SSL blues (IIS Server Security newsgroup archive, February 2005)
Rory Clark 2005-02-10, 8:48 pm
I'm trying to set up SSL on my web site (http://www.stopped-motion.com) and
I can't seem to get it to work. The machine is running Win2k3 with IIS6 and
the site is authored in ASP.Net and C#. This is a web server with multiple
domains sitting on it as virtual servers through the use of host headers.
I got the certificate from my certificate authority and followed their
instructions for installing via the Certificate Wizard. No problems. I
fired up IE to verify that everything worked and got the dreaded "Cannot
find server or DNS error" message. As a note, and this may be important or
not, I could hit the site through HTTP just fine. HTTPS was the only one
being problematic.
Originally, this domain used host header names for its bindings and I
remembered reading somewhere that host headers don't work with SSL because
the host header is part of the encrypted data. With that in hand, I went to
my ISP and got another IP address to bind to the NIC. Next stop on the way
was to update DNS records to point to the new IP.
In the meantime, I edited my HOSTS to force the resolution of the DNS name
to the new IP for testing. When I hit the page, I got the same error as
before. If I hit F5 a lot, I confirmed that IE was pinging the right
address.
I then went through every other website on the box and set the IP bindings
to bind to the old IP. This website has 3 identities (new IP + p80, old IP
+ p80 + stopped-motion.com, and old IP + p80 + www.stopped-motion.com) and 1
SSL identity (new IP + p443). I still get the error.
When I run SSL Diag, this is the output for the server:
System time: Fri, 11 Feb 2005 00:29:47 GMT
ModuleFileName: C:\Program Files\IIS Resources\SSLDiag\SSLDiag.exe
OS: Windows 2003
IIS6 - World Wide Web Publishing (W3SVC) service is installed
[ HKLM\System\CurrentControlSet\Services\HTTPFilter ]
ImagePath = C:\WINNT\system32\inetsrv\inetinfo.exe
Parameters\CertChainCacheOnlyUrlRetrieval = True(default)
strmfilt.dll loaded into process 3228 (inetinfo.exe)
[ SChannel Info ]
ServerCacheEntries = 0
ServerActiveEntries = 0
ServerHandshakes = 16
ServerReconnects = 9
CacheSize = 10000
And for the site:
[ W3SVC/603546932 ]
ServerComment = stopped-motion.com
ServerAutoStart = True
ServerState = Server started
#Impersonated server account
SSLCertHash = 30 76 f5 61 e5 c7 d6 ce 3a 5c 6a 59 3b fa 7a 70 10 e4 52 13
SSLStoreName = MY
#CertName = www.stopped-motion.com
#You have a private key that corresponds to this certificate
#ContainerName='663bb2512faa871f2869b67babfc8cdc_0c8010a7-032a-4341-a40f-0e16d51a9919'
#ProvName='Microsoft RSA SChannel Cryptographic Provider'
ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
#Subject: C=US, O=www.stopped-motion.com,
OU=https://services.choicepoint.net/get.jsp?GT83597166, OU=See
www.freessl.com/cps (c)04, OU=Domain Control Validated - StarterSSL(TM),
CN=www.stopped-motion.com
#Issuer: C=US, S=UT, L=Salt Lake City, O=The USERTRUST Network,
OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
#Validity: From 2/9/2005 6:06:56 PM To 2/10/2007 6:06:56 PM
SecureBindings = 66.114.146.8:443:
When I simulate the handshake in SSLDiag, I get this...
System time: Fri, 11 Feb 2005 02:04:15 GMT
Connecting to 66.114.146.8:443
Connected
Handshake: 78 bytes sent
Handshake: 1142 bytes received
Handshake: 182 bytes sent
Handshake: 43 bytes received
Handshake succeeded
Verifying server certificate, it might take a while...
Server certificate name: www.stopped-motion.com
Server certificate subject: C=US, O=www.stopped-motion.com,
OU=https://services.choicepoint.net/get.jsp?GT83597166, OU=See
www.freessl.com/cps (c)04, OU=Domain Control Validated - StarterSSL(TM),
CN=www.stopped-motion.com
Server certificate issuer: C=US, S=UT, L=Salt Lake City, O=The USERTRUST
Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
Server certificate validity: From 2/9/2005 6:06:56 PM To 2/10/2007 6:06:56 PM
HTTPS request:
GET / HTTP/1.0
User-Agent: SSLDiag
Accept:*/*
HTTPS: 72 bytes of encrypted data sent
HTTPS: server disconnected
Final handshake: 23 bytes sent successfully
And everything looks like it worked well enough.
So I'm a little on the frustrated side of things with this and I'm looking
to see if anyone can provide insight as to what the problem is. If more
information is required about the box, feel free to ask and I'll go get it.
Thanks!
Rory
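The stage-by-stage check that SSLDiag's handshake simulation performs above (connect, complete the TLS handshake, send a GET, read the reply), as an added example in Python. This is not SSLDiag's code and not part of the original post; the host and port come from the command line, and the two listener helpers are constructed stand-ins so the script can exercise its own failure paths offline. The stage at which the probe stops separates "nothing listening or port blocked" from "binding or certificate problem" from the symptom in this thread, where the handshake completes and the request goes out but the server disconnects without answering.

```python
"""Stage-by-stage HTTPS probe, modelled on SSLDiag's handshake simulation.

Added example for this thread; not SSLDiag and not Microsoft code. The
listener helpers at the bottom are constructed stand-ins for offline checks.
"""
import socket
import ssl
import threading

REQUEST = b"GET / HTTP/1.0\r\nHost: %s\r\nUser-Agent: probe\r\nAccept: */*\r\n\r\n"


def probe_https(host, port=443, server_hostname=None, timeout=5.0, verify=True):
    """Connect, complete the TLS handshake, send one GET and read the reply.

    Returns a dict whose 'stage' is the last stage reached (connect,
    handshake, request, response) and whose 'ok' says whether it succeeded.
    """
    name = server_hostname or host
    result = {"stage": "connect", "ok": False, "error": None,
              "cert_subject": None, "status_line": None}
    ctx = ssl.create_default_context()
    if not verify:  # the equivalent of clicking through a name-mismatch warning
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = str(exc)
        return result
    with raw:
        result["stage"] = "handshake"
        try:
            tls = ctx.wrap_socket(raw, server_hostname=name)
        except (ssl.SSLError, OSError) as exc:
            result["error"] = str(exc)
            return result
        with tls:
            cert = tls.getpeercert()  # empty dict when verification is off
            if cert:
                result["cert_subject"] = dict(rdn[0] for rdn in cert["subject"])
            result["stage"] = "request"
            try:
                tls.sendall(REQUEST % name.encode("ascii"))
                result["stage"] = "response"
                data = tls.recv(4096)
            except (ssl.SSLError, OSError) as exc:
                result["error"] = str(exc)
                return result
    if not data:  # TLS and the request worked, but the server just hung up
        result["error"] = "server closed the connection without sending a response"
        return result
    result["ok"] = True
    result["status_line"] = data.split(b"\r\n", 1)[0].decode("latin-1")
    return result


def interpret(result):
    """Map the failing stage to where to look next."""
    if result["ok"]:
        return "HTTPS works end to end: %s" % result["status_line"]
    hints = {
        "connect": "TCP connection not accepted: check the listener (netstat -ano) "
                   "and any firewall or ISP port block",
        "handshake": "TCP is open but TLS failed: check the site's SSL binding "
                     "and the certificate/private key",
        "request": "TLS is up but the request could not be written",
        "response": "TLS and the request succeeded but no HTTP reply came back: "
                    "look at the server side (W3SVC logs, filters, worker process)",
    }
    return "%s (%s)" % (hints[result["stage"]], result["error"])


def start_closing_listener():
    """Constructed stand-in for a port where something listens but does not
    speak TLS: accepts one connection and closes it. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """Constructed: a loopback port nothing listens on, for the connect path."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else start_closing_listener()
    r = probe_https(host, port, verify=False)
    print(r["stage"], r["ok"], interpret(r))
```

Run it as `python probe.py www.example.test 443` against a real site; with no arguments it probes its own closing listener and reports a handshake failure. A result of stage `response` with `ok` false is the pattern in this thread: the TLS layer is fine and the fault sits behind it.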
David Wang [Msft] 2005-02-11, 7:59 am
Usually, once SSLDiag says your server side configuration looks good and it
could communicate, "Cannot find server or DNS error" indicates DNS sort of
issues outside of IIS control.
Please verify:
1. If you do not see any success/error corresponding to your SSL requests in
W3SVC and HTTP Error Logs (subdirs under %SYSTEMROOT%\System32\LogFiles ),
then the request isn't getting to IIS.
2. Make sure that something is listening on port 443. netstat -ano should
tell you really fast
3. If you've configured IPListenList in the past, now is the time to revise
them since you said you're taking control...
4. Start looking at firewalls or your ISP blocking ports.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Rory Clark 2005-02-11, 6:00 pm
Thanks for getting back to me, here are the verification results:
1) Saw an entry in the log file:
2005-02-11 21:25:54 W3SVC603546932 ZOOWEB2 66.114.146.8 GET / - 443 -
206.191.145.22 HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
WEBTRENDS_ID=66.114.146.26-2824828656.29656464;+ASP.NET_SessionId=vk5a2jexs05b3h455ijiejja
- www.stopped-motion.com 200 2 0 490 15
2) The only entry I found for port 443 was this one. I've never seen an IP
address of 0.0.0.0 except when a NIC had nothing bound to it. Is this
normal? TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 3548
3) I'm not familiar with IPListenList, so that would be a "No, I haven't
configured it in the past."
4) The web server isn't behind a firewall and the log file shows a status
200 was returned for the request on port 443.
And, just for grins and giggles, I tried hitting the page from the local box
and it too returned the "Cannot find server or DNS error". Just trying out
all possibilities, if I go to https://66.114.146.8, I get prompted with a
certificate warning (telling me of a mismatched name) and click "Yes" to it,
I get the "Cannot find server or DNS error" as well.
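David's first two checks (look for the SSL requests in the W3SVC logs; confirm with `netstat -ano` that something listens on 443), as an added example in Python that is not IIS tooling and not part of either post. The W3C log sample and its `#Fields` directive are constructed for the example; a real log file's own `#Fields` line decides the column order, which is why the parser reads it rather than assuming positions. The netstat excerpt is also constructed; a local address of 0.0.0.0 in it means the listener is bound to every local address.

```python
"""Find the port-443 requests in an IIS W3C log and the process listening on 443.

Added example for this thread, not IIS or Microsoft tooling. The log sample,
its #Fields directive and the netstat sample are constructed for this example.
"""

# Constructed W3SVC log. IIS writes a #Fields directive at the top of each
# file; the order below is an assumption, a real file's directive overrides it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-02-11 21:25:54
#Fields: date time s-sitename s-ip cs-method cs-uri-stem s-port c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status
2005-02-11 21:25:54 W3SVC603546932 66.114.146.8 GET / 443 206.191.145.22 Mozilla/4.0+(compatible;+MSIE+6.0) www.stopped-motion.com 200 0 0
2005-02-11 21:26:10 W3SVC603546932 66.114.146.8 GET /checkout.aspx 443 206.191.145.22 Mozilla/4.0+(compatible;+MSIE+6.0) www.stopped-motion.com 500 0 0
2005-02-11 21:26:31 W3SVC603546932 66.114.146.8 GET /checkout.aspx 80 206.191.145.22 Mozilla/4.0+(compatible;+MSIE+6.0) www.stopped-motion.com 403 4 5
"""

# Constructed `netstat -ano` excerpt: Proto, Local Address, Foreign Address, State, PID.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3548
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       3548
  TCP    66.114.146.8:443       206.191.145.22:1122    ESTABLISHED     3548
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive.

    IIS writes a space inside a value (e.g. the User-Agent) as '+', so a plain
    split on spaces is correct and the '+' is turned back into a space here.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log entry before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("entry has %d fields, directive names %d: %r"
                             % (len(values), len(fields), line))
        yield {name: value.replace("+", " ") for name, value in zip(fields, values)}


def ssl_port_requests(text, port="443"):
    """Entries that reached IIS on the SSL port: (time, method, uri, host, status.substatus).

    If this comes back empty while clients report errors, the requests never
    reached IIS and the problem is in front of it (listener, firewall, DNS).
    """
    return [(e["time"], e["cs-method"], e["cs-uri-stem"], e["cs-host"],
             e["sc-status"] + "." + e.get("sc-substatus", "0"))
            for e in parse_w3c(text) if e.get("s-port") == port]


def failed_requests(text):
    """Entries with a 4xx/5xx status, keeping IIS's substatus (403.4 = SSL required)."""
    return [(e["time"], e["s-port"], e["cs-uri-stem"],
             e["sc-status"] + "." + e.get("sc-substatus", "0"))
            for e in parse_w3c(text) if e["sc-status"][0] in "45"]


def listeners_on(netstat_output, port):
    """(local address, pid) for every TCP socket LISTENING on `port`.

    A local address of 0.0.0.0 means the socket is bound to all local
    addresses; it is the normal state for an HTTP.sys listener with no
    IPListenList configured, not a sign that nothing is bound.
    """
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, _, local_port = parts[1].rpartition(":")
            if local_port == str(port):
                found.append((addr, int(parts[4])))
    return found


if __name__ == "__main__":
    for row in ssl_port_requests(SAMPLE_LOG):
        print("443:", row)
    for row in failed_requests(SAMPLE_LOG):
        print("failed:", row)
    print("listening on 443:", listeners_on(NETSTAT_SAMPLE, 443))
```

Point `parse_w3c` at the contents of a file under `%SYSTEMROOT%\System32\LogFiles\W3SVC<siteid>\` and the same two functions apply; the substatus column is what distinguishes a plain 403 from 403.4 (SSL required).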
David Wang [Msft] 2005-02-12, 2:47 am
1. Are you running in IIS5 Compatibility Mode?
2. Are you running any custom ISAPI Filters (I notice WebTrends)?
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Rory Clark 2005-02-13, 5:50 pm
I didn't see an IIS5 compatibility mode, but I did find "Isolation mode: Run
WWW service in IIS 5.0 isolation mode" and it is checked.
I have the ASP.NET_1.1.4322.573, fpexe.dll.
I have removed the Web Trends filter as I'm not using Web Trends anymore.
For grins and giggles, after removing the filter, I tried hitting the secure
site again, and again, no dice. Not one to give up easily, I bounced IIS
and tried again. This time it worked.
Though I'm curious as to what about that filter was giving me the problems.
Thanks for the ideas and leading me through this.
Rory
David Wang [Msft] 2005-02-13, 8:47 pm
Ok, so you were running in IIS5 Compatibility Mode, and you had a global
ISAPI Filter for Web Trends enabled.
This is a known issue in IIS6 where you are running in IIS5 Compatibility
Mode, is making a request over SSL, and you have an ISAPI Filter that
listened on SF_NOTIFY_SEND_RAW_DATA but not SF_NOTIFY_READ_RAW_DATA -- such
as Web Trends, which was using that event to parse every one of your
outbound requests, attaching its cookie onto them, and draining your
response rate.
Resolutions include:
1. Contacting Microsoft PSS for a QFE that fixes this issue (if you wanted
to use this filter and stay in IIS5 mode)
2. Stop using the ISAPI Filter (you chose this)
3. Switching to IIS6 native worker process isolation mode (i.e. Under the
Service tab, make sure the IIS5 checkbox is unchecked)
I personally do not see you running anything that *requires* IIS5
Compatibility Mode, so I would suggest you upgrade to IIS6 native worker
process isolation mode. You get better SSL performance and reliability, and
ASP.Net continues to work (though its configuration is slightly different
now due to it using IIS6 process model instead of its own).
The reason that removing Web Trends filter worked *after* you restarted IIS
is because global ISAPI Filters are unloaded only by restarting IIS (site
ISAPI Filters stop functioning immediately after you remove them in UI) --
several (not all) global properties tend to have this sort of behavior where
they need an IIS restart to take effect -- ISAPI Filter changes are one of them.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//