Security Basics mailing list archives

Re: How to tunnel https traffic in VPN based connecton?
From: s1nghul <s1nghulx () googlemail com>
Date: Thu, 3 Mar 2011 13:16:35 +0100

The third-party certificate (or your self-signed one) has to be
deployed and registered on your company's workstations. There is no
communication with the root cert. authority during the SSL handshake
between the workstation and the SSL-enabled server. Most of the root
cert. authorities (e.g. Thawte, VeriSign etc.) are already registered
in the trusted certificate cache of your computers, so chances are
good you won't have to do anything after getting your certificate from
one of these authorities.

Regards
s1n

2011/3/3 asad ali <a.alii85 () gmail com>:
Thank you for your reply. As a follow-up question I have this to ask you.

Does a third-party SSL certificate work if the site is operating in an
intranet environment with no access to the Internet (WWW)? As I believe
the browser needs to communicate with the root CA's server in order to process
and validate users' requests, in case there is no connectivity to the outside
world all such processing would fail. Right?

On Wed, Mar 2, 2011 at 12:43 PM, s1nghul <s1nghulx () googlemail com> wrote:

If you want to use a self-signed certificate, you can create your own
root certificate, sign your self-signed certificate with it and deploy
the root cert. on every client via domain policies.

Regards
s1n

2011/3/1  <a.alii85 () gmail com>:
I have site(s) A_i, i = 1, ..., 10, which communicate with site B to
access a website/application. That's simple enough.

However, the traffic is HTTP. Well, we primarily don't need HTTPS on an IPsec
tunnel, right? But attacks related to eavesdropping on traffic become a
reality once it gets terminated by the IPsec device on both sides.

I have two options: either purchase a third-party SSL certificate to
encrypt the traffic between two nodes or use a custom-made one.

I don't want to use a custom-made one because this makes the browser
prompt an ugly untrusted-certificate message; it's ugly not from a security
perspective but for the clients' inconvenience, and assuring users' confidence in
our systems is a critical issue for us.

Based upon the above discussion I have the following two queries:

a) How is it possible to remove the ugly untrusted-certificate message from the user's
screen? Does the company need to register its certificate with some kind of CA
body? Or what ...

b) Due to some TCP acceleration issues, SSL traffic slows down the
traffic between the nodes, so we only require the encryption to stand just
during the initial handshake when the username and password are being
validated; after that we want to revert back to HTTP. Could this be achieved?
If yes, how?

Thanks for your help.

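The procedure s1nghul describes (create your own root, sign the server certificate with it, deploy the root to every client) and his point that certificate validation needs no contact with the CA can be checked end to end with openssl. The script below is an added example, not code posted by anyone in this thread; the hostname app.corp.example, the file names and the validity periods are assumptions. It builds a private root CA, issues a server certificate carrying a subjectAltName (browsers match the hostname against the SAN, not the CN), verifies that certificate offline against the private root, and then shows that the same certificate is rejected when the root is absent from the trust store, which is exactly the condition behind the browser's untrusted-certificate warning. Copying rootCA.crt into the workstations' trusted root store (the "domain policies" step) is left to the domain tooling and is not shown.

```shell
#!/bin/sh
# Added example (not from the original thread): private root CA, server
# certificate signed by it, and offline chain verification with openssl.
# Hostname, paths and lifetimes below are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
HOST="${HOST:-app.corp.example}"      # assumed intranet web server name

# Step 1: self-signed root CA. This is the one certificate that must be
# deployed to every client; its private key stays on the CA host.
make_root_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Intranet Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" 2>/dev/null
}

# Step 2: server key and certificate request, generated on the web server.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Step 3: the CA signs the request. The SAN is what browsers check the
# hostname against; serverAuth marks the cert as a TLS server cert.
sign_server_cert() {
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$HOST
EOF
    openssl x509 -req -sha256 -days 397 \
        -in "$WORK/server.csr" \
        -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
        -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

build_all() {
    make_root_ca && make_server_csr && sign_server_cert
}

# Validation as a client with the root deployed: chain building and
# hostname matching happen locally, with no network and no CA contact.
verify_with_private_root() {
    openssl verify -CAfile "$WORK/rootCA.crt" -verify_hostname "$HOST" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# Same certificate checked against the system store without the private
# root: this is the state that produces the untrusted-certificate warning.
verify_against_system_store() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# Right root, wrong name: trust in the issuer alone is not enough.
verify_wrong_hostname() {
    openssl verify -CAfile "$WORK/rootCA.crt" -verify_hostname "other.corp.example" \
        "$WORK/server.crt" >/dev/null 2>&1
}

build_all
if verify_with_private_root; then
    echo "chain OK for $HOST against private root (offline, no CA contact)"
fi
if ! verify_against_system_store; then
    echo "same cert NOT trusted without the root deployed (browser warning case)"
fi
echo "deploy $WORK/rootCA.crt to clients; install server.key and server.crt on the web server"
```

Run it as `sh script.sh`; set `WORK` and `HOST` in the environment to change the output directory or the server name. The two negative checks are the useful part: an untrusted issuer and a hostname mismatch both fail closed, and neither outcome depends on reaching anything outside the machine doing the verification.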
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your company and
how your customers can tell if a site is secure. You will find out how to
test, purchase, install and use a thawte Digital Certificate on your Apache
web server. Throughout, best practices for set-up are highlighted to help
you ensure efficient ongoing management of your encryption keys and digital
certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------