sslv3/internet explorer issue (Apache Web Server forums, Web Server and Related Forums category)
Hello:

I have been trying to figure this out off and on over the last year, and having just spent several more evenings working on it, I am still making no progress.

A year ago, I set up my own CA while learning to do IPSec, and since I had the CA constructed, I decided to put my webmail subdomain behind a secure connection. I did get it working, but only ever by disabling ssl3 and making sure ssl2 was enabled in internet explorer and firefox. Well, in the last year, both firefox and vista are now causing me grief in that neither of them want to work with my ssl2 work around - and fair enough, I should have moved on already anyway....

So last week, I decided to start all over. I set up a new CA and created myself a certificate for my internal web server. I set up apache to use the cert on one of my internal sites; apache starts without errors. When I browse to the site with firefox from my linux workstation or my windows laptop, I get a dialogue to accept the certificate, then I get the page. Exactly as expected, everything works. When I access the site with my windows laptop using ie7, I get the warning page that allows me to continue (not recommended), and then a "page cannot be displayed" error.

I have tried a slew of different CipherSuite arguments, but the only time I can get it working is when I !SSLv3 and +SSLv2, and make sure sslv2 is selected in the internet options. I have tried several example CipherSuites found on the net and then taken one cipher away at a time. I have done considerable searching trying to find the magic cipher combination, or the magic setting that is not enabled, yet I am just having no luck. I have been sifting through pages and pages of examples and information, but have become mired.

When I use cURL I get the report about no trusted CA, and when I use it with the --cacert argument, I get what I expect is legitimate output (html code). When I ssldump, I see the traffic go through to the application data part using firefox, but it stops just short of there when I use ie7. I am not a good interpreter of ssldump yet, but it appears that client and server finish a few rounds of negotiation, then the client simply stops responding. When I use openssl s_client to connect, providing the cacert.pem file, it connects and gives me all sorts of information about the cert on the server, though it does say "No client certificate CA names sent". From what I understand, since I am not asking the client to authenticate, this message is expected and does not indicate an error.

Apache logs are also leading me nowhere: with firefox, I get no error, yet with ie7 I get an "OpenSSL: I/O error", followed by "(70014)End of file found: SSL input filter read failed.", and then followed by "OpenSSL: Write: SSL negotiation finished successfully". So it is failing successfully? Argh! Of course, Firefox does not experience such an end of file or I/O error.

I have included things like the MSIE SetEnvIf directive, the SSLSessionCache directive in my apache2.conf file, and several other suggestions as found on google, but none of them have worked. I have searched extensively on every clue I could find as to why the problem persists. I know of examples where other sites have used self-signed certs (though I am not sure if they are using self-signed CAs), and internet explorer works with them using sslv3. Given that everything seems to work with firefox, I am operating under the assumption that my certificates are correct, that my apache configs are "correct", and that it is internet explorer that is broken (a supposition, it seems, that is widely supported by other sysadmins). However, given the number of users of that product, I consider it important to be able to make it work.

To avoid making this message overly long, I am not posting relevant configs or log entries, though I can most certainly make them available if anyone would be willing to help me decipher them further. If anyone has any suggestions or further documentation I could read regarding troubleshooting this issue, I would most certainly appreciate it.

bobloblian wrote:
> Hello:
>
> I have been trying to figure this out off and on over the last year, and having just spent several more evenings working on it, I am still making no progress.
>
> A year ago, I set up my own CA while learning to do IPSec, and since I had the CA constructed, I decided to put my webmail subdomain behind a secure connection. I did get it working, but only ever by disabling ssl3 and making sure ssl2 was enabled in internet explorer and firefox. Well, in the last year, both firefox and vista are now causing me grief in that neither of them want to work with my ssl2 work around - and fair enough, I should have moved on already anyway....
>
> So last week, I decided to start all over. I set up a new CA and created myself a certificate for my internal web server. I set up apache to use the cert on one of my internal sites; apache starts without errors. When I browse to the site with firefox from my linux workstation or my windows laptop, I get a dialogue to accept the certificate, then I get the page. Exactly as expected, everything works. When I access the site with my windows laptop using ie7, I get the warning page that allows me to continue (not recommended), and then a "page cannot be displayed" error.
>
> I have tried a slew of different CipherSuite arguments, but the only time I can get it working is when I !SSLv3 and +SSLv2, and make sure sslv2 is selected in the internet options. I have tried several example CipherSuites found on the net and then taken one cipher away at a time. I have done considerable searching trying to find the magic cipher combination, or the magic setting that is not enabled, yet I am just having no luck. I have been sifting through pages and pages of examples and information, but have become mired.
>
> When I use cURL I get the report about no trusted CA, and when I use it with the --cacert argument, I get what I expect is legitimate output (html code). When I ssldump, I see the traffic go through to the application data part using firefox, but it stops just short of there when I use ie7. I am not a good interpreter of ssldump yet, but it appears that client and server finish a few rounds of negotiation, then the client simply stops responding. When I use openssl s_client to connect, providing the cacert.pem file, it connects and gives me all sorts of information about the cert on the server, though it does say "No client certificate CA names sent". From what I understand, since I am not asking the client to authenticate, this message is expected and does not indicate an error.
>
> Apache logs are also leading me nowhere: with firefox, I get no error, yet with ie7 I get an "OpenSSL: I/O error", followed by "(70014)End of file found: SSL input filter read failed.", and then followed by "OpenSSL: Write: SSL negotiation finished successfully". So it is failing successfully? Argh! Of course, Firefox does not experience such an end of file or I/O error.
>
> I have included things like the MSIE SetEnvIf directive, the SSLSessionCache directive in my apache2.conf file, and several other suggestions as found on google, but none of them have worked. I have searched extensively on every clue I could find as to why the problem persists. I know of examples where other sites have used self-signed certs (though I am not sure if they are using self-signed CAs), and internet explorer works with them using sslv3. Given that everything seems to work with firefox, I am operating under the assumption that my certificates are correct, that my apache configs are "correct", and that it is internet explorer that is broken (a supposition, it seems, that is widely supported by other sysadmins). However, given the number of users of that product, I consider it important to be able to make it work.
>
> To avoid making this message overly long, I am not posting relevant configs or log entries, though I can most certainly make them available if anyone would be willing to help me decipher them further. If anyone has any suggestions or further documentation I could read regarding troubleshooting this issue, I would most certainly appreciate it.

I've had users before where IE7 simply refuses to accept any SSL certificate that's not signed by a trusted authority, this could be it.

Have you tried with IE6?

--
DM davidm@cia.com.au
The funny .sig is in the wash, I am your replacement.

On Jul 25, 10:22 pm, David McKenzie <dav...@cia.com.au> wrote:
> bobloblian wrote:
> > Hello:
> >
> > I have been trying to figure this out off and on over the last year, and having just spent several more evenings working on it, I am still making no progress.
> >
> > A year ago, I set up my own CA while learning to do IPSec, and since I had the CA constructed, I decided to put my webmail subdomain behind a secure connection. I did get it working, but only ever by disabling ssl3 and making sure ssl2 was enabled in internet explorer and firefox. Well, in the last year, both firefox and vista are now causing me grief in that neither of them want to work with my ssl2 work around - and fair enough, I should have moved on already anyway....
> >
> > So last week, I decided to start all over. I set up a new CA and created myself a certificate for my internal web server. I set up apache to use the cert on one of my internal sites; apache starts without errors. When I browse to the site with firefox from my linux workstation or my windows laptop, I get a dialogue to accept the certificate, then I get the page. Exactly as expected, everything works. When I access the site with my windows laptop using ie7, I get the warning page that allows me to continue (not recommended), and then a "page cannot be displayed" error.
> >
> > I have tried a slew of different CipherSuite arguments, but the only time I can get it working is when I !SSLv3 and +SSLv2, and make sure sslv2 is selected in the internet options. I have tried several example CipherSuites found on the net and then taken one cipher away at a time. I have done considerable searching trying to find the magic cipher combination, or the magic setting that is not enabled, yet I am just having no luck. I have been sifting through pages and pages of examples and information, but have become mired.
> >
> > When I use cURL I get the report about no trusted CA, and when I use it with the --cacert argument, I get what I expect is legitimate output (html code). When I ssldump, I see the traffic go through to the application data part using firefox, but it stops just short of there when I use ie7. I am not a good interpreter of ssldump yet, but it appears that client and server finish a few rounds of negotiation, then the client simply stops responding. When I use openssl s_client to connect, providing the cacert.pem file, it connects and gives me all sorts of information about the cert on the server, though it does say "No client certificate CA names sent". From what I understand, since I am not asking the client to authenticate, this message is expected and does not indicate an error.
> >
> > Apache logs are also leading me nowhere: with firefox, I get no error, yet with ie7 I get an "OpenSSL: I/O error", followed by "(70014)End of file found: SSL input filter read failed.", and then followed by "OpenSSL: Write: SSL negotiation finished successfully". So it is failing successfully? Argh! Of course, Firefox does not experience such an end of file or I/O error.
> >
> > I have included things like the MSIE SetEnvIf directive, the SSLSessionCache directive in my apache2.conf file, and several other suggestions as found on google, but none of them have worked. I have searched extensively on every clue I could find as to why the problem persists. I know of examples where other sites have used self-signed certs (though I am not sure if they are using self-signed CAs), and internet explorer works with them using sslv3. Given that everything seems to work with firefox, I am operating under the assumption that my certificates are correct, that my apache configs are "correct", and that it is internet explorer that is broken (a supposition, it seems, that is widely supported by other sysadmins). However, given the number of users of that product, I consider it important to be able to make it work.
> >
> > To avoid making this message overly long, I am not posting relevant configs or log entries, though I can most certainly make them available if anyone would be willing to help me decipher them further. If anyone has any suggestions or further documentation I could read regarding troubleshooting this issue, I would most certainly appreciate it.
>
> I've had users before where IE7 simply refuses to accept any SSL certificate that's not signed by a trusted authority, this could be it.
>
> Have you tried with IE6?
>
> --
> DM dav...@cia.com.au
>
> The funny .sig is in the wash, I am your replacement.

Hi David:

Thanks for your reply. IE6 also only works with sslv2 and not sslv3.

On Jul 25, 10:22 pm, David McKenzie <dav...@cia.com.au> wrote:
> bobloblian wrote:
> > Hello:
> >
> > I have been trying to figure this out off and on over the last year, and having just spent several more evenings working on it, I am still making no progress.
> >
> > A year ago, I set up my own CA while learning to do IPSec, and since I had the CA constructed, I decided to put my webmail subdomain behind a secure connection. I did get it working, but only ever by disabling ssl3 and making sure ssl2 was enabled in internet explorer and firefox. Well, in the last year, both firefox and vista are now causing me grief in that neither of them want to work with my ssl2 work around - and fair enough, I should have moved on already anyway....
> >
> > So last week, I decided to start all over. I set up a new CA and created myself a certificate for my internal web server. I set up apache to use the cert on one of my internal sites; apache starts without errors. When I browse to the site with firefox from my linux workstation or my windows laptop, I get a dialogue to accept the certificate, then I get the page. Exactly as expected, everything works. When I access the site with my windows laptop using ie7, I get the warning page that allows me to continue (not recommended), and then a "page cannot be displayed" error.
> >
> > I have tried a slew of different CipherSuite arguments, but the only time I can get it working is when I !SSLv3 and +SSLv2, and make sure sslv2 is selected in the internet options. I have tried several example CipherSuites found on the net and then taken one cipher away at a time. I have done considerable searching trying to find the magic cipher combination, or the magic setting that is not enabled, yet I am just having no luck. I have been sifting through pages and pages of examples and information, but have become mired.
> >
> > When I use cURL I get the report about no trusted CA, and when I use it with the --cacert argument, I get what I expect is legitimate output (html code). When I ssldump, I see the traffic go through to the application data part using firefox, but it stops just short of there when I use ie7. I am not a good interpreter of ssldump yet, but it appears that client and server finish a few rounds of negotiation, then the client simply stops responding. When I use openssl s_client to connect, providing the cacert.pem file, it connects and gives me all sorts of information about the cert on the server, though it does say "No client certificate CA names sent". From what I understand, since I am not asking the client to authenticate, this message is expected and does not indicate an error.
> >
> > Apache logs are also leading me nowhere: with firefox, I get no error, yet with ie7 I get an "OpenSSL: I/O error", followed by "(70014)End of file found: SSL input filter read failed.", and then followed by "OpenSSL: Write: SSL negotiation finished successfully". So it is failing successfully? Argh! Of course, Firefox does not experience such an end of file or I/O error.
> >
> > I have included things like the MSIE SetEnvIf directive, the SSLSessionCache directive in my apache2.conf file, and several other suggestions as found on google, but none of them have worked. I have searched extensively on every clue I could find as to why the problem persists. I know of examples where other sites have used self-signed certs (though I am not sure if they are using self-signed CAs), and internet explorer works with them using sslv3. Given that everything seems to work with firefox, I am operating under the assumption that my certificates are correct, that my apache configs are "correct", and that it is internet explorer that is broken (a supposition, it seems, that is widely supported by other sysadmins). However, given the number of users of that product, I consider it important to be able to make it work.
> >
> > To avoid making this message overly long, I am not posting relevant configs or log entries, though I can most certainly make them available if anyone would be willing to help me decipher them further. If anyone has any suggestions or further documentation I could read regarding troubleshooting this issue, I would most certainly appreciate it.
>
> I've had users before where IE7 simply refuses to accept any SSL certificate that's not signed by a trusted authority, this could be it.
>
> Have you tried with IE6?
>
> --
> DM dav...@cia.com.au
>
> The funny .sig is in the wash, I am your replacement.

A friend of mine uses Plesk, and his admin panel gives me a certificate error: "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store". Does this error not imply that the certificate is in the same state of distrust as mine? Or is that a difference of using an apache-self-signed cert as opposed to a cert from an untrusted CA?

On Jul 26, 12:19 am, bobloblian <b...@computerisms.ca> wrote:
> ... I have searched extensively on every clue I could find as to why the problem persists. I know of examples where other sites have used self-signed certs (though I am not sure if they are using self-signed CAs), and internet explorer works with them using sslv3. Given that everything seems to work with firefox, I am operating under the assumption that my certificates are correct, that my apache configs are "correct", and that it is internet explorer that is broken (a supposition, it seems, that is widely supported by other sysadmins). However, given the number of users of that product, I consider it important to be able to make it work.

This afternoon I've had a similar experience, and I have additional clues, a possible explanation and a sort of workaround.

I have been using a self-signed certificate with Apache and all has been well with IE 7 and other browsers. However, the certificate is almost a year old and will expire in a few weeks.

Today I created a new CA and certificate from scratch. All seems well with Firefox. However, IE 7 and IE 6 complain about the certificate, and when I try to proceed, they fail.

The old CA/cert were created with whatever Apache & openssl were in the Fedora I was running then, probably FC5. Today I am using Fedora 7, fully updated.

When I switched back to the old certificate, then things work with IE 7 again (for a few weeks). So it appears that some incompatibility has crept into openssl such that it now creates certs that IE doesn't like.

Pursuing that hypothesis, I booted a Fedora 1 machine I have and created new CA and cert there. Transferring those to my Fedora 7 machine, everything seems to work, specifically IE 7 works the way I expected.

The Fedora 1 machine reports
# openssl version
OpenSSL 0.9.7a Feb 19 2003

The Fedora 7 machine reports
# openssl version
OpenSSL 0.9.8b 04 May 2006

So it appears that between those two versions something crept in that is incompatible with IE.

Charlie

Sorry for not getting back to this earlier, Charlie:

What I found is that I can make ie7 work with sslv3 if I use a self-signed certificate, but not if I use a certificate signed by a self-signed CA.

I have done several upgrades since I created my original CA, so I don't know what version of openssl I was using (using 0.9.8e now), and using debian, but doubt that makes any difference. So I can't confirm your observations on my system, but I have been doing some thinking and checking based on what you said, though; I went through the changelog of openssl to see if I could find anything relevant. Since I don't know what most of the things in that list actually are or what they do, I can't say which, if any, are relevant. I have followed a few things up that looked interesting, but none of them have yielded me anything meaningful.

I would much prefer to play with my own CA, and I would think that there should be a way to configure/fix ie to work properly, or as a last resort be a way to configure openssl to work with ie as it did.

On Jul 29, 4:58 pm, C-cubed <CharlesHSa...@gmail.com> wrote:
> On Jul 26, 12:19 am, bobloblian <b...@computerisms.ca> wrote:
> > ... I have searched extensively on every clue I could find as to why the problem persists. I know of examples where other sites have used self-signed certs (though I am not sure if they are using self-signed CAs), and internet explorer works with them using sslv3. Given that everything seems to work with firefox, I am operating under the assumption that my certificates are correct, that my apache configs are "correct", and that it is internet explorer that is broken (a supposition, it seems, that is widely supported by other sysadmins). However, given the number of users of that product, I consider it important to be able to make it work.
>
> This afternoon I've had a similar experience, and I have additional clues, a possible explanation and a sort of workaround.
>
> I have been using a self-signed certificate with Apache and all has been well with IE 7 and other browsers. However, the certificate is almost a year old and will expire in a few weeks.
>
> Today I created a new CA and certificate from scratch. All seems well with Firefox. However, IE 7 and IE 6 complain about the certificate, and when I try to proceed, they fail.
>
> The old CA/cert were created with whatever Apache & openssl were in the Fedora I was running then, probably FC5. Today I am using Fedora 7, fully updated.
>
> When I switched back to the old certificate, then things work with IE 7 again (for a few weeks). So it appears that some incompatibility has crept into openssl such that it now creates certs that IE doesn't like.
>
> Pursuing that hypothesis, I booted a Fedora 1 machine I have and created new CA and cert there. Transferring those to my Fedora 7 machine, everything seems to work, specifically IE 7 works the way I expected.
>
> The Fedora 1 machine reports
> # openssl version
> OpenSSL 0.9.7a Feb 19 2003
> The Fedora 7 machine reports
> # openssl version
> OpenSSL 0.9.8b 04 May 2006
>
> So it appears that between those two versions something crept in that is incompatible with IE.
>
> Charlie

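Charlie's post above contrasts certificates produced by two OpenSSL releases, and the reply above contrasts a self-signed server certificate with one issued by a private CA. The script below is an added example, not code from the thread or from any poster: it rebuilds both setups with the openssl CLI and runs the checks a practitioner would use to tell a sound chain from a broken one (does the leaf verify against its anchor, is the CA cert an X.509v3 cert asserting CA:TRUE, does the server cert name the host). It assumes openssl is on PATH; every file name and the host name webmail.example.test are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. It rebuilds the two setups the posters
# compare (a server cert issued by a private CA, as the original poster runs, and a
# single self-signed server cert, which the poster later found IE accepts) and runs
# the checks that distinguish a sound chain from a broken one. Assumes the openssl
# CLI is on PATH; every file name and the host name webmail.example.test are
# constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="webmail.example.test"

# Extension profiles. A client can only build trust through a private CA if the CA
# cert is an X.509v3 cert that asserts CA:TRUE; the server cert must name the host.
cat > "$WORK/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
[ v3_selfsigned ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

# Setup 1: private CA, then a server cert the CA signs (two files, a real chain).
make_ca_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -config "$WORK/ext.cnf" -extensions v3_ca -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/ext.cnf" -subj "/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 365 -sha256 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions v3_server \
    -out "$WORK/server.pem" 2>/dev/null
}

# Setup 2: one self-signed server cert; it is its own trust anchor.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -config "$WORK/ext.cnf" -extensions v3_selfsigned -subj "/CN=$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# chain_ok ANCHOR CERT: succeeds when CERT verifies against ANCHOR. This is the
# same check curl performs; with the wrong anchor it reports an untrusted CA.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_version CERT: prints the X.509 version (3 means extensions are present).
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]*\).*/\1/p' | head -n 1
}

# is_ca CERT: succeeds when CERT asserts basicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# names_host CERT HOST: succeeds when CERT lists HOST in subjectAltName.
names_host() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

make_ca_signed
make_self_signed
for pair in "ca.pem server.pem" "self.pem self.pem" "self.pem server.pem"; do
  set -- $pair
  if chain_ok "$WORK/$1" "$WORK/$2"; then r=verifies; else r="does NOT verify"; fi
  echo "$2 against anchor $1: $r"
done
echo "ca.pem: X.509 v$(cert_version "$WORK/ca.pem"), CA:TRUE=$(is_ca "$WORK/ca.pem" && echo yes || echo no)"
```

The same three checks can be pointed at an existing CA and server certificate by setting WORK to the directory that holds them and calling the functions directly.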
On Sat, 04 Aug 2007 07:50:41 -0000, bobloblian <bob@computerisms.ca> wrote:

> Sorry for not getting back to this earlier, Charlie:
> What I found is that I can make ie7 work with sslv3 if I use a self-signed certificate, but not if I use a certificate signed by a self-signed CA.

I know another month has passed since this post, but I'd like to add a couple of our own experiences on this subject, if I may.

Firstly, I don't think it matters what cert you are using, we have a legit cert, with two years left to run, and we get this same issue. We have slightly different symptoms tho' (and that may be due to the fact that we do have a legit cert) as we find IE7 is fine, as is firefox. With IE6 tho', it's a real PITA, tho' seemingly just for one part of our site. It's also more bizarre in that it only fails when the IE6 client is behind a Squid Proxy. Take the Squid out of the equation and our failing page works every time! Does Squid feature in your setup at all?

> I have done several upgrades since I created my original CA, so I don't know what version of openssl I was using (using 0.9.8e now), and using debian, but doubt that makes any difference. So I can't confirm your observations on my system, but I have been doing some thinking and checking based on what you said, though; I went through the changelog of openssl to see if I could find anything relevant. Since I don't know what most of the things in that list actually are or what they do, I can't say which, if any, are relevant. I have followed a few things up that looked interesting, but none of them have yielded me anything meaningful.

Until about two months ago everything was working fine, but we upgraded to RH ES 5 which installs Apache 2.2.3 and OpenSSL 0.9.8b and it seems our problems started then. Like you, we see the issue as an SSLv2 vs. SSLv3 problem as the upgrade to OpenSSL seems to have changed the behaviour of the SSL handshake, causing IE6 to give the 'page cannot be displayed' error.

The really weird thing here is that if we then return the browser to the previous page, then try accessing the page that failed, it works fine with no error. If we then go back, try the failing page again, it fails. We can repeat this ad nauseam. Looking at some ethereal traces of this behaviour, we can see that the browser is getting RST packets, which is causing the SSL connection to fail. Our own googling on this has hinted at some SSL closure alert replies but we haven't found any way of changing the behaviour of these. Or indeed, what they actually are? They may be what is causing the RST we see on ethereal.

> I would much prefer to play with my own CA, and I would think that there should be a way to configure/fix ie to work properly, or as a last resort be a way to configure openssl to work with ie as it did.

We have messed about with OpenSSL but still can't find a solution to this. I think that the only possibility we have is to try and downgrade it. Suffice to say, I would be interested if you ever found/find the answer to your troubles.

Cheers,
Nig