SSL Server Not Found Issue with Internet Explorer 6.2x and Safari

Mindwatering Incorporated

Author: Tripp W Black

Created: 01/02/2009 at 09:09 PM


Category:
Domino Server Issues Troubleshooting
Web/HTTP

Issue:
Internet Explorer and Apple Safari cannot authenticate with Apache or Lotus Domino servers running 128-bit SSL keys. Firefox displays the SSL-protected web page just fine.

More:
Internet Explorer can bring up pages in "regular" HTTP mode (port 80), but cannot via SSL (port 443). The error message is an erroneous Server Not Found / DNS error.
Safari also fails to bring up the web page, but its error is more specific: it simply says it cannot authenticate with the server.

The real problem is that for a site to be VISA compliant it must be SSL v3 only. What the administrator did in Domino or Apache was set the server to SSL v3 only, or SSL v3 with an SSL v3-only handshake. The good news is the site did pass the certification test. :-) The bad news is that you just lost the users of two pretty popular browsers: IE 6 and Safari. In our testing, it appears that Internet Explorer and Safari cannot do SSL 3 only, or SSL 3 only with an SSL 3-only handshake. These are, of course, the exact settings which were needed to pass a couple of the VISA "safe-site" tests.

Solutions:

1. Convince all your customers to use Firefox 2 or 3 instead (unfortunately, not usually a viable option). We tested with Firefox 2.00.20 and Firefox 3.

2. Change the web servers to allow SSL v3 with an SSL v2 handshake. This will fix your new problem, but basically resets you back to where you started -- you will have a VISA compliance audit service unhappy with you. They will make you pull that cute little "safe" site logo and pronounce you "unsafe". The audit company is right: it is more secure to use SSL version 3 than to start off with a version 2 handshake. However, you can at least make a little money again - and yes, the little browser lock still works in the web browser to say that 128-bit encryption is being used.

More notes:
If you are not suffering from an SSL v3 / v2 scenario, you might want to check the browser version. IE 5 and IE 6 before SP1 (or without the "high encryption" package) could not do SSL v3. If this is an older computer, upgrade it to a later IE 6 or IE 7 (or better yet, Firefox or Safari). If you still cannot access the site, check your security settings (Menu --> Tools --> Internet Options --> Advanced tab) and verify that you have SSL 3, SSL 2, and TLS 1 (assuming you want TLS 1 enabled) support enabled.

If that still doesn't fix your IE 6 web browser, you can reset its libraries (DLLs) by "re-registering" them:
Softpub.dll
Wintrust.dll
Initpki.dll
Dssenh.dll
Rsaenh.dll
Gpkcsp.dll
Sccbase.dll
Slbcsp.dll
Cryptdlg.dll

To re-register these files, follow these steps:

1. Type each of the following commands, and then click OK
(copy and paste each one into the Run command field, or run them as individual commands in a command prompt):

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll

2. Click OK when you receive the message that says DllRegisterServer in FileName succeeded.

3. Repeat for each command line listed above.

I also haven't tried this with IE7. Although this has worked in the past, I've seen more workstations where the only way to fix that "integrated browser" was a system restore -- reformat and reinstall of XP.

A few people have reported that even though the Windows Firewall or Norton Utilities were allowing Internet Explorer to use port 443 ("connect to the Internet"), the issue was fixed by turning off the firewall. If this is the case, I would advise most users not to run their Windows machines w/o their Firewall or NAV running. Instead, work to fix the Windows Firewall or Norton Utilities.

In addition, Lotus Domino 8.x (at the time of this posting) has a bug where you may have only V3 enabled, but it will still ALLOW a V2 connection itself. Although something definitely did get turned off by making the SSL version 3 change (as IE and Safari don't work), it won't pass the certification test since it still answers the V2 "phone call".
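The certification scanners decide the question above by sending an SSLv2-format CLIENT-HELLO and seeing whether the server answers it. The following script is an added example, not part of this article or of Domino, that does the same check against your own server so you can confirm the "V3 only" setting actually took effect before the audit runs; the host name and port are command-line assumptions, and the challenge bytes are constructed.

```python
import socket
import struct
import sys

# SSLv2 handshake message types (SSL 2.0 specification).
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04

# Two SSLv2 cipher specs, 3 bytes each: RC4_128_WITH_MD5 and DES_192_EDE3_CBC_WITH_MD5.
SSL2_CIPHER_SPECS = (b"\x01\x00\x80", b"\x07\x00\xc0")


def build_ssl2_client_hello(version=0x0300, challenge=b"\x00" * 16):
    """Build an SSLv2-format CLIENT-HELLO record (constructed, fixed challenge)."""
    body = struct.pack(">BHHHH", SSL2_MT_CLIENT_HELLO, version,
                       3 * len(SSL2_CIPHER_SPECS), 0, len(challenge))
    body += b"".join(SSL2_CIPHER_SPECS) + challenge
    # Two-byte record header: high bit set means no padding, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data):
    """Say how the server answered the v2 hello.
    'sslv2'     - an SSLv2 SERVER-HELLO came back: the server still speaks v2.
    'sslv3_tls' - an SSLv3/TLS record (usually an alert) came back: v2 refused.
    'none'      - nothing came back (connection closed or timed out).
    'unknown'   - something else (e.g. plain HTTP on the port).
    """
    if len(data) < 3:
        return "none"
    if data[0] & 0x80 and data[2] == SSL2_MT_SERVER_HELLO:
        return "sslv2"
    if data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "sslv3_tls"
    return "unknown"


def probe_sslv2(host, port=443, timeout=5.0):
    """Send the v2 hello to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl2_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # assumed: your own server
    print(host, "->", probe_sslv2(host, int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of "sslv2" means the server is still taking the V2 "phone call" the article describes; "sslv3_tls" or "none" is what a correctly V3-only server returns.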
