Does IPsec in Windows XP Sp3 support AES-256 encryption?
Update:
Windows IPsec FAQ says that it's not supported in Windows XP, but maybe they changed it in Service Pack 3?
http://www.microsoft.com/technet/network/ipsec/ipsecfaq.mspx
Question: Is Advanced Encryption Standard (AES) encryption supported?
origamigumby, please specify where, because I cannot find it.
I'm using Windows XP SP3.
When I add a new IPsec filter rule, the only options for ESP I get are DES and 3DES, so the FAQ is correct - there is no support for AES prior to Windows Vista.
EDIT http://technet.microsoft.com/en-us/library/dd125380.aspx indicates that my original link (https://web.archive.org/web/1/http://search.techrepublic%2ecom%2ecom/search/microsoft+windows+and+network+security.html) was wrong.
It is not supported prior to Vista.
Related
I know this topic has been covered comprehensively on SO and several other forums by now. I'm hoping someone can shed some light on my issue. TL;DR: I can get this script to see if a URL is valid when the server uses Tls1.2, but not a URL where the server uses Tls1.2 and Tls1.3.
I'm writing a script for a lowest common denominator audience (Win7, .NET Framework 4.8, WMF 3.0/4.0, all updates installed as of 12/2022) and part of the script checks to see if a given KB update has a support page and/or a MS update catalog download link using Invoke-WebRequest.
I can successfully test https://www.catalog.update.microsoft.com/Search.aspx?q=KB2506143 to see if it has any download buttons.
This particular search result does not have any download buttons/links.
Initially I received a Could not create SSL/TLS secure channel error, but resolved this by including this in the script:
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor [System.Net.SecurityProtocolType]::Tls12
I cannot test https://support.microsoft.com/en-us/kb/2506143 to see if the URL exists or not. I still receive the Could not create SSL/TLS secure channel error.
When I use [Net.ServicePointManager]::SecurityProtocol = 'Tls13' I get a different exception (expected on Win7):
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
Every other combination of SecurityProtol produces the SSL/TSL secure channel error message.
support.microsoft.com looks like it uses Tls 1.2 and Tls 1.3.
www.catalog.update.microsoft.com looks like it uses Tls 1.2 only.
I'm open to other methods simply to check if a URL exists in PowerShell 3.0/4.0 but have come up empty.
I'm certain I'm missing a crucial detail in terms of comparing both SSL reports. I assumed that I would be able to use Invoke-WebRequest using Windows 7 and Tls1.2 (with .NET 4.8 installed and after registry edits, etc) with both websites, but only the catalog URL is working for now. I tried a Win8.1 VM for kicks and got the same results - catalog URL works but the support URL still fails with the SSL/TLS secure channel error. This works on Windows 10 for me though.
What am I overlooking or missing (other than there are people/companies using Win7 that shouldn't be)?
In this case, the issue is not about the TLS 1.2/1.3 Protocol it is about the Cipher Suites that are supported.
The TLS protocol supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. As a Protocol, it defines how packets move between you and the server, the Cypher suites supported between both client and server, and how to select the encryption protocol. Earlier versions of the Protocol were susceptible to protocol related issues like Man-In-The-Middle attacks (and nothing related to encryption). TLS 1.2+ (with certain Cipher Suites) is regarded as secure.
Protocols are like roads and highways. They have pavement, lines, and markings that allow cars and trucks to move from one point to the next. Earlier protocols didn't have protective guard rails, new ones now do.
Cipher Suites are like the cars and trucks. There are dozens of ways to encrypt a packet of data. Some have elliptic curves, some do not. Some have government level encryption with huge number of bits, some have less. Likewise some cars have no doors on them, and some trucks have 256bit steel reinforced doors on them. They both can go down the same protocol highway, but one of these is not secure.
In this case, the web server is saying that it allows both TLS 1.2 and 1.3 protocols (highways with guard rails). It is also saying that it only allows certain secure Cipher Suites that have not been deemed insecure (e.g. no cars without doors are allowed).
