Jump to content

forum.eset.com - This page cannot be displayed (IE11)


bbahes

Recommended Posts

Hi!

 

I am unable to access https://forum.eset.comfrom IE11 but I'm able to access it from Chrome.

 

In IE I get error message :

 

"Turn on TLS 1.0, TLS 1.1 and TLS 1.2 in Advanced settings and try connecting to https://forum.eset.comagain. If this error persists, contact your site administrator."

 

 

 

In Wireshark I get this:

 

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)

Content Type: Alert (21)

Version: TLS 1.2 (0x0303)

 

 

 

 

 

Doing check on site cert:

 

certutil -verify -urlfetch forum.eset.com.cer

 

Issuer:
    CN=thawte SHA256 SSL CA
    O=thawte, Inc.
    C=US
  Name Hash(sha1): 55b8cc328599c11969052a591ea0d7bdcdd95b4b
  Name Hash(md5): eaef5fa6aa2ec8c3f762b5fbbb58c15d
Subject:
    CN=forum.eset.com
    OU=IT Support
    O=ESET, spol. s r.o.
    L=Bratislava
    S=Slovakia
    C=SK
  Name Hash(sha1): 682342ed3fb6ec4ac575ba03de5f56def265a6a4
  Name Hash(md5): 5a9d80fdcd58c1859fe774f9b9dc80c0
Cert Serial Number: 4e5bee8faf9b1b2e951586ea0a95b845
 
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Days, 9 Hours, 59 Minutes, 21 Seconds
 
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Days, 9 Hours, 59 Minutes, 21 Seconds
 
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=thawte SHA256 SSL CA, O="thawte, Inc.", C=US
  NotBefore: 1.4.2015. 2:00
  NotAfter: 10.4.2017. 1:59
  Subject: CN=forum.eset.com, OU=IT Support, O="ESET, spol. s r.o.", L=Bratislava, S=Slovakia, C=SK
  Serial: 4e5bee8faf9b1b2e951586ea0a95b845
  SubjectAltName: DNS Name=forum.eset.com
  7a761f99d810d208cfb6a9c7a85afd8d63d8ac48
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
 
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0589)" Time: 0
 
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] hxxp://tg.symcd.com
 
  --------------------------------
    CRL (null):
    Issuer: CN=thawte SHA256 SSL OCSP Responder, O="thawte, Inc.", C=US
    ThisUpdate: 21.4.2015. 20:50
    NextUpdate: 28.4.2015. 20:50
    a95c6b2af9773fd0fa6454317b8538c78e2b096d
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
 
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  NotBefore: 23.5.2013. 2:00
  NotAfter: 23.5.2023. 1:59
  Subject: CN=thawte SHA256 SSL CA, O="thawte, Inc.", C=US
  Serial: 36349e18c99c2669b6562e6ce5ad7132
  SubjectAltName: Directory Address:CN=VeriSignMPKI-2-415
  f7b92774088f56a9b7a53c668df2b7dad547d167
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (13)" Time: 0
 
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
 
  --------------------------------
    CRL (null):
    Issuer: CN=thawte Primary Root  CA - G3 OCSP Responder, OU=Certification Services Division, O="thawte, Inc.", C=US
    ThisUpdate: 16.4.2015. 21:14
    NextUpdate: 23.4.2015. 21:14
    c09a7b699b9476bfebf95883ea9fc51117bdcd4d
  Issuance[0] = 2.16.840.1.113733.1.7.54 
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
 
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  NotBefore: 2.4.2008. 2:00
  NotAfter: 2.12.2037. 1:59
  Subject: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Serial: 600197b746a7eab4b49ad64b2ff790fb
  f26bf3ca8915175b4356f0a6b603e91b8d538bf1
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping
 
Exclude leaf cert:
  b1ca9eb1f926d7a7ff789f711324523806c177ae
Full chain:
  6b9e537b8a6706c7832810012f92d3fc8685b93e
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
 
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
 
CertUtil: -verify command completed successfully.
 

post-5358-0-65727400-1429764921_thumb.png

post-5358-0-52610700-1429764922_thumb.png

Edited by bbahes
Link to comment
Share on other sites

I was unable to reach the site for an extended period of time under IE 11 earlier on April 24.
It seems to have now cleared up. It was a site outage issue that I observed and not a certificate issue.

For those that are socially inclined, you may always fire off a Tweet to ESET in the event you cannot view the Forum.
https://twitter.com/esetna 







 

Link to comment
Share on other sites

I was unable to reach the site for an extended period of time under IE 11 earlier on April 24.

It seems to have now cleared up. It was a site outage issue that I observed and not a certificate issue.

For those that are socially inclined, you may always fire off a Tweet to ESET in the event you cannot view the Forum.

https://twitter.com/esetna

 

Not that it's important now, but if SSL handshake fails, how is it "site outage issue" ?

I'm asking purely because I was in doubt that my IE configuration, or SSL registry settings got corrupt.

 

My guess was that it was CRL issue not certificate itself and that IE was behaving correctly, whereas Chrome did not, so we could access https forum site via Chrome.

 

"Of the major browsers, only Internet Explorer and Opera behave correctly in a wide variety of revocation scenarios, including where end-entity and intermediate certificates had been revoked only via a CRL or only via OCSP. The remaining browsers — Google Chrome, Safari, and Firefox — all have less consistent behaviour when checking the revocation status of SSL certificates." - hxxp://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.HTML

Edited by bbahes
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...