Just got a response from the developer.
IF they need to support TLS 1.2 they need to convert ALL of their components
from OpenSSL 0.9.8 to 1.0.2.  This is something they will do, but this is
clearly not something that will happen overnight.
Also the point he's making is that (and I'll quote him on this) "and yet
no one forces TLS 1.2 as only available protocol."
I suppose that if you enable other protocols than TLS 1.2, it should
work fine.  Is that an option?  Can you try that?



Dirk. 
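Editor's note, added to the thread and not written by Dirk, Ann or the
component's developer: the suggestion above (let the server accept a protocol
version the old client can speak) comes down to the TLS version negotiation
rule from RFC 5246. The example below builds the ClientHello a TLS 1.0-only
client would send, parses it the way a server does, and applies the
pre-TLS-1.3 selection rule against two server policies: "TLS 1.2 only" and
"TLS 1.0 through 1.2". The cipher suite, the all-zero random and the
server_min/server_max policy model are constructed for the example; real
servers express the same policy through options such as OpenSSL's
SSL_OP_NO_TLSv1. The version negotiated here is a property of the handshake,
not of the certificate.

```python
"""Added example (not from the mailing-list thread): TLS ClientHello
builder/parser plus the server-side version selection rule for TLS <= 1.2.
Everything runs in-process on constructed bytes; nothing touches the network."""
import struct

TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
VERSION_NAMES = {0x0300: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}

# Alert descriptions from RFC 5246 section 7.2
ALERT_PROTOCOL_VERSION = 70


def build_client_hello(client_version, cipher_suites):
    """Return a complete TLS record (record header + Handshake/ClientHello).
    client_version is the highest version the client supports (RFC 5246 7.4.1.2)."""
    random_bytes = b"\x00" * 32  # constructed: fixed "random" so the example is deterministic
    body = struct.pack("!H", client_version) + random_bytes
    body += b"\x00"  # session_id length 0
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    # Handshake header: type 1 = client_hello, 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 = handshake, record-layer version, 16-bit length
    return b"\x16" + struct.pack("!H", TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher_suites]) from a ClientHello record; raise ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32  # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def negotiate_version(client_version, server_min, server_max):
    """Server rule for TLS <= 1.2: take the highest version both sides support.
    Returns ("ok", version) or ("alert", ALERT_PROTOCOL_VERSION).
    server_min/server_max are a constructed model of the server's enabled-protocol policy."""
    chosen = min(client_version, server_max)
    if chosen < server_min:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("ok", chosen)


def simulate(client_max, server_min, server_max):
    """One handshake attempt: client builds a ClientHello, server parses it and answers."""
    # 0x002F = TLS_RSA_WITH_AES_128_CBC_SHA, a constructed choice of one common suite
    record = build_client_hello(client_max, [0x002F])
    version, _suites = parse_client_hello(record)
    status, value = negotiate_version(version, server_min, server_max)
    if status == "ok":
        return "handshake continues with " + VERSION_NAMES[value]
    return "server sends alert protocol_version(%d): SSL handshake failed" % value


if __name__ == "__main__":
    # A TLS 1.0-only client against a TLS 1.2-only server fails at the version check ...
    print(simulate(TLS10, TLS12, TLS12))
    # ... and succeeds as soon as the server also enables TLS 1.0.
    print(simulate(TLS10, TLS10, TLS12))
```

The first call reproduces the failure in the thread: the client's highest
version is below the server's minimum, so the server answers with a
protocol_version alert before any certificate is examined. The second call
shows the effect of Dirk's suggestion. TLS 1.3 replaced this single-field
rule with the supported_versions extension, but the 2015 components in this
thread predate that.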

-----Original Message-----
From: Servers Alive Discussion List [mailto:salive@woodstone.nu] On Behalf
Of dirk
Sent: Sunday, March 15, 2015 7:16 PM
To: Servers Alive Discussion List
Subject: RE: [SA-list] SSL handshake failed - custom https application

Servers Alive is not using the same core components as IE.
For the HTTP(S) checks we're using a component that is based on OpenSSL
0.9.8.
OpenSSL 0.9.8 does not support TLS 1.2, which is the version of your
self-signed cert.
That's why the check in Servers Alive is failing.


I'm checking with the developer of the HTTP(S) checking component if/when
he will add support for TLS 1.2 (probably meaning that he will have to move
away from the usage of OpenSSL 0.9.8 to OpenSSL 1.x).  And this might be a
HUGE change in his code, so I don't expect this to be soon.  But for the
moment the answer I got was from one of the support people and not yet from
the developer, so who knows, he might give me better news :-)


Dirk.

-----Original Message-----
From: Servers Alive Discussion List [mailto:salive@woodstone.nu] On Behalf
Of Ann Lynnworth
Sent: Saturday, March 14, 2015 9:51 AM
To: Servers Alive Discussion List
Subject: [SA-list] SSL handshake failed - custom https application

I'm having a problem trying to make an SSL connection from Servers Alive to
my self-made https application using a self-made certificate generated by
openssl.  The https url works fine from Google Chrome and Firefox as long as
I install the root certificate on the client machine (for chrome) or into
the browser (for firefox).  No matter what I do, I cannot get IE10 or IE11
to visit the site.  (Note: Same https web application installed on various
machines and Windows versions all give the same result.)

I guess that SAlive uses the same Windows OS core components as Internet
Explorer, and therefore SAlive refuses to do the SSL handshake.  Is that
basically accurate?

I have reviewed http://support.microsoft.com/en-us/kb/2661254 in great
detail. My root cert and my web site cert both use 2048 bits.

Many web sites indicate that IE and Chrome use the same crypto logic, but
that has not been my experience at all.  Chrome responds immediately once
the root cert is trusted - no reboot required.  IE never progresses.

I have tested my cert from as many angles as possible, including using the
DigiCert inspector, from which it receives an A rating.

And I have tried enabling all the old insecure SSL 2, 3, plus TLS 1, 1.1, 1.2
options in Internet Explorer options under Advanced... Security, and none of
that makes any difference.

By now I hope you are curious enough to test a link and tell me whether you
can get it to open in IE10, IE11 and/or Servers Alive!
https://lite.demos.href.com:8453/   (( This link is active now and will
be for a little while; apologies to future readers, it probably will not
stay open once this conversation ends. ))

I am quite willing to have the root certificate trusted on the machine that
runs Servers Alive (and it is, as evidenced by Chrome being able to open the
page).

I have also tried the advice on
http://netsekure.org/2011/04/automatic-ca-root-certificate-updates-on-windows/
about disabling the auto update of the root list; that did not help.

Just in case I was misreading the '2048' in the public key details, I tried
the advice of logging details about < 1024-bit certificates (from the answer
on
https://social.technet.microsoft.com/Forums/windows/en-US/2719388a-840a-492c-a509-42804860ee9a/unable-to-open-https-site-with-not-trusted-certificate-on-ie10?forum=w8itprogeneral
) and nothing gets logged when I use the web page from Chrome or Firefox or
IE.

Thank you for reading and especially for any solution.

Ann

To unsubscribe send a message with UNSUBSCRIBE in the subject line to
salive@woodstone.nu If you use auto-responders (like out-of-the-office
messages), make sure that they are not sent to the list nor to individual
members.  Doing so will cause you to be automatically removed from the list.