Is it possible to provide encryption over HTTPS without a certificate?
I can't afford a certificate from a CA, but I do want to provide encryption with my website... without a self-signed certificate because I hate that screen popping up on the clients computer on first visits.
I am using the curl version 7.21.0. When I try the curl command from command like, things works fine for the http sites. But when I try https I get certificate error. I have source compiled curl with latest OpenSSL. I have also tried downloading the latest certificate bundle. With the same version of curl, same version of openssl with same certificate file I can get it work on the linux. But in the QNX OS I get this error.
./curl --cacert /mnt/temp/curl-ca-bundle.crt -v https://www.paypal.com
* About to connect() to proxy 172.16.2.17 port 8080 (#0)
* Trying 172.16.2.17... connected
[code]...
A few days ago I installed a new SVN server using ubuntu 10.04 server editiopn at our company and it runs almost flawlessly. Almost that is. The server uses a self-signed certificate so all communications go over https. The strange thing is this. When I run some svn command from my (windows) pc, like update I get asked whether or not I want to accept the certificate. Then I choose "accept permanently" end all goes well. In future command I don't get that question anymore. But when my colleague does the same from his pc, he also gets the same question. Now, when he chooses "accept temporary", all goes smooth. But when he chooses "accept permanently", like I did, he gets an error saying:
RA layer request failed
svn: OPTIONS of 'https://path_to_some_repo': Could not read status line: An established connection was aborted by the software in your host machine.
Of course I googled on this and could find two things: Server settings are wrong
there's something wrong with the firmware of the router. The first couldn't almost be the case since it works for me and I followed the manuals. The second one couldn't be it either because when I log in with my account on my colleague's pc, it works. This is also the case when he logs on to my pc. So the problem exists specifically when he is logged in on his own pc. The setup of this machine is exactly the same as mine.
I have a server with Apache2 and I would like to use encryption to prevent eavesdropping POST requests and similar. I've had success using SSL with a self-signed certificate, but this will of course generate huge warnings from the web browser. It's no problem for me when I'm connecting to the server as I know what to expect, but any other user who sees such a warning will surely leave the site unless I have personally explained the procedure.
Is there really no way to encrypt HTTP without having to use certificates? I know that this is supposed to provide security by identifying the server,but my point is that an encrypted connection without a CA would in no way be inferior to one that sends passwords as plain text. All I want to do is prevent people who are using programs such as Cain or any other packet sniffer from getting their hands on my passwords. I'm not exactly running an online bank system her
I'm trying to figure out how to use ADrive.com's 50 GB's or SkyDrive's 25 GB's of free storage to backup my computer automaticaly.
Problem's:
1. With ADrive I can select all my files at once through their website's uploader vs SkyDrive where you have to select them one by one. There are some third party programs, like Gladinet, which will mount sky drive to your computer like an extra drive, though I haven't found one for linux yet. This guy came up with a cool way to backup automagically with Windows: [URL] I am trying to figure out how to do the same thing with Linux.
2. ADrive's uploader is not on https, whereas SkyDrive is. Either way I wanted to encypt my files on my computer first so when I back them up, they are safe in case they should fall into the wrong hands, not that I don't trust Microsoft or whoever ADrive is with all my most precious documents, but I'd rather error on the side of safety.
I have set up certain portions of my web site to be forced https:// How do I force, non https:// protocols. I know this sounds confusing, so let me give you an example.
[Code]...
I'm using gnome-screensaver and have installed
xscreensaver-data
xscreensaver-data-extra
xscreensaver-gl
xscreensaver-gl-extra
xscreensaver-screensaver-bso
However, any xscreensaver I select and which becomes active provides only a blank black screen, although the Preview button works fine. The default installation screensavers which come along with gnome-screensaver are working fine too. Using Debian Sid.
