Re: SSL blues
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/12/05
- Next message: David Wang [Msft]: "Re: Ftp-should we encrypt?"
- Previous message: David Wang [Msft]: "Re: IIS6 Network Service Identity - when needed?"
- In reply to: Rory Clark: "Re: SSL blues"
- Next in thread: Rory Clark: "Re: SSL blues"
- Reply: Rory Clark: "Re: SSL blues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 11 Feb 2005 23:26:11 -0800
1. Are you running in IIS5 Compatibility Mode
2. Are you running any custom ISAPI Filters (I notice WebTrends)
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Rory Clark" <rory@online.stopped-motion.com> wrote in message news:%23z7XOJIEFHA.3416@TK2MSFTNGP09.phx.gbl...

Thanks for getting back to me, here are the verification results:

1) Saw an entry in the log file:
2005-02-11 21:25:54 W3SVC603546932 ZOOWEB2 66.114.146.8 GET / - 443 - 206.191.145.22 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) WEBTRENDS_ID=66.114.146.26-2824828656.29656464;+ASP.NET_SessionId=vk5a2jexs05b3h455ijiejja - www.stopped-motion.com 200 2 0 490 15

2) The only entry I found for port 443 was this one. I've never seen an IP address of 0.0.0.0 except when a NIC had nothing bound to it. Is this normal?
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 3548

3) I'm not familiar with IPListenList, so that would be a "No, I haven't configured it in the past."

4) The web server isn't behind a firewall and the log file shows a status 200 was returned for the request on port 443.

And, just for grins and giggles, I tried hitting the page from the local box and it too returned the "Cannot find server or DNS error". Just trying out all possibilities, if I go to https://66.114.146.8, I get prompted with a certificate warning (telling me of a mismatched name) and click "Yes" to it, I get the "Cannot find server or DNS error" as well.

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message news:O%23jCZWCEFHA.3824@TK2MSFTNGP10.phx.gbl...
> Usually, once SSLDiag says your server side configuration looks good and it
> could communicate, "Cannot find server or DNS error" indicates DNS sort of
> issues outside of IIS control.
>
> Please verify:
> 1. If you do not see any success/error corresponding to your SSL requests in
> W3SVC and HTTP Error Logs (subdirs under %SYSTEMROOT%\System32\LogFiles ),
> then the request isn't getting to IIS.
> 2. Make sure that something is listening on port 443. netstat -ano should
> tell you really fast
> 3. If you've configured IPListenList in the past, now is the time to revise
> them since you said you're taking control...
> 4. Start looking at firewalls or your ISP blocking ports.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Rory Clark" <rory@online.stopped-motion.com> wrote in message
> news:OiM$Q59DFHA.3888@TK2MSFTNGP09.phx.gbl...
> I'm trying to set up SSL on my web site (http://www.stopped-motion.com) and
> I can't seem to get it to work. The machine is running Win2k3 with IIS6 and
> the site is authored in ASP.Net and C#. This is a web server with multiple
> domains sitting on it as virtual servers through the use of host headers.
>
> I got the certificate from my certificate authority and followed their
> instructions for installing via the Certificate Wizard. No problems. I
> fired up IE to verify that everything worked and got the dreaded "Cannot
> find server or DNS error" message. As a note, and this may be important or
> not, I could hit the site through HTTP just fine. HTTPS was the only one
> being problematic.
>
> Originally, this domain used host header names for its bindings and I
> remembered reading somewhere that host headers don't work with SSL because
> the host header is part of the encrypted data. With that in hand, I went to
> my ISP and got another IP address to bind to the NIC. Next stop on the way
> was to update DNS records to point to the new IP.
>
> In the meantime, I edited my HOSTS to force the resolution of the DNS name
> to the new IP for testing. When I hit the page, I got the same error as
> before. If I hit F5 a lot a lot, I confirmed that IE was pinging the right
> address.
>
> I then went through every other website on the box and set the IP bindings
> to bind to the old IP. This website has 3 identities (new IP + p80, old IP
> + p80 + stopped-motion.com, and old IP + p80 + www.stopped-motion.com) and 1
> SSL identity (new IP + p443). I still get the error.
>
> When I run SSL Diag, this is the output for the server:
> System time: Fri, 11 Feb 2005 00:29:47 GMT
> ModuleFileName: C:\Program Files\IIS Resources\SSLDiag\SSLDiag.exe
> OS: Windows 2003
> IIS6 - World Wide Web Publishing (W3SVC) service is installed
>
> [ HKLM\System\CurrentControlSet\Services\HTTPFilter ]
> ImagePath = C:\WINNT\system32\inetsrv\inetinfo.exe
> Parameters\CertChainCacheOnlyUrlRetrieval = True(default)
> strmfilt.dll loaded into process 3228 (inetinfo.exe)
>
> [ SChannel Info ]
> ServerCacheEntries = 0
> ServerActiveEntries = 0
> ServerHandshakes = 16
> ServerReconnects = 9
> CacheSize = 10000
>
> And for the site:
> [ W3SVC/603546932 ]
> ServerComment = stopped-motion.com
> ServerAutoStart = True
> ServerState = Server started
> #Impersonated server account
> SSLCertHash = 30 76 f5 61 e5 c7 d6 ce 3a 5c 6a 59 3b fa 7a 70 10 e4 52 13
> SSLStoreName = MY
> #CertName = www.stopped-motion.com
> #You have a private key that corresponds to this certificate
> #ContainerName='663bb2512faa871f2869b67babfc8cdc_0c8010a7-032a-4341-a40f-0e16d51a9919'
> #ProvName='Microsoft RSA SChannel Cryptographic Provider'
> ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE
> #Subject: C=US, O=www.stopped-motion.com,
> OU=https://services.choicepoint.net/get.jsp?GT83597166, OU=See
> www.freessl.com/cps (c)04, OU=Domain Control Validated - StarterSSL(TM),
> CN=www.stopped-motion.com
> #Issuer: C=US, S=UT, L=Salt Lake City, O=The USERTRUST Network,
> OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
> #Validity: From 2/9/2005 6:06:56 PM To 2/10/2007 6:06:56 PM
> SecureBindings = 66.114.146.8:443:
>
> When I simulate the handshake in SSLDiag, I get this...
>
> System time: Fri, 11 Feb 2005 02:04:15 GMT
> Connecting to 66.114.146.8:443
> Connected
> Handshake: 78 bytes sent
> Handshake: 1142 bytes received
> Handshake: 182 bytes sent
> Handshake: 43 bytes received
> Handshake succeeded
> Verifying server certificate, it might take a while...
> Server certificate name: www.stopped-motion.com
> Server certificate subject: C=US, O=www.stopped-motion.com,
> OU=https://services.choicepoint.net/get.jsp?GT83597166, OU=See
> www.freessl.com/cps (c)04, OU=Domain Control Validated - StarterSSL(TM),
> CN=www.stopped-motion.com
> Server certificate issuer: C=US, S=UT, L=Salt Lake City, O=The USERTRUST
> Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
> Server certificate validity: From 2/9/2005 6:06:56 PM To 2/10/2007 6:06:56 PM
> HTTPS request:
> GET / HTTP/1.0
> User-Agent: SSLDiag
> Accept:*/*
> HTTPS: 72 bytes of encrypted data sent
> HTTPS: server disconnected
> Final handshake: 23 bytes sent successfully
>
> And everything looks like it worked well enough.
>
> So I'm a little on the frustrated side of things with this and I'm looking
> to see if anyone can provide insight as to what the problem is. If more
> information is required about the box, feel free to ask and I'll go get it.
>
> Thanks!
> Rory
>
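Added example, not code from the thread or from Microsoft: a small Python triage script that applies the two checks David Wang asks for (port-443 entries in the W3SVC log with their status and byte counts, and a port-443 listener in `netstat -ano` output) and turns the combination into the same decision the reply walks through. The `#Fields:` header is an assumption, since the log line quoted above is shown without one; the field list here is reconstructed to fit that line's 21 columns. The second log record and the netstat rows are constructed sample input, not captures from the server in the thread.

```python
"""Triage an IIS 6 HTTPS binding: did the request reach IIS, and is anything
listening on 443? Added example; sample inputs are constructed."""
import re
from typing import Dict, List

# Constructed W3C Extended log. The excerpt quoted in the thread carries no
# #Fields header; this one is an assumption chosen to fit its 21 columns.
W3SVC_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-02-11 21:00:00
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-win32-status sc-bytes cs-bytes time-taken
2005-02-11 21:20:10 W3SVC603546932 ZOOWEB2 66.114.146.8 GET / - 80 - 206.191.145.22 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) - - www.stopped-motion.com 200 0 4120 380 31
2005-02-11 21:25:54 W3SVC603546932 ZOOWEB2 66.114.146.8 GET / - 443 - 206.191.145.22 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) ASP.NET_SessionId=example - www.stopped-motion.com 200 2 0 490 15
"""

# Constructed `netstat -ano` output. 0.0.0.0:443 is http.sys listening on
# every local address, which is the default when IPListenList is not set.
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       3548
  TCP    66.114.146.8:139       0.0.0.0:0              LISTENING       4
  UDP    66.114.146.8:137       *:*                                    4
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C Extended Log Format: a '#Fields:' directive names the columns,
    other '#' lines are metadata, values are space separated with '+' standing
    in for spaces and '-' for empty values."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(tokens)}: {line[:40]}")
        records.append(dict(zip(fields, tokens)))
    return records


_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listeners(netstat_text: str) -> List[Dict[str, object]]:
    """Pick the TCP LISTENING rows out of `netstat -ano` output."""
    out: List[Dict[str, object]] = []
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            addr, port, pid = m.groups()
            out.append({"addr": addr, "port": int(port), "pid": int(pid)})
    return out


def triage(log_text: str, netstat_text: str, port: int = 443) -> Dict[str, object]:
    """Combine both checks into one verdict, in the order the reply suggests."""
    hits = [r for r in parse_w3c_log(log_text) if r["s-port"] == str(port)]
    listeners = [l for l in parse_listeners(netstat_text) if l["port"] == port]
    result: Dict[str, object] = {
        "listener": bool(listeners),
        # 0.0.0.0 / [::] means http.sys bound the wildcard address, not "nothing bound"
        "wildcard": any(l["addr"] in ("0.0.0.0", "[::]") for l in listeners),
        "pids": sorted({l["pid"] for l in listeners}),
        "reached_iis": bool(hits),
        "responses": [(h["sc-status"], h["sc-win32-status"], h["sc-bytes"]) for h in hits],
    }
    if not listeners:
        result["verdict"] = "no listener: check the SSL binding, the HTTP SSL (HTTPFilter) service and IPListenList"
    elif not hits:
        result["verdict"] = "listener up but nothing logged: requests are not reaching IIS (DNS, firewall, ISP)"
    elif any(h["sc-bytes"] == "0" for h in hits):
        result["verdict"] = "request reached IIS but 0 bytes went back: the fault is inside IIS, not the network"
    else:
        result["verdict"] = "requests reached IIS and were answered"
    return result


if __name__ == "__main__":
    for key, value in triage(W3SVC_LOG, NETSTAT_ANO).items():
        print(f"{key}: {value}")
```

On the constructed input this reports a wildcard listener owned by PID 3548 and a logged port-443 request that got status 200 with 0 bytes sent, so the verdict moves the search inside IIS rather than to DNS or firewalls. That is the same narrowing the thread performs: the listener answers the 0.0.0.0 question (it is http.sys on all addresses, normal unless IPListenList restricts it), and a request that appears in the W3SVC log has already passed the network.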