RichardTheKiwi's questions

I have a site that has been bound to a new SSL certificate with SAN (4 additional names). The certificate has a 2048-bit key.

The problem is that it works on some browser/OS combinations but not on others.

• IE7 / Win XP - fail
• IE6 / Win 2003 - fail
• IE8 / Win XP / Corporate proxy - OK
• IE8 / Win 7 / OTHER Corporate proxy - fail
• IE9/10 / Win 7 - OK
• Chrome / Win 7 - OK
• Firefox / Win 7 - OK
• Chrome / Android - OK

Note: The two corporate proxies are very different organisations, in two separate countries.

I have installed Fiddler on the IE6 / Win 2003 (2nd on the list) and have captured this from the Inspectors\Raw tab:

IE6:

CONNECT sorry.site.not.disclosed:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; FDM; .NET4.0C; .NET4.0E)
Host: sorry.site.not.disclosed
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache

A SSLv2-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Major Version: 2
Minor Version: 0
Random: EA AE EB C5 20 0C 46 90 7F C1 E0 EE 47 BE 05 63
SessionID: empty
Ciphers: 
    [10080] SSL2_RC4_128_WITH_MD5
    [700C0] SSL2_DES_192_EDE3_WITH_MD5
    [30080] SSL2_RC2_128_WITH_MD5
    [60040] SSL2_DES_64_WITH_MD5
    [20080] SSL2_RC4_128_EXPORT40_WITH_MD5
    [40080] SSL2_RC2_128_EXPORT40_WITH_MD5
    [00FF]  TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Compression: 
(not specified)
Extensions: 
    none

Chrome:

CONNECT sorry.site.not.disclosed:443 HTTP/1.1
Host: sorry.site.not.disclosed
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 5.2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Major Version: 3
Minor Version: 2
Random: 51 4A 0D 68 FE C4 50 A9 26 43 9E 1A C2 E9 05 5C FE 5F CF 37 4D 20 96 FF 0E 2F 5E EB 16 C1 F2 20
SessionID: empty
Ciphers: 
    [C014]  TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [0088]  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
    [0087]  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
    [0039]  TLS_DHE_RSA_WITH_AES_256_SHA
    [0038]  TLS_DHE_DSS_WITH_AES_256_SHA
    [C00F]  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    [0084]  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    [0035]  TLS_RSA_AES_256_SHA
    [C011]  TLS_ECDHE_RSA_WITH_RC4_128_SHA
    [C013]  TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [0045]  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
    [0044]  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
    [0066]  TLS_DHE_DSS_WITH_RC4_128_SHA
    [0033]  TLS_DHE_RSA_WITH_AES_128_SHA
    [0032]  TLS_DHE_DSS_WITH_AES_128_SHA
    [C00C]  TLS_ECDH_RSA_WITH_RC4_128_SHA
    [C00E]  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    [0096]  TLS_RSA_WITH_SEED_CBC_SHA
    [0041]  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    [0005]  SSL_RSA_WITH_RC4_128_SHA
    [0004]  SSL_RSA_WITH_RC4_128_MD5
    [002F]  TLS_RSA_AES_128_SHA
    [C012]  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    [0016]  SSL_DHE_RSA_WITH_3DES_EDE_SHA
    [0013]  SSL_DHE_DSS_WITH_3DES_EDE_SHA
    [C00D]  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    [FEFF]  SSL_RSA_FIPS_WITH_3DES_EDE_SHA
    [000A]  SSL_RSA_WITH_3DES_EDE_SHA

Compression: 
    [00]    NO_COMPRESSION

Extensions: 
    server_name sorry.site.not.disclosed
    renegotiation_info  00
    elliptic_curves 00 06 00 17 00 18 00 19
    ec_point_formats    01 00
    SessionTicket TLS   empty
    NextProtocolNegotiation empty
    channel_id(GoogleDraft) empty
    status_request  01 00 00 00 00

When testing using SSLLabs, e.g. https://www.ssllabs.com/ssltest/analyze.html?d=mail.google.com

The site shows ONLY two options under cipher suites, and supports only TLS 1.0:

Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3.0 No          
SSL 2.0 No

Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)                                128         
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)                                

I have contacted Verisign (Australia) and the chap claims that all Verisign certificates support SSLv1, v2, v3, TLS.

So why does the IIS server not present it? Using a SELF-SIGNED wildcard certificate, I was able to get the same IIS server to report on SSLLabs:

Protocols
TLS 1.2  No 
TLS 1.1  No 
TLS 1.0  Yes 
SSL 3.0  Yes
SSL 2.0   INSECURE           Yes

Cipher Suites (SSLv3+ suites in server-preferred order, then SSLv2 suites where used)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)          128         
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)          256         
TLS_RSA_WITH_RC4_128_SHA (0x5)      128         
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)         168         
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)                128         
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)                256         
TLS_RSA_WITH_RC4_128_MD5 (0x4)     128         
SSL_DES_192_EDE3_CBC_WITH_MD5 (0x700c0)                168         
SSL_RC4_128_WITH_MD5 (0x10080)       128         

Where to look next?

Similar questions have been asked about 2008, but there appears to be a dearth of information on SQL Server 2012.

1. Does it require a reinstall?
2. Will it go through an upgrade process (and what does that entail) or is it just a magic SKU switch?
3. Is the process exactly the same going from any edition of Trial to any licensed edition?

What is the correct way to set up sshwindows for SSH key authentication? Does the user need to be created in Windows first or can a login be inserted into passwd without a Windows equivalent?

I've searched on Google and have tried the tutorials and quick start guides. So far, exactly 0 have worked.

None pointed out that to work in Windows 2008 R2, you need to change the properties of cygrunsrv.exe to "Windows XP SP3" compability mode to even get past the service startup "error 1067". Although it is running, no amount of configuration allowed me to log on to the SFTP server, even though I tried (from another machine):

• same user account added using "mkpasswd" + windows password
• same user account added using "mkpasswd" + public ssh key (added to /home/theuser/.ssh)

On Windows 2003 R2 (a different attempt), the service would crash every time it started up.

Some links I went through

• http://pigtail.net/LRP/printsrv/cygwin-sshd.html
• http://forevergeeks.com/how-to-setup-a-secure-ftp-sftp-site-with-openssh-on-windows/
• http://support.moonpoint.com/os/windows/server2003/openssh-service-not-starting.html

BOOTMGR IS MISSING
PRESS CTRL+ALT+DEL TO RESTART

Note: This is a VM on VMWare ESX server, but that should not matter

I put in the 2008 R2 x64 install dvd and can get to recovery, but it lists no Operating Systems. Clicking on Next brings me to

+===========================
System Recovery Options
+===========================
Choose a recovery tool
Operating system: Unknown or (Unknown) Local Disk
.....

Command Prompt

I start the command prompt, go to C:\ and perform a dir /a

Apart from files I put there myself, these are showing

$Recycle.Bin
Documents and Settings [C:\Users]
Program Files
Program Files (x86)
ProgramData
Recovery
System Volume Information
Temp
Users
Windows

Where to go next? Is it like the NTLDR problem with Windows 2003 where I can just drop a file in there and it will be hunky dory again?