Hi Ann,

Nice long write up :-)
I can't open the URL in IE and I get the error in Servers Alive as you
described.
I'm now checking with the developer of the HTTPS checking component what
can be the reason and what can be done about it.
I'll keep you (as always) updated on this.



Dirk;
 

-----Original Message-----
From: Servers Alive Discussion List [mailto:salive@woodstone.nu] On Behalf
Of Ann Lynnworth
Sent: Saturday, March 14, 2015 9:51 AM
To: Servers Alive Discussion List
Subject: [SA-list] SSL handshake failed - custom https application

I'm having a problem trying to make an SSL connection from Servers Alive to
my self-made https application using a self-made certificate generated by
openssl.  The https url works fine from Google Chrome and Firefox as long as
I install the root certificate on the client machine (for Chrome) or into
the browser (for Firefox).  No matter what I do, I cannot get IE10 or IE11
to visit the site.  (Note: Same https web application installed on various
machines and Windows versions all give the same result.)

I guess that SAlive uses the same Windows OS core components as Internet
Explorer, and therefore SAlive refuses to do the SSL handshake.  Is that
basically accurate?

I have reviewed http://support.microsoft.com/en-us/kb/2661254 in great
detail. My root cert and my web site cert both use 2048 bits.

Many web sites indicate that IE and Chrome use the same crypto logic, but
that has not been my experience at all.  Chrome responds immediately once
the root cert is trusted - no reboot required.  IE never progresses.

I have tested my cert from as many angles as possible, including using the
DigiCert inspector, from which it receives an A rating.

And I have tried enabling all the old insecure SSL 2, 3, plus TLS 1, 1.1,
1.2 options in Internet Explorer options under Advanced... Security, and
none of that makes any difference.

By now I hope you are curious enough to test a link and tell me whether you
can get it to open in IE10, IE11 and/or Servers Alive!
https://lite.demos.href.com:8453/
(This link is active now and will be for a little while; apologies to
future readers, it probably will not stay open once this conversation ends.)

I am quite willing to have the root certificate trusted on the machine that
runs Servers Alive (and it is, as evidenced by Chrome being able to open the
page).

I have also tried the advice on
http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/
about disabling the auto update of the root list; that did not help.

Just in case I was misreading the '2048' in the public key details, I tried
the advice of logging details about < 1024bit certificates (from the answer
on
https://social.technet.microsoft.com/Forums/windows/en-US/2719388a-840a-492c-a509-42804860ee9a/unable-to-open-https-site-with-not-trusted-certificate-on-ie10?forum=w8itprogeneral
) and nothing gets logged when I use the web page from Chrome or Firefox
or IE.

Thank you for reading and especially for any solution.

Ann

To unsubscribe send a message with UNSUBSCRIBE in the subject line to
salive@woodstone.nu
If you use auto-responders (like out-of-the-office messages), make sure that
they are not sent to the list nor to individual members.  Doing so will cause
you to be automatically removed from the list.
