Mailkit SMTP TLS version 1.3

Does Mailkit SMTP support TLS 1.3?
This is a short and sweet question, but in my googling for an answer I couldn't find a definitive response. Further, I couldn't find a simple test email server or service where I could lock down the protocols such that only TLS 1.3 was supported, so that I could do a simple test. And I had to add this paragraph because SO didn't think my one-line question was of sufficient quality.

No, MailKit does not support TLSv1.3... but only because the .NET class libraries do not support TLSv1.3.
Once .NET supports TLSv1.3, so will MailKit.
To control which SSL and/or TLS protocol versions you want a MailKit client to use, you can set the SslProtocols property to any of the System.Security.Authentication.SslProtocols values available for your version of .NET.
Note: It seems that .NET 4.8 will support TLSv1.3

Related

Web Socket: IIS WebSocket Protocol feature need to be enabled for Socket.io?

For one of my applications, I have implemented WebSockets using socket.io and hosted it in IIS. Currently the socket connection provides a two-way connection between the client (React) and the server (node.js).
As I mentioned, I have hosted my application in IIS. I have a few doubts regarding Turn Windows features on or off -> Internet Information Services -> World Wide Web Services -> Application Development Features -> WebSocket Protocol. I have tested my application without enabling this feature and it is working fine, but I would like to confirm the points below.
WebSocket Protocol
Do I really need to enable the WebSocket Protocol feature to make WebSockets work in my application? If so, how is it working fine now without enabling it? (I haven't done performance and stress testing; I may face issues there.)
What if I don't enable this feature? In short, what is the actual use of this feature?
It would be helpful if anyone could answer the above questions. Thanks in advance.
WebSocket, as part of the HTTP stack, requires a bunch of things to be ready on Windows (across multiple components), so I hope this answer helps a little.
HTTP.sys, a driver deep down in Windows OS, is upgraded to support the necessary packet communication required by the protocol.
The IIS WebSocket module, an IIS extension which many other Microsoft frameworks (like SignalR) depend on.
So WebSocket support is by default on in HTTP.sys, and you don't need the IIS module if your framework (socket.io) has no dependency there.
Note that the "Summary" section of https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-websocket-protocol-support#summary provides several useful links, and the same article also reveals that the IIS WebSocket module has conflicts with socket.io.

Red Hat 8 vpn client can't connect to OpenVPN server on router ac5300

I am using Red Hat 8 (rhel8); my home router is an Asus AC5300 running an OpenVPN server. But my rhel8 VPN in Network Manager cannot connect to my OpenVPN server.
Here is the error message I got:
[root@my-machine ~]# journalctl -f
nm-openvpn[30404]: TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
[root@my-machine ~]# openvpn --version
OpenVPN 2.4.7 x86_64-redhat-linux-gnu
I've tried adding tls-version-min 1.0 to my .ovpn file, but it is still not working.
Note: On Ubuntu Linux it works just fine, BUT not on Red Hat 8.
Seems you have a problem with TLS... take a look at these checks; maybe you have to take a look at the SSL certificates:
Check for Certificate Name Mismatch
In this particular instance, the customer migrating to Kinsta had a certificate name mismatch which was throwing up the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. As you can see from the SSL Labs test below, this is pretty quick and easy to diagnose. As SSL Labs states, a mismatch can be a number of things such as:
The site does not use SSL, but shares an IP address with some other site that does.
The site no longer exists, yet the domain still points to the old IP address, where some other site is now hosted.
The site uses a content delivery network (CDN) that doesn’t support SSL.
The domain name alias is for a website whose name is different, but the alias was not included in the certificate.
Certificate name mismatch
Another easy way to check the current domain name issue on the certificate is to open up Chrome DevTools on the site. Right-click anywhere on the website and click on “Inspect.” Then click on the security tab and click on “View certificate.” The issued domain will show in the certificate information. If this doesn’t match the current site you’re on, this is a problem.
Check issued domain on SSL certificate
Remember though, there are wildcard certificates and other variations, but for a typical site, it should match exactly. However, in our case, the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error actually prevented us from being able to check it in Chrome DevTools. That is where a tool like SSL Labs can come in handy.
Check for Old TLS version
Another possible reason is that the TLS version running on the web server is old. Ideally, it should be running at least TLS 1.2 (better yet, TLS 1.3). If you are a Kinsta customer you never have to worry about this as we always upgrade our servers to the latest and greatest supported versions. Kinsta supports TLS 1.3 on all of our servers and our Kinsta CDN. Cloudflare also enables TLS 1.3 by default.
(Suggested reading: if you’re using legacy TLS versions, you might want to fix ERR_SSL_OBSOLETE_VERSION Notifications in Chrome).
This is something the SSL Labs tool can also help with. Under configuration, it will show you the current version of TLS running on the server with that certificate. If it is old, reach out to your host and ask them to update their TLS version.
TLS 1.3 server support
Check RC4 Cipher Suite
Another reason according to Google’s documentation for ERR_SSL_VERSION_OR_CIPHER_MISMATCH is that the RC4 cipher suite was removed in Chrome version 48. This is not very common, but it could happen in say larger enterprise deployments that require RC4. Why? Because everything usually takes longer to upgrade and update in bigger and more complex configurations.
Security researchers, Google, and Microsoft recommend that RC4 be disabled. So you should make sure the server configuration is enabled with a different cipher suite. You can view the current cipher suite in the SSL Labs tool (as seen below).
Cipher suite
Try Clearing the SSL State On Your Computer
Another thing to try is clearing the SSL state in Chrome. Just like clearing your browser’s cache this can sometimes help if things get out of sync. To clear the SSL state in Chrome on Windows, follow these steps:
Click the Google Chrome Settings icon, and then click Settings.
Click Show advanced settings.
Under Network, click Change proxy settings. The Internet Properties dialog box appears.
Click the Content tab.
Click “Clear SSL state”, and then click OK.
Restart Chrome.
Clear SSL state in Chrome on Windows
If you are on a Mac, see these instructions on how to delete an SSL certificate.
Use a New Operating System
Older operating systems fall out of date with newer technologies such as TLS 1.3 and the latest cipher suites as browsers stop supporting them. Specific components in the latest SSL certs will simply stop working. Google Chrome, in fact, pulled the plug on Windows XP back in 2015. We always recommend upgrading to newer operating systems if possible, such as Windows 10 or the latest version of Mac OS X.
Temporarily Disable Antivirus
The last thing we recommend trying if you are still seeing the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error is to ensure you don’t have an antivirus program running. Or try temporarily disabling it. Some antivirus programs create a layer between your browser and the web with their own certificates. This can sometimes cause issues.

Savon—configure to use TLS 1.2

I'm working on an old project using Savon to connect to the SalesForce api. I'm getting this error:
UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https
How do I get it to use TLS 1.2? Or is there a simple alternative to Savon that does use TLS 1.2?
Savon uses HTTPI as a common interface for Ruby's HTTP libraries.
Configure Savon to use a specific library with:
HTTPI.adapter = :httpclient
HTTPI.adapter = :curb
...
It currently tries the libs in the following order:
[:httpclient, :curb, :em_http, :excon, :net_http, :net_http_persistent]
If you haven't installed httpclient, it will try curb next, and so on.
You should try setting an explicit lib and see if it works for you.
Just to help others in the future who may face the same problem: it seems the TLS level is not built into the savon gem but into the httpi adapter. By changing the adapter to httpclient (installed the gem, added require 'httpclient'), the savon gem starts using it without further configuration. Just remove the ssl_level params and the latest and more modern cipher is used. Problem solved.
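The two TLS-version threads on this page (the MailKit asker wanting a test server that speaks only TLS 1.3, and this Savon thread about a client that must offer TLS 1.2 or newer) share one mechanism: the minimum and maximum protocol version each side is willing to negotiate. The Ruby below is an added example, not code from any of the posts; it uses only the standard openssl library (the same OpenSSL::SSL::SSLContext min_version/max_version knobs that Net::HTTP and HTTPI's net_http adapter rely on) to stand up a loopback server locked to TLS 1.3, then shows a client capped at TLS 1.2 being refused, mirroring the UNSUPPORTED_CLIENT situation, and an uncapped client negotiating TLSv1.3. The self-signed certificate, 127.0.0.1 and the ephemeral port are constructed for the test.

```ruby
require 'openssl'
require 'socket'
# Constructed self-signed cert, used only by the loopback test server below.
def make_self_signed_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256')) # returns the signed cert
end

# Loopback server that refuses anything below TLS 1.3; a background thread
# serves `handshakes` connections, then exits. Returns [port, thread].
def start_tls13_only_server(handshakes)
  key = OpenSSL::PKey::RSA.new(2048)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(make_self_signed_cert(key), key)
  ctx.min_version = OpenSSL::SSL::TLS1_3_VERSION # the lock-down
  tcp = TCPServer.new('127.0.0.1', 0)            # ephemeral port
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    handshakes.times do
      begin
        srv.accept.close # accept runs the handshake; raises for a too-old client
      rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
        nil # expected when the client is capped below TLS 1.3
      end
    end
    srv.close
  end
  [tcp.addr[1], thread]
end

# Client handshake with the highest offered version capped at `max_version`
# (nil = library default). Returns the negotiated protocol, or nil on refusal.
def negotiate(port, max_version = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed test cert only
  ctx.max_version = max_version if max_version
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  sock.sync_close = true # close the TCP socket together with the TLS layer
  sock.connect
  sock.ssl_version
rescue OpenSSL::SSL::SSLError
  nil
ensure
  sock&.close
end
```

Swap the server's min_version for TLS1_2_VERSION and the capped client for TLS1_VERSION to reproduce the TLS 1.0 rejection from the Salesforce error message locally.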

MongoDB installer with SSL and without SSL

To install MongoDB I can see two versions of the installer, one with SSL and the other without SSL.
https://www.mongodb.com/download-center?jmp=nav#community
My question is: if I download the with-SSL installer and do not configure SSL, isn't it the same as the without-SSL installer? What is the need for a without-SSL installer in the first place? Is there any specific feature which comes in the without-SSL installer?
I use MongoDB in my application but am not sure which one I should recommend to my customers, as I have a mixed set of customers who want with/without SSL.
Atul
The difference between the SSL-included version running without SSL enabled, and the SSL-excluded version, is that the version without SSL does not have the SSL libraries even present. If you are concerned about security flaws in OpenSSL, for example, then maybe you should use the version compiled without SSL.

Does Smack support XMPP end-to-end encryption (E2EE)?

Is there any way to make end-to-end encryption with a Smack? Does Smack have built-in support for e.g. OpenPGP (RFC 4880)?
I need to use e2e encryption with ejabberd server.
Smack has support for
XEP-0373: OpenPGP for XMPP in Smack's smack-openpgp module within the org.jivesoftware.smackx.ox package.
XEP-0384: OMEMO Encryption in Smack's smack-omemo module within the org.jivesoftware.smackx.omemo package.
Smack integrated the Signal protocol; maybe Signal can satisfy your demand. Check Smack on GitHub.