Is there any other way apart from openssl/netstat to check for SSLv3 existence?
I am using WebSphere Application Server version 8.5.5.6; according to IBM, 8.5.5.4 and later versions will have the remediation for disabling SSLv3 by default. Added: I just double-checked using openssl and netstat to find its presence.
My result was as per my expectations:
"SSL Handshake failure Exception"
but when my application goes for a scan it fails and falls under the POODLE attack.
My server is configured in a way that all application servers use TLSv1 and the web server uses TLSv2....
Is there anything that I should be more focused on here?
Any thoughts?
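One more way to check, beyond openssl and netstat, as an added example (not from the question or from IBM): send a ClientHello that offers only SSL 3.0 to your own server endpoint and see whether it answers with an SSLv3 ServerHello (still exposed to POODLE) or refuses with an alert or a closed connection. Host and port are assumptions you supply; the sample replies in the test are constructed.

```python
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"  # SSL 3.0 in record and handshake headers


def build_sslv3_client_hello(cipher_suites=(0x002F, 0x000A, 0x0005)) -> bytes:
    """Build a ClientHello that offers only SSL 3.0 (no TLS versions at all)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (SSL3_VERSION               # client_version
            + os.urandom(32)           # random
            + b"\x00"                  # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_reply(reply: bytes) -> str:
    """Interpret the first record the server sends back to the SSLv3-only hello."""
    if len(reply) < 5:
        return "closed"  # connection dropped without a record: SSLv3 refused
    if reply[0] == 0x16 and reply[5:6] == b"\x02" and reply[9:11] == SSL3_VERSION:
        return "sslv3-accepted"  # ServerHello at 3.0: the server still speaks SSLv3
    if reply[0] == 0x15 and len(reply) >= 7:
        # Alert record: description 40 = handshake_failure, 70 = protocol_version
        return f"refused-alert-{reply[6]}"
    return "unexpected"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to your own server (assumed host/port) and report the SSLv3 status."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_reply(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "closed"
```

A result of "sslv3-accepted" on the application-server port means the scanner's POODLE finding is correct regardless of what the web server in front negotiates.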
I am puzzled a bit about Postgres option sslmode=prefer. It implies that it negotiates with the server to figure out whether the server supports TLS or not.
I am curious how it's done. Does it try TLS first and if it fails, try without TLS, or am I missing something in TLS (or Postgres) which allows them to truly negotiate this?
Does it try TLS first and if it fails, try without TLS
Yes. And when both attempts fail, this might be visible, as two different error messages might be produced.
Some additional info on top of jane's answer:
https://www.postgresql.org/docs/current/protocol-flow.html
To initiate an SSL-encrypted connection, the frontend initially sends
an SSLRequest message rather than a StartupMessage. The server then
responds with a single byte containing S or N, indicating that it is
willing or unwilling to perform SSL, respectively. The frontend might
close the connection at this point if it is dissatisfied with the
response. To continue after S, perform an SSL startup handshake (not
described here, part of the SSL specification) with the server. If
this is successful, continue with sending the usual StartupMessage. In
this case the StartupMessage and all subsequent data will be
SSL-encrypted. To continue after N, send the usual StartupMessage and
proceed without encryption.
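The exchange quoted above, as an added example that is not part of either answer or of libpq: it builds the SSLRequest message (length 8, code 1234 in the high 16 bits and 5679 in the low 16 bits), reads the server's single S or N byte, and decides what a client with a given sslmode does next. The sslmode handling is a simplified model (assumption), and the socketpair demo stands in for a real server.

```python
import socket
import struct

# SSLRequest code: most-significant 16 bits 1234, least-significant 16 bits 5679.
SSL_REQUEST_CODE = (1234 << 16) | 5679


def build_ssl_request() -> bytes:
    """SSLRequest: int32 message length (8) followed by the int32 request code."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def next_step(reply: bytes, sslmode: str = "prefer") -> str:
    """Map the server's one-byte answer plus the client's sslmode to an action.

    "tls": run the TLS handshake, then send StartupMessage inside it.
    "plaintext": send StartupMessage in the clear. "abort": give up.
    Simplified model of sslmode (assumption); sslmode=disable never sends
    an SSLRequest at all and is therefore not handled here.
    """
    if reply == b"S":
        return "tls"
    if reply == b"N":
        # Server unwilling: prefer falls back, require/verify-* abort.
        return "plaintext" if sslmode == "prefer" else "abort"
    # Empty read (connection closed) or an unexpected byte: failure.
    return "abort"


def probe(host: str, port: int = 5432, sslmode: str = "prefer") -> str:
    """Send a real SSLRequest to a server (assumed host/port) and report the step."""
    with socket.create_connection((host, port), timeout=5.0) as sock:
        sock.sendall(build_ssl_request())
        return next_step(sock.recv(1), sslmode)


def demo_with_socketpair(server_answer: bytes, sslmode: str = "prefer") -> str:
    """Offline demonstration: a fake server that answers with the given byte."""
    client, server = socket.socketpair()
    try:
        client.sendall(build_ssl_request())
        if server.recv(8) != build_ssl_request():
            raise ValueError("malformed SSLRequest")
        server.sendall(server_answer)
        return next_step(client.recv(1), sslmode)
    finally:
        client.close()
        server.close()
```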
My company has 4 different third party applications that use 4 different gmail addresses to send mail over port 587. One of the applications is distributed across over a hundred clients.
All four apps stopped working last week. I've been struggling to figure this out with GSuite support for the past week and they have so far been very unhelpful. One representative pointed to this recent update as the likely culprit:
https://gsuiteupdates.googleblog.com/2020/04/improve-email-security-in-gmail-with-TLS.html
But I don't have a ton of experience with mail servers and much of this is going over my head. I'm not sure why exactly the above update caused our apps to stop working.
The apps are failing to establish a TLS connection to the server and result in the following error:
handshake failure
Closing connection in response to fatal SSL/TLS alert.
Aborting handshake due to fatal alert
This comes after receiving a "Ready to start TLS" response from the smtp.gmail.com server.
All of the apps are using the Chilkat Mailman Active X component for the mail features.
https://www.chilkatsoft.com/refdoc/xChilkatMailManRef.html
Assuming the recent update is the actual culprit, I'm wondering if someone can explain why this caused our applications to stop working? Has GMail stopped supporting StartTLS? I also need to know if there is anything we can do from our GSuite account to get this working again without having to update over a hundred client applications.
The first support rep I spoke to suggested doing the following in the google admin console:
Apps -> G Suite -> Settings for GMail -> Advanced Settings -> Secure transport (TLS) compliance:
We unchecked the "Require CA-signed certificate" box and saved the setting. This has not resolved our problem.
The support rep also briefly mentioned the "Alternate Secure Route" setting in Gmail advanced settings, but I'm not sure if he knew what he was talking about or if this is applicable to our issue.
Edit
It looks like this is a combination of the GMail server update and some sort of incompatibility in the Chilkat mail component. I tried testing with a trial of a newer version of the component and SMTP works using the same settings with this component.
The developer of the component says he is not able to help me with this issue unfortunately. So I'm still wondering why the GMail server update caused the old component to stop playing nicely. I'm hoping that if I can understand what the specific change is, I can find a solution that doesn't require a major rollout.
My Java mail client also just stopped working not long ago. I was using a TLS connection as well. I got authentication errors.
I look forward to your findings!
-- I found my issue:
https://myaccount.google.com/u/1/lesssecureapps was no longer set to less secure
I'm a newcomer to using an overseas server. Recently I bought a VPS from virmach in order to see foreign websites like Google and wiki.
I've been trying for a long time to configure shadowsocks on my server.
However, when I was using shadowsocks-qt5 to connect to my server, it timed out.
And of course I can't access Google correctly.
What I want to ask is the reason why I failed.
Here are things that I do remember to do:
- stop the firewall on both computers;
- build the .json file, for which I referred to blogs in China.
Here is the outline of my shadowsocks.json on my server:
{
    "server":"0.0.0.0",
    "server_port":8388,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "password":"XXXX",
    "timeout":600,
    "method":"aes-256-cfb"
}
Other (maybe useful) information:
my client OS version: Ubuntu 18.04.3 LTS
my server OS version: Ubuntu 16.04.6 LTS
the client I choose is from: https://github.com/shadowsocks/shadowsocks-qt5
I couldn't help but wonder, are there any other possible reasons I've forgotten? Can anyone give me some helpful details to solve this puzzling problem? Thanks a lot!
I have not set up my own VPS but I have instead subscribed to the server provided by caonima.io, so I can't speak for any server related issues. Additionally, I have no affiliation with caonima.io. I did however successfully set up my client on Ubuntu 16.04 after having some issues connecting to GFW-blocked (China's Great FireWall) websites.
From what I understand from my solution, the client configuration is NOT the only step of setup. There are two layers of proxy access that need to be completed:
Client Configuration. Configure your client with the server and connection information. A successful connection looked like this for me with my command line interface:
[image: shadowsocks-libev command line client successful connection]
System or Browser Proxy Configuration. You will need to configure either your browser or web access tool to use a proxy, or set system-wide proxy settings. To set system wide proxy settings, go to system settings > network > network proxy and enter the proxy information. Setting Socks host to localhost:1080 resulted in successful GFW-blocked website access (as shown below)!
[image: Ubuntu network settings proxy manual configuration]
I installed Eclipse and the JBoss Tools plugin with WildFly.
I can run WildFly in Eclipse in non-debug mode with no problems. But when I start WildFly in debug mode, I can use it for a few minutes, and then it suddenly stops processing; the server ends.
I checked the log and there's nothing. What could be wrong?
Please note that JBoss Tools 4.9.0 is validated against 2018-09 but not against 2018-12.
Do you see something in the server log when the server dies?
We had this issue and it was because we changed our config to close the management port, which had been used to detect that the server had started. Eclipse could no longer detect that the server had started, so it shut down the process after a set time (450 seconds).
To resolve the issue, we did the following in Eclipse's Overview panel for our JBoss Server:
- Changed the Start Timeout to 30, so it would only fail if it actually couldn't start in 30 seconds rather than waiting for 450
- Changed our "Server State Detectors" to detect a Web Port for Startup Poller and Process Terminated for Shutdown Poller
- Changed the Server Ports to match our new configuration
Excerpt from JBoss Community Archive
The tooling was unable to verify your server started. Our tooling has several methods to see if your server is up or not. The two most-often used methods are either "Web Port Poller" or "Management Poller".
You can see which your server is using by opening the server object (In Servers view, double-click your server) and on the right side you'll see a section on polling.
If your server adapter (fancy word for the tooling's representation of your server) is using the Management Port Poller, you should make sure your server is actually exposing the management port. For local servers this shouldn't be an issue, since local servers should automatically expose the management port. You may want to verify in the Ports section (also in the server editor) that the management port is correct. To check if the server is up, we run a management command against the server. If the server responds properly, we declare the server to be started.
If you're using the web port poller, then you may want to verify your web port is correct. To verify the server is up, the Web Port Poller opens a URL connection on {serverHost}:{webPort} and sees if we get a valid connection.
My Play Framework web application automatically sends emails to users using the Apache Commons Email library; everything works fine on my machine, but when I deploy it on an Ubuntu server it is unable to send email.
It throws exceptions like org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.googlemail.com:465 (I also tried different configurations with smtp.google.mail and ports 465, 25 and 587, with or without SSL and TLS)
and connection timed out.
I'm starting to believe that it is a problem with some configuration of my Ubuntu server.
Any suggestion?
If I type the ufw status command I receive status: disabled.
Thanks
I am going to close this question because I found the solution. Basically my server provider (Scaleway) has a security configuration where SMTP is blocked. I asked them to unblock it.