I'm trying to install an Ubuntu cloud on my home network - I've been following this guide. When I arrived at STEP 6: Install an image from the store PART 3: Click on the Store tab I get the following error message on the page: Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
View 1 Replies View RelatedThe default Pidgin installation does not provide me with the option to create a MSN account. Is this normal? Must I install an additional library?
View 4 Replies View RelatedI use WLM (And yes, I realise odds are this is a problem on microsofts side) and almost every time claws mail connects WLM returns a new certificate. Valid, but I have to constantly accept or deny the certificate. Why is WLM pumping out fresh certs all the time and how can I fix this?
Whenever this pops up whatever I have at the moment shows "Signature status: No certificate issuer found" and the other shows "Signature status: Correct".
I had to do a hard shut down on my linux computer. Every since then it is not working properly and I get an invalid certificate on every page.I have never upgraded Debian since I installed it two years ago. With my experience with Gentoo I have found that upgrades can be a problem and it worked fine so I never messed with it.
View 9 Replies View RelatedI need to renew my SSL cert for my Mahara site and I follow the instructions below. But after I finish answering all the questions for the csr, I'm supposed to copy a portion of the cert into a web form. However I can't seem to find the server.csr so I can do this. Were this file goes?
Here is a step-by-step description:
Make sure OpenSSL is installed and in your PATH.
Create a RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted):
$ openssl genrsa -des3 -out server.key 1024
Please backup this server.key file and the pass-phrase you entered in a secure location. You can see the details of this RSA private key by using the command:
$ openssl rsa -noout -text -in server.key
If necessary, you can also create a decrypted PEM version (not recommended) of this RSA private key with:
$ openssl rsa -in server.key -out server.key.unsecure
Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted):
$ openssl req -new -key server.key -out server.csr
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR by using:
$ openssl req -noout -text -in server.csr
I install debian, I when I restart apache2, I got this error
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Feb 26 11:53:45 2015] [warn] RSA server certificate CommonName (CN) `Ismo' does NOT match server name!?
How can I modify the commonName of the RSA server certificate?
I've been using VSFTPD for years but i can't seem to get over this particular issue. I'm unable to make VSFTPD 3.0.2 work with a legit STARTSSL TLS cert on Debian 8.1 kernel 3.16.0-4-amd64.
500 OOPS: SSL: cannot load RSA certificate.
Openssl 1.0.1k correctly verifies the .PEM file containing both my domain's cert and the intermediate CA one. I've tried adding the private key to the .PEM file and also using it as a separate .key file. Also tried mixing my cert with the intermediate CA one and the private key... to no avail.
Every file is inside /etc where all the conf files reside (also the user specific conf files). File permissions for the .pem and key files are 600.
I'm successfully using the same certificate for NGINX.
Configuration file:
Code: Select alllisten=YES
listen_port=40000
pasv_enable=YES
pasv_min_port=40222
pasv_max_port=40224
listen_address=192.168.1.150
[Code] ....
Having tried different approaches to install (and run!) a webserver certificate from StartSSL on an Apache2 webserver, I had no success at all since three days. There are many web pages out there in the internet, each is naming it other ways, i.e. one speaks from server./etc/ssl/certs/server.pem, another name it /etc/ssl/private/server.key etc. etc.
Is there a common-sense description how to name a private key, how to name the public key, and just important again, where to place them and what what rights they must have to protect them? And, still important, which config file to adopt (default-ssl, or default-ssl.conf).
By the way, I implemented already the certificates in an other environments, and they are all working (tested with the ssl checker [URL] .....).
How to find a common-sense web page for Apache2 on Debian 8.1?
I upgraded my server yesterday via apt-get and my Perl scripts are not able to make HTTPS connections due to certificate verification problems.
This seems to be a problem for EVERY HTTPS site.
CURL gives the following error:
Code: Select allSSL certificate problem: unable to get local issuer certificate
I know that this has something to do with root certificate updates, but if I sound ignorant about it, it's because I am.
using CURL with the -k option allows the connection to be made.
