Apache Tomcat 8.5 : SSL ENABLED IN IE BUT NOT IN CHROME - ssl

I have enabled SSL for a site using jdk 1.8 and Tomcat 8.5.23.
When I hit the site in IE, first time it shows:
"Can't connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner."
When I hit the site a second time, the page loads and the application functionality works fine with SSL enabled.
When I hit the site in Chrome, no matter how many times, it shows:
"This site can't provide a secure connection
Abcd.xyz.com didn't accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT"
In server.xml I have added the following in the connector tag:
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
I also could not find any error in the log files.
Please help me. :(
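Added example (not the asker's server.xml and not from any answer): the same protocol list written in the Tomcat 8.5 SSLHostConfig form, with client-certificate verification stated explicitly so the connector never asks the browser for one. The port, keystore path and password are placeholders.

```xml
<!-- Tomcat 8.5 HTTPS connector (JSSE/NIO). Added example; the port, keystore
     path and password are placeholders, not values from the question. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <!-- Same protocol set the question configured with
         SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"; SSLHostConfig accepts a
         comma-separated list. -->
    <SSLHostConfig protocols="TLSv1,TLSv1.1,TLSv1.2"
                   certificateVerification="none">
        <!-- "none" (the default) means the server never sends a
             CertificateRequest. "optional" or "required" makes it ask the
             browser for a client certificate; "required" fails the handshake
             when the browser has none, which is the symptom Chrome describes
             as ERR_BAD_SSL_CLIENT_AUTH_CERT. -->
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.jks"
                     certificateKeystorePassword="PLACEHOLDER"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

If the real connector carries certificateVerification="required" (or the legacy clientAuth="true"), check that first before touching the protocol list: a browser with no client certificate in its store will fail the handshake regardless of TLS version.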

Related

Website fails to load in Safari Mobile and Desktop

When opening some web pages in Safari (iOS - CMS website hosted on an Apache server) it shows the following message.
Tried to remove all scripts from the page and it didn't work.
Checked the Apache access log and none of the requests were logged in the access log.
Checked the Apache error log and no errors are logged.
Tried a lot of methods to figure it out (technically and logically). Anyone experienced the same issue?
If none of your requests are being logged, then your client isn't getting through and you have a problem outside of your application scope (like a network connectivity or firewall issue).

ERR_BAD_SSL_CLIENT_AUTH_CERT

We've started encountering issues browsing to most https sites.
Examples include: https://technet.microsoft.com/, https://mail.google.com/, https://www.mozilla.org/en-US/firefox/new/, https://stackoverflow.com/
It appears that secure sites that we have visited previously work OK. Examples of these include:
https://banking.westpac.com.au/, https://www.tppwholesale.com.au/login/, https://au.ingrammicro.com/
The errors we receive are:
Chrome: ERR_BAD_SSL_CLIENT_AUTH_CERT
Firefox: SSL_ERROR_ACCESS_DENIED_ALERT
IE11/Edge: No helpful message, but Schannel 36887 errors are logged advising The TLS protocol defined fatal alert code is 49. (These are also logged for Chrome, but not Firefox as it uses the Mozilla NSS encryption library.)
We can prevent the problem by disabling TLS1.1 & TLS1.2 and enabling SSL2 & SSL3. As SSL2/3 have known vulnerabilities we want to resolve this issue properly.
The problem has been observed on Win7, Win8.1, Win10 and WS2012R2 machines. It's affecting all our laptop computers except one that hasn't been in the office for over a month.
Extensive googling has failed to yield anything helpful - most SSL connection issues that are discussed seem to focus on the server certificate.
The above errors suggest it is an issue with the client certificate that our browsers are sending to the servers, so I have these questions:
Do SSL2/3 have different client certificate requirements to TLS1.x?
What client certificate do browsers use (we don't have any certificates listed in the user or computer Personal stores)?
I hope there's an SSL/TLS guru out there that can assist!
No need to uninstall ESET. Open ESET > Setup > Internet Protection > edit "Web Access Protection" > expand "Web Protocols" > disable "Enable HTTPS Checking".
It appears that ESET antivirus is the culprit here. Thanks to Nicolas Rey for flagging this on a Chrome forum (refer https://productforums.google.com/forum/#!msg/chrome/WHw6ow1kGUs/MW3gt1hZEQAJ)
The rollback option that Nicolas suggested didn't help, but uninstalling and reinstalling ESET resolved the issue.
In ESET go to Advanced setup. Then click WEB AND EMAIL, expand SSL/TLS. Click Edit in "List of known certificates". Change access to allow, or remove sites from here.
In ESET there is no need to disable "Enable HTTPS Checking". In Web Access Protection click URL Management > click Edit on the address list, then add the site to the list of allowed addresses.

Weblogic Administration Console being blocked by browser - SSL server probably obsolete

We are using Weblogic 8.1 and the administration console suddenly stopped working and became inaccessible today.
For more than a year we used to access it, until today, as it is now being blocked by these browsers:
Internet Explorer -
There is a problem with this website's security certificate. When I click continue, it's not redirecting to the admin console.
Google Chrome - SSL server probably obsolete.
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION
Firefox - Secure Connection Failed
An error occurred during a connection to 192.168.0.18:17050. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
You are running a very old version of JRockit Java, equivalent to 1.4.
There is an SSL protocol mismatch between your modern browsers and Weblogic's JRockit.
My best guess is to install the JRockit Java Cryptography Extension (JCE) Unlimited Strength files into your JRockit to boost the cipher list.
nmap has an ssl-enum-ciphers script that will be able to print out the list of ciphers available before and after you install the Unlimited Strength files. See answer.
As an alternative and very ugly solution in Firefox, try this.
Enable support for 40-bit RSA encryption in the Firefox Browser:
enter 'about:config' in Browser Address bar
find/select
"security.ssl3.rsa_rc4_40_md5" set boolean to TRUE
Or this.
Open a new tab in Firefox and type “about:config” in the URL bar
You will get a warning dialog box; click "Promise to be careful" and move on.
In the search bar, enter the following: security.tls.version
First, right-click on the setting “security.tls.version.fallback-limit” and select modify. You’re going to change the “1” to “0”. Then do the same thing with “security.tls.version.min”, changing the “1” to “0”.

IE silently switches from https to http

IE 11 suddenly started having problems with my website's SSL certificate. At least I assume that's what it is, because it just silently switches from https to http without giving any error messages. Other browsers don't have any problems with the certificate, and the certificate didn't change, so I assume this is some IE update that broke it. I've tried adding the site to the trusted sites list, clearing SSL cache, nothing helps. Windows logs don't show any errors. There might be some insecure content on the page but this comes from ads and I can't change it; anyway, the worst this can do should be not showing insecure content? What else could this be? You can see the example at https://www.windows2universe.org/php/registration/reg_login_und.php
I'm guessing it could be a permanent redirection issue. Try to open your website using Private Mode and see what happens.
UPDATE
Actually, I checked your website: when I try to open it with HTTPS it returns a 301 (Permanent Redirection) to the HTTP version. Check your server configuration.

Selenium RC and Internet Explorer 7 with rspec for HTTPS and HTTP connections

We test our rails web application with rspec and use the selenium-client (gem version 1.2.18) API in our rspec tests to let selenium RC server (version 2.21.0) steer internet explorer 7 under AP to test our application.
This worked very well until we introduced HTTPS for our login and registration process. Now the user is redirected to the secure version of the login and registration form and afterwards redirected back to the unsecure HTTP site.
For our Selenium tests to work with HTTPS and Internet Explorer 7 we are setting up the Selenium driver with "*iexploreproxy" instead of "*iexplore" and use port 4444. We also installed the CyberVillains SSL certificate as described here: http://blog.mogotest.com/2010/04/13/how-to-accept-self-signed-ssl-certificates-in-selenium/. We run the Selenium RC server with -trustALLSSLCertificates. This solved the self-signed SSL certificate issues (be aware that Selenium RC > 2.21 does not work because of a bug which sets a wrong "valid from" date).
After that we received "Permission Denied" errors when running our tests. We found out that this is because of the same-origin problem described at http://wiki.openqa.org/display/SEL/Selenium+Core+FAQ under "Why do I get a Permission Denied error when accessing my website via HTTPS?". This problem can be solved by adjusting Internet Explorer 7's proxy settings and using localhost:4444 to route everything through the Selenium RC server. It works, but the problem is that after every test run the proxy settings are reset.
My first question is: how is it possible to make those settings persistent in Internet Explorer 7? I read about custom profiles for IE but I haven't found out how to set this up for rspec tests. I also read about a proxy.pac file, but googling for a solution was without success.
The next problem is that when running our tests we also run into "Access denied" errors from Selenium. I have no idea how to solve these or why they occur. So my second question is: how do I get rid of those under the setup described?