
Entries in ssl (9)

Friday, Jun 15, 2012

Junos Pulse, Apple iOS, and Split-Tunneling

When you create (SSL) VPN access for your employees, you might enable split-tunneling to save corporate bandwidth. Without split-tunneling, all traffic is forwarded into the VPN tunnel. So if you browse the internet with an active VPN, the traffic goes through the VPN and reaches the Internet through the corporate Internet connection. This isn't a big problem with a couple of employees, but with hundreds on the road or working from home, this might frustrate the employees in the building.


Saturday, Jan 7, 2012

Changing SSL Certificates in a ISPConfig v3 Configuration

When you install a Perfect Server based on CentOS and ISPConfig v3.x, the installer creates self-signed certificates for the components. All these certificates will generate different warnings in your browser, mail clients etc. So it is time to eliminate those warnings.

First I needed to find out where all those certificates are located, and what their formats are. In my case, there are three services that use SSL/TLS in some form:

  1. Postfix SMTP service
  2. Courier IMAP service
  3. http / Apache2 webservice

Checking the configuration files will reveal their locations.


Wednesday, Jun 8, 2011

Microsoft Internet Explorer and IP Addresses in Certificate SAN

A fairly long title, but it describes exactly what this post is about. Once again a post about a Microsoft product and the way it works (or rather doesn't work) with your average Internet standard.

This week I was busy with RADIUS, 802.1x, PKI and the protection of websites with SSL encryption. For the implementation of 802.1x, I needed a PKI environment, so I used the Microsoft Certificate Services for that purpose. Along the way, I needed an SSL certificate for an internal website, but this particular website needed to work properly based on different FQDNs and/or IP addresses without throwing warnings or errors regarding the SSL connection.

The way to do this is to add Subject Alternative Names (SAN) to the certificate. This enables you to access the website in different ways, e.g.:

  • Access a webmail host from the internet based on its official FQDN (https://webmail.somedomain.com)
  • Access the same webmail host from the inside of the corporate LAN based on its internal name (https://webmail.acme.local)
  • And access the host from legacy DNS-unaware software on its IP address (https://192.168.1.254)


Friday, Mar 11, 2011

Configure SSL Certificate for Juniper J-Web Interface

By default, the J-Web interface (the GUI for the Juniper SRX firewalls) has SSL enabled. Like most devices with SSL out-of-the-box, the protection is based on a self-signed certificate. Self-signed certificates are easy (they basically come out-of-the-box), but they tend to nag you every time you connect to the GUI. So, it's time to install a proper certificate.

In this case, I use the XCA (1) software to create a new certificate. This certificate is signed by my own root CA, which I installed on all of my devices and Operating Systems. Basically, I trust myself.....

From the Juniper support pages on SSL certificate usage, I found out that the certificates have to be in PEM format. No problem for XCA.


Friday, Mar 11, 2011

AVM Fritzbox and the 'Exposed Host' Setting

The Fritzbox 7340 is the only really available VDSL modem/router in the Netherlands. Too bad, since it has some bugs (but what piece of software hasn't???). Fortunately, the router works well, as long as you use it as the only networking device in your (small) network.

In the last couple of days I've been busy adding the Juniper SRX100 branch firewall to my local home network. The idea was the following:

  • The Fritzbox (FB) will remain the Internet router
  • My web/mail/ssh server is placed behind the SRX100
  • All the individual port-forward rules in the Fritzbox are directed to the SRX100 by selecting it as the 'Exposed Host' in the FB.


Friday, Dec 18, 2009

The Twitters Are Gone....

For many, the world was in disarray. It seems that the Twitters have been hacked (read: defaced) by the infamous (never heard of them though) Iranian Cyber Army.

Twitter rerouted to an Iranian Cyber Army page.


Wednesday, Dec 16, 2009

Adobe Flash Player Problems

Updated on Wednesday, December 16, 2009 at 22:26 by Registered Commenter Willem

Since I encountered some problems with Flash on certain websites, I decided to check if my Flash player has been updated since 1972. Normally you can check the Flash settings (incl. the auto-update functions) through a page on the Adobe/Macromedia website. Which is weird, since you would think that this is a local setting (incl. privacy settings and audio functionalities).... But no. Macromedia/Adobe decided that you have to do that through their website.
The reason being that they can check whatever you are doing with your player.......


Thursday, Jul 16, 2009

Citrix ICA Client SSL Error 61

The great thing about Citrix is that you can access company resources from almost anywhere. They have several solutions for remote access and thin client computing. They also have an ICA client for Apple OSX (Yeeehaaaaa).

I've been using the OSX ICA Client for a couple of months now to access my mail on the company intranet. Apart from some little quirks (like not functioning well when having two displays), the experience is good. Up till now.

Today, completely out of the blue, this error appeared:

The error message suggests that I have changed something on my Mac, but not that I know of. For someone who works with PKI, one would think that they would remember choosing NOT to trust a public VeriSign CA.


Sunday, Jun 3, 2007

Installation Root CA on Nokia E61 Made Easier

Updated on Wednesday, February 10, 2010 at 8:53 by Registered Commenter Willem

From this day on, you can install certificates from non-trusted CAs on your Symbian-based phone (like the Nokia E61) using this page euh.. this page.

UPDATE: it seems that most other phone brands and types work as well (the S40 based devices are left out... sorry).

All you need to do is make sure that the certificate is in DER format. The webpage doesn't verify whether the certificate is in the correct format; that is up to the uploader.

I created this page because I work a lot with digital certificates, so I don't want to be bothered with the workaround described in the earlier post. The current version is quick-and-dirty (no error messages). I'll try to make it more user-friendly in the next couple of days (like having the option of sending the URL to an e-mail address). Just make sure that you obey the guidelines shown on the page, and all should go well.

Feel free to add a comment on how to improve this.
