
PlasticSCM and SSL configuration



Hi All,

 

We are attempting to configure PlasticSCM Server utilizing a signed CA Certificate. We create our Certificates in house and then sign them against an in-house CA authority instead of creating certificates through the documentation methods.

We have imported our signed CA certificate and then, using the MMC of Windows and certificates, have exported the certificate into a .pfx file. We included the private key with the .pfx file.

 

However, any attempt to log in using SSL (even local) ends up with the error: The server stopped the handshake.

 

We are attempting to use Active Directory authentication. We can connect using the nonsecured port but are having issues with the SSL. I cannot figure out why the server is refusing connections on the port. It is listening on it... But when we attempt to connect, the Debug log shows the following errors:

conn #: A call to SSPI failed, see inner exception.

 

Is there any other configuration or log file I can look into to figure out why the server keeps smacking our hands away?

 

Thanks!

Krelek1000


Hi!

 

Is "conn #: A call to SSPI failed, see inner exception." the only error you get?

 

What happens from the client side? What error do you get?

 

Did you change the server "remoting.conf" in order to have your new certificate info?

 

Is the default self-signed Plastic SCM certificate working?


Hi Manu,

 

Apologies about the delay in this response. Been working on other projects but finally had some time to devote to this one.

 

On the client side, we cannot connect to the server. It errors stating: The server stopped the handshake.

We did change everything to the new certificate information as well. Even the default one was not working.

 

Now, I installed Plastic SCM on an unmodified server (Windows 2012 R2) and it did work... However, when I went about hardening the SSL configuration on the Windows OS's Schannel, that is when the error started occurring again. I enabled FIPS 140-2 level encryption using a freeware tool called IIS Crypto (easier than modifying the registry manually); however, this tool is a bit old and could be disabling certain ciphers that Plastic SCM requires. Do you know which, or where in Plastic SCM I can set which ciphers to use for encrypted traffic, or is it all based upon the Schannel settings in the server/desktop?

 

We are attempting to use SCM v5.4.16.651...

Thanks!

Krelek1000


Aha! FIPS....

 

From the "5.4.16.700" release notes:

[New]
FIPS support
From now on, Plastic can be configured to be FIPS compliant, so all the implementation will be part of the Windows Platform FIPS validated cryptographic algorithms.
To configure it, add the following line to your server.conf and client.conf files:
<FIPSCompliant>true</FIPSCompliant>
Consider the following restrictions:
At this point, the server doesn't start in a FIPS machine until it is configured in FIPS mode.
The server log will say "LicenseReader - There was an error reading the license: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
Once the server is configured in FIPS mode, it will start normally.
The server doesn't start in a FIPS machine with an SSL channel unless there is the PFX certificate file 'ssl-certificate.pfx' to use SSL.
The server log will say "WARN Channel - Failed to autocreate sha256 self-signed certificate (file:C:\Program Files\PlasticSCM5\server\ssl-certificate.pfx)."
To use UP authentication mode in a FIPS machine it is necessary to configure the server in FIPS mode before adding users.
Otherwise when clicking OK in the "Enter username and password for new user", an error message box will appear saying that "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
Not compatible with other clients/servers that are not FIPS compliant
Not compatible with the cloud
Encrypted replication not available

Can you give it a try?

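A pre-flight check for the restrictions in the release notes quoted above, as an added example that is not part of the original thread or Plastic SCM's own tooling. The server directory is inferred from the log line in the release notes; the client.conf path and the function names are assumptions.

```powershell
# Added example: checks the FIPS-related preconditions listed in the release notes.
param(
    # Assumption: install layout inferred from the log line in the release notes.
    [string]$ServerDir  = 'C:\Program Files\PlasticSCM5\server',
    # Assumption: client.conf location; pass the real path for your install.
    [string]$ClientConf = 'C:\Program Files\PlasticSCM5\client\client.conf'
)

function Test-WindowsFipsPolicy {
    # Registry value behind "System cryptography: Use FIPS compliant algorithms".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $val = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.Enabled -eq 1)
}

function Test-PlasticFipsFlag([string]$Path) {
    # True only when the file exists and carries the element from the release notes.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $pattern = '<FIPSCompliant>\s*true\s*</FIPSCompliant>'
    return [bool](Select-String -LiteralPath $Path -Pattern $pattern -Quiet)
}

$osFips     = Test-WindowsFipsPolicy
$serverFlag = Test-PlasticFipsFlag (Join-Path $ServerDir 'server.conf')
$clientFlag = Test-PlasticFipsFlag $ClientConf
$pfxPresent = Test-Path -LiteralPath (Join-Path $ServerDir 'ssl-certificate.pfx') -PathType Leaf

[ordered]@{
    'Windows FIPS policy enabled'   = $osFips
    'server.conf has FIPSCompliant' = $serverFlag
    'client.conf has FIPSCompliant' = $clientFlag
    'ssl-certificate.pfx present'   = $pfxPresent
}.GetEnumerator() | Format-Table Name, Value -AutoSize

# Each warning maps to one restriction in the quoted release notes.
if ($osFips -and -not $serverFlag) {
    Write-Warning 'FIPS policy is on but server.conf lacks the flag: the server will not start.'
}
if ($osFips -and -not $pfxPresent) {
    Write-Warning 'No ssl-certificate.pfx in the server directory: the SSL channel will not start.'
}
if ($serverFlag -ne $clientFlag) {
    Write-Warning 'Client and server FIPS settings differ: FIPS and non-FIPS peers are not compatible.'
}
```

Run it on the server host; to check a client machine, pass that machine's `-ClientConf` path.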

Manu,

 

This answers all the issues then. It will take some time but we will need to get our hands on the latest version and then proceed with the configuration per your message above.

 

I will open another forum post if there are any issues but I believe it should work thanks to the support notes you mentioned above!

 

Thanks!

Krelek1000


Archived

This topic is now archived and is closed to further replies.
