Saturday, May 30, 2015

Windows 2003 Server can't connect to any SSL sites.

Unfortunately we have some programs that require Windows Server 2003. While I hate having old, deprecated servers in my environment, sometimes that's the way it has to be.

This particular server is only used for one program and I don't usually have a need to log in or "fiddle" with it. A month ago I had to refresh the server and reinstall the program.

During the install I noticed that I wasn't able to go to any SSL sites. After some research, this turned out to be because Windows 2003 has no support for SHA-2 certificates. I eventually found a hotfix.

The hotfix is 315139_ENU_i386_zip.exe.

Unfortunately I can't find the KB article that lets you download this file. I found it from a forum post and I can't find that post anywhere.

The closest site I can find is this: https://support.microsoft.com/en-us/kb/968730.

Unfortunately it only gives the 64-bit version of the fix. The one I went to gave me a choice. Since I have Windows 2003 32-bit, I was able to select the i386 version.

If I find it I will update this post.

TLS POODLE vulnerability when using SSL LABS to check SSL security

I used a script to secure my SSL connection: remove the old SSL v2 and v3, move the stronger ciphers to the top, and remove the old weak ciphers.
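The post doesn't include the script itself, so here is an added example of the kind of Schannel hardening it describes, written for this page rather than taken from the author. On Windows Server 2008 R2 all of this lives in the registry: protocol switches under SCHANNEL\Protocols, per-cipher switches under SCHANNEL\Ciphers, and the cipher suite order under the SSL policy key. The cipher suite ordering is an assumption of mine, not something the post specifies; adjust it to what your clients need. Run it elevated and reboot afterwards, since Schannel only reads these keys at startup.

```powershell
# Added example (not the author's script): Schannel hardening on Windows Server 2008 R2 via the registry.
# Disables SSL 2.0 and SSL 3.0, disables weak ciphers, and sets a cipher suite order with stronger suites first.
# Run elevated; a reboot is required for Schannel to pick up the changes.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Protocols: disable SSL 2.0 and SSL 3.0 for both the server and client roles.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base "Protocols\$proto\$role"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# 2. Ciphers: disable NULL, DES and every RC4 strength. Several of these key names contain a
#    forward slash, which the PowerShell registry provider treats as a path separator, so the
#    .NET registry API is used here instead of New-Item.
$ciphersKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
foreach ($cipher in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $sub = $ciphersKey.CreateSubKey($cipher)
    $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}
$ciphersKey.Close()

# 3. Cipher suite order: ECDHE and SHA-2 suites first, plain RSA AES suites last.
#    This ordering is an assumption for the example; the names are the ones 2008 R2 understands.
$order = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
) -join ','
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $policyKey -Force | Out-Null
New-ItemProperty -Path $policyKey -Name 'Functions' -Value $order -PropertyType String -Force | Out-Null

# 4. Show what was written for the protocol keys before rebooting.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    Get-ItemProperty -Path (Join-Path $base "Protocols\$proto\Server") |
        Select-Object @{n='Protocol';e={$proto}}, Enabled, DisabledByDefault
}
```

One caveat worth knowing when reading an SSL Labs report: turning off SSL 3.0 this way addresses the original POODLE, which is an SSL 3.0 protocol weakness. SSL Labs reports "POODLE (TLS)" separately, for servers whose TLS stack does not check CBC padding correctly. That is an implementation bug, not a protocol setting, which is why a registry script cannot clear it and a patch can.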

However, SSL Labs kept telling me I was vulnerable to POODLE. I didn't know why, since I had removed SSL v3 (which should essentially remove any POODLE attacks).

After further inspection it was saying that my TLS was vulnerable to POODLE. After much research I found out I needed Windows6.1-KB2655992-x64. I am running Windows 2008 R2, but this patch fixes some TLS vulnerabilities and it fixed my TLS POODLE issue. I don't think that's what the patch is for, but it does fix it.

The patch also has versions for Windows 7, 32-bit versions of Windows 2008, etc.


Microsoft Bulletin

Saturday, May 2, 2015

ProtonMail

If you go to protonmail.ch they have a service where all your emails are encrypted. If you sign up and get accepted, you will have a password to log in and then another password to decrypt your emails.

They are located in Switzerland with their own set of privacy rules.

The thing is, of course, if you send to a Gmail, BellSouth, Yahoo, etc. account, it's not encrypted on their end. But you do have the choice of sending them an encrypted email with a time limit on it.

I've been using it for a few weeks and I do enjoy it.

Error 1312 when adding ssl cert

If you get an error when using netsh to add a cert thumbprint, make sure you have a private key attached to the cert. Also, make sure the c...
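As an added example of the check the post recommends (not code from the post), here is how to confirm the certificate is in the machine store with a private key before handing it to netsh. The thumbprint, port and appid are placeholders; the appid GUID in particular is whatever your application uses.

```powershell
# Added example (not from the post): verify a certificate has a private key before binding it with netsh.
# The thumbprint, port and appid below are placeholders; substitute your own.
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder thumbprint
$ipport     = '0.0.0.0:443'
$appid      = '{00000000-0000-0000-0000-000000000000}'      # placeholder GUID; use your application's own

# netsh binds from the machine store, so look only in LocalMachine\My.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "Certificate $thumbprint not found in LocalMachine\My; netsh requires the machine store."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key; reimport it from a PFX that includes the key."
}

# With the checks above passed, bind the certificate to the port.
& netsh http add sslcert "ipport=$ipport" "certhash=$thumbprint" "appid=$appid"
if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

# Show the resulting binding.
& netsh http show sslcert "ipport=$ipport"
```

If the certificate was issued from a CSR generated on the same machine and shows HasPrivateKey as false, `certutil -repairstore my <thumbprint>` re-links the certificate to the key that is still in the local key container; otherwise the fix is to import a PFX that carries the private key.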