The Cipher Suites allowed on this site is:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH secp256r1 (eq. 3072 bits RSA)
Since new Cipher Suites are developed all the time, Windows 7, 8, and 8.1 while supporting the TLS 1.2 protocol don't have the newest developed Cipher Suites installed to actually know how to decrypt the packets (e.g. fancy new alien space ships are allowed to travel down the TLS 1.2 protocol highway, but your old school town doesn't know how to open one because you don't have the newest elliptical curve spanners). See Windows 7 Supported Cipher Suites.
In this case, the new Cipher Suites weren't developed and installed until Windows 10. See Windows 10 Supported Cipher Suites. Remember Windows 10 came out 10 years after Windows 7, so not having the latest technology is the situation here, and since it is out of mainstream support, it won't be fixed. Basically, this website will never be able to visit this particular website.
I was using JDBC to connect to IBM DB2 AS400 for iSeries in my Rails Application. Now it looks like I will have to move to use the ibm_db gem.
https://github.com/ibmdb/ruby-ibmdb
I attempted this with irb first and used the following in a command like:
require 'ibm_db'
conn=IBM_DB.connect("DATABASE=ABCUATDT;hostname=TEST.HERE.COM;PORT=9471;SECURITY=SSL;PROTOCOL=TCPIP;AUTHENTICATION=SERVER;UID=username;PWD=abc1234;", "", "")
This gives me the following error:
SQL30081N A communication error has been detected. Communication
protocol being used: \"SSL\". Communication API being used:
\"SOCKETS\". Location where the error was detected: \"\".
Communication function detecting the error: \"sqlccSSLSocketSetup\".
Protocol specific error code(s): \"414\"
I then try without SSL:
conn=IBM_DB.connect("DATABASE=ABCUATDT;hostname=TEST.HERE.COM;PORT=446;PROTOCOL=TCPIP;AUTHENTICATION=SERVER;UID=username;PWD=abc1234;", "", "")
SQL30082N Security processing failed with reason \"15\" (\"PROCESSING
FAILURE\"). SQLSTATE=08001 SQLCODE=-30082"
These ports and username/pw etc all work fine with JDBC, but not using the ibm_db gem.
EDIT: I tried using different ports, I know that 8471 is open for non-SSL and 9471 is open for SSL. I decided to skip SSL altogether and I started using the db2cli on my Mac OSX.
db2cli execsql -connstring "database=ABCUATDT;hostname=TEST.HERE.COM;port=8471;uid=username;pwd=abcd1234"
This just hangs and doesn't give me a prompt to write SQL:
IBM DATABASE 2 Interactive CLI Sample Program (C) COPYRIGHT
International Business Machines Corp. 1993,1996 All Rights Reserved
Licensed Materials - Property of IBM US Government Users Restricted
Rights - Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
I then tried the python library AND the DB2 CLI - both of which gave the same errors. Is there something needed to be changed at the DB2 side?
Why would it work for JDBC but not for the IBM ODBC driver?
Speak with your i administrator(s) or management team. Stackoverflow may not be not what you need right now. When asking questions, it's smart to fully detail your environment for obvious reasons, if necessary speaking with relevant persons at the client site to establish the facts before asking questions.
Find out whether there is a Db2-connect server (separate purchase) already installed on the i-series. The regular Db2-client for MAC can then communicate with CLI/ODBC via that product which does the required protocol conversions while acting as a gateway.
Find out if there is a Db2-connect server already deployed anywhere that runs on Windows/Linux/Unix that you can use (it does the required protocol conversions while acting as a gateway) once configured with connections for i-series. The regular Db2-client for MAC OS X can then use that as a gateway for CLI/ODBC to i-series.
IBM does not currently sell "IBM i access" for MAC OS X afaik, which offers the CLI/ODBC interface and does not require a Db2-connect server. That product is available for Microsoft Windows and Linux platforms. Those platforms may offer you an alternative if MAC OS X is currently unsupported.
The regular Db2-driver from IBM for MAC OS X requires for CLI/ODBC a Db2-connect server for the protocol conversions with i-series, so db2cli tool will not work without a Db2-connect gateway.
Other non IBM vendors may offer solutions in this area.
Another possibility is to use a ODBC to JDBC bridge, running on your MAC OS X, which would reroute ODBC calls to your working jdbc driver. You might research that.
How can smartly/remotely control a Raspberry-PI system through android apps. I have found an android app named "Raspberry Control" (source). I have followed all the steps as given in the above URL.
