IIS 6 compression and SSL:
https://www.httpwatch.com/
Nothing special has to be done. SSL and compression are separately configured.

Related

Single IP, Multiple SSL Certs, NOT using wildcard, TLS on IIS 7 possible?

We host many sites with domains on a single IP, i.e. www.domain1.com, www.domain2.com. We want to secure /admin using SSL. Historically each SSL cert needs a unique IP address. These are small sites and acquiring / assigning an individual IP to each site is unrealistic both in terms of maintainability and cost. Because we are not using subdomains, the wildcard SSL cert approach won't work.
Googling around, I found that Apache can do this by using TLS, see the answer here:
https://serverfault.com/questions/109766/ssl-site-not-using-the-correct-ip-in-apache-and-ubuntu
My question is whether this is possible with IIS 7.5 too? If so, does anyone know how to set this up?
Thanks in advance
Dave
SSL and TLS basically are the same. TLS is the successor to SSL where TLS 1.0 is basically the same as SSL 3.1.
What makes the difference though is the support for SNI. This allows the browser to tell the server for which hostname the request is without the need for the server to decrypt the request.
Normally a web server looks at the Host header to decide which virtual site the request is for. But when SSL/TLS is used, the entire request (including all headers) is encrypted. In order to read the headers the server would have to decrypt the request, but it can't do that without using the proper certificate. To know which certificate to use, it would need to know which site the request is for, but it can't know that because that information is in the encrypted request. A classic chicken/egg problem. This is where SNI steps in.
SNI requires a reasonably new OS / browser / server and is not yet supported by IIS. It will be supported in Windows Server 2012 and IIS 8.0 (due for release this year).

What is Reverse SSL? And how to do Reverse SSL?

My client asked me to do reverse SSL on his website, but I'm new to this term. Can anyone help me with this?
Please describe how to do it, or refer me to instructions.
Check out this wiki article:
"In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware."
"Doing" reverse SSL means choosing a system/server and configuring it. You should start by asking your client whether they already have a reverse proxy in place or if one needs to be set up.
So setting up reverse SSL (like standard SSL) should not impact your web site's design, the backing code and data store etc. It is Transport Level Security (TLS) and might actually be outside the bounds of the contract with your client.
One use case would be running Apache Tomcat behind an Apache Web Server which handles SSL and acts as reverse proxy. Your client should specify more specifically.

Capturing HTTPS traffic in the clear?

I've got a local application (which I didn't write, and can't change) that talks to a remote web service. It uses HTTPS, and I'd like to see what's in the traffic.
Is there any way I can do this? I'd prefer a Windows system, but I'm happy to set up a proxy on Linux if this makes things easier.
What I'm considering:
Redirecting the web site by hacking my hosts file (or setting up alternate DNS).
Installing an HTTPS server on that site, with a self-signed (but trusted) certificate.
Apparently, Wireshark can see what's in HTTPS if you feed it the private key. I've never tried this.
Somehow, proxy this traffic to the real server (i.e. it's a full-blown man-in-the-middle "attack").
Does this sound sensible? Can Wireshark really see what's in HTTPS traffic? Can anyone point me at a suitable proxy (and configuration for same)?
Does Fiddler do what you want?
What is Fiddler?
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language. Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.
Wireshark can definitely display TLS/SSL encrypted streams as plaintext. However, you will definitely need the private key of the server to do so. The private key must be added to Wireshark as an SSL option under preferences. Note that this only works if you can follow the SSL stream from the start. It will not work if an SSL connection is reused.
For Internet Explorer this (SSL session reuse) can be avoided by clearing the SSL state using the Internet Options dialog. Other environments may require restarting a browser or even rebooting a system (to avoid SSL session reuse).
The other key constraint is that an RSA cipher must be used. Wireshark can not decode TLS/SSL streams that use DH (Diffie-Hellman).
Assuming you can satisfy the constraints above, the "Follow SSL Stream" right-click command works rather well.
You need to set up a proxy for your local application and, if it doesn't honour proxy settings, put a transparent proxy in place and route all HTTPS traffic into it before it goes outside. Something like this can be the "man" in the middle: http://crypto.stanford.edu/ssl-mitm
Also, here are brief instructions on how to achieve this with Wireshark: http://predev.wikidot.com/decrypt-ssl-traffic
You should also consider Charles. From the product description at the time of this answer:
Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
For using an HTTPS proxy to monitor, it depends on the type of handshake. If your local application does not check the server's certificate by a CA's signature which you can not fake, and the server does not check your local application's certificate (or if you have one to set up on the HTTPS proxy), then you can set up an HTTPS proxy to monitor the HTTPS traffic. Otherwise, I think it is impossible to monitor traffic with an HTTPS proxy.
Another way you can try is to add an instrumentation probe at the routines of your client program where it sends and receives messages from its HTTPS library. It needs some reverse engineering work, but should work for you in all situations.
I would recommend Wireshark, it is the best tool to follow on different pieces of traffic. Although, I am not sure what you can see with SSL turned on. Maybe, if you supply it with a certificate?

Applying GZIP for a website under IIS?

How can I find out whether a particular web server's GZip is enabled or not, and how do I apply GZip compression for a web site under IIS 6.0?
The IIS GUI doesn't support turning compression on in IIS6. You'll need to update the IIS metabase directly with the settings instead.
The MSDN documentation gives a high level overview of HTTP compression but doesn't talk about getting the changes into the metabase. I found some instructions and a helpful metabase example.
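The question also asks how to tell whether compression is actually on. As an added example (not from the original answer), the check below asks for gzip explicitly, since IIS only compresses when the client advertises it, and judges the response by its Content-Encoding header, the bytes saved, and whether Vary: Accept-Encoding is present so shared caches keep gzip and plain copies apart. The sample responses are constructed here, not captured from any real server; `probe()` is the live variant for a host you administer.

```python
import gzip
import http.client
from typing import Dict

def judge(headers: Dict[str, str], body: bytes) -> dict:
    """Evaluate one HTTP response: did the server compress, how many bytes
    did that save, and did it send Vary: Accept-Encoding? Without Vary, a
    shared cache may hand a gzip body to a client that never asked for it."""
    h = {k.lower(): v for k, v in headers.items()}
    encoding = h.get("content-encoding", "").lower()
    decoded = gzip.decompress(body) if encoding == "gzip" else body
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    return {
        "compressed": encoding == "gzip",
        "wire_bytes": len(body),
        "decoded_bytes": len(decoded),
        "vary_ok": "accept-encoding" in vary,
    }

def probe(host: str, path: str = "/", use_tls: bool = True) -> dict:
    """Live check against a server you administer. IIS 6 compresses only when
    the client advertises support, so Accept-Encoding: gzip is sent explicitly."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    conn.request("GET", path, headers={"Accept-Encoding": "gzip"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return judge(dict(resp.getheaders()), body)

# Constructed sample responses (not captured from any real server).
PLAIN_BODY = b"<html><body>" + b"hello world " * 40 + b"</body></html>"
SAMPLE_UNCOMPRESSED = ({"Content-Type": "text/html"}, PLAIN_BODY)
SAMPLE_COMPRESSED = (
    {"Content-Type": "text/html", "Content-Encoding": "gzip", "Vary": "Accept-Encoding"},
    gzip.compress(PLAIN_BODY),
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("plain", SAMPLE_UNCOMPRESSED), ("gzip", SAMPLE_COMPRESSED)):
        print(label, judge(hdrs, body))
```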

Setting up SSL in Active Directory how-to

I need to set up SSL over Active Directory. I googled a lot but could not find a decent write-up about how to do this. If you know of some good resources about this, please let me know.
Thanks!
Sounds easy - but I ran into quite a few problems getting trusted connections with SSL working in our environment. The article was about ADAM but is just as applicable for AD. In our environment I couldn't install domain-related services like cert-server, nor act as domain-admin.
I blogged about how I got this working a while back
http://stephbu.wordpress.com/2006/11/29/using-adam-with-asp-net-2-0-activedirectorymembershipprovider/
Dan and Erlend's postings were invaluable.
Took some backflips to get it done.
The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA according to the guidelines in this article.
http://support.microsoft.com/kb/321051
Can you be more specific? What is the client trying to do? Active Directory supports LDAP over SSL by default. There is nothing that should be done to activate it. It is done on port 636/tcp. http://technet.microsoft.com/en-us/library/bb727063.aspx
The absolute fastest way to install SSL into AD is to load MS certificate services. Once this is installed, all domain controllers will request a new certificate automatically and update themselves...