l**n
发帖数: 7272 | 1 【 以下文字转载自 PDA 讨论区 】
发信人: llin (一路陌生人), 信区: PDA
标 题: Android 安全: Poor SSL Implementations Leave Many Android Apps Vulnerable
发信站: BBS 未名空间站 (Sun Oct 21 00:00:40 2012, 美东)
FYI:
https://threatpost.com/en_us/blogs/research-shows-serious-problems-android-
app-ssl-implementations-101912
"There are thousands of apps in the Google Play mobile market that contain
serious mistakes in the way that SSL/TLS is implemented, leaving them
vulnerable to man-in-the-middle attacks that could compromise sensitive ... 阅读全帖 |
|
g*******a
发帖数: 1383 | 2 Hi all,
I'm experiencing problems w/ SSL in my Webapp.
if I turn on SSL (required) and the webapp will crash
Right after 10min of inactivity, error shows the app is trying to
access some session variable which expired or null.But my session
state is supposed to time out after 20 min. and if I disable SSL
then everything works fine. Webapp times Out at 20 min and nothing
crashes. So I'm suspecting there is a timer in SSL session ID but I couldn't locate it. I
Wonder if you have any ideas about th |
|
c********1
发帖数: 421 | 3 【 以下文字转载自 Programming 讨论区 】
发信人: coupondea1 (coupon and deal), 信区: Programming
标 题: 这么多SSL证书,到底有什么区别?
发信站: BBS 未名空间站 (Wed Jul 30 15:08:52 2014, 美东)
这么多SSL证书,到底有什么区别?
https://www.namecheap.com/security/ssl-certificates/single-domain.aspx
怎么选择?请懂行的来说说。多谢
PositiveSSL
PositiveSSL Wildcard
PositiveSSL Multi-Domain
EssentialSSL
EssentialSSL Wildcard
RapidSSL
RapidSSL Wildcard
QuickSSL Premium
Thawte SSL 123 |
|
g*******a
发帖数: 1383 | 4 【 以下文字转载自 BuildingWeb 讨论区 】
【 原文由 gogowanda 所发表 】
Hi all,
I'm experiencing problems w/ SSL in my Webapp.
if I turn on SSL (required) and the webapp will crash
Right after 10min of inactivity, error shows the app is trying to
access some session variable which expired or null.But my session
state is supposed to time out after 20 min. and if I disable SSL
then everything works fine. Webapp times Out at 20 min and nothing
crashes. So I'm suspecting there is a timer in SSL session ID but I couldn't |
|
|
r**y
发帖数: 25 | 6 Apache 2.x https web server
如果知道ssl session ID
怎么样关闭这个SSL session?
怎么样auto detect一个ssl session的reset?
万分感谢! |
|
g******e
发帖数: 998 | 7 如果http://a.mycompany.com/ and http://b.mycompany.com/在一个server上 (virtual hosting),一个ip, 1个SSL license 就可以了吗?
from http://en.wikipedia.org/wiki/Virtual_hosting, ‘Another issue with virtual hosting is the inability to host multiple secure websites running Secure Sockets Layer or SSL. Because the SSL handshake takes place before the expected hostname is sent to the server, the server doesn't know which certificate to present when the connection is made.’- but in my case, 我有一个license 不正好吗?
我有一个app,需 |
|
a*******t
发帖数: 85 | 8 ssl certificate granted to yourdomain.com does not work on "subdomain.
yourdomain.com" unless you use url redirect rules to direct subdomain.
yourdomain.com to the parent domain. Otherwise, you will see errors for the
ssl connection. Each IP can only have one ssl certificate. |
|
r**y
发帖数: 25 | 9 Apache 2.x https web server
如果知道ssl session ID
怎么样关闭这个SSL session?
怎么样auto detect一个ssl session的reset?
万分感谢! |
|
b****u
发帖数: 1027 | 10 consuming ssl is not any different than consuming non ssl.
only difference is you can supply your own certificate policy, just check
HttpWebRequest's ssl policy property and see how to do it. but even that
should be optional.
just give it a try, it'll work just like http. |
|
r**y
发帖数: 25 | 11 Apache 2.x https web server
如果知道ssl session ID
怎么样关闭这个SSL session?
怎么样auto detect一个ssl session的reset?
