@Oksana Note that TPM can be bypassed for the installation.

https://www.pcmag.com/news/microsoft-offers-tpm-20-bypass-to-install-windows-11-on-unsupported-pcs

@flaxking said in SSL/TLS client certificates questions:

Domain name doesn't matter, unless you're signing with a public CA. I'd think self-signed vs internal CA vs public CA would depend on what the authentication mechanism supports and how you have to manage the certificates. (i.e. if there are going to be a ton of them it might be easier for the authentication mechanism just to trust certificates signed by a certain internal CA rather than having to make each certificate trusted.

From what I've seen so far, I've come to the same conclusion.

Date/Time issue?

I have a laptop that isn't kicking back that TLS error in that Office tool. I have tried moving another system that does get the TLS error into the same OU as the laptop and ran gpupdate /force and rebooted, also brought Windows fully current and uninstalled Webroot. Can't figure out the difference

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@jaredbusch said in CentOS7 Server Apache Disable old TLS for higher versions:

@coliver said in CentOS7 Server Apache Disable old TLS for higher versions:

@DustinB3403 I really like this site for information on securing various web servers.

https://cipherli.st/

I just implemented their Nginx setting but getting back that TLSv1 was accepted?

https://www.ssllabs.com/ssltest/analyze.html?d=naggaroth.daerma.com

First line should read TLS1.2 if you don't have a version of Nginx that supports 1.3.

Correct. That is the only change I made to their config. I even reran dhparam

@stuartjordan said in Yealink T19PE2 FreePBX:

I personally like freepbx and will continue using it, the interface is a bit dated I must admit, but that doesn't bother me.

FreePBX interface is definitely dated. But also .... why would the interface ever matter that much? But even if it did, I've used 3CX and their interface was far worse.

I had some confusion because of the age of the old CSR. It doesn't line up with the correct dates. I'll edit my original post when I know more.

Had this error after installing a new commercial certificate. The error seems valid as my server hostname and certificate name do not match, but it is my understanding this name mismatch is allowed and should still work.

To resolve this I just ran these two commands as Zimbra user.
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0

I am slightly concerned as to the security implications of disabling these settings. I am still on ldap not ldaps and this is on CentOS 7.

@aaronstuder said in How to setup Nginx TLS certificate based Authentication (VPN alternative):

@emad-r 3650 🙂

One of the main reasons that normal certs cannot be bought with forever expiration is because then people would be less apt to update them as ciphers are broken.

Look at how many people still use(d) SSLv1 SHA1, etc., long after they were proven broken.

@zachary715 said in Certbot Apache plugin broken in Fedora 26:

@scottalanmiller said in Certbot Apache plugin broken in Fedora 26:

I ran into this issue, forgot about this thread, went through LetsEncrypt's threads and their solution for this problem led me... here! Very nice.

Just did the exact same thing. Let'sEncrypt forum had the link which led me here right about the time @JaredBusch was responding in my other thread.

It has been posted on here more than one time. I should probably find one of those posts and make @scottalanmiller tag it appropriately.

Edit: Or too slow..

@JaredBusch said in OpenSSL CSR with Subject Alternative Name:

@EddieJennings said in OpenSSL CSR with Subject Alternative Name:

@JaredBusch Correct. The "ye olde way" is how I've typically made a CSR and private key. The link I included talks about making a configuration file, which allows you to include SAN in your CSR.

Ah, did not read the link. Yes, using a config file is the only method to get any SAN on a cert with OpenSSL.

And after re-reading my post, I realized how terrible it was :(. I was hoping to find a one liner kind of thing, but alas. That particular article made it clear how to do it.

This way you can share the config(s) under conf.d between multiple machines using the same roles (or whatever Salt calls them) and have different main NGINX server settings.

@JaredBusch Awesome. Tks Jared. Tested and works beautifully!

@Mike-Davis said in Troubleshooting Postfix Authentication to Relay:

@jt1001001 said in Troubleshooting Postfix Authentication to Relay:

is there some sort of anti-spoofing settings with Intermedia?

That's probably what is going on. I was working with their support last night and they said they couldn't transfer me to a level 2 tech because I wasn't listed on the account. This tech also told me that they allow anonymous emails on port 25, so I knew I was working with the wrong guy.

Yes, bottom line here is that Intermedia is incompetent. Which has been a question for a long time - why would anyone use Intermedia when Office 365 does the same stuff for lower cost but has Microsoft themselves backing it?

eJwqC0f.png

This picture doesn't really say much, and now that they've fixed their inbound TLS issue, perhaps the unencrypted number will be a lot smaller from now on... just thought I'd share what they shared.

@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

I think what he meant was encrypted from the e-mail client (Outlook, Webmail) to the MD server.

That's confusing because it isn't email at that point but is just an internal application API. If it is Outlook, for example, it talks directly with Exchange as a client manipulating stuff on Exchange. If it is OWA, it's Exchange that you are looking at directly (the "email" is still on Exchange.)

SSLv2 shouldn't be running in the first place anymore. Ref: SSL Labs Documentation