IE7 succeeded IE6 in 2006, but so many companies continued using it that in 2009 Microsoft created a "Friends don't let friends use IE6" campaign due to critical flaws affecting only IE6. But it spent many years before that imploring businesses to ditch IE6 because of its outdated security design. The company retired IE6 in 2014, 14 years after that browser shipped with Windows XP, with a final patch for IE6 in January 2016.

That's because Microsoft is well aware of how long it can take to wean users off a major version of a browser.

ServerName

Don't forget to look in the nf file in the "conf/extra/" directory (this path and file name depend on your Apache server installation), where you may find an entry for the "ServerName" parameter in the default virtual host section.

Look at your website's virtualhost section in Apache "config/". Be sure that in any section like "" you have the name of your domain in the "ServerName" parameter and (especially this last action definitively solved my problem)

In any case, if you use SSL2.0 + TLS 1.2, access to your site will crash, because they are incompatible.

2nd part to solve problem: The server config

Try different combinations of TLS enabled, but don't enable SSL to avoid problems.

Finally I tried SSL3.0 + TLS1.0 + TLS1.1 + TLS1.2 and that worked fine. Maybe in your case, you have to check only TLS 1.2.

In the same menu, "Tools -> Internet options -> Content", click the "Clear SSL state" button.

Close Internet Explorer, re-open it and try to access the web site.

Menu "Tools -> Internet options -> Advanced", in the "Security" section, uncheck SSL2.0 and SSL 3.0 and then be sure that TLS 1.0, 1.1 and 1.2 are checked, then click the "Apply" button.

with client authentication (port 843) and I have solved my problem by modifying the IE configuration and finally modifying the Apache SSL config at the "" section.

1st part to solve problem: The client config

I have experienced a similar problem using IE 11 and Apache 2.4.
Swapping in a SHA-256 [1] certificate should resolve the problem.

[1] SHA-1 would also work, but it is no longer recommended.

Therefore, I have filed an issue to the bug tracker.

While I understand the rationale, it would have been easier to troubleshoot if the error message had been more specific.

Basically, according to RFC5246, The Transport Layer Security (TLS) Protocol Version 1.2, MD5 is no longer considered a secure hash function, so schannel.dll follows the RFC and rejects the MD5 certificate chain.

Searching with the keyword md5 tls1.2 reveals this blog post, TLS 1.2 handshake failure, which describes the same problem in more detail.

If the server negotiates a TLS1.2 connection with a Windows 7 or 8 schannel.dll-using client application, and it provides a certificate chain which uses the (weak) MD5 hash algorithm, the client will abort the connection (TCP/IP FIN) upon receipt of the certificate.

Then, seemingly for no reason, IE restarts and sends a new client hello, this time using TLS 1.0, which of course fails and makes IE think that it can't connect to the website.

Could there be a bug in IE which makes it try the wrong protocol after the right protocol already has been successfully established? A bug which possibly only occurs if the server ONLY provides TLS 1.2 (which is probably quite uncommon)?

Check whether you are using an MD5 certificate or not, since Internet Explorer 9/10/11 and Edge abort the connection if the server provides a certificate chain which uses the MD5 algorithm, as mentioned at the end of this blog:

Wireshark captures show that IE in its first client hello tries TLS 1.2, shows its ciphers to the server and so on, and that the server's answer is correct, including the cipher chosen.

Firefox and Chrome in the newest versions (as per the time of this writing) perfectly connect to the websites on this server.

But Internet Explorer 11 (running under Windows 7 x64) in standard configuration is not able to connect to any of these websites.
I have configured Apache so that it only allows TLS 1.2 and only ciphers with DHE or ECDHE key exchange. Currently, I am trying to cut down the SSL configuration as far as possible to make it as secure as possible. I am running some small websites which are served by Apache / Linux.