万分感谢! |
|
k***g
发帖数: 4904 | 12 最近买了个二手T420,发现无论在什么版本的win7 64bit系统下,无论使用什么浏览器
,只要连接google相关网站,包括youtube登录等这种,就显示无效SSL证书或者SSl证
书过期,这是啥原因呢?我的其他电脑都没这问题,是不是这个电脑硬件哪里有故障,
导致SSL证书错误?
这个问题太棘手了,希望大侠能出手相助啊!!! |
|
J*X
发帖数: 1001 | 13 【 以下文字转载自 BuildingWeb 讨论区 】
发信人: JTX (JTX), 信区: BuildingWeb
标 题: 大佬们问个SSL certificate的问题
发信站: BBS 未名空间站 (Sat Aug 11 13:43:34 2018, 美东)
我在linode上租了个vps,在godaddy上买了个域名。昨天折腾了一晚,最后搞不定Let'
s Encrypt SSL certificate
错误信息如下:
[Sun Aug 12 01:27:03 CST 2018] Domain does not exist.
[Sun Aug 12 01:27:03 CST 2018] Error add txt for domain:_acme-challenge.xxx.
com
[Sun Aug 12 01:27:03 CST 2018] Please check log file for more details: /usr/
local/acme.sh/acme.sh.log ... 阅读全帖 |
|
A**o
发帖数: 1550 | 14 i have an apache/jboss stack which works ok with both http and https.
now i'm adding a load balancer (lb) in front of the apache.
and the load balancer can do the ssl for the apache.
however, if the lb does the ssl termination,
the apache doesn't know it's from ssl anymore
and it's kind of screw up the redirects from tomcat below.
and suggestions? |
|
d**k
发帖数: 1223 | 15 最近要求改了,原来用来做authentication的ldap要求用ssl connection. 巨土的是怎
么也连不上。用ldap browser都没有问题,到了code里就是不行。我用的是ldapjdk的
package, 就下面几行code....
String dn="cn=testUser,ou=services,dc=myDomin,dc=org";
String password="ldapSvc";
java.security.Security.addProvider(new
com.sun.net.ssl.internal.ssl.Provider());
netscape.ldap.factory.JSSESocketFactory skt_fctry =
new
netscape.ldap.factory.JSSESocketFactory(null);
... 阅读全帖 |
|
r**y
发帖数: 25 | 16 Apache 2.x https web server
如果知道ssl session ID
怎么样关闭这个SSL session?
怎么样auto detect一个ssl session的reset?
万分感谢! |
|
|
r**y
发帖数: 25 | 18 Apache 2.x https web server
如果知道ssl session ID
怎么样关闭这个SSL session?
怎么样auto detect一个ssl session的reset?
万分感谢! |
|
r**y
发帖数: 25 | 19 Apache 2.x https web server
如果知道ssl session ID
怎么样关闭这个SSL session?
怎么样auto detect一个ssl session的reset?
万分感谢! |
|
v*******s
发帖数: 450 | 20 Why do we need SSL Warranty? If SSL is secure, how come can customer lose
his credit card information? |
|
b********2
发帖数: 855 | 21 SSL保证的是TRANSACTION的安全性,也就是你点下PLACE ORDER后,你的信用卡资料在
传递过程中是相对安全的。至于为什么信用卡资料被盗,这个和SSL没啥关系吧。人家
黑客有水平直接把数据库给黑了呢 |
|
v*******s
发帖数: 450 | 22 那SSL的WARRANTY就是保证传递过程是安全的,是吗? 那256BIT的加密肯定是安全的吧
,那为什么WARRANTY的金额和价格不一样呢? 还有那么多不同的服务商呢? SSL应该
无法攻破吧。 |
|
o**v
发帖数: 1662 | 23 ☆─────────────────────────────────────☆
hanshen (汉神) 于 (Fri May 28 03:46:15 2004) 提到:
服务器地址: hanshen..mynetwork.org
连接端口: 990 (FTP with TLS/SSL - implicit)
用户请用支持 secure FTP 的软件,如 CuteFTP Pro 。
然后向我索取服务器的 certificate 和 private key ,然后用 CuteFTP Pro
生成个人密匙。这样以后就可以安全地连接上服务器了。
PM 你的 QQ 或者 MSN 或者 email 以便发放 certificate 和 private key 。
一开始设置会有点麻烦。之后就跟以前用起来一样了。
☆─────────────────────────────────────☆
ooev (国静) 于 (Fri May 28 12:41:06 2004) 提到:
使用flashfxp的同学可以方便点,
查看站点属性,点选ssl那一页,将 |
|
A*L
发帖数: 2357 | 24 如果host的SSL目录已经都激活,虚拟路径已经建立好了,
是不是我把文件传到SSL目录下面,
就可以用https访问这些文件了?
