Hi Dirk,

Thank you - this is not an emergency but I definitely look forward to 
some new clues.

Murphy's Law: that demo server is offline for a while.  Here is a second 
URL with the same issue:
https://db.demos.href.com:8057/

Best,
Ann



On 3/14/2015 10:50 AM, dirk wrote:
> Hi Ann,
>
>
> Nice long write up :-)
> I can't open the URL in IE and I get the error in Servers Alive as you
> described.
> I'm now checking with the developer of the HTTPS checking component what
> can be the reason and what can be done about it.
> I'll keep you (as always) updated on this.
>
>
>
> Dirk;
>   
>
> -----Original Message-----
> From: Servers Alive Discussion List [mailto:salive@woodstone.nu] On Behalf
> Of Ann Lynnworth
> Sent: Saturday, March 14, 2015 9:51 AM
> To: Servers Alive Discussion List
> Subject: [SA-list] SSL handshake failed - custom https application
>
> I'm having a problem trying to make an SSL connection from Servers Alive to
> my self-made https application using a self-made certificate generated by
> openssl.  The https url works fine from Google Chrome and Firefox as long as
> I install the root certificate on the client machine (for chrome) or into
> the browser (for firefox).  No matter what I do, I
> cannot get IE10 or IE11 to visit the site.   (Note: Same https web
> application installed on various machines and Windows versions all give the
> same result.)
>
> I guess that SAlive uses the same Windows OS core components as Internet
> Explorer, and therefore SAlive refuses to do the SSL handshake.  Is that
> basically accurate?
>
> I have reviewed http://support.microsoft.com/en-us/kb/2661254 in great
> detail. My root cert and my web site cert both use 2048 bits.
>
> Many web sites indicate that IE and Chrome use the same crypto logic, but
> that has not been my experience at all.  Chrome responds immediately once
> the root cert is trusted - no reboot required.  IE never progresses.
>
> I have tested my cert from as many angles as possible, including using the
> DigiCert inspector, from which it receives an A rating.
>
> And I have tried enabling all the old insecure SSL 2, 3, plus TLS 1, 1.1,
> 1.2 options in Internet Explorer options under Advanced....
> Security, and none of that makes any difference.
>
> By now I hope you are curious enough to test a link and tell me whether you
> can get it to open in IE10, IE11 and/or Servers Alive!
> https://lite.demos.href.com:8453/   (( This link is active now and will
> be for a little while; apologies to future readers, it probably will not
> stay open once this conversation ends.   ))
>
> I am quite willing to have the root certificate trusted on the machine that
> runs Servers Alive (and it is, as evidenced by Chrome being able to open the
> page).
>
> I have also tried the advice on
> http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/
> about disabling the auto update of the root list; that did not help.
>
> Just in case I was misreading the '2048' in the public key details, I tried
> the advice of logging details about < 1024bit certificates (from the answer
> on
> https://social.technet.microsoft.com/Forums/windows/en-US/2719388a-840a-492c-a509-42804860ee9a/unable-to-open-https-site-with-not-trusted-certificate-on-ie10?forum=w8itprogeneral
> )   and nothing gets logged when I use the web page from Chrome or
> Firefox or IE.
>
> Thank you for reading and especially for any solution.
>
> Ann
>
> To unsubscribe send a message with UNSUBSCRIBE in the subject line to
> salive@woodstone.nu If you use auto-responders (like out-of-the-office
> messages), make sure that they are not sent to the list nor to individual
> members.  Doing so will cause you to be automatically removed from the list.
>
