
I have a question that has come up somehow in different questions but I still can't find the solution, yet.

My problem is that I'm hosting a site on Apache 2.4 on Debian with SSL, and Internet Explorer 7 on Windows XP shows

Internet Explorer cannot display the webpage

I have only ONE virtual host that uses SSL, but DIFFERENT virtual hosts that use HTTP. Here is my config for the site with SSL enabled (etc/sites-available/default-ssl is NOT linked):

<Virtualhost xx.yyy.86.193:443>
  ServerName www.my-certified-domain.de
  ServerAlias my-certified-domain.de

  DocumentRoot "/var/local/www/my-certified-domain.de/current/www"
  Alias /files "/var/local/www/my-certified-domain.de/current/files"

  CustomLog /var/log/apache2/access.my-certified-domain.de.log combined

  <Directory "/var/local/www/my-certified-domain.de/current/www">
    AllowOverride All
  </Directory>

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/www.my-certified-domain.de.crt
  SSLCertificateKeyFile /etc/ssl/private/www.my-certified-domain.de.key
  SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

  SSLCertificateChainFile /etc/apache2/ssl.crt/www.my-certified-domain.de.ca

  BrowserMatch "MSIE [2-8]" nokeepalive downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost *:80>
  ServerName www.my-certified-domain.de
  ServerAlias my-certified-domain.de

  CustomLog /var/log/apache2/access.my-certified-domain.de.log combined

  Redirect permanent / https://www.my-certified-domain.de/
</VirtualHost>

My ports.conf looks like this:

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

The output of apache2ctl -S looks like this:

xx.yyy.86.193:443      www.my-certified-domain.de (/etc/apache2/sites-enabled/020-my-certified-domain.de:1)
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server phpmyadmin.my-certified-domain.de (/etc/apache2/conf.d/phpmyadmin.conf:3)
         port 80 namevhost phpmyadmin.my-certified-domain.de (/etc/apache2/conf.d/phpmyadmin.conf:3)
         port 80 namevhost staging.my-certified-domain.de (/etc/apache2/sites-enabled/010-staging.my-certified-domain.de:1)
         port 80 namevhost testing.my-certified-domain.de (/etc/apache2/sites-enabled/015-testing.my-certified-domain.de:1)
         port 80 namevhost www.my-certified-domain.de (/etc/apache2/sites-enabled/020-my-certified-domain.de:31)

I included the solution for this question: Internet explorer cannot display the page, other browsers can, possibly htaccess / server error

And I understand the answer from this question:

How to setup Apache NameVirtualHost on SSL?

In fact, I only have one SSL certificate for the domain, and I only want to run ONE virtual host with SSL. So I just want to use the one IP for the SSL virtual host. But still (after rebooting / restarting / testing) Internet Explorer will not show the page.

When I interpret the apachectl -S output as well, I already have only one SSL host, and this should respond to the initial SSL handshake, shouldn't it?

What is wrong in this setup?

Thank you so much, Philipp

Update: It works in all other browsers. I debugged with Wireshark, and the server sends an alert to notify that the connection is closed. But I can't see the problem in the logs.

pscheit
  • So what is logged in the server's logs? Also... seriously? IE on XP is just going to keep failing, more and more badly as time passes. It is past its end of life and no longer supported. You probably shouldn't spend much time on this. – Michael Hampton Jun 14 '14 at 14:50
  • Does it work in any browser? I get `NXDOMAIN`, when I try to access it. – kasperd Jun 14 '14 at 16:47
  • It does work with all other browsers. The logs show NOTHING (I double-checked every log file and tried to increase verbosity). – pscheit Jun 15 '14 at 17:58

1 Answer


Does it work on other browsers, for example Firefox on WinXP, IE7 on Vista/7/8, IE8+, iOS, Android?

If yes, then I suspect that your cipher suite might be too restrictive/modern to allow IE7/XP. Either force your user base to upgrade their browser/OS or reconfigure your SSLCipherSuite:

See https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites

Also see this possible WinXP bug/KB hotfix: http://support.microsoft.com/kb/2541763/en-us

Maybe try:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

(found the above on https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html)

Joshua Huber
  • Changing the cipher suite does not help. I'm investigating whether installing a service pack will fix this problem. But my client has clients that are not able to upgrade ... – pscheit Jun 15 '14 at 18:26
  • Assuming your host is Internet reachable, try running Qualys SSL Labs - SSL Server Test against your server. https://www.ssllabs.com/ssltest/ Before you start the scan, be sure to check the box on that site that says "Do not show the results on the boards" if you don't want your scan published. The scan will take a minute or two, but will show the negotiation results of a wide variety of web clients. Interested to see what it says for IE7. – Joshua Huber Jun 15 '14 at 18:36
  • Result is: `IE 6 / XP No FS 1 No SNI 2 SSL 3 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) No FS 11`, so NO SNI is of course true. FS seems not to be relevant either (just a nice-to-have security feature, if I get it right). Anyway, this is a very good test, thanks for the link. – pscheit Jun 16 '14 at 19:59
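The SSL Labs line in the last comment says IE 6 / XP sends no SNI and can only negotiate TLS_RSA_WITH_3DES_EDE_CBC_SHA. The following is an added example, not part of the original thread: it expands the two SSLCipherSuite strings quoted above with the local OpenSSL (so you can see whether that one suite survives the server's cipher string and security level) and includes a probe that handshakes the way such a client does, so the server's alert shows up in the error text instead of only in Wireshark. `probe_legacy` takes a hostname of your own; none is assumed here.

```python
import socket
import ssl

# Cipher strings quoted in this thread: the asker's config and the answer's suggestion.
ASKER_CIPHERS = "HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM"
ANSWER_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
    "DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
)
# OpenSSL name of TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), the IE 6 / XP suite SSL Labs reported.
LEGACY_3DES = "DES-CBC3-SHA"

def expand(cipher_string):
    """Suite names the local OpenSSL enables for an SSLCipherSuite-style string."""
    # Apache can only offer what its OpenSSL build and security level still allow.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing at all matches
    # TLS 1.3 suites are always listed; a TLS 1.0 client never sees them.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]

def report(cipher_string):
    """What a pre-TLS-1.2, no-SNI client could find in this server-side list."""
    names = expand(cipher_string)
    return {
        "count": len(names),
        "offers_3des": LEGACY_3DES in names,
        "anonymous": any(n.startswith(("ADH-", "AECDH-")) for n in names),
        "rc4_or_md5": any("RC4" in n or n.endswith("-MD5") for n in names),
    }

def probe_legacy(host, port=443, timeout=5):
    """Handshake like a pre-SNI client (no server_name extension, TLS 1.0 only).
    Returns (version, cipher), or the OpenSSL error text naming the server's alert.
    Certificate checks are off: this is a diagnostic, not a real client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers(LEGACY_3DES + ":@SECLEVEL=0")  # let OpenSSL offer 3DES at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:  # no server_hostname -> no SNI
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError) as err:
        return str(err)
```

`report(ASKER_CIPHERS)["offers_3des"]` being False on the server's own OpenSSL would explain the alert the asker saw in Wireshark; `probe_legacy("<your host>")` reproduces the SSL Labs simulation from the command line.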