怎么搞不定阿?
多谢多谢!救急救急. |
|
J*X
发帖数: 1001 | 25 我在linode上租了个vps,在godaddy上买了个域名。昨天折腾了一晚,最后搞不定Let'
s Encrypt SSL certificate
错误信息如下:
[Sun Aug 12 01:27:03 CST 2018] Domain does not exist.
[Sun Aug 12 01:27:03 CST 2018] Error add txt for domain:_acme-challenge.xxx.
com
[Sun Aug 12 01:27:03 CST 2018] Please check log file for more details: /usr/
local/acme.sh/acme.sh.log
Let's Encrypt SSL Certificate create failed!
我不明白它为啥说domain doesn‘t exist,因为现在如果访... 阅读全帖 |
|
|
c**********e
发帖数: 236 | 27 如果带毒访问SSL网站,online pay什么的,SSL 还管用吗? |
|
p***p
发帖数: 559 | 28 做一个项目,就是类似移动的户口登记,也就是网上派出所:))
JSP,WEB SERVICE,XML DB。反正彼此之间都是HTTP,所以
应该是用SSL加密,请问JAVA免费的SSL平台有什么呢 |
|
d**k
发帖数: 1223 | 29 man! so glad to talk about this with so many DANIUs :-)
Actually in this case, I just need encrypt the data between client and
server. Either server or client authentication doesn't matter, at least for
now. And smectite, thanks a lot: your three things is a very good summary
for the understanding of SSL. But like goodbug's comment, I still doubt
only configure web.xml is enough: If server side has no ssl configured, even
web container change http to https, it still not gonna work. |
|
k***r
发帖数: 4260 | 30 if you want to avoid the ssl hassle in java, you can use a front-end
web server to handle ssl and only process http requests in java.
for
even |
|
c*c
发帖数: 447 | 31 >> java.io.EOFException: SSL peer shut down incorrectly
this sounds like SSL handshake problem。you may need to import HTTPS cert to
the keystore on client side..
You can easily generate webservice client from WSDL with netbeans..
it seems WS-Security is involved, you'll need some kind of framework to put
WS-Sececurity token in to WS header. You can do it in your code, but it'll
be nasty... |
|
g**********y
发帖数: 14569 | 32 是不是跟trusted certificate有关?
我查了一下以前的code, 连ssl之前都检查一下这个是不是call过 --
private void trustAllCerts() {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted (X509Certificate[] certs,
String authType) {}
... 阅读全帖 |
|
x****d
发帖数: 1766 | 33 impossible. you can only know if the response is using https.
What is the use case for this? I can't think of a reason.
Use other tools, very easy, but not in JS. Java you use javax.net.ssl.
HttpsURLConnection, and getServerCertificates(). Very simple.
Maybe I misunderstood? You just want to get connected via https? That is
possible and easy. What do you mean by "接受一个server的 SSL certificate",
if you want to access the certificate detail, impossible in JS. |
|
c*********e
发帖数: 16335 | 34 aws host的网站,没有自己的ssl certificate,只到用godaddy上买的ssl certificate
,但是在aws不好用。第一次还好,第二次就出现问题。
哪位大虾有解决办法? |
|
o****p
发帖数: 9785 | 35 以前一直以为弃婴狠牛逼,看了你这段狗屁不通的大论终于认清你有多扯蛋了,dsb相
比之下比你靠谱多了
ssl |
|
C*****n
发帖数: 1049 | 36 今天登陆csr账户发现这个howl ssl cloud $4.2立马打电话给chase换了一张卡。貌似
这个howl专门搞chase的信用卡,reddit上很多讨论 |
|
P***a
发帖数: 774 | 37 我从Network Solutions买的SSL Certificate, 但是不工作。
访问 https://huarencun.com/test.php是工作的
但是访问 https://huarencun.com, 最开始的1-2秒能看到cerfificate在URL最前面出
现了,但是当页面全都load完后, URL前面那个cerfificate就消失了。
点击看详细的时候,显示 verified by: not Specified.
