SSL

  • 12 Apr

    How-To use Implicit vs Explicit SSL/TLS in LimagitoX File Mover

    When we speak about “SSL”, it usually means “implicit” SSL/TLS. The client must negotiate an SSL/TLS session immediately upon connecting to the server’s port, before reading the server’s already encrypted greeting or sending any encrypted commands. You’ll need to enable ‘Use Implicit SSL/TLS’ in the setup.

    When we speak about “TLS”, it usually means “explicit” SSL/TLS. The client must not negotiate an SSL/TLS session immediately upon connecting to the server’s port. It must read the server’s unencrypted greeting first, and only then can it send an appropriate STARTTLS command (if the server advertises support for it) to ask for permission to negotiate an SSL/TLS session before sending any further commands, which are then encrypted. You’ll need to enable ‘Use Explicit SSL/TLS’ in the setup.

    Default SSL/TLS Implicit vs Explicit Server Settings:

    POP3:
    Port 110: Explicit-TLS
    Port 995: Implicit-SSL

    IMAP:
    Port 143: Explicit-TLS
    Port 993: Implicit-SSL

    SMTP:
    Port 25: Unencrypted but could support Explicit-TLS
    Port 465: Implicit-SSL
    Port 587: Explicit-TLS

    FTP(S):
    Port 21: Unencrypted but could support Explicit-TLS
    Port 990: Implicit-SSL
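
A socket-level check for which of the two modes a port expects, together with the guard an Explicit client needs when the upgrade is not advertised. This is an added example, not Limagito code; the function names are made up here, and only the SMTP, IMAP and POP3 upgrade commands are covered.

```python
import socket

# Plaintext greetings a server sends first on an explicit/unencrypted port.
GREETING_PREFIXES = (b"220", b"+OK", b"* OK")   # SMTP or FTP, POP3, IMAP
# protocol -> (capability token that advertises the upgrade, command to send)
UPGRADE = {
    "smtp": (b"STARTTLS", b"STARTTLS\r\n"),
    "imap": (b"STARTTLS", b"a1 STARTTLS\r\n"),   # IMAP commands carry a tag
    "pop3": (b"STLS", b"STLS\r\n"),              # POP3 names the command STLS
}

def classify_first_bytes(data):
    """Classify what the server sent before the client wrote anything.
    None means the read timed out, i.e. the server stayed silent."""
    if data is None:
        return "likely-implicit"     # waiting for the client's TLS ClientHello
    if data == b"":
        return "closed"
    if data.startswith(GREETING_PREFIXES):
        return "explicit-or-plain"   # clear-text greeting; TLS only via upgrade
    return "unknown"

def probe(host, port, timeout=3.0):
    """Connect, send nothing, and see whether the server speaks first.
    Silence is only a hint: a slow server can also miss the timeout."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            data = None
    return classify_first_bytes(data)

def upgrade_command(protocol, capability_response):
    """Return the command that starts TLS, or None when the server does not
    advertise it. On None a client set to Explicit SSL/TLS should disconnect
    instead of sending credentials in clear text."""
    token, command = UPGRADE[protocol]
    for line in capability_response.upper().splitlines():
        if line[:3].isdigit() and line[3:4] in (b"-", b" "):
            line = line[4:]          # drop an SMTP reply code such as "250-"
        if token in line.split():
            return command
    return None
```

A `likely-implicit` result on a port configured for Explicit SSL/TLS (or a plaintext greeting on a port configured for Implicit) points to the wrong setting being enabled.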

    If you need help, please let us know.

    Regards,

    Limagito Team

    By Limagito-Team FTP
  • 04 Jun

    SSL Error Codes

    https://www.secureblackbox.com/kb/help/ref_err_sslerrorcodes.html

    Copyright www.secureblackbox.com

    | Error code | Value | Possible reason and steps to take |
    |---|---|---|
    | ERROR_SSL_CONNECTION_CANCELLED_BY_USER | 73729 (0x12001) | |
    | ERROR_SSL_TIMEOUT | 73730 (0x12002) | |
    | ERROR_SSL_UNSUPPORTED_MAC_ALGORITHM | 73731 (0x12003) | |
    | ERROR_SSL_UNEXPECTED_MESSAGE | 75777 (0x12801) | 1. Connection is made to/from a service that doesn’t talk proper SSL (e.g. a plain HTTP connection is made to an HTTPS port). Re-check that both client and server services are talking SSL. 2. Unsupported version of the protocol. Try to play with the Versions property of the SSL component and check if any of the combinations helps. |
    | ERROR_SSL_BAD_RECORD_MAC | 75778 (0x12802) | The peers failed to negotiate a shared key material. Try connecting with different cipher suites one-by-one and check if any of them helps. If neither does, try to use a different protocol version. |
    | ERROR_SSL_DECRYPTION_FAILED | 75779 (0x12803) | |
    | ERROR_SSL_DECODE_ERROR | 75792 (0x12810) | |
    | ERROR_SSL_DECRYPT_ERROR | 75793 (0x12811) | |
    | ERROR_SSL_RECORD_OVERFLOW | 75780 (0x12804) | Packet size too large. Try to decrease the maximal size of the packet by adjusting the MaxFragmentLength extension. |
    | ERROR_SSL_DECOMPRESSION_FAILURE | 75781 (0x12805) | Compression or decompression failure. Switch off compression (CompressionAlgorithms property). |
    | ERROR_SSL_HANDSHAKE_FAILURE | 75782 (0x12806) | Incompatible versions or cipher suite lists. Try to play with version and cipher suite sets. Check that the server certificate is provided and has an associated private key. |
    | ERROR_SSL_ILLEGAL_PARAMETER | 75789 (0x1280D) | |
    | ERROR_SSL_NO_CERTIFICATE | 75783 (0x12807) | The certificate provided by the peer is not valid. |
    | ERROR_SSL_BAD_CERTIFICATE | 75784 (0x12808) | |
    | ERROR_SSL_UNSUPPORTED_CERTIFICATE | 75785 (0x12809) | |
    | ERROR_SSL_CERTIFICATE_REVOKED | 75786 (0x1280A) | |
    | ERROR_SSL_CERTIFICATE_EXPIRED | 75787 (0x1280B) | |
    | ERROR_SSL_CERTIFICATE_UNKNOWN | 75788 (0x1280C) | |
    | ERROR_SSL_UNKNOWN_CA | 75790 (0x1280E) | |
    | ERROR_SSL_ACCESS_DENIED | 75791 (0x1280F) | The requested application-layer resource cannot be accessed by the requestor. Check with the administrator of the remote resource. |
    | ERROR_SSL_EXPORT_RESTRICTION | 75794 (0x12812) | The peer is only configured to use exportable cipher suites. Switch on support for “EXPORT” cipher suites. |
    | ERROR_SSL_PROTOCOL_VERSION | 75795 (0x12813) | The peers have not been able to negotiate a version to use (no shared protocol versions). |
    | ERROR_SSL_INSUFFICIENT_SECURITY | 75796 (0x12814) | The cipher suites mutually supported by the peers are too weak and do not provide an adequate level of security. |
    | ERROR_SSL_INTERNAL_ERROR | 75797 (0x12815) | Contact the vendor. |
    | ERROR_SSL_USER_CANCELED | 75798 (0x12816) | Application layer has shut down the connection. |
    | ERROR_SSL_NO_RENEGOTIATION | 75799 (0x12817) | One of the peers requested a renegotiation, which was refused by the other. Note that you will get this error (as a warning) if you return Allow = false from the OnRenegotiationStart event handler. |
    | ERROR_SSL_CLOSE_NOTIFY | 75800 (0x12818) | Does not indicate an error condition. The SSL connection was closed gracefully and can be restored or cloned in future. |
    | ERROR_SSL_UNKNOWN_PROTOCOL_ERROR | 75801 (0x12819) | |

    By Limagito-Team Error
  • 27 May

    Web Remote Client SSL option

    Dear Users,

    We’ve added SSL (HTTPS) to our Web Remote Server.  To enable SSL you need to provide 3 certificate files:

    • (Public) Certificate File: This file contains the certificate public key part.
      So everything between and including these two statements:
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    • (Private) Key File: This file contains the private key part.
      So everything between and including these two statements:
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----
    • (Public) Root Certificate File: The final file that SSL requires is the Certificate Authority certificate file.
      You can obtain this from Internet Explorer, in the Trusted Root Certificate Authority dialog.
      Select the Authority that issued your certificate and export it in Base64 (cer) format.
      This format is also the same as PEM format so after export simply rename the file to root.pem

    The type of certificates we need are .pem files. The PEM extension is used for Base-64 encoded X.509 certificates. They contain ASCII armored data between “-----BEGIN …” and “-----END …” lines. Sometimes the certificates come in a single pem file. In this case, you need to open it with a text editor and save the individual certificates in separate pem files.

    Certificates can be obtained from a trusted certificate authority. You can also generate your own but the browser will not trust this and will display a warning.

    If you have a certificate in .pfx format, you’ll have to convert it first. In this case we need a utility called openssl.exe. First, download and install the OpenSSL Windows binaries from here (at your own risk).

    • Start a command prompt with administrative privileges
    • At command prompt issue the following command:
      • openssl.exe pkcs12 -in <your file>.pfx -out <your file>.pem

    Openssl.exe will ask you for the password of the pfx file. Leave it blank if you did not specify one. It will also ask you for a new password for the .pem file (= optional). The certificates are converted to a single pem file. You need to open the converted pem file with a text editor and save the individual certificates in separate pem files.
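
The text-editor split described above can be scripted. This added example (not part of the Limagito tooling) cuts the output of the openssl pkcs12 command into cert.pem, key.pem and root.pem; the names cert.pem and key.pem and the function names are assumptions, and the root certificate is recognised by the subject=/issuer= lines that openssl prints before each certificate.

```python
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

def split_pem(bundle_text):
    """Return (label, pem_text, is_self_signed) for each armored block.
    is_self_signed compares the subject=/issuer= lines printed before a
    certificate; it is None when those lines are absent."""
    blocks, pos = [], 0
    for m in PEM_BLOCK.finditer(bundle_text):
        preamble = bundle_text[pos:m.start()]
        subject = re.findall(r"^subject=(.*)$", preamble, re.M)
        issuer = re.findall(r"^issuer=(.*)$", preamble, re.M)
        self_signed = (subject[-1].strip() == issuer[-1].strip()
                       if subject and issuer else None)
        blocks.append((m.group(1), m.group(0) + "\n", self_signed))
        pos = m.end()
    return blocks

def write_split(bundle_text, out_dir):
    """Write cert.pem, key.pem and root.pem; return {file name: PEM label}."""
    written = {}
    for label, pem, self_signed in split_pem(bundle_text):
        if label.endswith("PRIVATE KEY"):
            name = "key.pem"
        elif label == "CERTIFICATE":
            name = "root.pem" if self_signed else "cert.pem"
        else:
            continue                 # not one of the three files needed
        if name in written:
            continue                 # assumption: the first match wins, so an
                                     # intermediate never overwrites cert.pem
        path = os.path.join(out_dir, name)
        # Mode 0o600 keeps the private key from being created world-readable
        # on POSIX systems; Windows ignores most of the mode bits.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(pem)
        written[name] = label
    return written
```

Because only the armored blocks are written, the "Bag Attributes" text that openssl adds around them is left out of the three files.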

    Also online certificate conversions are available:

    Web Remote Setup is available in our LimagitoX Config Tool.

    Regards,

    Limagito Team

    By Limagito-Team Remote Tool