NetTalk Central

Author Topic: EV SSL Certificates and IE8  (Read 4268 times)

Rob Mikkelsen

EV SSL Certificates and IE8
« on: July 29, 2012, 03:00:50 PM »
I am installing an EV SSL certificate on one of my sites.  All looks good (green bar included) with NetTalk 6.38 for Opera, Firefox, Safari and Chrome, but Internet Explorer 8 does not get far enough into the handshaking process to receive its first page (using the auto-redirect to SSL).  I have tried not auto-directing to SSL but all SSL pages create the same condition.

I have checked my internet settings and find that everything appears correct.  I have also tried using IE8 on a couple different computers with the same result.

One thing:  I am overriding the DNS of the site by entering the URL into my Hosts file.  I have tried using a URL that is assigned to my development computer but, while I am expecting a certificate error, I get nothing.

What could it be (except that it is Internet Explorer 8!) that could be preventing the certificate exchange in IE8 that does not affect any other browsers?

Thanks!

Rob

Bruce

Re: EV SSL Certificates and IE8
« Reply #1 on: July 29, 2012, 09:10:44 PM »
Does IE 8 give you any clues as to what might be wrong? Any kind of error message maybe?

Are you testing IE8 on the same machine as the other browsers?

Cheers
Bruce

Rob Mikkelsen

Re: EV SSL Certificates and IE8
« Reply #2 on: July 30, 2012, 02:53:09 PM »
Bruce,

I turned on error reporting in the webserver and tried it again.  Nothing.  No error thrown by the server.  The only error that I see is when IE8 eventually times out - I get a "DNS Error - Server cannot be found" error.  I have tried connecting via the local IP address and the result is the same.

I am using the same machine for all five browsers.  Only IE8 is being stubborn.  I have connected using other browsers from other computers (using the URL below) but IE8 just isn't playing nice there, either.

I will try to leave the program up for a few days.  If you (or anyone) would like to give it a try, point your Internet Explorer browser to the following URL:

https://www.neinonline.com

Feel free to try it with other browsers as well.

The certificate is registered to trailerlocators.com so it should complain.  If you get a certificate error using the URL above, you will have achieved a better success than I have.

As I mentioned before, all other browsers I have tried have had no problem connecting to the server.

My IE8 connects to other EV SSL sites such as E*Trade just fine.

The server is built with Clarion 8.0.8973 and NetTalk 6.38, running on Windows 7 Professional on an old Pentium 4 XPS computer (I think it's about time for an upgrade) with 4G RAM.

Thanks!

Rob

Rob Mikkelsen

Re: EV SSL Certificates and IE8
« Reply #3 on: July 30, 2012, 05:53:42 PM »
I found that both IE8 on my secondary computer and IE9 on the host computer are unable to connect.  I checked the security settings on IE9 and enabled all protocols.  Still no joy.

kevin plummer

Re: EV SSL Certificates and IE8
« Reply #4 on: July 30, 2012, 06:16:13 PM »
I get the attached image error using Firefox. If you have accepted the security warning I don't think you will get it again. So maybe IE is the only one really working?

[attachment deleted by admin]

Bruce

Re: EV SSL Certificates and IE8
« Reply #5 on: July 30, 2012, 10:14:08 PM »
>> The certificate is registered to trailerlocators.com so it should complain.  If you get a certificate error using the URL above, you will have achieved a better success than I have.

Running in IE (I've got IE9, but put it into IE8 mode, although I don't know if that will help), I got the attached error. Then I ran it from an XP machine, with IE8, and got the same error. Clicked on "Continue". At which point I connected to your site fine (in both IE 8 and 9).

Which got me thinking. Perhaps your IE8 is not able to connect because it can't find a cipher in common with the server. This thread is worth reading:

http://www.nettalkcentral.com/index.php?option=com_smf&Itemid=36&topic=1023.0

I'm thinking what you can do is turn on a really low cipher, then try again and see if it connects. If it does then I guess the next step is to find the highest security cipher that your IE8 supports.

Cheers
Bruce



[attachment deleted by admin]
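
The "no cipher in common" hypothesis above can be checked from a packet capture by reading the cipher suites in the browser's ClientHello and intersecting them with what the server allows. This is an added example, not part of the original thread or of NetTalk; the function names are hypothetical, and the suite lists and sample ClientHello are constructed rather than captured from a real browser.

```python
import struct

# Small subset of IANA TLS cipher suite code points, for readable output.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def offered_suites(record):
    """Return the cipher suite code points offered in a TLS ClientHello record."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    pos = 4 + 2 + 32            # handshake header, client_version, random
    pos += 1 + body[pos]        # session_id (length-prefixed)
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack_from(f"!{n // 2}H", body, pos))

def common_suites(record, server_allowed):
    """Suites both sides support, in the server's listed order.
    An empty result means the handshake fails before any certificate is sent."""
    offered = set(offered_suites(record))
    return [SUITE_NAMES.get(s, hex(s)) for s in server_allowed if s in offered]

def build_client_hello(suites):
    """Constructed sample: a minimal TLS 1.0 ClientHello offering `suites`."""
    hello = struct.pack("!H", 0x0301) + bytes(32) + b"\x00"
    hello += struct.pack("!H", 2 * len(suites))
    hello += struct.pack(f"!{len(suites)}H", *suites)
    hello += b"\x01\x00"        # compression_methods: null only
    msg = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(msg)) + msg

# Constructed offer (RC4 and 3DES only), not captured from a real browser.
SAMPLE_HELLO = build_client_hello([0x0004, 0x0005, 0x000A])

if __name__ == "__main__":
    print("AES-only server:", common_suites(SAMPLE_HELLO, [0x0035, 0x002F]))
    print("RC4 allowed:    ", common_suites(SAMPLE_HELLO, [0x0035, 0x0005, 0x0004]))
```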

Johan de Klerk

Re: EV SSL Certificates and IE8
« Reply #6 on: July 30, 2012, 10:20:28 PM »
Hi Rob,

Tried it on XP machine with IE8 and got the same certificate error screen as Bruce.
Clicked on "Continue" and it took me to your site.

Regards

Johan de Klerk
Clarion 10, NT 11.57

Rob Mikkelsen

Re: EV SSL Certificates and IE8
« Reply #7 on: July 31, 2012, 06:35:17 AM »
Good point regarding the cipher, Bruce.  We had to reduce it to work with our government computers that are running IE8.  I thought that unrestricted computers were not encumbered by those problems.  I will try "dumbing it down" to see if I can make it work.  You have been saying for years how lame Internet Explorer is - I am starting to believe you.

Johan, I do find it interesting that you were able to connect with IE8 on an XP machine.  I have a similar configuration on one computer and had zero luck connecting.  I will have to check the accepted ciphers on that.

Thanks, all!  I will post my results here.

Rob

Rob Mikkelsen

Re: EV SSL Certificates and IE8
« Reply #8 on: July 31, 2012, 02:03:46 PM »
I don't know why I didn't think of the trauma the last time I did this for my day job!  Rather than systematically step down through the levels of security, I took the easy way out and copied the cipher that finally worked for the restricted FAA computers:

    Self.SSLMethod = NET:SSLMethodSSLv23
    Self.SSLCertificateOptions.CiphersAllowed = 'RC4:!COMPLEMENTOFDEFAULT'

Now I get a good TLS1 connection using IE8 or IE9.  While it may not be the most secure cipher on the planet, it answers the mail so I can continue forward.

Thanks, all!  Maybe one day Microsoft will bring Internet Explorer into the 21st century.

Rob

Bruce

Re: EV SSL Certificates and IE8
« Reply #9 on: July 31, 2012, 10:45:13 PM »
>> Maybe one day Microsoft will bring Internet Explorer into the 21st century.

They did - it's called IE9, and indeed IE10. I might not be an IE fan but you can't blame MS for users using old versions of the browser.

Cheers
Bruce

Rob Mikkelsen

Re: EV SSL Certificates and IE8
« Reply #10 on: August 01, 2012, 03:31:35 AM »
Actually, IE9 had the same problem.  Perhaps IE10 finally got it right...