ssl

Enforce SSL in code in an ashx handler

I have a site which contains several ashx handlers; on a couple of the handlers I want to reject non-SSL requests. Is there a way that I can do this in code? ...

Coding Dojo with IE and SSL

My application is using Dojo 1.1.1 on an SSL-only website. It is currently taking advantage of dijit.ProgressBar and a dijit.form.DateTextBox. Everything works fabulous in Firefox 2&3, but as soon as I try the same scripts in IE7 the results are an annoying Security Information dialog: This page contains both secure and nonsecure item...

Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?

Do I risk losing sales by disabling SSL 2.0 and PCT 1.0 in IIS5? Clarification: Sales would be lost by client not being able to connect via SSL to complete ecommerce transaction because SSL 2.0 or PCT 1.0 is disabled on the web server. Microsoft kbase article: http://support.microsoft.com/kb/187498 ...

What does a PHP developer need to know about https / secure socket layer connections?

I know next to nothing when it comes to the how and why of https connections. Obviously, when I'm transmitting secure data like passwords or especially credit card information, https is a critical tool. What do I need to know about it, though? What are the most common mistakes you see developers making when they implement it in their ...

Why is access denied when installing SSL cert on IIS 5?

I'm working with a support person who is supposed to be able to install SSL certs on a web server he maintains. He has local admin rights to the server via a domain security group. He also has permissions on our internal CA running Windows 2003 Server Certificate Authority: "Request cert" and "Issue and Manage certs". The server he's ...

Using XmlRpc in C++ and Windows

I need to use XmlRpc in C++ on a Windows platform. Despite the fact that my friends assure me that XmlRpc is a "widely available standard technology", there are not many libraries available for it. In fact I only found one library to do this on Windows (plus another one that claims "you'll have to do a lot of work to get this to compi...

What must I do to make content such as images served over HTTPS be cached client-side?

I am using Tomcat as a server and Internet Explorer 6 as a browser. A web page in our app has about 75 images. We are using SSL. It seems to be very slow at loading all the content. How can I configure Tomcat so that IE caches the images? ...

Are REST request headers encrypted by SSL?

I'm developing a client/server app that will communicate via rest. Some custom request data will be stored in the header of the request. Both the server sending the request and the receiving server have an SSL certificate - will the headers be encrypted, or just the content? ...

How can I get LWP to validate SSL server certificates?

How can I get LWP to verify that the certificate of the server I'm connecting to is signed by a trusted authority and issued to the correct host? As far as I can tell, it doesn't even check that the certificate claims to be for the hostname I'm connecting to. That seems like a major security hole (especially with the recent DNS vulnera...

Failures caused by logrotate on Apache 2 with passphrase protected SSL key

I have an Apache 2 installation on Debian with mod_ssl installed. The server private key is protected by a passphrase that needs to be entered on start-up. The error and access logs are subject to logrotate on a weekly basis. I find that Apache crashes with a passphrase-related error shortly after logrotate runs. I understand that log...

Java Code Signing Certificates...same as SSL Certificate?

I'm looking around for a Java Code Signing certificate so my Java applets don't throw up such scary security warnings. However all the places I've found offering them charge (in my opinion) way too much, like over $200 per year. While doing research, a code signing certificate seems almost exactly the same as a SSL certificate. The mai...

Force HTTPS. How is it possible?

I've got just one page that I want to force as an HTTPS page (PHP on Apache). How do I do this without making the whole directory require HTTPS? Or, if you submit a form to an HTTPS page from an HTTP page, does it send it by HTTPS instead of HTTP? Here is my example: http://www.mysite.com/buyCrap.php needs to only be accessed through:...

.NET's SslStream is always negotiating to the least secure cipher I have. How can I change this?

SslStream is supposed to negotiate the cipher type, key length, hash algorithm, etc. with its peer SSL stack. When using it in my code, I find that the negotiation always defaults to RC4 & MD5. I would like to use 3DES or AES for some added security. Looking around the web I find only a few references to this problem and no solutions; o...

Strong SSL with Tomcat 6

I'm trying to create a self-signed certificate for use with Apache Tomcat 6. Every certificate I can make always results in the browser connecting with AES-128. The customer would like me to demonstrate that I can create a connection at AES-256. I've tried Java's keytool and openssl. I've tried with a variety of parameters, but can't...

Python sockets suddenly timing out?

I came back today to an old script I had for logging into Gmail via SSL. The script worked fine last time I ran it (several months ago) but now it dies immediately with: <urlopen error The read operation timed out> If I set the timeout (no matter how long), it dies even more immediately with: <urlopen error The connect operation time...

Partial site SSL using asp.net login control

I'm attempting to convert a home-grown login system to the standard asp.net login control included in .net. I want all communication on the website for a user not logged in to be in clear text, but lock everything in SSL once the user logs in - including the transmission of the username and password. I had this working before by loadin...

Temporarily load SSL Client Key for Client Authentication in C#

I am using the WebBrowser control to add a WebInterface to C# app. My desire is to verify that only such app is able to connect to our Web server using SSL client certificates. My idea was to embed the client certificate in the app and just use when connecting via my app. Anybody have a suggestion on how to do this? Or the only way to ma...

Does IE6 Support AES 256 bit encryption?

Will IE6 negotiate a 256 bit AES SSL connection if the server is capable? ...

Rails SSL Requirement plugin -- shouldn't it check to see if you're in production mode before redirecting to https?

Take a look at the ssl_requirement plugin. Shouldn't it check to see if you're in production mode? We're seeing a redirect to https in development mode, which seems odd. Or is that the normal behavior for the plugin? I thought it behaved differently in the past. ...

Why is this X.509 certificate considered invalid?

I have a given certificate installed on my server. That certificate has valid dates, and seems perfectly valid in the Windows certificates MMC snap-in. However, when I try to read the certificate, in order to use it in an HttpRequest, I can't find it. Here is the code used: X509Store store = new X509Store(StoreName.Root, StoreLocat...