I get it, older versions of TLS and SSL are insecure and we should not be using them. However I needed to get on an HPE Server iLO management interface last week and I
was met with this.
Firefox Error: SSL_ERROR_UNSUPPORTED_VERSION Microsoft Edge, Chrome, and Opera Error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Microsoft Internet Explorer Error: This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner. Your TLS security settings aren’t set to the defaults, which could also be causing this error.
Firefox Solution : SSL_ERROR_UNSUPPORTED_VERSION
I advise you just do this to get to the page you need to and set it back afterwards. In your browser windows enter about:config, Type TLS into the search bar and locate security.tls.version.min and change its value to 1, Then tick to save.
And now, I can get to where I want to go.
IE Solution : SSL_ERROR_UNSUPPORTED_VERSION
Yeah, I know Internet Explorer is supposed to be dead, but it’s still there and you can utilise it to solve this problem, from your internet options in IE > Advanced > you can then enable TLS 1.1. and 1.2.
You will still get a warning but now you can click past it.
Related Articles, References, Credits, or External Links
A few months ago I wrote an article about getting free exchange certificates with Lets ‘Encrypt’. And that still works peachy, I implemented it on my test Exchange 2019 server (in Hybrid mode) and all appeared well.
Some time later, (remember this is my test network so it’s not in production.) I noticed that mail was not getting forwarded from O365 to the on premises Exchange server. I’ve also had to fix similar problems like this before here.
These were to sort of errors I was seeing;
450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB8EUR05FT046.eop-eur05.prod.protection.outlook.com]
450 4.4.317 Cannot connect to remote server [Message=451 4.4.0 TLS negotiation failed with error SocketError] [LastAttemptedServerName=mail.petenetlive.com] [LastAttemptedIP=x.x.x.x:25] [DB3EUR04FT033.eop-eur04.prod.protection.outlook.com]
So the problem is obviously something to do with the certificate on the on premises server, so either it’s misconfigured or Microsoft O365 does not like the ‘Lets Encrypt’ certificate.
Solution
Firstly I made sure the send and receive connecters were using the correct certificate.
Note: Above, change the server names and send connector name to match your own.
At this point I was pretty sure that the problem was with that cert so I bought myself a 12 month SSL cert (for the princely sum of $17) and used that instead.
How To Swap Hybrid Connector Certificates
Get the Thumbprint for the NEW publicly signed certificate (Get-ExchangeCertificate). Then use the following PowerShell.
Both SSL and TLS are cryptographic protocols designed to secure communications over a network (remember the internet is just a network). Originally we had SSL version 1 and version 2. But they were, (to be honest) ‘a bit bobbins’ and full of security holes, so never really took off. Version 3 however did and was widely supported. The problem with version 3 was, (again) that was also ‘bobbins’. All this came to a head with the Poodle exploit and people started getting rid of SSLv3.
So, what about TLS? Well TLS v1.0 was largely based on, (but not compatible with) SSLv3. TLS 1.1 replaced v1.0 (circa 2006). Problems with it prompted TLS 1.2 (circa 2008). Then that was the standard until TLS v1.3 (circa 2018).
However: Just because you use the newest protocols does not necessarily mean you are more secure: Most documentation you read says TLS 1.2 ‘Should’ be secure (that’s reassuring eh!) This is because these protocols are built on cryptographic ciphers and they are only as secure as those ciphers. You can corrupt a strong protocol with a weak cipher and render it less secure. In some cases, you may need to do this, or you might simply enable a web cipher to fix a ‘problem’ without understanding the consequences.
You are ‘Probably’ Reading this Because…
If you’ve had a security audit, or a company had scanned your network and produced a report that says you are running insecure protocols and you need to do something about it.
THINK: Security is a good thing, (I’m all for it,) BUT just rushing to turn things off, can cause you problems, where possible test any remediation in a test environment, many old legacy (for legacy read ‘applications that are business critical, and you can no longer update or get support on’) may still be using these old protocols. Simply disabling SSLv3.0, TLS v1.0,1.1, and/or 1.2 can have some negative effects, either on YOUR applications or in the browsers of your clients. Remember if you provide a web based service it will also need testing with any browser that your staff, or even the public may be using to access your web based platforms.
TLS 1.0 and TLS 1.1 might be ‘depreciated’ but it’s still widely used, disabling them will probably cause you more problems than the older SSL protocols, so test, test, and test.
ISOLATE: If you have old legacy applications and you need to retain them for compliance or financial reasons, then consider simply MITIGATING the risk by taking them off the local network, and running them in isolation.
DOCUMENT: If you need TLS 1.1 then that’s fine just because a scan picked it up, does not mean that you HAVE TO run to the server room and disable it. Most compliance standards are fine with you not fixing something, providing you document what it is and why it’s still enabled.
