Questions tagged [ssl]

SSL and its successor, TLS, are encryption and authentication protocols that encrypt the full contents of a TCP connection, as well as potentially verifying the identities of the devices making the connection.

420 votes
15 answers

Displaying a remote SSL certificate details using CLI tools

In Chrome, clicking on the green HTTPS lock icon opens a window with the certificate details: When I tried the same with cURL, I got only some of the information: $ curl -vvI * ...
Adam Matan
  • 13.4k
273 votes
6 answers

how to download the ssl certificate from a website?

I want to download the ssl certificate from, say, using wget or any other commands. Any unix command line? wget or openssl?
RainDoctor
  • 4,462
254 votes
11 answers

Is it bad to redirect http to https?

I just installed an SSL Certificate on my server. It then set up a redirect for all traffic on my domain on Port 80 to redirect it to Port 443. In other words, all my traffic is ...
JasonDavis
  • 2,658
238 votes
7 answers

How to force or redirect to SSL in nginx?

I have a signup page on a subdomain like: It should only be accessible via HTTPS but I'm worried people might somehow stumble upon it via HTTP and get a 404. My html/...
Callmeed
  • 2,725
199 votes
1 answer

What is a challenge password?

I'm setting up SSL on an Ubuntu server. One of fields it asks for as part of setting up the CSR is a "challenge password". What is that? The default is blank. Do I need to enter one?
Will Martin
  • 2,471
196 votes
14 answers

How to view all ssl certificates in a bundle?

I have a certificate bundle .crt file. Doing openssl x509 -in bundle.crt -text -noout only shows the root certificate. How do I see all the other certificates?
pdeva
  • 2,457
189 votes
6 answers

SSL Certificate Location on UNIX/Linux

Is there any standard or convention for where SSL certificates and associated private keys should go on the UNIX/Linux filesystem?
John Topley
  • 2,195
148 votes
8 answers

Is there a reason to use an SSL certificate other than Let's Encrypt's free SSL?

Let's Encrypt are providing free SSL certificates. Are there any downsides compared to other, paid certificates e.g. AWS Certificate Manager?
ripper234
  • 5,970
145 votes
8 answers

Wildcard SSL certificate for second-level subdomain

I'd like to know if any certificates support a double wildcard like *.* I've just been on the phone with my current SSL provider ( and the girl there said they don't offer ...
141 votes
2 answers

How can I verify if TLS 1.2 is supported on a remote web server from the RHEL/CentOS shell?

I'm on CentOS 5.9. I'd like to determine from the linux shell if a remote web server specifically supports TLS 1.2 (as opposed to TLS 1.0). Is there an easy way to check for that? I'm not seeing a ...
Mike B
  • 11.9k
119 votes
8 answers

How do I clear Chrome's SSL cache?

I have a HAProxy / stunnel server that handles SSL for our sites on AWS. During testing, I created a self-signed cert on this server and hit it from my desktop using Chrome to test that stunnel was ...
Foovanadil
  • 1,290
110 votes
5 answers

Multiple SSL domains on the same IP address and same port?

This is a Canonical Question about Hosting multiple SSL websites on the same IP. I was under the impression that each SSL Certificate required its own unique IP Address/Port combination. But the ...
John
  • 7,413
105 votes
10 answers

Properly setting up a "default" nginx server for https

I have several servers running on the same machine, some with http only, some with both http and https. There are several server blocks defined in separate files which are included from the main ...
103 votes
3 answers

What is .crt and .key files and how to generate them?

I've the following configuration: SSLEngine on SSLCertificateFile /etc/httpd/conf/ SSLCertificateKeyFile /etc/httpd/conf/ SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:...
Mohammad Ali Akbari
94 votes
4 answers

Does each subdomain need its own SSL certificate?

I am creating a websocket server which will live on ws.mysite.example. I want the web socket server to be SSL encrypted as well as domain.example to be SSL encrypted. Do I need to purchase a new ...
user974407
  • 1,091
91 votes
4 answers

How to inspect remote SMTP server's TLS certificate?

We have an Exchange 2007 server running on Windows Server 2008. Our client uses another vendor's mail server. Their security policies require us to use enforced TLS. This was working fine until ...
83 votes
16 answers

What causes SSH error: kex_exchange_identification: Connection closed by remote host?

