• Status: Solved
  • Priority: Medium
  • Security: Public

Problem with IE and apache/openssl: ssl connection hangs upon initial load

Hi,
Hope someone can help me out. Having a problem with an environment we are putting up.

Using Apache 2.22
OpenSSL 0.9.8s 4 Jan 2012
(also tried 1.0.1)

Browser types IE 9 and IE 8

For some reason upon the initial load of the website, there is a "hang", seemingly during the handshake or something.

I tried this from my personal laptop, which worked with no problem; it is
IE 8 8.0.7601 (Windows 7)

Did not work from
IE 9 9.0.8112 (Windows 7)
and
IE 8 8.0.7601 (Windows 2008)

I couldn't find any differences in browser settings between my own IE and the IE on the actual client machines (SSLv3 is checked, TLS 1 is checked).

After a lot of Googling, most people seem to find success with BrowserMatch like so:

BrowserMatch ".*MSIE [2-5].*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

BrowserMatch ".*MSIE [6-9].*" ssl-unclean-shutdown

Didn't work for me.

I also found some people playing with the SSLCipherSuite, changing
#       SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5  (default)
to
        SSLCipherSuite ALL:!ADH:!NULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2


Which also didn't work.

Unfortunately we cannot test with any other browser besides IE because the application is programmed to turn away any browsers that are not IE :(


Here is the apache error log on debug:


[Thu Jan 31 11:14:32 2013] [debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: SSLv3 read finished A
[Thu Jan 31 11:14:32 2013] [debug] ssl_engine_kernel.c(1870): OpenSSL: Handshake: done
[Thu Jan 31 11:14:32 2013] [info] Connection: Client IP: 192.168.1.241, Protocol: TLSv1, Cipher: AES128-SHA (128/128 bits)



===========THIS IS WHERE THE DELAY IS ===========================
[Thu Jan 31 11:14:47 2013] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#8f1f60 [mem: d1f5f3]
[Thu Jan 31 11:14:47 2013] [info] [client 192.168.1.241] (70014)End of file found: SSL input filter read failed.
[Thu Jan 31 11:14:47 2013] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Thu Jan 31 11:14:47 2013] [info] [client 192.168.1.241] Connection closed to child 4 with standard shutdown (server webid.refugee.gov.tr:443)

Any ideas?

Thank you!
Asked: chanreayu
 
ArneLovius commented:
Is the certificate self-signed, from a public CA, or from a private CA?
If from a public CA, have the intermediate certificates been included?
If from a private CA, is the CRL available to the client?

Have you tested with Chrome and Firefox?
 
grahamnonweiler commented:
We faced a similar problem and eventually (through trial and error) came to the below combination:


SSLProtocol -all +SSLv3
SSLHonorCipherOrder On

SSLCipherSuite RC4-SHA:HIGH:!ADH

BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0


This was on Apache 2.2.22 with OpenSSL 0.98
 
chanreayu (Author) commented:
Hi,

ArneLovius: Cert is self-signed. Getting the cert worked fine in Firefox.

Grahamnonweiler: Thanks for the suggestions. I will need to keep that documented for next time.

Our solution: In the end, through a lot of trial and error, we found that for the specific IE we were using, we did this in the browser:

Tools -> Internet Options -> Advanced

Uncheck "Check for server certificate revocation"

Thanks!
 
chanreayu (Author) commented:
We came up with the fix of changing IE settings after many hours of trial and error.
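The log excerpt in the question shows 15 seconds between the completed handshake and the client-side EOF. As an added example (not part of the thread), this Python script measures that gap per client in an Apache 2.2 mod_ssl info-level log; the function name, the 5-second threshold and the 192.168.1.50 lines are assumptions constructed here.

```python
import re
from datetime import datetime

# The 192.168.1.241 lines come from the question's log excerpt; the
# 192.168.1.50 lines are constructed to show a client that does not stall.
SAMPLE_LOG = """\
[Thu Jan 31 11:14:32 2013] [debug] ssl_engine_kernel.c(1870): OpenSSL: Handshake: done
[Thu Jan 31 11:14:32 2013] [info] Connection: Client IP: 192.168.1.241, Protocol: TLSv1, Cipher: AES128-SHA (128/128 bits)
[Thu Jan 31 11:14:40 2013] [info] Connection: Client IP: 192.168.1.50, Protocol: TLSv1, Cipher: AES128-SHA (128/128 bits)
[Thu Jan 31 11:14:40 2013] [info] [client 192.168.1.50] (70014)End of file found: SSL input filter read failed.
[Thu Jan 31 11:14:47 2013] [info] [client 192.168.1.241] (70014)End of file found: SSL input filter read failed.
"""

TS = r"\[(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\]"
# mod_ssl logs this line once the handshake has completed.
HANDSHAKE = re.compile(
    TS + r" \[info\] Connection: Client IP: (?P<ip>[\d.]+), "
    r"Protocol: (?P<proto>[^,]+), Cipher: (?P<cipher>\S+)")
# The client closed the connection while the server was waiting to read.
READ_EOF = re.compile(
    TS + r" \[info\] \[client (?P<ip>[\d.]+)\] .*SSL input filter read failed")


def parse_ts(text):
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def find_post_handshake_stalls(log_text, threshold_s=5):
    """Return clients whose connection sat idle after the handshake and then hit EOF."""
    pending = {}  # client IP -> (handshake time, protocol, cipher)
    stalls = []
    for line in log_text.splitlines():
        m = HANDSHAKE.match(line)
        if m:
            # Simplification: one in-flight connection per client IP.
            pending[m["ip"]] = (parse_ts(m["ts"]), m["proto"], m["cipher"])
            continue
        m = READ_EOF.match(line)
        if m and m["ip"] in pending:
            start, proto, cipher = pending.pop(m["ip"])
            gap = (parse_ts(m["ts"]) - start).total_seconds()
            if gap >= threshold_s:
                stalls.append({"client": m["ip"], "seconds": gap,
                               "protocol": proto, "cipher": cipher})
    return stalls


if __name__ == "__main__":
    for stall in find_post_handshake_stalls(SAMPLE_LOG):
        print(stall)
```

When the handshake completes and the gap follows it, protocol and cipher negotiation have already succeeded, so the delay is worth investigating on the client side, as the asker's eventual fix suggests.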