那位大侠能帮我配置一下? 万分感谢。
Common Name (CN)设置的是 huarencun.com,不是www.huarencun.com, 让他们改,他
们不给改。 |
|
|
P***a
发帖数: 774 | 39 搞定了。 我新加了一个picture在foot里面, 链接用的是 http://,导致SSL partial secure. 改成 https://就行了。 |
|
b********n
发帖数: 5997 | 40 任何东西都有漏洞。256位理论上也可以破解,只是很困难罢了。ssl是保证你传输过程
中加密,两头跟它没关系。东西照丢不误。如果不是要求严格的商业网站,搞个self
assigned 的就成。 |
|
z*********n
发帖数: 94654 | 41 虽然一直就知道,如果不用ssl,你在网上的任何东西都是透明的
但是亲眼看到还是觉得很有趣
最近在evaluate一些nework analysis tools,几个商家来demo,呵呵
基本上,如果你上网不用https,上bbs 不用ssh而用telnet
一切一切都是透明的,包括使用公司的电话(现在大部分是ip phone)
全部都是透明的,很好玩
几个公司demo都有例子,比如如果某个用户抱怨网络有问题上网慢,你事后想分析原因
都能完全replay当时那个用户的session,比如那个用户当时上的是youtube,你都不需
要再连到youtube,直接就能replay他那个session看他当时看的是啥。当然demo的例子
是说帮助用户解决问题,其实要是老板想replay你干啥也一样可以,哈哈
如果有人抱怨电话线路有问题,也可以replay那段ip phone 对话,当然demo这是说帮
用户troubleshoot为啥,那岂不是老板想听你到底电话讲啥了也可以? 呵呵
这一切都是网络监听,不需要在你的电脑装任何东西,且这年头storage越来越便宜,
啥数据都能一直放在网络硬盘里将 |
|
z*********n
发帖数: 94654 | 42 haha
你到底看懂我说的是啥没,http就是裸奔
https算是穿了个裤衩,如果政府调查你让网站提供了ssl key,你那个裤衩也没了 |
|
a*****s
发帖数: 450 | 43 这两天正在写php来发送ssl邮件。。
感觉应用还不够广泛啊~~~ |
|
g*******a
发帖数: 1383 | 44 also i found someone had same problem w/ Orion server, but
i'm only using IIS web service so their fix can't help me.
(the orion server has a file called *-web-site.xml where
you can change SSL session to Http session, where is this
done in IIS??) |
|
c******k
发帖数: 237 | 45 请大俠指教:怎样在windows平台下实现 Apache + SSL ? |
|
a**w
发帖数: 156 | 46 【 以下文字转载自 Programming 讨论区 】
发信人: anew (anew), 信区: Programming
标 题: 老问题:大家都是在哪里买的SSL证书?
发信站: BBS 未名空间站 (Thu Nov 6 16:39:37 2014, 美东)
便宜好用不用人工认证的 |
|
y*****y
发帖数: 66 | 47 网站现在准备用Paypal Pro来负责客户的信用卡支付,但是问了Paypal,他们说对于
Paypal Pro客户,需要自己提供PCI compliance,那么我需要让开发人员按照PCI来开发
购物车和支付吗?我查了下,好像只有特别大的公司支付网站才有实力做这个。有没有
办法购买第三方服务呢?但是我的购物车界面又是自己设计的,不想改成其他的样式。
除了PCI,我知道我还要买SSL,还有其他的要买的嘛?
多谢 |
|
J*X
发帖数: 1001 | 48 多谢大佬回复。问题是我已经在godaddy里设置成linode管理DNS,所以godaddy里没法
添加了,只能在linode里操作。你的意思是letsEncrypt会发个文本串过来?这个我好
像没收到啊。我基本上是follow这个link做的 https://lnmp.org/faq/letsencrypt-
wildcard-ssl.html,试了文章里提到的自动和手动方法都不行。其中手动方法里会在
终端显示TXT 的name和value。我copy到DNS 的new TXT里也不work。 |
|
