Blog: SSL

Download and run the Cygwin installer from their web site: www.cygwin.com. OpenSSL is not one of the packages that Cygwin installs by default, so the important part of the install is explicitly selecting OpenSSL. You do this by searching for "openssl" on the "Select Packages" step, expanding the "Net" option, clicking on the "Skip" image so that a version number shows, and then clicking the "Next" button. Use the image below as a reference.

I had a problem using selfssl.exe (part of the IIS 6 resource kit) to generate more than one self-signed certificate on a specific server. The issue came up after I created a second self-signed certificate with a different CN. The certificate was installed on a separate site (same IP, different port) than the first one I generated. The behavior was very strange. As soon as I generated the second certificate, the site with the first certificate would not load at all. If the certificate was removed, it worked fine. So, I regenerated the first certificate with selfssl.exe and the second stopped working. After some searching, I found that some others have had this problem as well: http://blogs.msdn.com/david.wang/archive/2005/04/20/SelfSSL-Bug-with-websites.aspx. These certs have always worked fine, but I think it may be best to limit use to one self-signed certificate per server. Oh, and the blog post mentions a new version; it doesn't work either. The only way to get it to work is with ssldiag, but it is not a trivial process.

Use caution when installing an SSL certificate for OWA or OMA on a clustered Exchange server. When you configure Microsoft Outlook Web Access to use a Secure Sockets Layer (SSL) connection to a Microsoft Exchange Server 2003 computer, you may notice a dramatic increase in CPU usage by the Lsass.exe process and by the Resrcmon.exe process. The only way to get the processes back in check is to reboot the server. This problem occurs on an Exchange 2003 computer that is running in a Microsoft Windows Server 2003-based cluster.

Additionally, an Error event that is similar to the following is logged in the Application log:
Event Type: Error
Event Source: MSExchangeCluster
Event Category: Services
Event ID: 1014
Date: Date
Time: Time
User: N/A
Computer: Computer Name
Description: Exchange HTTP Virtual Server Instance - (GENESIS): IsAlive checking for this resource failed due to timeout

The solution is to install Exchange 2003 SP2, or you can call Microsoft for the hotfix. I actually like the approach of terminating SSL on the ISA server a little better. If the SSL tunnel is terminated on the ISA server, you can either initiate a second SSL tunnel to Exchange with a separate internal certificate, or redirect the traffic to port 80 on the inside interface. Terminating the SSL connection on the ISA server offloads the cryptographic processing from the Exchange server, which is usually a good idea.
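As an added example (not part of the original post), here is a small Python check that parses an Application-log text export in the same key/value layout as the event shown above and flags the MSExchangeCluster 1014 IsAlive-timeout records; the sample export and the computer name EXCH01 are constructed for illustration.

```python
"""Flag MSExchangeCluster IsAlive-timeout events in an exported Application log."""
import re

# Constructed sample export: one unrelated informational record followed by
# the IsAlive-timeout error described in the post. Records are blank-line separated.
SAMPLE_LOG = """\
Event Type: Information
Event Source: MSExchangeSA
Event Category: General
Event ID: 9003
Computer: EXCH01
Description: Microsoft Exchange System Attendant started successfully.

Event Type: Error
Event Source: MSExchangeCluster
Event Category: Services
Event ID: 1014
Computer: EXCH01
Description: Exchange HTTP Virtual Server Instance - (GENESIS): IsAlive checking for this resource failed due to timeout
"""

# Signature of the resource-monitor health check timing out.
ISALIVE_TIMEOUT = re.compile(r"IsAlive checking for this resource failed due to timeout")


def parse_records(text):
    """Split an export into records; each record is a dict of 'Key: value' fields.

    Only the first colon on a line separates key from value, so descriptions that
    themselves contain colons (as the Exchange one does) are kept intact."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def find_isalive_timeouts(text):
    """Return the records matching source MSExchangeCluster, ID 1014 and the timeout text."""
    return [
        rec for rec in parse_records(text)
        if rec.get("Event Source") == "MSExchangeCluster"
        and rec.get("Event ID") == "1014"
        and ISALIVE_TIMEOUT.search(rec.get("Description", ""))
    ]


def timeouts_by_computer(text):
    """Count matching events per cluster node, to see which node is affected."""
    counts = {}
    for rec in find_isalive_timeouts(text):
        host = rec.get("Computer", "unknown")
        counts[host] = counts.get(host, 0) + 1
    return counts
```

Run the check against a saved export and a non-zero count for a node is the cue to look at Lsass.exe and Resrcmon.exe CPU on that node.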