Why would my ISP have SSLv3 enabled and support insecure suites? SSLLAB rates them an F

A few days ago I tried to log in and pay my bill and their HTTPS was disabled. I questioned it and they enabled it and said they were doing upgrades. Curious, I tested the site with SSL LAB and they received an F because they also support insecure suites.

I asked them about disabling SSLv3 to mitigate POODLE and was told I needed to do that on my end.

I am confused because every other ISP and site with SSL I test receives a B or A score. Why would my ISP rest at an F while no one seems to care except me?

SharePoint 2010 – disable SSLv3 and TLS 1.0

I’m tasked to figure out how to disable SSLv3 and TLS 1.0 on a SharePoint 2010 farm.

After some reading, I came to the following conclusions:

  • It is safe to disable SSLv3 on SharePoint servers,
  • It is not possible to disable TLS 1.0, because communication between SharePoint servers would fail as other TLS versions are not supported.

So it looks like we can’t disable TLS 1.0 due to possible failure of communication between servers. I’m however thinking about a scenario where we:

  • don’t disable TLS 1.0
  • we enable TLS 1.1 and 1.2
  • we configure IIS SharePoint sites to require TLS 1.1 or 1.2 on the endpoints that are publicly available

My thinking is that if we could enforce TLS 1.1 and 1.2 on the public-facing endpoints, servers between themselves could still communicate with TLS 1.0, and clients could connect only with higher TLS versions.

Please let me know if what I came up with makes sense, and point me in the right direction how to configure it. In case it’s not possible, please let me know what other options I have.

sslv3 handshake failure (0x14077410) connecting from MarkLogic Server

I’m using MarkLogic 8 and trying to do a POST request to a server. I’m able to connect via curl or using Postman; however, it’s failing with MarkLogic. A similar post suggested that it’s an issue with SNI, as MarkLogic uses OpenSSL. I have tried to put the option in the post request; however, I’m still getting the same error. Any insights into resolving this issue? See code snippet below:

    xdmp:http-post($post_url,
      <options xmlns="xdmp:http">
        <data>{xdmp:quote($custom_json)}</data>
        <headers>
          <content-type>application/json</content-type>
          <Host>{$host}</Host>
        </headers>
        <allow-sslv3>false</allow-sslv3>
        <allow-sslv3>false</allow-sslv3>
      </options>
    )

Logstash isn’t accepting the self signed certificates and throws a sslv3 alert handshake failure

I have set up an Elastic stack on my laptop and I have configured the full stack (filebeat, logstash, elasticsearch and kibana) in it. But now I need to connect filebeat and logstash in a secure manner using SSL. But after using the self-signed certificates that I have created on my own, it throws the following error when I try to verify the certificate with the following curl request:

    curl -v --cacert ca.crt https://localhost:5044

The error –>

    * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
    * stopped the pause stream!
    * Closing connection 0
    curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

It gives the above sslv3 handshake failure.

I have followed the following guideline to create the self-signed certificate that can be configured with logstash: https://benjaminknofe.com/blog/2018/07/08/logstash-authentication-with-ssl-certificates/ I have followed those steps that are suitable to my implementation.

Here is the full handshake output that I have received from the curl request:

    * Rebuilt URL to: https://localhost:5044/
    *   Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to localhost (127.0.0.1) port 5044 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: ca.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Request CERT (13):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Certificate (11):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS alert, Server hello (2):
    * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
    * stopped the pause stream!
    * Closing connection 0
    curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Here is my logstash.config file that I used in the openssl key creation. I have given the common name as localhost because that’s how I mapped it in /etc/hosts: 127.0.0.1 localhost

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no

    [req_distinguished_name]
    countryName                     = XX
    stateOrProvinceName             = XXXXXX
    localityName                    = XXXXXX
    postalCode                      = XXXXXX
    organizationName                = XXXXXX
    organizationalUnitName          = XXXXXX
    commonName                      = localhost
    emailAddress                    = XXXXXX

    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = localhost

logstash input plugin

    input {
      beats {
        port => 5044
        ssl => true
        ssl_certificate_authorities => ["/home/ssl/ca.crt"]
        ssl_certificate => "/home/ssl/logstash.crt"
        ssl_key => "/home/ssl/logstash.key"
        #ssl_verify_mode => "force_peer"
        client_inactivity_timeout => 1000
      }
    }

I expected to have configured SSL certificates that are accepted by logstash. But they are not accepted when I try to verify them with the curl requests.
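Added example, not part of the original post: a small Python parser for `curl -v` TLS trace lines of the kind quoted above, reporting whether the server requested a client certificate and which handshake message preceded the alert. The function and key names are hypothetical; the sample lines are copied from the trace in the post.

```python
import re

# Trace lines copied from the curl -v output quoted in the post above.
SAMPLE_TRACE = """\
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
"""

# Shape: "* <version> (<IN|OUT>), TLS <record type>, <label> (<number>):"
LINE_RE = re.compile(
    r"^\*\s+(?P<ver>\S+) \((?P<dir>IN|OUT)\), TLS (?P<rec>[a-z ]+), "
    r".+? \((?P<num>\d+)\):$")

# TLS 1.2 handshake message types (RFC 5246).
CERTIFICATE, CERTIFICATE_REQUEST = 11, 13


def summarize_trace(trace):
    """Report who asked for certificates and where the alert arrived."""
    out = {"protocol": None, "server_requested_client_cert": False,
           "client_sent_certificate_msg": False, "alert_from": None,
           "last_handshake_before_alert": None}
    last = None
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # connection info and error lines are not TLS records
        direction, num = m["dir"], int(m["num"])
        out["protocol"] = m["ver"]
        if m["rec"] == "handshake":
            last = (direction, num)
            if direction == "IN" and num == CERTIFICATE_REQUEST:
                out["server_requested_client_cert"] = True
            if direction == "OUT" and num == CERTIFICATE:
                # The trace does not show whether this message carried a cert.
                out["client_sent_certificate_msg"] = True
        elif m["rec"] == "alert" and out["alert_from"] is None:
            # Only the record type is used; the label on alert lines is ignored.
            out["alert_from"] = "server" if direction == "IN" else "client"
            out["last_handshake_before_alert"] = last
    return out
```

For the trace in the post, the summary shows a server-side alert arriving after the client's Finished (type 20), in a handshake where the server had sent a certificate request; that narrows where to look in the Logstash log.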