I set up an SSH server online that is publicly accessible by anyone. Therefore, I get a lot of connections from IPs all over the world. Weirdly, none actually try to authenticate to open a session. I ...
soliz
  • 932
81 votes
5 answers

Best location to keep SSL certificates and private keys on Ubuntu servers?

On Ubuntu, it looks like the best place for a private key used to sign a certificate (for use by nginx) is in /etc/ssl/private/ This answer adds that the certificate should go in /etc/ssl/certs/ but ...
Adam Nelson
  • 1,677
80 votes
11 answers

Remove "www" and redirect to "https" with nginx

I want to create a rule in nginx that does two things: Removes the "www." from the request URI Redirects to "https" if the request URI is "http" There are plenty of examples of how to do each of ...
Devin
  • 923
80 votes
5 answers

Does each server behind a load balancer need their own SSL certificate?

If you have 5 web servers behind a load balancer (such as haproxy) and they are serving up content for the same domain, do you need SSL certificates for all the servers, or can you use the same ...
Derek Gathright
78 votes
6 answers

Generating a self-signed cert with openssl that works in Chrome 58

As of Chrome 58 it no longer accepts self-signed certs that rely on Common Name:!topic/chrome/zVo3M8CgKzQ;context-place=topicsearchin/chrome/category$3ACanary%...
bcardarella
  • 1,737
73 votes
6 answers

Why are CA root certificates all SHA-1 signed (since SHA-1 is deprecated)?

I understand that SSL certs cannot be signed using SHA-1 anymore. Yet, all CA root certificates are SHA-1 signed (mostly). Does it mean the same algorithm that is no longer trusted for "you grandma ...
131
  • 887
73 votes
8 answers

Is STARTTLS less safe than TLS/SSL?

In Thunderbird (and I assume in many other clients, too) I have the option to choose between "SSL/TLS" and "STARTTLS". As far as I understand it, "STARTTLS" means in simple words "encrypt if both ...
Foo Bar
  • 879
72 votes
2 answers

Must CSRs be generated on the server that will host the SSL certificate?

Is it necessary to generate the CSR (Certificate Signing Request) on the same machine that will host my web application and SSL certificate? This page on SSL Shopper says so, but I'm not sure if that'...
Mike M. Lin
69 votes
2 answers

Apache ProxyPass with SSL

I want to proxy requests from an SSL site via a non-SSL site. My Apache httpd.conf looks like this: <VirtualHost> ServerName ProxyPass / </...
tylerl
  • 15.1k
65 votes
4 answers

How to decide where to purchase a wildcard SSL certificate?

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, ...
user664833
  • 1,277
64 votes
2 answers

What Should be the Permissions of Apache SSL Directory, Certificate, and Key?

I have my cert.pem and cert.key files in /etc/apache2/ssl folders. What would be the most secure permissions and ownership of: /etc/apache2/ssl directory /etc/apache2/ssl/cert.pem file /etc/apache2/...
61 votes
11 answers

Why do I need to purchase an SSL certificate when I can generate one locally?

I am having trouble understanding why we need to purchase SSL certificates when we can generate them locally using openSSL. What is the difference between the certificate I purchase and a test ...
S-K'
  • 1,311
60 votes
4 answers

Download SSL certificate from aws certificate manager

I am using aws certificate manager for managing SSL. Recently I purchased a wildcard ssl * Now I need that SSL certificate to deploy on enterprise git instance on aws. How can I ...
Shailesh Sutar
59 votes
3 answers

Configure custom SSL certificate for RDP on Windows Server 2012 (and later) in Remote Administration mode?

So the release of Windows Server 2012 has removed a lot of the old Remote Desktop related configuration utilities. In particular, there is no more Remote Desktop Session Host Configuration utility ...
Ryan Bolger
  • 16.8k
58 votes
8 answers

Apache: SSLCertificateKeyFile: file does not exist or is empty

I am configuring SSL for Apache 2. My system is Ubuntu Server 10.04 LTS. I have the following settings related to SSL in my vhost configuration: SSLEngine On SSLCertificateKeyFile /etc/ssl/private/...
blueFast
  • 4,260
57 votes
9 answers

How can I disable TLS 1.0 and 1.1 in apache?