Windows TLS 1.2 Support: Clients from Windows Vista, and Servers from Server 2008 support TLS 1.2. but all the way to Windows 8.1 and Server 2012 R2 it requires an update, so make sure you are fully up to date before attempting to use TLS 1.2.
Exchange: Support for TLS 1.1 and 1.2 wasn’t added until Exchange 2013 (CU8) and Exchange 2010 (SP3 RU9). Beware Some (Older) Microsoft Outlook clients will only work with TLS 1.0
Windows Client (Internet Explorer) Disabling SSL3 and TLS 1.0, TLS 1.1
Before disabling protocols on the server, it’s good practice to disable those protocols on the clients, some time beforehand, the easiest way to do this is via Group Policy.
Windows Server Disabling SSL3 and TLS 1.0, TLS 1.1
Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.
Below is a walk through for setting up a client to gateway VPN Tunnel using a Cisco Firepower ASA appliance. This was done via the ASDM console. The video was shot with ASA version 9.13(1) and ASDM 7.13(1).
Suggestion: If you are setting this up for the first time, I would suggest setting it up to use the ASA’s LOCAL database for usernames and passwords, (as shown in the video). Then once you have it working, you can change the authentication (AAA) to your preferred method (see links at bottom of page).
The original article was written with ASA version 8.0(4) and ASDM 6.1(3), which was a little more difficult so I will leave that procedure at the end just in case 🙂
Note: The ASDM cannot be used on the normal port (https) on the outside interface when using AnyConnect, because HTTPS or TCP port 443 needs to be free (and also IMPORTANTLYNOT ‘port-forwarded’ to a web server / Exchange server etc. for this to work). To fix that, either change the port that AnyConnect is using (not the best solution!) Or, (a much better solution) Change the port ASDM is using.
Solution
Setup AnyConnect From ASDM (Local Authentication)
In case you don’t want to watch a video! Launch the ASDM > Wizards > VPN Wizards > AnyConnect VPN Wizard > Next.
Give the AnyConnect profile a name i.e PF-ANYCONNECT, (I capitalise any config that I enter, so it stands out when I’m looking at the firewall configuration). >Next > Untick IPSec > Next.
Note: You can use IPSec if you want, but you will need a Certificate pre-installed to do so!
Now you need to upload the AnyConnect client packages for each operating system that is going to want to connect,
Once the package (with a pkg extension) is located, you can upload it directly into the firewalls flash memory.
Repeat the process for each OS that will be connecting. (PLEASE! Don’t forget to add the macOS package! or your users will see THIS ERROR) > Next > As mentioned above I’m using LOCAL (on the ASA) authentication. I always set this up first, then test it, then if required, change the authentication method > If you don’t already have a LOCAL user created then add a username and password for testing > Next.
Next (Unless you want to setup SAML) > Here I’ll create a new ‘Pool’ of IP addresses for my remote clients to use. You can also use an internal DHCP server for remote clients, again I normally setup and test with a Pool from the ASA, then if I need to use a DHCP server, I swap it over once I’ve tested AnyConnect. If that’s a requirement, see the following article;
Enter the DNS server(s) details for you remote clients > WINS? Who is still using WINS! > Domain name > Next > Tick ‘Exempt VPN traffic from network address translation’ > Next.
Next > Finish
DON’T FORGET TO SAVE THE CHANGES!! (File > Save Running Configuration to Flash)
Now any remote client attempting to connect to AnyConnect can install the client software directly from the firewall, (This is assuming you have not already installed it for them beforehand).
For Older Versions of the ASA/ASDM
Note: The information below is OBSOLETE, I only leave it here in case someone is running some VERY old versions of the ASDM and AnyConnect
1. Open up the ADSM console. > Click Wizards >SSL VPN Wizard.
2. Select “Both Options”. > Next.
3. Enter a connection name > If you have a certificate already select it here or simply leave it on” -None-” and the ASA will generate an un trusted one. > Next.
4. For this example we are going to use the ASA’s Local database to hold our user database, however, if you want to use RADIUS/Windows IAS select those options and accordingly, and then follow the instructions. Note: To set up IAS read my notes HERE > Enter a username and password.
5. Add. > Next
6. We are going to create a new policy in this case called SSL Users > Next.
7. You can now add bookmarks (Links on the VPN portal page) > Manage > Add > Type in a name > Add. > OK.
8. Give it a name and subtitle (look at step 18 to see how that displays) > Enter the internal URL for the web site > OK.
9. Add > OK.
10. OK.
11. Next.
12. Create an IP Pool (IP range to be leased to the VPN clients that is DIFFERENT to your LAN IP range) > New > enter a name, IP addresses, and the subnet mask > OK.
