08-26-2005, 06:07 AM
|
|
Senior Member
|
|
Join Date: Dec 2004
Posts: 59
|
|
https connection errors/chained certificates issue
Hi.
After several days of testing, I can surely say that there are some issues regarding SSL with the current lshttpd 2.1 RC2.
First of all, the most serious issue is that some users simply can't connect to the secured site. They are getting a "page not found" error. Users from other computers can access the site successfully.
I noticed that if the users having the problem switch from IE to Firefox, they are able to connect successfully as well. Lowering the encryption level didn't help.
The second issue is the occasional "This certificate is expired or not valid yet" which is popping 1 to 5-7 clicks. Checking the certifications chain in IE lock shows that Verisign CA certificate was expired in 2004. Reloading the page, or any other page for that matter, shows that the Verisign CA will expire at 2011.
I merged both the server, and the Verisign CA certificate to one file, and set "Chained Certificate" to ON at the SSL listener control panel. The notice still appears regularly.
|

08-26-2005, 08:39 AM
|
|
LiteSpeed Staff
|
|
Join Date: May 2003
Location: New Jersey
Posts: 7,590
|
|
|
We will investigate those issues, the problem should be inside openssl toolkit, maybe need some tweaks.
If you don't mind, please tell us the url of your web site. We'd like to give it a try. :-)
|

08-26-2005, 03:01 PM
|
|
Senior Member
|
|
Join Date: Dec 2004
Posts: 59
|
|
|
Hi.
Please see PM.
Update: BTW, I forgot to add that it seems that Firefox also encounters similar certificate problems, and thus displays a warning message, saying that the certificate is possibly invalid, and suggests temporarily allowing browsing to the site. Therefore, it seems both browsers are having some trouble with the SSL, and the issue is specifically on the server side.
Thanks.
|

08-26-2005, 10:13 PM
|
|
LiteSpeed Staff
|
|
Join Date: May 2003
Location: New Jersey
Posts: 7,590
|
|
|
Got it. We will investigate the problem.
Can you tell me more information about browsers that cannot connect? version and platform.
I think SSL negotiation failed between the browser and server about the encryption cipher to be used. Please try changing the SSL ciphers setting for the SSL listener manually to
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP, which is Apache mod_ssl's default, then restart the server and see if it helps.
The certificate problem probably has something to do with the SSL session cache. For some reason, some necessary certificate information has not been sent, maybe due to SSL session cache. We will find out. :-)
George Wang
|
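Added example, not part of the original thread and not LiteSpeed or Apache code: a simplified audit of the cipher string quoted in the post above, showing which weak cipher classes it leaves enabled. The names `audit_cipher_string` and `WEAK` are hypothetical, and the model tracks cipher classes by keyword only rather than expanding real suites.

```python
# Simplified model of OpenSSL cipher-list syntax: it tracks weak cipher
# *classes* by keyword, not the concrete suites a given OpenSSL build expands.
WEAK = {
    "EXP": "export-grade ciphers",
    "LOW": "low-strength ciphers",
    "SSLv2": "SSLv2 cipher suites",
    "ADH": "anonymous DH (no server authentication)",
}

def audit_cipher_string(spec):
    """Return (sorted weak classes left enabled, notes) for a cipher string."""
    enabled, killed, notes = set(), set(), []
    for token in filter(None, (t.strip() for t in spec.split(":"))):
        op = token[0] if token[0] in "!-+" else ""
        parts = token[len(op):].split("+")      # an inner '+' is a logical AND
        weak = [p for p in parts if p in WEAK]
        if op == "+":
            # '+X' only moves already-enabled ciphers to the end of the list.
            for name in weak:
                notes.append(f"+{name} reorders only; it does not disable {name}")
        elif op in ("!", "-"):
            # Only a bare keyword removes a whole class; 'A+B' removes just
            # the intersection, so the class is treated as still enabled.
            targets = set(WEAK) if parts == ["ALL"] else set(weak if len(parts) == 1 else [])
            enabled -= targets
            if op == "!":
                killed |= targets               # '!' is permanent, '-' is not
        else:
            added = set(WEAK) if parts == ["ALL"] else set(weak)
            enabled |= added - killed
    return sorted(enabled), notes

if __name__ == "__main__":
    # Cipher string quoted in the post above.
    posted = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
    still_enabled, notes = audit_cipher_string(posted)
    for name in still_enabled:
        print(f"enabled: {name} ({WEAK[name]})")
    for note in notes:
        print("note:", note)
```

For the posted string the audit reports export, low-strength and SSLv2 classes as still enabled, because `ALL` turns them on and only `!ADH` removes anything.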

08-29-2005, 03:49 AM
|
|
Senior Member
|
|
Join Date: Dec 2004
Posts: 59
|
|
|
Hi.
The mentioned change to the ciphers section didn't help - the users still have connection problems.
The version of IE is: 6.0.2900.2180.xpsp_sp2_gdr.050301-1519, Cipher Strength: 128-bit, and the platform is Windows XP SP2.
Thanks.
|

08-29-2005, 10:18 AM
|
|
LiteSpeed Staff
|
|
Join Date: May 2003
Location: New Jersey
Posts: 7,590
|
|
Quote:
|
Originally Posted by SyNeo
The mentioned change to the ciphers section didn't help - the users still have connection problems.
The version of IE is: 6.0.2900.2180.xpsp_sp2_gdr.050301-1519, Cipher Strength: 128-bit, and the platform is Windows XP SP2.
|
That's strange, I am using the same version, no problem at all, not even the expiration problem.
I do have untrusted certificate problem with Firefox, will add a CA path configuration which matches Apache's, see if that helps.
|

08-30-2005, 12:09 PM
|
|
Senior Member
|
|
Join Date: Dec 2004
Posts: 59
|
|
Hi.
Quote:
|
That's strange, I am using the same version, no problem at all, not even the expiration problem.
|
It's exactly the problem - I have the same version and the site works great, with occasional SSL warnings. Another PC near me, with identical setup and the same version of browser and OS, can't connect to the site at all.
Thanks.
|

08-30-2005, 12:14 PM
|
|
LiteSpeed Staff
|
|
Join Date: May 2003
Location: New Jersey
Posts: 7,590
|
|
|
Please check the SSL setting of that IE, make sure at least one SSL check box has been checked under Tools->Internet options->"Advanced" Tab->Security. I can access the web site unless all SSL check boxes have been unchecked.
|

08-31-2005, 04:18 AM
|
|
Senior Member
|
|
Join Date: Dec 2004
Posts: 59
|
|
Hi.
I verified the settings, both the SSL2 and SSL3 are checked. I tried to check the TLS1 as well to see if it works, but it still didn't help.
I tried to check the communication between the browser and the server via HTTP Watch (http/s sniffer), and that's what I received - perhaps it will shed some light:
"HTTP Request Unconditional request sent for https://****************/ ERROR_HTTP_INVALID_SERVER_RESPONSE". No headers or data are returned.
The same browser connecting to an Apache server via SSL, will return the following:
"HTTP Request Unconditional request sent for https://***************/ completed", and will return the headers and the data.
|

08-31-2005, 07:36 AM
|
|
LiteSpeed Staff
|
|
Join Date: May 2003
Location: New Jersey
Posts: 7,590
|
|
|
Looks like the problem is definitely on the server side.
Does that machine have its own dedicated public IP address or is it behind NAT? Can you access the web site via Firefox on that machine?
Maybe the server for some reason doesn't like that IP address and drops the connection. Is there any access rule configured?
Thanks,
George
|