IIS Server Security - SSL service terminates connection after Client Hello

mac9

2007-01-11, 7:28 pm

I'm installing a trusted certificate on one of our sister companies' IIS
Server for Outlook Web Access. The certificate is installed fine, but the
website over SSL will not come up. After doing a packet sniff, I saw that
the client successfully connects to the server over 443, but when it tries to
set up the SSL connection, the IIS server terminates the connection.

I ran a netstat and verified IIS was indeed the service listening on port
443. All of the certificate chains are trusted on the server. The HTTP SSL
service is running. Most importantly, NOTHING is being logged! I can't find
anything in either the IIS logs or the event logs.

Any thoughts?
David Wang

2007-01-21, 1:25 am

Are you sure your https:// requests are actually arriving at your IIS
server?

Rest assured, errors involving are all logged, assuming they arrive at
this server.

Connection-related errors (like failing to connect, dropped
connections, timeout, etc) as well as request-related errors like "file
not found", "access denied", "forbidden" will never show up in the
Event Log. What shows up in the Event Log are "failed to start
website", "failed to start application pool". And incorrect
configuration? Could show up anywhere -- depends on where the
misconfigured value is subsequently used and fails.

http://blogs.msdn.com/david.wang/ar...leshooting.aspx


First step to troubleshooting SSL issues on IIS is to run SSLDiag,
which can be found in IIS Diagnostics Toolkit (tools generally
recommended for all IIS servers):
http://www.microsoft.com/downloads/...&DisplayLang=en


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




mac9

2007-01-22, 7:20 pm

Thank you, the SSLDiag found the issue. The administrator originally
imported the web certificate into their user store and then tried to move the
certificate to the local computer store. Of course, the private key did not
make the transition so the website could not respond. However, IIS should
probably make some report of the error. In IIS the certificate was displayed
as valid but the server just didn't respond to an SSL Hello.

Anyway, I gave them another certificate, and we're all happy campers.

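A check for the root cause reported in this thread (a server certificate sitting in the local computer store without its private key), written as an added example that is not from either poster or from SSLDiag. It assumes Windows PowerShell 3.0 or later and that it is run by the account that performed the original import, so that the current user store is the one the key was left in.

```powershell
# Added example: audit certificate stores for the failure described in this thread.
# Lists every certificate in the machine's Personal store, flags those with no
# private key, and checks whether the same certificate (matched by thumbprint)
# still exists WITH its key in the current user's Personal store.

$machineStore = 'Cert:\LocalMachine\My'
$userStore    = 'Cert:\CurrentUser\My'

# Index the current user's certificates by thumbprint for the cross-check.
$userCerts = @{}
Get-ChildItem -Path $userStore | ForEach-Object { $userCerts[$_.Thumbprint] = $_ }

$report = foreach ($cert in Get-ChildItem -Path $machineStore) {
    $twin = $userCerts[$cert.Thumbprint]   # $null when not present in the user store

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        NotAfter           = $cert.NotAfter
        HasPrivateKey      = $cert.HasPrivateKey
        # True when the user store holds the same certificate with a key:
        # the pattern left by importing into the user store and then
        # copying only the certificate to the machine store.
        KeyLeftInUserStore = ($null -ne $twin) -and $twin.HasPrivateKey
    }
}

$report | Sort-Object HasPrivateKey | Format-Table -AutoSize

# Certificates without a key cannot be used by the server to answer a handshake.
$broken = @($report | Where-Object { -not $_.HasPrivateKey })
if ($broken.Count -gt 0) {
    Write-Warning "$($broken.Count) certificate(s) in $machineStore have no private key."
    $broken | Where-Object { $_.KeyLeftInUserStore } | ForEach-Object {
        Write-Warning "Thumbprint $($_.Thumbprint): the private key is still in $userStore."
    }
}
```

HasPrivateKey only reports that a key is associated with the certificate; it does not confirm that the service account can read the key, so a certificate that passes this check can still fail for permission reasons.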


Copyright 2003 - 2008 webservertalk.com