| T.R | Title | User | Personal Name | Date | Lines |
|---|
| 4447.1 | ActiveX and HTTPS | NZOV02::VSEVOLODM | | Mon Feb 03 1997 23:47 | 15 |
| This is a supplement to .0:
Sometimes you need to download an ActiveX control from the Web site you
are looking for.
There is only one way to verify such a control: check it against
a trustworthy authority like the VeriSign Web site.
And you are not able to do this, because you can't run HTTPS
from within the DIGITAL internetwork.
I wonder if somebody is concerned about it.
The vast majority of people simply download the control without checking
it.
End of the story and security.
|
| 4447.2 | Re: Is HTTPS now allowed through our internal firewall | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Tue Feb 04 1997 00:19 | 24 |
| vickery@nzov02.enet.dec.com wrote:
: Title: Is HTTPS now allowed through our internal firewall
: Does anyone have a workaround to maintain an HTTPS session through the
: internal firewall?
:
: Whenever I attempt to do this the firewall responds with "Access Denied
: you are not allowed to access "website":443
:
: Is there a specific Proxy server configured to allow HTTPS?
:
: The proxy server that responds is www-relay2.pa-x.dec.com
Jean-Paul Rambeau told me that ExARC would be making a decision on my
request to allow https: proxying to arbitrary hosts sometime next week.
Stephen
--
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
| 4447.3 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Tue Feb 04 1997 08:49 | 7 |
| > The proxy server that responds is www-relay2.pa-x.dec.com
The Palo Alto proxy server does not currently allow https (SSL) through
its firewall. Stephen Stuart, who just replied to this topic, would be the one
to change this.
Danny
|
| 4447.4 | | VAXCPU::michaud | Jeff Michaud - ObjectBroker | Fri Feb 21 1997 18:47 | 6 |
| > Date: 4-FEB-1997 00:19
> Jean-Paul Rambeau told me that ExARC would be making a decision on my
> request to allow https: proxying to arbitrary hosts sometime next week.
Have they gotten back to you with their decision (assuming
they made one)?
|
| 4447.5 | Re: Is HTTPS now allowed through our internal firewall | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Fri Feb 21 1997 20:48 | 21 |
| Jeff Michaud - ObjectBroker (michaud@vaxcpu.enet.dec.com) wrote:
: Title: Is HTTPS now allowed through our internal firewall
: Reply Title: (none)
: > Date: 4-FEB-1997 00:19
: > Jean-Paul Rambeau told me that ExARC would be making a decision on my
: > request to allow https: proxying to arbitrary hosts sometime next week.
: Have they gotten back to you with their decision (assuming
: they made one)?
They did on Wednesday, with a restriction that required
clarification. I'm now (sigh) awaiting the clarification.
Stephen
--
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
| 4447.6 | Try going through ZKO proxy | TAVIS::IZAK | Computers,all they think of is HEX | Wed Feb 26 1997 06:17 | 6 |
| Hi,
Today I tried to use www-proxy.zko.dec.com:8080 as my "Security Proxy Server"
and it worked like a charm and I was able to retrieve https://... URLs.
Izak
|
| 4447.7 | Re: Is HTTPS now allowed through our internal firewall | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Wed Feb 26 1997 12:09 | 10 |
| EXARC just approved the use of SSL for https: proxying by all external
proxy sites.
Stephen
--
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
| 4447.8 | How do we use the new https proxy server? | BBRDGE::LOVELL | à l'eau; c'est l'heure | Mon Mar 17 1997 03:16 | 21 |
| Stephen (Stuart);
Pray tell, how does one make use of the new https relay. I am using
the MS Internet Explorer and I have set my "secure" proxy setting as;
www-proxy.pa.dec.com port 8080
When I try to access the url ;
https://www.microsoft.com/isapi/events/event/reg_cust_trak...<snip>....
I receive the error message ;
connect to www.microsoft.com:443 failed (Connection refused).
Proxy server at www-relay1.pa-x.dec.com on port 8080
Please advise exact settings for https proxy
Thanks,
/Chris/
|
| 4447.9 | | QUARK::LIONEL | Free advice is worth every cent | Mon Mar 17 1997 10:59 | 4 |
| There is no specific setting to use - just specify the appropriate server in
the http server field.
Steve
|
| 4447.10 | | BBRDGE::LOVELL | à l'eau; c'est l'heure | Mon Mar 17 1997 11:57 | 10 |
| >>There is no specific setting to use - just specify the appropriate
>>server in the http server field.
That's what I thought I did as described in .7
So what's your definition of "appropriate server" and if it is the same
as mine then why does the server return an error?
/Chris/
|
| 4447.11 | Re: Is HTTPS now allowed through our internal firewall | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Mon Mar 17 1997 13:08 | 32 |
| à l'eau; c'est l'heure (lovell@bbrdge.enet.dec.com) wrote:
: Title: Is HTTPS now allowed through our internal firewall
: Reply Title: How do we use the new https proxy server?
: I receive the error message ;
:
: connect to www.microsoft.com:443 failed (Connection refused).
: Proxy server at www-relay1.pa-x.dec.com on port 8080
This message is telling you that the server www.microsoft.com is not
listening on port 443 (I take this as a sign that your browser is
configured properly - it caused the proxy to try to do the right
thing). The relay tried to service the request, but if the destination
refuses the connection, there's not a lot that the relay can do.
Are you absolutely sure that Microsoft is running a "secure" server on
the same host(s) as their regular web server? When I try the URL
"https://www.microsoft.com/" from outside the firewall, I get
redirected to:
http://www.microsoft.com/default.asp?MSID=<biglongstring>
It is possible that you just hit a window where their server listening
on port 443 was down. Are there other https: URLs that you've tried?
Stephen
--
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
| 4447.12 | More Details... | BBRDGE::LOVELL | à l'eau; c'est l'heure | Mon Mar 17 1997 16:09 | 27 |
| I haven't tried other https url's as I've not needed to up till now.
The url that I posted in my problem report was only a partial listing -
I guess the full url is generated on the fly so you'd have to go to their
pages to fill in a couple of forms to actually try it.
This was a genuine https attempt. I had just filled in my credit card
details and was trying to register online for Microsoft's TechEd
conference in Nice. Prior to entering the form details, I received a
warning telling me that I was starting dialog with a secure server
and asking me to confirm.
Stephen - could you please verify this behaviour - start from the url ;
http://www.microsoft.com/isapi/events/login.idc?s=3462&a=1&dst=R
You don't have to enter your credit card details - that part is
optional, but a secure (https) url is still generated for the next
steps which is where the error occurs.
The error still persists - I don't have any other https connections
that I can try with legitimacy. Do the Palo Alto logs show a clean
https attempt from me? Is there any transaction detail other than
Error 443 that I can report to Microsoft?
Thanks,
/Chris/
|
| 4447.13 | | PEACHS::GHEFF | Got a head with wings | Tue Mar 18 1997 08:19 | 17 |
| I too am an https novice. Yesterday was the first time I tried to
connect to a secure server from inside the firewall. I set my secure
proxy and attempted to contact:
https://cafe2.symantec.com/cafemac/
Just tried it and got:
connect to cafe2.symantec.com:443 failed (Connection timed out).
Proxy server at www-relay2.pa-x.dec.com on port 8080
Which is a little different. Is it somehow related? I guess that
the Symantec system could be simply unavailable. No way for me to tell
at this point. I can't get to my ISP from here to test the theory.
#Gary
|
| 4447.14 | | VAXCPU::michaud | Jeff Michaud - ObjectBroker | Tue Mar 18 1997 10:32 | 17 |
| > connect to a secure server from inside the firewall. I set my secure
> proxy and attempted to contact:
> https://cafe2.symantec.com/cafemac/
> Just tried it and got:
> connect to cafe2.symantec.com:443 failed (Connection timed out).
> Proxy server at www-relay2.pa-x.dec.com on port 8080
>
> Which is a little different. Is it somehow related? I guess that
> the Symantec system could be simply unavailable. No way for me to tell
> at this point.
The only thing different is that the host you are trying to
connect to ("cafe2") did *not* respond to the connect request,
and the previous noter's host they were trying to connect to
refused the connection (usually meaning that the host is up
and reachable, but no application is listening on the requested
port, i.e. their https server is not running).
|
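What notes .11 and .14 describe, as an added example (not code from the thread or from the DEC relays): a toy relay on localhost that receives a browser's tunnel request and reports whether the destination accepted or refused the connection. It assumes the relay is driven by the HTTP `CONNECT` method; the function names and the 502 status line are made up for the sketch.

```python
import socket
import threading

def relay_once(listener):
    """Toy relay (not DEC's): serve one CONNECT; the 502 status is an assumption."""
    client, _ = listener.accept()
    with client:
        request_line = client.recv(4096).decode("latin-1").split("\r\n")[0]
        target = request_line.split(" ")[1]      # "CONNECT host:port HTTP/1.0"
        host, port = target.rsplit(":", 1)
        try:
            socket.create_connection((host, int(port)), timeout=2).close()
        except ConnectionRefusedError:   # host answered with a reset: up, nothing listening
            reason = "Connection refused"
        except socket.timeout:           # host never answered: down, filtered or unroutable
            reason = "Connection timed out"
        else:
            client.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
            return
        client.sendall(f"HTTP/1.0 502 Bad Gateway\r\n\r\nconnect to {target} failed ({reason}).\r\n".encode())

def connect_via_proxy(proxy_addr, target):
    """Browser side: ask the proxy for a tunnel and return its full reply."""
    with socket.create_connection(proxy_addr, timeout=5) as s:
        s.sendall(f"CONNECT {target} HTTP/1.0\r\n\r\n".encode())
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
        return reply.decode("latin-1")

def demo():
    """Constructed local targets: one listening port, one bound but not listening."""
    open_dest = socket.create_server(("127.0.0.1", 0))
    closed_dest = socket.socket()
    closed_dest.bind(("127.0.0.1", 0))   # never listen(): connects are refused
    results = {}
    for label, dest in (("open", open_dest), ("closed", closed_dest)):
        listener = socket.create_server(("127.0.0.1", 0))
        worker = threading.Thread(target=relay_once, args=(listener,))
        worker.start()
        target = "127.0.0.1:%d" % dest.getsockname()[1]
        results[label] = connect_via_proxy(listener.getsockname(), target)
        worker.join()
        listener.close()
    open_dest.close()
    closed_dest.close()
    return results

if __name__ == "__main__":
    print(demo())
```

The timeout branch is not exercised by `demo()`, since it needs a destination that silently drops the connection attempt.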
| 4447.15 | try refresh | TUXEDO::STRUTT | Colin Strutt | Tue Mar 18 1997 11:44 | 19 |
| I too am having trouble getting to https services through the
firewall.
Consider
https://expedia.msn.com/pub/eta.dll
followed by a load of parameters which I won't include here
gets me a notification that I'm about to enter a secure page, then:
connect to expedia.msn.com:443 failed (Connection refused).
Proxy server at www-relay2.pa-x.dec.com on port 8080
I would not have expected it to be refused. This works from outside the
firewall.
However, if I refresh the page (I'm using IExplorer 3.01) then the
secure page is displayed correctly.
colin
|
| 4447.16 | | PEACHS::GHEFF | Got a head with wings | Tue Mar 18 1997 12:08 | 3 |
| For whatever the reason, I'm able to get to the Symantec server now.
#Gary
|
| 4447.17 | | BBRDGE::LOVELL | à l'eau; c'est l'heure | Tue Mar 18 1997 13:16 | 4 |
| And the Microsoft https url worked *ONCE* just now and then fell
back to the same error - bizarre.
/Chris/
|
| 4447.18 | Re: Is HTTPS now allowed through our internal firewall | QUABBI::"stuart@nsl-too.pa.dec.com" | Stephen Stuart | Tue Mar 18 1997 16:58 | 16 |
| à l'eau; c'est l'heure (lovell@bbrdge.enet.dec.com) wrote:
: Title: Is HTTPS now allowed through our internal firewall
: Reply Title: (none)
: And the Microsoft https url worked *ONCE* just now and then fell
: back to the same error - bizarre.
No changes were made to the proxies.
Stephen
--
- -----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
|
| 4447.19 | IE and 128 bit and/or https proxies ? | NPSS::BENZ | I'm an idiot, and I vote | Thu Mar 27 1997 23:39 | 20 |
| Another https site to check the proxy is https://webxpress.fidelity.com
With Netscape, I can't get there - it requires 128 bit RSA, and I have
the standard 40 bit version from the IBG server. But at least it tells
me that "Netscape and this server cannot communicate securely because
they have no common encryption algorithm(s)."
With Internet Explorer, I can't tell whether or not I've configured my
proxy properly - I set it up as www-proxy.das.dec.com, 8080 (just like
.8 had his), but when I try to connect, I get "Cannot connect to
server". I do have all cryptography enabled.
Has anyone made a https connection using Internet Explorer through our
proxy servers ?
How can I tell whether or not I have a 128 bit version of Internet
Explorer ? I'm running version 3.0 (4.70.1158), but there does not
seem to be any indication anywhere about international/US versions.
\chuck
|
| 4447.20 | | teco.mro.dec.com::tecotoo.mro.dec.com::mayer | Danny Mayer | Fri Mar 28 1997 09:06 | 35 |
| > Another https site to check the proxy is https://webxpress.fidelity.com
>
> With Netscape, I can't get there - it requires 128 bit RSA, and I have
> the standard 40 bit version from the IBG server. But at least it tells
> me that "Netscape and this server cannot communicate securely because
> they have no common encryption algorithm(s)."
>
I suspect that this site is not running a valid SSL implementation or
that it is using a different encryption algorithm from the standard ones
used in SSL. SSL allows 40-bit and 128-bit RSA to interoperate.
On the other hand, I just looked. It's running Netscape Fastrack 2.01.
Strange.
> With Internet Explorer, I can't tell whether or not I've configured my
> proxy properly - I set it up as www-proxy.das.dec.com, 8080 (just like
> .8 had his), but when I try to connect, I get "Cannot connect to
> server". I do have all cryptography enabled.
>
> Has anyone made a https connection using Internet Explorer through our
> proxy servers ?
>
> How can I tell whether or not I have a 128 bit version of Internet
> Explorer ? I'm running version 3.0 (4.70.1158), but there does not
> seem to be any indication anywhere about international/US versions.
>
You can tell because you only downloaded it. You have to make a special
effort to get the 128 bit version. You won't have the 128 bit version.
You should download the 3.02 version from the IBG Software Distribution
Server since the version you are currently running has security holes in it
and Corporate Security requires that you upgrade right away.
> \chuck
|
| 4447.21 | | SMURF::PBECK | Who put the bop in the hale-de-bop-de-bop? | Fri Mar 28 1997 09:33 | 8 |
| > I suspect that this site is not running a valid SSL implementation or
> that it is using a different encryption algorithm from the standard ones
> used in SSL. SSL allows 40-bit and 128-bit RSA to interoperate.
Yes, but if it does so by downgrading to 40-bits, the Fidelity site
is probably saying "that's not secure enough for us, go away". That
was my understanding of that site, in any event, when I looked at it
a week or so ago.
|
| 4447.22 | | NPSS::BENZ | I'm an idiot, and I vote | Fri Mar 28 1997 15:32 | 9 |
| > You should download the 3.02 version from the IBG Software Distribution
> Server since the version you are currently running has security holes in it
> and Corporate Security requires that you upgrade right away.
Hmmph. Since the IBG dist server version is probably the 40 bit
version, I'll go to Microsoft instead to see if I can get the 128 bit
version there.
\chuck
|
| 4447.23 | | NPSS::BENZ | I'm an idiot, and I vote | Fri Mar 28 1997 15:52 | 10 |
| Eeep...
>> I'll go to Microsoft instead to see if I can get the 128 bit
Contrary to the experience reported in 4497.0, Microsoft doesn't seem
to make the 128 bit version the default that comes up. In fact, I
don't see it anywhere obvious (unless they give it out without telling
you). Oh well.
\chuck
|
| 4447.24 | | NPSS::BENZ | I'm an idiot, and I vote | Sat Mar 29 1997 23:31 | 9 |
| More on getting the 128 bit versions of Netscape and Internet Explorer:
a page at Fidelity will direct to the appropriate pages at Netscape and
Microsoft (don't have the page at hand - sorry). Both take you through
a form where you declare that you're legit, etc... Microsoft seems to
currently offer a 3.01 version instead of the new 3.02, but attempting
to download gets an empty file anyways, so they may be in the middle of
fixing that.
\chuck
|
| 4447.25 | | BEGIN::ROTITHOR | | Thu Apr 03 1997 17:12 | 7 |
| I use netscape 3.01 gold on a Unix platform.
If I open two browser windows and try to connect to two separate secure servers I run into a problem.
Usually an error is reported (for the second one, the first one has gone through).
I do not have this problem if I connect to them individually (the connection goes through fine).
Is this a known problem, am I doing something outside spec, is it only specific to server sites that I am trying
to connect, is there a workaround for the problem (other than the obvious one of using one at a time).
Thanks for suggestions
|