forum.eset.com - This page cannot be displayed (IE11)

[bbahes 29]

Hi!

 

I am unable to access https://forum.eset.comfrom IE11 but I'm able to access it from Chrome.

 

In IE I get error message :

 

"Turn on TLS 1.0, TLS 1.1 and TLS 1.2 in Advanced settings and try connecting to https://forum.eset.comagain. If this error persists, contact your site administrator."

 

 

 

In Wireshark I get this:

 

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)

Content Type: Alert (21)

Version: TLS 1.2 (0x0303)

 

 

 

 

 

Doing check on site cert:

 

certutil -verify -urlfetch forum.eset.com.cer

 

Issuer:

    CN=thawte SHA256 SSL CA

    O=thawte, Inc.

    C=US

  Name Hash(sha1): 55b8cc328599c11969052a591ea0d7bdcdd95b4b

  Name Hash(md5): eaef5fa6aa2ec8c3f762b5fbbb58c15d

Subject:

    CN=forum.eset.com

    OU=IT Support

    O=ESET, spol. s r.o.

    L=Bratislava

    S=Slovakia

    C=SK

  Name Hash(sha1): 682342ed3fb6ec4ac575ba03de5f56def265a6a4

  Name Hash(md5): 5a9d80fdcd58c1859fe774f9b9dc80c0

Cert Serial Number: 4e5bee8faf9b1b2e951586ea0a95b845

 

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)

ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)

HCCE_LOCAL_MACHINE

CERT_CHAIN_POLICY_BASE

-------- CERT_CHAIN_CONTEXT --------

ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

ChainContext.dwRevocationFreshnessTime: 6 Days, 9 Hours, 59 Minutes, 21 Seconds

 

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwRevocationFreshnessTime: 6 Days, 9 Hours, 59 Minutes, 21 Seconds

 

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0

  Issuer: CN=thawte SHA256 SSL CA, O="thawte, Inc.", C=US

  NotBefore: 1.4.2015. 2:00

  NotAfter: 10.4.2017. 1:59

  Subject: CN=forum.eset.com, OU=IT Support, O="ESET, spol. s r.o.", L=Bratislava, S=Slovakia, C=SK

  Serial: 4e5bee8faf9b1b2e951586ea0a95b845

  SubjectAltName: DNS Name=forum.eset.com

  7a761f99d810d208cfb6a9c7a85afd8d63d8ac48

  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)

  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

  ----------------  Certificate AIA  ----------------

  Verified "Certificate (0)" Time: 0

    [0.0] hxxp://tg.symcb.com/tg.crt

 

  ----------------  Certificate CDP  ----------------

  Verified "Base CRL (0589)" Time: 0

    [0.0] hxxp://tg.symcb.com/tg.crl

 

  ----------------  Base CRL CDP  ----------------

  No URLs "None" Time: 0

  ----------------  Certificate OCSP  ----------------

  Verified "OCSP" Time: 0

    [0.0] hxxp://tg.symcd.com

 

  --------------------------------

    CRL (null):

    Issuer: CN=thawte SHA256 SSL OCSP Responder, O="thawte, Inc.", C=US

    ThisUpdate: 21.4.2015. 20:50

    NextUpdate: 28.4.2015. 20:50

    a95c6b2af9773fd0fa6454317b8538c78e2b096d

  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

 

CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0

  Issuer: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

  NotBefore: 23.5.2013. 2:00

  NotAfter: 23.5.2023. 1:59

  Subject: CN=thawte SHA256 SSL CA, O="thawte, Inc.", C=US

  Serial: 36349e18c99c2669b6562e6ce5ad7132

  SubjectAltName: Directory Address:CN=VeriSignMPKI-2-415

  f7b92774088f56a9b7a53c668df2b7dad547d167

  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)

  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

  ----------------  Certificate AIA  ----------------

  No URLs "None" Time: 0

  ----------------  Certificate CDP  ----------------

  Verified "Base CRL (13)" Time: 0

    [0.0] hxxp://crl.thawte.com/ThawtePCA-G3.crl

 

