bbahes 29 Posted April 23, 2015 (edited)

Hi! I am unable to access https://forum.eset.com from IE11 but I'm able to access it from Chrome. In IE I get the error message: "Turn on TLS 1.0, TLS 1.1 and TLS 1.2 in Advanced settings and try connecting to https://forum.eset.com again. If this error persists, contact your site administrator."

In Wireshark I get this:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)

Doing a check on the site cert:

certutil -verify -urlfetch forum.eset.com.cer

Issuer:
    CN=thawte SHA256 SSL CA
    O=thawte, Inc.
    C=US
  Name Hash(sha1): 55b8cc328599c11969052a591ea0d7bdcdd95b4b
  Name Hash(md5): eaef5fa6aa2ec8c3f762b5fbbb58c15d
Subject:
    CN=forum.eset.com
    OU=IT Support
    O=ESET, spol. s r.o.
    L=Bratislava
    S=Slovakia
    C=SK
  Name Hash(sha1): 682342ed3fb6ec4ac575ba03de5f56def265a6a4
  Name Hash(md5): 5a9d80fdcd58c1859fe774f9b9dc80c0
Cert Serial Number: 4e5bee8faf9b1b2e951586ea0a95b845

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 6 Days, 9 Hours, 59 Minutes, 21 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 6 Days, 9 Hours, 59 Minutes, 21 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=thawte SHA256 SSL CA, O="thawte, Inc.", C=US
  NotBefore: 1.4.2015. 2:00
  NotAfter: 10.4.2017. 1:59
  Subject: CN=forum.eset.com, OU=IT Support, O="ESET, spol. s r.o.", L=Bratislava, S=Slovakia, C=SK
  Serial: 4e5bee8faf9b1b2e951586ea0a95b845
  SubjectAltName: DNS Name=forum.eset.com
  7a761f99d810d208cfb6a9c7a85afd8d63d8ac48
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] hxxp://tg.symcb.com/tg.crt
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (0589)" Time: 0
    [0.0] hxxp://tg.symcb.com/tg.crl
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] hxxp://tg.symcd.com
  --------------------------------
  CRL (null):
  Issuer: CN=thawte SHA256 SSL OCSP Responder, O="thawte, Inc.", C=US
  ThisUpdate: 21.4.2015. 20:50
  NextUpdate: 28.4.2015. 20:50
  a95c6b2af9773fd0fa6454317b8538c78e2b096d
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  NotBefore: 23.5.2013. 2:00
  NotAfter: 23.5.2023. 1:59
  Subject: CN=thawte SHA256 SSL CA, O="thawte, Inc.", C=US
  Serial: 36349e18c99c2669b6562e6ce5ad7132
  SubjectAltName: Directory Address:CN=VeriSignMPKI-2-415
  f7b92774088f56a9b7a53c668df2b7dad547d167
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (13)" Time: 0
    [0.0] hxxp://crl.thawte.com/ThawtePCA-G3.crl
  ----------------  Base CRL CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  Verified "OCSP" Time: 0
    [0.0] hxxp://ocsp.thawte.com
  --------------------------------
  CRL (null):
  Issuer: CN=thawte Primary Root CA - G3 OCSP Responder, OU=Certification Services Division, O="thawte, Inc.", C=US
  ThisUpdate: 16.4.2015. 21:14
  NextUpdate: 23.4.2015. 21:14
  c09a7b699b9476bfebf95883ea9fc51117bdcd4d
  Issuance[0] = 2.16.840.1.113733.1.7.54
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  NotBefore: 2.4.2008. 2:00
  NotAfter: 2.12.2037. 1:59
  Subject: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
  Serial: 600197b746a7eab4b49ad64b2ff790fb
  f26bf3ca8915175b4356f0a6b603e91b8d538bf1
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication
  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email
  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing
  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping

Exclude leaf cert:
  b1ca9eb1f926d7a7ff789f711324523806c177ae
Full chain:
  6b9e537b8a6706c7832810012f92d3fc8685b93e
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
    1.3.6.1.5.5.7.3.2 Client Authentication
Cert is an End Entity certificate
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

Edited April 23, 2015 by bbahes
bbahes 29 (Author) Posted April 23, 2015

It must be IE related. I will check and report back the result.
shocked 60 (Most Valued Members) Posted April 23, 2015

I also can't connect using IE today. Chrome is OK.
shocked 60 (Most Valued Members) Posted April 23, 2015

It seems OK now.
bbahes 29 (Author) Posted April 24, 2015

Working OK in IE today. Must have been something with the server certificate CRL...
siljaline 57 Posted April 24, 2015

I was unable to reach the site for an extended period of time under IE 11 earlier on April 24. It seems to have now cleared up. It was a site outage issue that I observed and not a certificate issue. For those that are socially inclined, you may always fire off a Tweet to ESET in the event you cannot view the Forum. https://twitter.com/esetna
bbahes 29 (Author) Posted April 24, 2015 (edited)

> I was unable to reach the site for an extended period of time under IE 11 earlier on April 24. It seems to have now cleared up. It was a site outage issue that I observed and not a certificate issue. For those that are socially inclined, you may always fire off a Tweet to ESET in the event you cannot view the Forum. https://twitter.com/esetna

Not that it's important now, but if the SSL handshake fails, how is it a "site outage issue"? I'm asking purely because I was in doubt whether my IE configuration or SSL registry settings had got corrupted. My guess was that it was a CRL issue, not the certificate itself, and that IE was behaving correctly whereas Chrome did not, so we could access the HTTPS forum site via Chrome.

"Of the major browsers, only Internet Explorer and Opera behave correctly in a wide variety of revocation scenarios, including where end-entity and intermediate certificates had been revoked only via a CRL or only via OCSP. The remaining browsers — Google Chrome, Safari, and Firefox — all have less consistent behaviour when checking the revocation status of SSL certificates." - hxxp://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.HTML

Edited April 24, 2015 by bbahes
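The distinction bbahes draws in this post (a revocation check that could not complete versus a certificate that failed to validate) is exactly what the certutil dump in the first post records, so here is an added triage helper, not part of the thread or of certutil, that parses `certutil -verify -urlfetch` output: it collects each chain element's dwErrorStatus and the AIA/CDP/OCSP URLs certutil fetched, reads the final HRESULT, and classifies the result. The sample output is a constructed, abridged excerpt modelled on the dump above; the HRESULT names are the wincrypt.h constants.

```python
import re
# Constructed excerpt modelled on the certutil -verify -urlfetch output in the thread (abridged).
CERTUTIL_OUTPUT = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=forum.eset.com, OU=IT Support, O="ESET, spol. s r.o.", L=Bratislava, C=SK
  ----------------  Certificate CDP  ----------------
    [0.0] http://tg.symcb.com/tg.crl
  ----------------  Certificate OCSP  ----------------
    [0.0] http://tg.symcd.com
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=thawte SHA256 SSL CA, O="thawte, Inc.", C=US
  ----------------  Certificate CDP  ----------------
    [0.0] http://crl.thawte.com/ThawtePCA-G3.crl
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)
CertUtil: -verify command completed successfully.
"""
# wincrypt.h revocation HRESULTs; 0x80092013 is the one in the thread.
HRESULT_NAMES = {0x80092010: "CRYPT_E_REVOKED", 0x80092012: "CRYPT_E_NO_REVOCATION_CHECK", 0x80092013: "CRYPT_E_REVOCATION_OFFLINE"}

def chain_elements(text):
    """One dict per CertContext element: subject, dwErrorStatus and the
    AIA/CDP/OCSP URLs certutil tried to fetch for it."""
    elements, section = [], None
    for s in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"CertContext\[\d+\]\[\d+\]:.*dwErrorStatus=([0-9a-f]+)", s):
            elements.append({"subject": None, "error_status": int(m.group(1), 16), "urls": {}})
        elif not elements:
            continue  # header lines before the first chain element
        elif s.startswith("Subject:"):
            elements[-1]["subject"] = s[8:].strip()
        elif m := re.match(r"-+\s+(.*?)\s+-+$", s):  # e.g. "Certificate CDP"; "Base CRL CDP" is ignored
            section = m.group(1).split()[-1] if m.group(1).startswith("Certificate ") else None
        elif section and (m := re.match(r"\[\d+\.\d+\]\s+(\S+)", s)):
            elements[-1]["urls"].setdefault(section, []).append(m.group(1))
    return elements

def verify_error(text):
    """(HRESULT, symbolic name) from certutil's ERROR line, or None when it reported none."""
    m = re.search(r"^ERROR:.*?(0x[0-9A-Fa-f]{8})", text, re.M)
    return None if m is None else (int(m.group(1), 16), HRESULT_NAMES.get(int(m.group(1), 16), "UNKNOWN"))

def triage(text):
    """'chain-invalid' (some element has a non-zero dwErrorStatus), 'revoked', 'revocation-offline'
    (chain verified but the CRL/OCSP responder could not be reached), 'ok', or 'other-error'."""
    if any(e["error_status"] for e in chain_elements(text)):
        return "chain-invalid"
    err = verify_error(text)
    if err is None:
        return "ok"
    return {"CRYPT_E_REVOKED": "revoked", "CRYPT_E_REVOCATION_OFFLINE": "revocation-offline"}.get(err[1], "other-error")
```

A "revocation-offline" result points at the CA's CRL/OCSP endpoints (the URLs the parser lists) rather than at the site's certificate or the client's TLS settings.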