Does anyone know why I can't disable tls 1.0 and tls1.1 by updating the config to this. SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 After doing this, I reload apache I do an ssl scan using ...
David
  • 683
56 votes
6 answers

Can an SSL certificate be on a single line in a file (no line breaks)?

SSL certificates by default have line breaks after 67 characters. I'm trying to create SSL certificate files using Chef. Essentially I want to create the entire certificate file from a string variable ...
wrangler
  • 3,130
56 votes
3 answers

Configure Nginx as reverse proxy with upstream SSL

I try to configure an Nginx server as a reverse proxy so the https requests it receives from clients are forwarded to the upstream server via https as well. Here's the configuration that I use: http ...
Alex Flo
  • 1,791
56 votes
3 answers

How to fix 'logjam' vulnerability in Apache (httpd)

Recently, a new vulnerability in Diffie-Hellman, informally referred to as 'logjam' has been published, for which this page has been put together suggesting how to counter the vulnerability: We have ...
Christophe De Troyer
53 votes
8 answers

On IIS, how do I patch the SSL 3.0 POODLE vulnerability (CVE-2014-3566)?

How do I patch CVE-2014-3566 on a Windows Server 2012 system running IIS? Is there a patch in Windows Update, or do I have to do a registry change to disable SSL 3.0?
Eric Lathrop
53 votes
4 answers

Difference between SSLCertificateFile and SSLCertificateChainFile?

Normally with a virtual host an ssl is setup with the following directives: Listen 443 SSLCertificateFile /home/web/certs/domain1.public.crt SSLCertificateKeyFile /home/web/certs/domain1.private....
chrisjlee
  • 1,015
53 votes
9 answers

How do I disable TLS 1.0 without breaking RDP?

Our credit card processor recently notified us that as of June 30, 2016 we will need to disable TLS 1.0 to remain PCI compliant. I tried to be proactive by disabling TLS 1.0 on our Windows Server 2008 ...
Mike
  • 1,273
52 votes
16 answers

SSL Error - unable to read server certificate from file

I've been setting up SSL for my domain today, and have struck another issue - I was hoping someone could shed some light on.. I keep receiving the following error messages: [error] Init: Unable to ...
williamsowen
  • 1,167
51 votes
5 answers

Failed tls handshake. Does not contain any IP SANs

I'm trying to set up logstash forwarder, but I have issues with making a proper secure channel. Trying to configure this with two ubuntu (server 14.04) machines running in virtualbox. They are 100% ...
connery
  • 545
51 votes
6 answers

SSL for devices in local network

Initial question We make devices which run a webserver and the user can control some functionality of the device by browsing directly to the IP of the device. This can be a fixed IP when a direct WiFi ...
Daan Pape
  • 611
50 votes
3 answers

stop apache from asking for SSL password each restart [duplicate]

Using instructions from this site but varying them just a little I created a CA using -newca, I copied cacert.pem to my comp and imported as trusted issuer in IE. I then did -newreq and -sign (note: I ...
50 votes
3 answers

How can I detect if a server is using SNI for HTTPS?

I'm looking for a simple way to know if a server is using the Server Name Indication SSL extension for its HTTPS certificate on a website. A method that uses either a browser or Unix command line is ...
spookylukey
49 votes
9 answers

Is there any reason not to enforce HTTPS on a website?

A website I frequent has finally decided to enable TLS to their servers, only not to mandate it as a lot of websites out there do. The maintainer claims that TLS must be optional. Why? On my own ...
Maxthon Chan
48 votes
2 answers

Serve http (port 80) and https (port 443) on same VirtualHost

I need to set up my VirtualHost on Apache to serve on both http and https (using standard ports) If I enable the SSL Engine (as per below) - I get an error when on port 80. The reason is, parts of ...
kron
  • 755
47 votes
7 answers

How to update cURL CA bundle on RedHat?

I am running into issues where the CA bundle that has been bundled with my version of cURL is outdated. curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL ...
Andrew
  • 3,473
47 votes
6 answers

Does HTTPS use TCP or UDP?

Does HTTPS use TCP or UDP?
Steven
  • 617