13. Point the ASA to the Anyconnect client you want to use (Note you can upload a software image from your PC here as well) Next > Accept the warning about NAT Exemptions (Note if you do get a warning to add a NAT Exemption see the note at the end).
14. Finish.
15. Before it will work you need to Select Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Double click the Connection profile you created earlier in step 3 > Enter a name in the Aliases section i.e. AnyConnect > OK. > Tick the box that says “Allow user to select connection profile by its alias………” > Apply.
16. File > Save running configuration to flash.
17. Connect externally to https://{public_IP} (Note this has to be in the browsers trusted site list) > Enter a username and password > Login
18. You are now on the “Portal” site any bookmarks created above will be visible > Click the AnyConnect Tab.
19. Double click to launch AnyConnect.
20. The Anyconnect client will install if not used previously (User needs to be local admin) and connects.
NAT Exemptions: Note if you received a warning about needing to add the remote VPN pool as a NAT Exemption (After step 13) you will need to add the following lines to the ASA
Syntax;
[box]
access-list {name} extended permit ip {LAN behind ASA} {Subnet behind ASA} {VPN Pool Range} {VPN Pool Subnet}
nat (inside) 0 access-list {name}
Working example
access-list nonat extended permit ip 10.254.254.0 255.255.255.0 10.254.253.0 255.255.255.0
nat (inside) 0 access-list nonat
[/box]
WARNING: Make sure the name matches any existing no NAT ACLs or your IPsec vpns will fail!
Related Articles, References, Credits, or External Links
If you run https services (Note: I say services, this does not have to be a website), the actual security is handled by SSL/TLS, one of the things this does is encrypt the traffic between the client and server. (This is why your online banking and shopping is done over https and not http.)
Thats great, but encrypting and decrypting all that traffic takes a lot of processing cycles, if you have http servers doing that work it will divert a lot of CPU/vCPU time away from its normal job of providing web services. If you have a very busy site, you may start to scale those servers out, and load balance them, but the http servers themselves will still need the extra grunt to do the decryption/encryption work.
You can install SSL accelerators, (often refereed to as Crypto Offload Cards,) into your servers to hand-off that workload, but in a modern virtual datacenter, that does not scale well at all.
So what if you get your ‘load-balancer’ to decrypt the traffic coming in, and re-encrypt it on its way out? The https servers no longer have to do the ‘heavy lifting’. Whats more, if you put an SSL accelerator in your load balancer, that makes it run more efficiently. Thats exactly what Citrix have done, their hardware NetScalers have a Cavium CN1620-NFBE3- 2.0-G or Cavium CN1120-NFB accelerator card in them, to take this job on. (Note: This does not apply to the virtual appliance, (obviously) but that can still perform SSL offloading).
Put Simply: Your forward facing services are HTTPS, your ‘back-end’ services are HTTP.
Solution
Before you start, I’m assuming you already have your back end servers setup in NetScaler, and have those servers presented as either a ‘service group’ or as individual ‘services’. If you are unsure how to do this, follow the article below, (all the way to setting up the Virtual Server.)
I’m also assuming you have uploaded into the NetScaler, the certificate you are going to present publicly, and the CA-Root certificate, (and any intermediate CA certificates if required). If you are using ‘self-signed’ certificates you might want to see the following article;
Log into the NetScaler > Configuration > Traffic Management > Virtual Servers > Add.
Give the Virtual Server a name > Protocol will be SSL > Set the IP (VIP) > The port will be 443 > OK.
Now add in your service group (or service(s)). I have two http servers setup in a service group, (see the article above). Click ‘No Load Balancing Virtual Server Service Group (or Service) Binding.
Search arrow.
Locate and tick your back end service group > Select.
Bind
Continue.
At this point you can upload the certificate and CA certificate.
Done.
It can take a little while to ‘go-green’ if there is a problem, click the drop down error on the left for more information. If this is a new deployment you may encounter the following problem;
This was driving me nuts on my Windows 7 x64 Laptop.
Log Name: System
Source: Schannel
Event ID: 36888
Task Category: None
Level: Error
User: SYSTEM
Description:
The following fatal alert was generated: 10. The internal error state is 10.
I was getting a dozen of these an hour!
Solution
This error is caused (from what I can gather) by an error in certificate negotiation, your machine is trying to initiate communications with another machine/server using a certificate and TLS and the process is producing this error TLS1_ALERT_UNEXPECTED_MESSAGE (10).
1. If your browser is the cause of the problem, then simply open Internet Options > Advanced > Untick all the TLS options > Apply.