I'm running OpenSSl 1.0.1k-3+deb8u2 on Jessie 8.2.
I would obviously prefer to not disable certificate verification on my server.
I've been trying to get an ECDSA certificate to work for my postfix installation, however, it seems that when I try to use the aECDSA protocol with a client the server gives "no shared cipher" errors.
I had created the certificate like so:
Code: Select allopenssl ecparam -name secp521r1 -genkey -param_enc explicit -out private/ec-email-server.pem
openssl req -new -x509 -key private/ec-email-server.pem -out certs/ec-email-server.pem -days 365
So I've setup a test server, and connected to it with a test client like the following:
Code: Select allopenssl s_server -accept 123 -cert /etc/ssl/certs/ec-email-server.pem -key /etc/ssl/private/ec-email-server.pem
openssl s_client -connect localhost:123
However, once again, I get "no shared cipher" errors.
I have installed debian 8 on acer aspire one, all run well but when i do the Command's VT320, i have errors with HTTPS protocol ! Since the browser Iceweasel, the connexion of web sites HTTPS work well ! This is the sample of "apt-get" with google Chrome :
Code: Select allroot@sta-krups:/home/phipo# apt-get install chromium
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances
Lecture des informations d'état... Fait
Paquets suggérés :
chromium-l10n chromium-inspector
[Code] ....
I have checked if the problem is with Openssl, the server is installed, and work well.
just found that iceweasel is unable to serf any https sites, thou can serf http sites.
View 7 Replies View RelatedThis is where it starts: I have 2 networks. The first: 192.168.1.0/24 composed by the router which has access to the internet with the IP 192.168.1 and the server (who is a gateway) with the IP 192.168.1.42 The other network: 192.168.2.0/24 composed by the gateway with the IP 192.168.2.1 and the clients (on the 192.168.2.0/24 subnet). To sum up, the gateway has 2 IPs (192.168.1.4(eth0) and 192.168.2.1(eth1)). On this gateway, I have squid installed (and listening on port 3128). I also made a redirection to redirect some computers who want to access to the web (port 80) to squid (port 3128) with this command: /sbin/iptables -t nat -A PREROUTING -m mac --mac-source CLIENT_MAC -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
At this stage, everything works fine. The clients can access the web by the proxy without "knowing". What I wanted to do, is redirect also the port 443 (HTTPS). Actually, when a client wants to access to, for example, [URL]. He cannot. So I would want to be able to redirect people (without passing by any proxy) directly to google. Like a NAT. But the problem is that I can't. The thing would be to, in the gateway, take all the packets with port 443 in destination and handle them to the router 192.168.1.1. Then, when the router sends the packet back, the gateway takes the packet and handles it to the client. I tried putting ip_forward to 1, but the problem is that all IPs and ALL PORTS are forwarded. And I just want port 443 to be forwarded.
I'm trying to get https/443 traffic go through squid.
View 3 Replies View RelatedThings beyond my control are causing me to rush a bit in getting the website moved. I'm working hard to try and get it done, but something else has come up that SSL Certificate.I know that our website's "basket" area is protected by an SSL certificate to ensure customer information, especially credit info, is secure. With the move to Amazon's service, it looks like I may need to create our own self-signed SSL certificate to ensure the basket area remains secure.
I have found guides that walk through how to make one yourself and configuring apache to allow it, but something else has come to mind. The guides I found don't really indicate where the SSL certificate goes afterwards, and also doesn't suggest which sections should be governed by the certificate (as only the basket section uses it, not anything else). How would I find out that information?
How to best manage both http and https pages on the same apache-server without conflicts. For example, if i have both 000-default.conf and 000-default-ssl.conf pointing to mydomain.com, and don't want users who visit mydomain.com without specifically type the https-prefix to be redirected to the https-page - how to handle users using browserplugins such as https-everywhere etc?
