https connection errors/chained certificates issue

[SyNeo]

Hi.

After several days of testing, I can surely say that there are some issues regarding SSL with the current lshttpd 2.1 RC2.

First of all, the most serious issue is that some users simply can't connect to the secured site. They are getting "page not found" error. Users from other computers can access the site sucesfully.

I noticed that if the users having problem are swtiching the from IE to Firefox, they are able to connect sucessfully as well. Lowering the encryption level didn't help.


The second issue is the ocassional "This certifticate is expired or not valid yet" which is popping 1 to 5-7 clicks. Checking the certifications chain in IE lock shows that Verisign CA certificate was expired in 2004. Reloading the page, or any other page for that matter, shows that the Verisign CA will expire at 2011.

I merged both the server, and the Verisign CA certificate to one file, and set "Chained Certificate" to ON at the SSL listener control panel. The notice still appears regulary.

 

[mistwang]

We will investigate those issues, the problem should be inside openssl toolkit, maybe need some tweaks.

If you don't mind, please tell us the url of your web site. We'd like to give it a try.

 

[SyNeo]

Hi.

Please see PM.

Update: BTW, I forgot to add that it seems that Firefox also encounters similar certificate problems, and thus display a warning message, saying that the certificate is possibly invalid, and suggests to temporary allow browsing to the site. Therefore, it seems as both browser having some trouble with the SSL, and the issue is specifically on the server side.

Thanks.

 

[mistwang]

Got it. We will investigate the problem.

Can you tell me more information about browsers that cannot connect? version and platform.

I think ssl negotiation failed between the browser and server about encryption cipher to be used. please try change the ssl cihers setting for the ssl listener manually to
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP, which is Apache mod_ssl's default, then restart the server, see if it help.

The certificate problem probably has something to do with the SSL session cache. For some reason, some necessary certificate information has not been sent, maybe due to SSL session cache. We will find out.

George Wang

 

[SyNeo]

Hi.

The mentioned change to the ciphers section didn't help - the users still have connection problems.

The version of IE is: 6.0.2900.2180.xpsp_sp2_gdr.050301-1519, Cipher Strength: 128-bit, and the platform is Windows XP SP2.

Thanks.

 

[mistwang]

The mentioned change to the ciphers section didn't help - the users still have connection problems.

The version of IE is: 6.0.2900.2180.xpsp_sp2_gdr.050301-1519, Cipher Strength: 128-bit, and the platform is Windows XP SP2.

That's strange, I am using the same version, no problem at all, not even the expiration problem.

I do have untrusted certificate problem with firefox, will add a CA path configuration which matches Apache's, see if that help.

 

[SyNeo]

Hi.

That's strange, I am using the same version, no problem at all, not even the expiration problem.

It's exactly the problem - I have the same version and the site works great, with occasional SSL warnings. An another PC near me, with identical setup and the same version of browser and OS, can't connect to the site at all.

Thanks.

 

[mistwang]

Please check the SSL setting of that IE, make sure at least one SSL check box has been checked under Tools->Internet options->"Advanced" Tab->Security. I can access the web site unless all SSL check boxes have been unchecked.

 

[SyNeo]

Hi.

I verified the settings, both the SSL2 and SSL3 are checked. I tried to check the TLS1 as well to see if it works, but it still didn't help.

I tried to check the communication between the browser and the server via HTTP Watch (http/s sniffer), and that's what I received - perhaps it will shed some light:

"HTTP Request Unconditional request sent for https://****************/ ERROR_HTTP_INVALID_SERVER_RESPONSE". No headers or data are returned.

The same browser connecting to an Apache server via SSL, will return the following:
"HTTP Request Unconditional request sent for https://***************/ completed", and will return the headers and the data.

 

[mistwang]

Looks like the problem is definitely on the server side.

Does that machine have its own dedicate public IP address or behind NAT? Can you access the web site via firefox on that machine?
Maybe the server for some reason don't like that IP address and drop the connection. Is there any access rule configured?

Thanks,
George

 

[SyNeo]

Hi.

Both my PC, and this machine are in the same LAN, behind a NAT. We both share the same IP address. There is no access rule configured to prevent an access from this IP.

Firefox can access the site without any problems from this machine, but occasionally presents the "certificate expired message".

 

[mistwang]

Please try 2.1RC3, CA certificate configuration has been added, see if it help with the certificate expiring problem.

Occiationally, I can get connection problem from another laptop behind a NAT, a refresh usually fix it, but it takes pretty long time for the SSL handshake, and the certificate always shows as expired.

 

[mistwang]

Looks like the IE waits for the CA certificate, but the server did not send one, please double check that the chained certificate is being used, and chained certificate is set to "Yes".

If it is, then switch to the standalone server certificate and configure the CA Certifcate File just like what you will do with Apache after upgrading to RC3. The chained certificate should have the same effect though.

 

[mistwang]

Find the problem.

The chained certificates has been loaded as a non-chained certificate, only the first certificate in the file has been loaded, so it will not be trusted by browsers.

With the updated RC3 release, chained certificates should have the same effect as server certificate + CA certificate.

I hope it is the cause of the connection problem as well.

 

[SyNeo]

It works great now, and I haven't encountered any expiration warnings so far.

Thanks for the quick response!