2. However this DID NOT WORK for me, so something is programmatically chatting from my laptop using TLS. The bottom line is, this problem is probably not even on your machine, so I’m simply going to disable SCHANNEL logging.
Note: If your Error does NOT say “The following fatal alert was generated: 10. The internal error state is 10“. then I would suggest NOT doing this.
3. In the search run box type regedit and navigate to the following key;
[box]
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Control > SecurityProviders > SCHANNEL
[/box]
Change the EventLogging value from 1 to 0 (that’s a zero).
Related Articles, References, Credits, or External Links
There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of <domain>. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of <domain> should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task
Cause: One of the server installed certificates that has the “S” attribute (SMTP) has expired, If its the main certificate for the serve then you will need to replace it. However this is common on server that still have a copy of the certificate they self signed and used when exchange was first installed. So you are not using them anyway.
Solution
I’m assuming that the certificates that have expired are not the ones you are using in anger, lets make sure.
1. To see what certificates are being used for what. Launch “Exchange Management Shell” > Issue the following command;
[box] Get-ExchangeCertificate [/box]
2. Above you can see I’ve got three certificates and they all are being used for SMTP, lets make sure they are all in date.
3. Click Start > mmc {enter} > File > Add/Remove Snap-in > Certificates > Add > Select “Computer account” > Next > Accept the default of “Local computer” > Finish > OK > Expand Certificates > Personal > Certificates.
4. Look down the expiration date section and you can see which ones are out of date, compare this list to original one, and you can see which certificates need removing.
5. You can remove the expired certificated from here by right clicking > Delete.
6. OR, you can delete the certificates from within powershell with the following commandlet;
[box] Remove-ExchangeCertificate {thumbnail of certificate} [/box]
7. Then press Y and {Enter} to confirm.
8. Either when you are finished you should be looking more like this.
Note: Without an SMTP certificate with the FQDN of the server you may see Event ID 12014.
Error:
Microsoft Exchange couldn’t find a certificate that contains the domain name <name> in the personal store on the local computer. Therefore it is unable to offer the STARTTLS SMTP verb for any connector with a FQDN parameter of <name>. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for every connector FQDN.
You can simply create a self signed certificate with the FQDN of the server and import it, then set it for SMTP (Note: it WONT overwrite the one you are using). Or click here.
Related Articles, References, Credits, or External Links
One of my colleagues, rolled out an SBS 2008 domain the other week. The client then had an independent security review, which recommended they disable SSL 2.0 on their Windows 2008 Server. Queue lots of head scratching and shoulder shrugging.
After trawling a few forums we pieced together a working registry fix.
Solution
1. On your server apply the following registry fix. (or download it here).
I was trying to do some online VMware training today, and this was really annoying me, every link I clicked up it came.
Popup:
Only secure content is displayed – What’s the risk? – Show all content
Eventually after clicking show all content (A LOT) I could take no more, and had to disable it.
Solution
Warning: There’s a sound reason for this, over https all traffic is encrypted with SSL/TLS and cannot be seen by someone analysing network traffic, if you are sending password or credit card data you might not want to do this.
1. Click Start and in the search/run box type inetcpl.cpl {enter}.
2. Select the Security tab > Internet > Custom Level.
3. Locate the “Display mixed content” section and enable it > OK.
4. Select Yes to confirm, and restart Internet Explorer.
Related Articles, References, Credits, or External Links
1. Connect to the Exchange admin center > Mail flow > receive connectors > Add.
2. Give the connector a name (take note of it, you will need it in a minute) > Select ‘Frontend Transport’ > Custom > Next.
3. Accept the default of TCP Port 25 (SMTP) > Next.
4. REMOVE the 0.0.0.0-255.255.255.255 range. (WARNING: If you do not do this you will become an open relay).
5. Add in the IP address of the host (from which you want to allow relaying) > Save.
6. Open the properties of the connector you just created > Security > Under Authentication select ‘Externally Secured (for example with IPSEC) > Under Permission groups, select ‘Exchange servers’ and ‘Anonymous users’ > Save.
7. At this point, you may find that when you test from the host you get the following error;
421 4.4.1 Connection timed out
I would suggest you change some parameters of the receive connector. Execute the following PowerShell command;
8. Restart the Microsoft Exchange Transport Service on the Exchange server.
[box]Restart-Service MSExchangeTransport[/box]
Exchange 2013 – Test Email Relaying from your ‘Allowed IP’
1. Go to the machine you have allowed relaying from, and attempt to ‘relay’ mail. In the example below I’m attempting to send an email to test@relay.com. In the first example we cannot relay, so something has been misconfigured.
2. However this time we CAN relay so our connector is configured properly.
Related Articles, References, Credits, or External Links