Another option would be to create a subdomain ssl.mudomain.com and have users who want to reach the ssl site to have to type ssl. I have tested several things with https everywhere enabled in my own browser, and it seems really hard to make this working the way i want, in one way or another i always end up getting redirected to the ssl-site automatically.
The reason i need this to work is because i run one site that i don't care much about SSL, that is the "official" part of that site, and i also host some things for friends and family on the SSL-part. This would not have been a problem if it wasn't that i use self-signed certificates for my ssl-site and the major user become afraid when a certificate-warning pops up in their browser and therefor leave the site.
I don't care for domain 'authentication' by an "Authority". I don't trust no one, so CA's to me are as trustworthy as the gypsy in the park.
I can use a self-signed certificate, but the problem is most browsers makers are Fn idiots that say the connection is not secure, when it actually is, but because I did not folk out cash, it makes my website look bad. I can understand the need for a 3rd party to verify the domain host to prevent man in the middle attacks, but I do not care for this.. and browser makers should take more responsibility and introduce different padlocks for types of authentication, rather than saying "this connection is encrypted, but not secure because its self-signed". What a load of horse s***!
How many times does people stop to read certificate authoraties? I sure don't. I only care weather or not the connection has been encrypted.. so, I am looking for a way for simply providing encryption for my website.
From what I understand, when you submit a CSR to a CA, it includes the private key, meaning that the CA would be able to see the encrypt data, should they get hold of it. This is not acceptable for me.
Is there anything other way to use encryption other than the SSL model that is used typically amongst HTTPS browsers today?
I have been trying for close to 7 hours now to create a working encrypted bootable usb key for debian now.
I start by running the debian installation dvd (1 of 3. I downloaded and burnt all three ISO's that I found here: [URL] .... (2015-06-06 17:33) to disk), and when I get to the partitioning part, I cannot get an encrypted volume that will hold the root filesystem.
Here is what I have tried:
I have tried the Guided partitioning option to use the entire disk and set up encrypted LVM, to no avail.
I am left with a primary boot partition of 254.8 MB, at ext2 with /boot mountpoint on it, and a logical partition of 15.8 GB, with crypto as it's file system that says it's "not active". This bit here seems to be a running theme as I keep coming back to this set up, (give or take some space arrangement). From what I've read and seen, I should be seeing an Encrypted Volume container similar to LVM, but called an "Encrypted Container" that I can create additional partitions in like / and /home, and what have you.
And I can't "activate" the partition either. I have tried both the Configure Logical Volume Manager, which changed the partition to an LVM partition that dosn't encrypt anything inherently (and I have checked), and I have tried the Configure encrypted volumes option, which leads to the same results basically.
I have tried manually creating the partitions, a 512 MB ext4 /boot partition and then partitioning the rest of the space as "physical volume for encryption" with aes encryption, 256 key size, xts-plain64, Passphrase encryption key, erase data flag, bootable flag off.
Same result, 1 primary boot partition, 1 logical (I later tried making it a primary partition to, with the same results) crypto volume that is "not active".
I also tried setting up the a logical volume manager, which created a container to create additional partitions in which I could encrypt, but it was either a partition dedicated to something (i.e. root (/) or /home, or /swap, etc) or it could be encrypted, but not both. I even tried creating a root partion, and then selecting Configure encrypted volumes, and then selecting the root partition, and here is where I thought I was getting somewhere, because then it comes up giving me all the same options above, but it also specifies mount point under encryption. Which is /, which is what I'm after. So I accept that, and it goes back to being crypto, "not active" and when I check the partition again, the mount point option is gone.
Last thing I tried was going back to having a 512 MB /boot partition, and an encrypted partition set up with Configure encrypted volumes option, and then specifying the encrypted partiton with the Logical Volume Manager as the place to create logical groups and volumes, to little avail. I can create more volumes that are either encrypted, or a useful non encrypted volumes like / (root), /home, /swap, and the like, but not both at the same time.
Following this guide: [URL] ....
