ERR_BAD_SSL_CLIENT_AUTH_CERT - ssl

We've started encountering issues browsing to most https sites.
Examples include: https://technet.microsoft.com/, https://mail.google.com/, https://www.mozilla.org/en-US/firefox/new/, https://stackoverflow.com/
It appears that secure sites that we have visited previously work OK. Examples of these include:
https://banking.westpac.com.au/, https://www.tppwholesale.com.au/login/, https://au.ingrammicro.com/
The errors we receive are:
Chrome: ERR_BAD_SSL_CLIENT_AUTH_CERT
Firefox: SSL_ERROR_ACCESS_DENIED_ALERT
IE11/Edge: No helpful message, but Schannel 36887 errors are logged advising "The TLS protocol defined fatal alert code is 49." (These are also logged for Chrome, but not Firefox as it uses the Mozilla NSS encryption library.)
We can prevent the problem by disabling TLS1.1 & TLS1.2 and enabling SSL2 & SSL3. As SSL2/3 have known vulnerabilities we want to resolve this issue properly.
The problem has been observed on Win7, Win8.1, Win10 and WS2012R2 machines. It's affecting all our laptop computers except one that hasn't been in the office for over a month.
Extensive googling has failed to yield anything helpful - most SSL connection issues that are discussed seem to focus on the server certificate.
The above errors suggest it being an issue with the client certificate that our browsers are sending to the servers, so I have these questions:
Do SSL2/3 have different client certificate requirements to TLS1.x?
What client certificate do browsers use (we don't have any certificates listed in the user or computer Personal stores)?
I hope there's an SSL/TLS guru out there that can assist!

No need to uninstall ESET. Open ESET > Setup > Internet Protection > edit "Web Access Protection" > expand "Web Protocols" > disable "Enable HTTPS Checking".

It appears that ESET antivirus is the culprit here. Thanks to Nicolas Rey for flagging this on a Chrome forum (refer https://productforums.google.com/forum/#!msg/chrome/WHw6ow1kGUs/MW3gt1hZEQAJ)
The rollback option that Nicolas suggested didn't help, but uninstalling and reinstalling ESET resolved the issue.

In ESET, go to Advanced setup. Then click WEB AND EMAIL and expand SSL/TLS. Click Edit next to "List of known certificates". Change access to Allow, or remove sites from here.

In ESET there is no need to disable "Enable HTTPS Checking". In Web Access Protection, click URL Management > click Edit on the address list, then add the site to the list of allowed addresses.
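The Schannel event quoted in the question reports the raw TLS alert number; the following is an added example, not code from the thread, that decodes a plaintext TLS alert record so that "fatal alert code 49" reads as the access_denied alert a server sends when it rejects the client certificate it was offered. The two sample records are constructed, not captured from the poster's network.

```python
# Added example (not part of the original thread): decode a TLS alert record.
import struct

# AlertDescription values from RFC 5246 section 7.2 plus the TLS 1.3 additions in RFC 8446
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction_RESERVED", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 109: "missing_extension", 110: "unsupported_extension",
    111: "certificate_unobtainable", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 114: "bad_certificate_hash_value",
    115: "unknown_psk_identity", 116: "certificate_required", 120: "no_application_protocol",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
RECORD_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPE_ALERT = 21


def decode_alert_record(record: bytes) -> dict:
    """Parse one plaintext TLS record and return the alert it carries.
    Raises ValueError if the record is not a well-formed alert."""
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    # Record header: ContentType(1) ProtocolVersion(2) length(2), big-endian
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError(f"not an alert record (content type {content_type})")
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert payload must be exactly 2 bytes")
    level, description = record[5], record[6]
    return {
        "version": RECORD_VERSIONS.get((major, minor), f"unknown {major}.{minor}"),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "code": description,
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
    }


def describe(record: bytes) -> str:
    a = decode_alert_record(record)
    return f"{a['version']} {a['level']} alert {a['code']} ({a['description']})"


# Constructed sample records (not captured from the poster's network):
# a TLS 1.2 server rejecting the offered client certificate (code 49 = 0x31)
SAMPLE_ACCESS_DENIED = bytes.fromhex("15 03 03 00 02 02 31")
# a TLS 1.0 handshake_failure (code 40 = 0x28), as sent when no cipher suite overlaps
SAMPLE_NO_CIPHER_OVERLAP = bytes.fromhex("15 03 01 00 02 02 28")

if __name__ == "__main__":
    for rec in (SAMPLE_ACCESS_DENIED, SAMPLE_NO_CIPHER_OVERLAP):
        print(rec.hex(), "->", describe(rec))
```

A fatal access_denied from the server means the handshake reached the certificate step and the server refused what the client presented; when the browser has no client certificate at all, the rejection points at whatever sits between browser and server (here, the antivirus HTTPS-inspection proxy) rather than at the browser's own certificate stores.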

Related

ASP.NET Core 3.0 security issue with Http2 on Chrome and Firefox

I have a few VS 2019 projects that some colleagues created and that I downloaded and attempted to run. Straight out of the box with no modification, Chrome and Firefox both complain (Edge does not.)
I am running this using Kestrel, by the way.
Chrome:
"This site can’t be reached
The webpage at https://localhost:5001/ might be temporarily down or it may have moved permanently to a new web address.
ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY"
Firefox
Your connection is not secure... blah blah...
NS_ERROR_NET_INADEQUATE_SECURITY
I have used the workaround in appsettings.json:
"Kestrel": {
  "EndpointDefaults": {
    "Protocols": "Http1"
  }
}
However, simply regressing to Http1 isn't a solution, it's just a workaround. I'm also not sure why my colleagues are not experiencing this problem, and I am not. Any ideas would be greatly appreciated.
Check your TLS setup as HTTP/2 blacklists most older, more insecure ciphers as listed in the specification and may not allow the connection to use HTTP/2 if they are used. You should configure your web server to use more modern GCM ciphers like TLS_AES_256_GCM_SHA384.
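The answer above points at the HTTP/2 cipher-suite restriction; as an added example (not code from the question or the answer), the following Python applies the rule behind RFC 7540 section 9.2.2 to IANA cipher-suite names. Every suite in the RFC's Appendix A blacklist either lacks an ephemeral (forward-secret) key exchange or uses a non-AEAD bulk cipher, so requiring both properties approximates the list; TLS 1.3 suites are all AEAD and are outside the blacklist. The rule is deliberately conservative for PSK, SRP and anonymous suites, and the server configuration in the block is constructed, not the poster's.

```python
# Added example (not from the thread): which TLS cipher suites HTTP/2 will accept.
import re

# TLS 1.3 suites (RFC 8446); all AEAD, not subject to the RFC 7540 Appendix A blacklist
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}
# TLS 1.2 suites must use an ephemeral key exchange with certificate authentication...
EPHEMERAL_KX = re.compile(r"^TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_")
# ...and an AEAD bulk cipher (GCM, CCM, ChaCha20-Poly1305)
AEAD_BULK = re.compile(
    r"_(AES_(128|256)_(GCM|CCM(_8)?)|CHACHA20_POLY1305|ARIA_(128|256)_GCM|CAMELLIA_(128|256)_GCM)(_|$)"
)


def http2_allows(suite: str) -> bool:
    """True if an HTTP/2 peer may negotiate this suite (approximation of RFC 7540 9.2.2)."""
    if suite in TLS13_SUITES:
        return True
    return bool(EPHEMERAL_KX.match(suite)) and bool(AEAD_BULK.search(suite))


def http2_blockers(suites):
    """Return the suites in a server's list that HTTP/2 clients will refuse.
    A server that prefers one of these over an allowed suite produces the
    ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY / NS_ERROR_NET_INADEQUATE_SECURITY
    errors quoted in the question."""
    return [s for s in suites if not http2_allows(s)]


# Constructed server configuration: a typical legacy default, not the poster's Kestrel setup
LEGACY_CONFIG = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",                  # static RSA and CBC: blacklisted
    "TLS_RSA_WITH_AES_256_GCM_SHA384",               # AEAD but no forward secrecy: blacklisted
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",         # forward secrecy but CBC: blacklisted
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",         # the suite RFC 7540 requires: allowed
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",  # allowed
    "TLS_AES_256_GCM_SHA384",                        # TLS 1.3 suite named in the answer: allowed
]

if __name__ == "__main__":
    for suite in LEGACY_CONFIG:
        print(f"{'ok   ' if http2_allows(suite) else 'BLOCK'} {suite}")
    print("remove or deprioritise:", http2_blockers(LEGACY_CONFIG))
```

Run it against the suite list your server (or a scanner) reports; if an allowed suite is present but the server prefers a blocked one, reordering the server's preference is enough, otherwise the blocked suites must be removed before re-enabling HTTP/2.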

Apache Tomcat 8.5 : SSL ENABLED IN IE BUT NOT IN CHROME

I have enabled SSL for a site using jdk 1.8 and Tomcat 8.5.23.
When I hit the site in IE, first time it shows:
"Can't connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner."
When I hit the site second time, the page loads and the application functionality works fine with SSL enabled.
When I hit the site in Chrome, no matter how many times, it shows:
"This site can't provide a secure connection
Abcd.xyz.com didn't accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT"
In server.xml I have added the below in the connector tag:
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
I also could not find any error in the log files.
Please help me. :(

Weblogic Administration Console being blocked by browser - SSL server probably obsolete

We are using Weblogic 8.1 and the administration console suddenly stopped and became inaccessible today.
For more than a year we used to access it, until today, as it is being blocked by these browsers:
Internet Explorer -
There is a problem with this website's security certificate. When I click continue, it's not redirecting to the admin console.
Google Chrome - SSL server probably obsolete.
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION
Firefox - Secure Connection Failed
An error occurred during a connection to 192.168.0.18:17050. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
You are running a very old version of JRockit Java equivalent to 1.4.
There is an SSL protocol mismatch between your modern browsers and Weblogic's JRockit.
My best guess is to install the JRockit Java Cryptography Extension (JCE) Unlimited Strength files into your JRockit to boost the cipher list.
nmap has a ssl-enum-ciphers script that will be able to print out the list of ciphers available before and after you install the Unlimited Strength files. See answer.
As an alternative and very ugly solution in Firefox, try this.
Enable support for 40-bit RSA encryption in the Firefox Browser:
enter 'about:config' in Browser Address bar
find/select
"security.ssl3.rsa_rc4_40_md5" set boolean to TRUE
Or this.
Open a new tab in Firefox and type “about:config” in the URL bar
You would get a warning dialog box, click Promise to be careful and move on
In the search bar, enter the following: security.tls.version
First, right-click on the setting “security.tls.version.fallback-limit” and select modify. You’re going to change the “1” to “0”. Then do the same thing with “security.tls.version.min”, changing the “1” to “0”.
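The answer suggests comparing nmap's ssl-enum-ciphers output before and after the JCE change; as an added example (not code from the answer or from nmap), the following Python parses that script's output into a per-protocol table and flags the legacy protocols and weak suites a current browser refuses, which is what produces ssl_error_no_cypher_overlap. The report text in the block is constructed to resemble ssl-enum-ciphers output for an old server and is not a scan of the poster's host.

```python
# Added example (not from the thread): parse nmap ssl-enum-ciphers output and flag weak settings.
import re

PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1\.[0-3]):$")
# e.g. "TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - C"  -> suite, key exchange, nmap grade
CIPHER_RE = re.compile(r"^(TLS_\w+)\s+\(([^)]*)\)\s+-\s+([A-F])$")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# substrings that mark a suite as broken or export-grade
WEAK_MARKERS = ("RC4", "EXPORT", "_40_", "3DES", "NULL", "MD5", "anon", "DES_CBC")


def parse_ssl_enum_ciphers(text: str) -> dict:
    """Return {protocol: [(suite, key_exchange, grade), ...]} from script output."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_").strip()  # drop nmap's script-output gutter
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current:
            result[current].append((m.group(1), m.group(2), m.group(3)))
    return result


def findings(parsed: dict) -> list:
    """Human-readable list of what a modern browser will object to."""
    notes = []
    for proto in sorted(parsed):
        if proto in LEGACY_PROTOCOLS:
            notes.append(f"{proto}: legacy protocol offered")
        for suite, kx, grade in parsed[proto]:
            weak = [w for w in WEAK_MARKERS if w in suite]
            if weak or grade in "DEF":
                reason = ", ".join(weak) if weak else "low grade"
                notes.append(f"{proto}: {suite} ({kx}) grade {grade}: {reason}")
    return notes


# Constructed report (not a real scan) shaped like ssl-enum-ciphers output
SAMPLE_NMAP = """\
PORT      STATE SERVICE
17050/tcp open  unknown
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024) - C
|       TLS_RSA_EXPORT_WITH_RC4_40_MD5 (rsa 512) - F
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024) - C
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: F
"""

if __name__ == "__main__":
    for note in findings(parse_ssl_enum_ciphers(SAMPLE_NMAP)):
        print(note)
```

Note that the Firefox workaround in the answer (re-enabling rsa_rc4_40_md5 and SSL 3.0 fallback) only makes the browser accept exactly the entries this report flags; the server-side fix is to get a TLS 1.2 line with an A-grade suite, like the last protocol block in the sample, into the real scan.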

Issue loading my site in https

Recently, I ordered an SSL certificate for my website. Prior to that, everything worked fine for me, the website was fast and I had no issue. Since the certificate has been installed by OVH... Well... Things changed... The issue is that not everybody has the same behaviour as me. When I go to "https://www.areaprog.com/" with different browsers, here is what I get:
Chrome:
"Your connection is not private
Attackers might be trying to steal your information from
www.areaprog.com (for example, passwords, messages or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID"
Firefox:
"This connection is untrusted
You have asked Firefox to connect securely to www.areaprog.com, but we
can't confirm that your connection is secure.
Technical details:
www.areaprog.com uses an invalid security certificate.
The certificate is only valid for ssl2.ovh.net
(Error code: ssl_error_bad_cert_domain)"
Internet explorer:
"The security certificate presented by this website was issued for a
different website's address.
Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server."
I asked OVH and everything is fine for them, and apparently it is also the case for other people out there (I asked around to see if I was the only one), but other people also experience the same issue...
Moreover, Firebug keeps on saying:
"This site makes use of a SHA-1 Certificate; it's recommended you use
certificates with signature algorithms that use hash functions
stronger than SHA-1"
Besides, for people who are experiencing this issue, well, the site is extremely slow. For me, a simple page takes more than 20 seconds to load...
Do some of you have the same issue as me, and does someone have an idea of what to say to OVH, who keeps telling me that everything is OK?
Thanks a lot
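All three browser messages in the question say the same thing: the certificate the server presented is valid for ssl2.ovh.net, not for www.areaprog.com. As an added example (not code from the question or from OVH), the following Python performs the hostname check the browsers apply, using the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns: DNS subjectAltName entries first, falling back to the subject CN only when there is no SAN extension, with wildcards honoured only as a complete left-most label (as Chrome does). Both certificates in the block are constructed to model the symptom and the expected fix, not the site's real certificates.

```python
# Added example (not from the thread): why a browser reports ERR_CERT_COMMON_NAME_INVALID.


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style matching: a wildcard must be the whole
    left-most label, may not match a dot, and needs at least two more labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # refuses "*" and "*.com" style wildcards
    if p_labels[0] != "*":
        return False  # partial-label wildcards such as "f*.example.com" are rejected
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names the certificate is valid for: DNS SANs, or the subject CN only when
    the certificate carries no subjectAltName at all."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn if key == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_label_match(name, hostname) for name in certificate_names(cert))


def explain(cert: dict, hostname: str) -> str:
    if hostname_matches(cert, hostname):
        return f"OK: certificate covers {hostname}"
    return (f"MISMATCH: {hostname} is not among {certificate_names(cert)}; browsers show "
            "ERR_CERT_COMMON_NAME_INVALID / ssl_error_bad_cert_domain")


# Constructed certificate modelling the symptom: the server answered with its
# default certificate (issued for ssl2.ovh.net) instead of one for the site
OVH_DEFAULT_CERT = {
    "subject": ((("commonName", "ssl2.ovh.net"),),),
    "subjectAltName": (("DNS", "ssl2.ovh.net"),),
}
# Constructed certificate showing what a correct one for the site would carry
SITE_CERT = {
    "subject": ((("commonName", "www.areaprog.com"),),),
    "subjectAltName": (("DNS", "www.areaprog.com"), ("DNS", "areaprog.com")),
}

if __name__ == "__main__":
    print(explain(OVH_DEFAULT_CERT, "www.areaprog.com"))
    print(explain(SITE_CERT, "www.areaprog.com"))
```

A server that hands out a shared default certificate to some visitors and the right one to others is usually selecting the certificate by SNI, so clients that send no server_name (or reach a different front end) get the default; that also explains why some visitors see the error and others do not.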

Local site testing with BrowserStack and self-signed certificates

I have started looking into testing our site with BrowserStack.
However, I'm having issues with live-testing (as opposed to automated testing with Selenium, which mostly works fine) a site we're developing as we're serving it with a self-signed certificate.
Manually approving the certificate doesn't bother me as much as the fact that some Ajax requests are failing (at least on IE10) due to security issues, and this makes it impossible to actually manually test the site.
An acceptable solution would be to somehow add our self-signed cert. into the list of trusted root CAs. However, I haven't found out how to upload files into the BrowserStack test environment (not sure if that's even possible, really).
Any ideas?
I contacted BrowserStack about this issue, and their formal response is:
"We currently do not support installing client certificates on the remote machines. However, this is on our list, and we’ll keep you posted."
Hopefully this issue will be resolved soon and I'll post a different answer here.
April 2021 update:
BrowserStack has shipped a toggle to trust self-signed certs.
It is available on iOS and Android devices for now.
When it happens, open the "Network" tab, and open in a new tab the request which is failing. If it is "just" a certificate issue, you would then be able to bypass the warning. Then, your request should work correctly.
When the "Cannot Verify Server Identity" dialogue pops up, click details, then 'Trust'. This will work if all calls are to the same domain as the website.