I have installed the android app in my phone (samsung galaxy note, recent release in 2014) followed tried to make a connection of android app with my RPI system (I have followed the steps mentioned in this Youtube video). But as shown in video, when the app started from phone, it needs a SSH connection (showed at 0.25 in the video). Unfortunately, I have faced an error like "check installation on RPi".
Thanks in advance for your precious time. Do I need to install any software on raspberry pi or am I missing any steps?
Secure Shell (SSH) is a network protocol that allows data to be
exchanged over a secure channel between two computers. Encryption
provides confidentiality and integrity of data. SSH uses public-key
cryptography to authenticate the remote computer and allow the remote
computer to authenticate the user, if necessary. SSH is typically used
to log into a remote machine and execute commands, but it also
supports tunneling, forwarding arbitrary TCP ports and X11
connections; file transfer can be accomplished using the associated
SFTP or SCP protocols. An SSH server, by default, listens on the
standard TCP port 22. An SSH client program is typically used for
establishing connections to an sshd daemon accepting remote
connections. Both are commonly present on most modern operating
systems, including Mac OS X, GNU/Linux, Solaris and OpenVMS.
Proprietary, freeware and open source versions of various levels of
complexity and completeness exist.
-Wiki
You found a complete guide/dossier in this link. The install instruction can change depending on the system.
You can control rpi trought ssh simply from windows, linux, android, iOs using a ssh telnet/client. Your app simply after press a button send to rpi the correct ssh comand.
If you have debian(or raspbian) this guide is for you:https://wiki.debian.org/en/SSH.
So, you must enable the ssh service on your rpi. Username and password are user/pass of your rpi account.
When using a raw TCP socket, there is a need for doing message framing, as explained here, either with a length prefix, or with delimiters.
I came accross the "SOCK_SEQPACKET" socket option today, which could apparently do the message framing almost transparently.
What is the availability of "SOCK_SEQPACKET" amongst platforms and OSes at the moment? (Windows, OSX, Linux, IOS, Android...)
I you uses SOCK_SEQPACKET of AF_INET, this way:
socket(AF_INET, SOCK_SEQPACKET, 0);
You won't get a TCP socket. The socket will be a SCTP socket, if your platform supports it.
SCTP is not yet widely used. Latest Linux versions supports it (if SCTP is enabled).
There are some libraries also for Windows.
SCTP is still not available on Mac OS X (El Captain).
There is a 3rd party open-source kernel extension at https://github.com/sctplab/SCTP_NKE_ElCapitan - But it is unsigned, therefore you have to disable Apple System Integrity Protection.
See e.g. https://apple.stackexchange.com/questions/114217/sctp-kernel-extension-for-mavericks
Equally, you cannot use SOCK_SEQPACKET with AF_UNIX on Mac OS X too.
Linux: available since version 2.6.4
Mac OS: not available (better source?)
Windows: not available
I am trying to programatically send out ICMPv6 echo requests (ping6) using WinSock2. The ICMPv6 checksum is calculated based on the whole IPv6 packet that will be sent out. For that reason - from what I understand - the OS (kernel?) is supposed to calculate it and write it into the ICMPv6 header when sending the packet.
This works very well on a SUSE Linux Enterprise Server 11, however, Windows XP does not seem to do this. It leaves the checksum to what I set it by default (zero, I analyzed this using Wireshark), thus the receiving end will discard it and not reply.
IPv6 is correctly set up on this WinXP machine. With the help of Wireshark I even found out that it responds correctly to ICMPv6 pings from the SUSE Linux server, sent using the very same code. So it cannot be that Windows XP doesn't support ICMPv6. However, I wonder whether WinSock2 under Windows XP does.
The WinSock2 API does provide the IPPROTO_ICMPV6 protocol which I create my raw socket for. Is there any special socket option I need to set for the ICMPv6 checksum to be calculated automatically, or are there any other tricks?
Most probable reason for the behavior you describe is checksum offloading. It means, checksum calculation might be delegated to networking hardware, so that sniffed packet doesn't contain the correct checksum value. Refer to http://www.wireshark.org/docs/wsug_html_chunked/ChAdvChecksums.html or to http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Checksum_offload