This leads me to a useable system, but the system wasn't encrypted. When I booted, I wasn't asked for a passphrase, and I checked the stick with my old linux mint dristro, and I was able to mount the logical volume and look at the contents, /etc, /home, /var by activating the partition in GParted and mounting it.
A number of users seem to mark an encrypted partition as lvm and then create more logical volumes within that that either actually become encrypted, or they don't check. I'm not sure which after my testing.
[URL] .....
I have also read this: [URL] .... and this [URL] .....
I found this which shows the container I believe I should be seeing if I do this right, but I can't get it : [URL] ....
I have also watched movies on youtube about it : [URL] ....
Could the issue be that I'm using a Lexar JumpDrive? 16 GM USB 3.0.
I've gotten debian to run off of it on it's own so I kind of doubt it.
I would like to configure my Debian Jessie system in this way.
Two partitions:
1) /boot on /dev/sda1
2) everything else on /dev/sda2
I want to encrypt the second partition with LUKS. And then install over it a LVM volume. Inside the LVM volume i will create the / (root), /var, /opt and /home virtual partitions. In this way, i'll get asked only once for the password to decrypt all partitions. Because if i don't use LVM, then i'll get asked for the password for each encrypted partition.
I can follow and understand almost everything of this HOW-TO for Archlinux: [URL] ....
Only two passages are unclear to me:
1) Configuring mkinitcpio
I don't understand what i should do here in order to complete this. What should i do in Debian to configure "mkinitcpio"? what is the equivalent thing to do here?
I thought that the kernel would automatically recompile itself with all installed modules on the Debian system, once cryptosetup/LUKS or LVM2 get installed.
2) Configuring the boot loader
I don't understand what should i write in /etc/default/grub. Will GRUB automatically load the LUKS and LVM2 modules? Also, I don't think that i could boot the system in this way:
cryptdevice=/dev/sda2:LVM root=/dev/mapper/LVM-????
Actually the "root=" volume is the whole volume to mount as LVM. It isn't the final root partition.
With all the talk about disk encryption for Apple devices, I wanted to ask about how full disk encryption compares between debian linux and mac OS X. Is the code for debian linux fully available for people to inspect for flaws or backdoors? Apparently although part of the encryption code is available for OS X the full code for Filevault 2 is not public. What are the advantages and disadvantages of each method of encryption for each operating system?
View 8 Replies View RelatedThe laptop runs Debian Squeeze XFCE installed from the Live iso (uname -a gives 2.6.32-5-686 as the kernel) and has Wicd 1.7.0 for network management and uses the ipw2100 wifi firmware/drivers. It connects fine using WEP encryption at home and to unencrypted connections found in a couple of public areas. I have had one problem with a WEP encrypted connection in a cafe (got through encryption, but could not get an IP address. There are workarounds which I will try next time I have coffee there When changing my router to use WPA2, I get 'bad password' errors. There is quite a literature on 'bad password errors' and Wicd and kernel 2.6.32, however a lot of the pages are contradictory. The Wicd log showed this...
2011/06/07 17:25:59 :: WPA_CLI RESULT IS ASSOCIATING
2011/06/07 17:26:00 :: wpa_supplicant authentication may have failed.
2011/06/07 17:26:00 :: connect result is Failed
[code]...
I'm fine using WEP at home, but I need to connect out and about as well and meet WPA2 connections in some locations
I recently bought a new hard disk for my /home tree. I don't have encrypted home directories currently, but I was wondering if there is an easy way to encrypt my home directory so that it is automatically decrypted when I'm logging in (console/kdm). Basically I would like to manually do same thing as Debian installer would have done.
I'm running Squeeze.
I've a Lenovo G50-80T with W8.1. I want to install Debian 8.1 in dualbooting mode. I've done this other times without problems. But this time I want encrypt the Linux partition (not the Windows partition). I'll use dm-crypt to do that. I want to know if this way is secure for protect the data on Linux partition or if I need encrypt the entire drive.
View 3 Replies View Related