  ----------------  Base CRL CDP  ----------------

  No URLs "None" Time: 0

  ----------------  Certificate OCSP  ----------------

  Verified "OCSP" Time: 0

    [0.0] hxxp://ocsp.thawte.com

 

  --------------------------------

    CRL (null):

    Issuer: CN=thawte Primary Root  CA - G3 OCSP Responder, OU=Certification Services Division, O="thawte, Inc.", C=US

    ThisUpdate: 16.4.2015. 21:14

    NextUpdate: 23.4.2015. 21:14

    c09a7b699b9476bfebf95883ea9fc51117bdcd4d

  Issuance[0] = 2.16.840.1.113733.1.7.54 

  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email

  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping

 

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0

  Issuer: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

  NotBefore: 2.4.2008. 2:00

  NotAfter: 2.12.2037. 1:59

  Subject: CN=thawte Primary Root CA - G3, OU="© 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

  Serial: 600197b746a7eab4b49ad64b2ff790fb

  f26bf3ca8915175b4356f0a6b603e91b8d538bf1

  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)

  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)

  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

  ----------------  Certificate AIA  ----------------

  No URLs "None" Time: 0

  ----------------  Certificate CDP  ----------------

  No URLs "None" Time: 0

  ----------------  Certificate OCSP  ----------------

  No URLs "None" Time: 0

  --------------------------------

  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication

  Application[1] = 1.3.6.1.5.5.7.3.2 Client Authentication

  Application[2] = 1.3.6.1.5.5.7.3.4 Secure Email

  Application[3] = 1.3.6.1.5.5.7.3.3 Code Signing

  Application[4] = 1.3.6.1.5.5.7.3.8 Time Stamping

 

Exclude leaf cert:

  b1ca9eb1f926d7a7ff789f711324523806c177ae

Full chain:

  6b9e537b8a6706c7832810012f92d3fc8685b93e

------------------------------------

Verified Issuance Policies: None

Verified Application Policies:

    1.3.6.1.5.5.7.3.1 Server Authentication

    1.3.6.1.5.5.7.3.2 Client Authentication

Cert is an End Entity certificate

 

ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613 CRYPT_E_REVOCATION_OFFLINE)

CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

 

CertUtil: -verify command completed successfully.

 

Edited April 23, 2015 by bbahes

[bbahes 29]

It must be IE related. I will check and report back result.

[shocked 60]

i also cant connect using IE today. chrome is ok

[shocked 60]

it seems ok now

[bbahes 29]

Working today ok in IE. Must have been something with server certificate CRL...

 

[siljaline 57]

I was unable to reach the site for an extended period of time under IE 11 earlier on April 24.
It seems to have now cleared up. It was a site outage issue that I observed and not a certificate issue.

For those that are socially inclined, you may always fire off a Tweet to ESET in the event you cannot view the Forum.
https://twitter.com/esetna 







 

[bbahes 29]

I was unable to reach the site for an extended period of time under IE 11 earlier on April 24.

It seems to have now cleared up. It was a site outage issue that I observed and not a certificate issue.

For those that are socially inclined, you may always fire off a Tweet to ESET in the event you cannot view the Forum.

https://twitter.com/esetna

 

Not that it's important now, but if SSL handshake fails, how is it "site outage issue" ?

I'm asking purely because I was in doubt that my IE configuration, or SSL registry settings got corrupt.

 

My guess was that it was CRL issue not certificate itself and that IE was behaving correctly, whereas Chrome did not, so we could access https forum site via Chrome.

 

"Of the major browsers, only Internet Explorer and Opera behave correctly in a wide variety of revocation scenarios, including where end-entity and intermediate certificates had been revoked only via a CRL or only via OCSP. The remaining browsers — Google Chrome, Safari, and Firefox — all have less consistent behaviour when checking the revocation status of SSL certificates." - hxxp://news.netcraft.com/archives/2014/04/24/certificate-revocation-why-browsers-remain-affected-by-heartbleed.HTML

Edited April 24, 2015 by bbahes