My IIS server won't serve SSL sites to some browsers

Posted by sbleon on Server Fault See other posts from Server Fault or by sbleon
Published on 2010-07-27T21:27:00Z Indexed on 2011/01/11 16:55 UTC
Read the original article Hit count: 424

Filed under:
|
|

(Update: This is now cross-posted at http://stackoverflow.com/questions/3355000. This is the more appropriate forum, but StackOverflow gets a lot more traffic.)

I've got an IIS 6.0 server that won't serve pages over SSL to some browsers. In Webkit-based browsers on OS X 10.6, I can't load pages at all. In MSIE 8 on Windows XP SP3, I can load pages, but it will sometimes hang downloading images or sending POSTs.

Working: Firefox 3.6 (OS X + Windows) Chrome (Windows)

Partially Working: MSIE 8 (works sometimes, but hangs up, especially on POSTs)

Not Working: Chrome 5 (OS X) Safari 5 (OS X) Mobile Safari (iOS 4)

On OS X (the easiest platform for me to test on), Chrome and Firefox both negotiate the same TLS Cipher, but Chrome hangs on or after the post-negotiation handshake.

Chrome packet capture (via ssldump):

1 1  0.0485 (0.0485)  C>S  Handshake
      ClientHello
        Version 3.1 
        cipher suites
        Unknown value 0xc00a
        Unknown value 0xc009
        Unknown value 0xc007
        Unknown value 0xc008
        Unknown value 0xc013
        Unknown value 0xc014
        Unknown value 0xc011
        Unknown value 0xc012
        Unknown value 0xc004
        Unknown value 0xc005
        Unknown value 0xc002
        Unknown value 0xc003
        Unknown value 0xc00e
        Unknown value 0xc00f
        Unknown value 0xc00c
        Unknown value 0xc00d
        Unknown value 0x2f
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        Unknown value 0x35
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x32
        Unknown value 0x33
        Unknown value 0x38
        Unknown value 0x39
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.3106 (0.2620)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          bb 0e 00 00 7a 7e 07 50 5e 78 48 cf 43 5a f7 4d 
          d2 ed 72 8f ff 1d 9e 74 66 74 03 b3 bb 92 8d eb 
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
      Certificate
      ServerHelloDone
1 3  0.3196 (0.0090)  C>S  Handshake
      ClientKeyExchange
1 4  0.3197 (0.0000)  C>S  ChangeCipherSpec
1 5  0.3197 (0.0000)  C>S  Handshake
[hang, no more data transmitted]

Firefox packet capture:

1 1  0.0485 (0.0485)  C>S  Handshake
      ClientHello
        Version 3.1 
        resume [32]=
          14 03 00 00 4e 28 de aa da 7a 25 87 25 32 f3 a7 
          ae 4c 2d a0 e4 57 cc dd d7 0e d7 82 19 f7 8f b9 
        cipher suites
        Unknown value 0xff
        Unknown value 0xc00a
        Unknown value 0xc014
        Unknown value 0x88
        Unknown value 0x87
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0xc00f
        Unknown value 0xc005
        Unknown value 0x84
        Unknown value 0x35
        Unknown value 0xc007
        Unknown value 0xc009
        Unknown value 0xc011
        Unknown value 0xc013
        Unknown value 0x45
        Unknown value 0x44
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0xc00c
        Unknown value 0xc00e
        Unknown value 0xc002
        Unknown value 0xc004
        Unknown value 0x96
        Unknown value 0x41
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        Unknown value 0x2f
        Unknown value 0xc008
        Unknown value 0xc012
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0xc00d
        Unknown value 0xc003
        Unknown value 0xfeff
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compression methods
                  NULL
1 2  0.0983 (0.0497)  S>C  Handshake
      ServerHello
        Version 3.1 
        session_id[32]=
          14 03 00 00 4e 28 de aa da 7a 25 87 25 32 f3 a7 
          ae 4c 2d a0 e4 57 cc dd d7 0e d7 82 19 f7 8f b9 
        cipherSuite         TLS_RSA_WITH_RC4_128_MD5
        compressionMethod                   NULL
1 3  0.0983 (0.0000)  S>C  ChangeCipherSpec
1 4  0.0983 (0.0000)  S>C  Handshake
1 5  0.1019 (0.0035)  C>S  ChangeCipherSpec
1 6  0.1019 (0.0000)  C>S  Handshake
1 7  0.1019 (0.0000)  C>S  application_data
1 8  0.2460 (0.1440)  S>C  application_data
1 9  0.3108 (0.0648)  S>C  application_data
1 10 0.3650 (0.0542)  S>C  application_data
1 11 0.4188 (0.0537)  S>C  application_data
1 12 0.4580 (0.0392)  S>C  application_data
1 13 0.4831 (0.0251)  S>C  application_data
[etc]

Update: Here's a Wireshark capture from the server end. What's going on with those two much-delayed RST packets? Is that just IIS terminating what it perceives as a non-responsive connection?

     19 10.129450   67.249.xxx.xxx        10.100.xxx.xx         TCP      50653 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=699250189 TSER=0
     20 10.129517   10.100.xxx.xx         67.249.xxx.xxx        TCP      https > 50653 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
     21 10.168596   67.249.xxx.xxx        10.100.xxx.xx         TCP      50653 > https [ACK] Seq=1 Ack=1 Win=524280 Len=0 TSV=699250189 TSER=0
     22 10.172950   67.249.xxx.xxx        10.100.xxx.xx         TLSv1    Client Hello
     23 10.173267   10.100.xxx.xx         67.249.xxx.xxx        TCP      [TCP segment of a reassembled PDU]
     24 10.173297   10.100.xxx.xx         67.249.xxx.xxx        TCP      [TCP segment of a reassembled PDU]
     25 10.385180   67.249.xxx.xxx        10.100.xxx.xx         TCP      50653 > https [ACK] Seq=148 Ack=2897 Win=524280 Len=0 TSV=699250191 TSER=163006
     26 10.385235   10.100.xxx.xx         67.249.xxx.xxx        TLSv1    Server Hello, Certificate, Server Hello Done
     27 10.424682   67.249.xxx.xxx        10.100.xxx.xx         TCP      50653 > https [ACK] Seq=148 Ack=4215 Win=524280 Len=0 TSV=699250192 TSER=163008
     28 10.435245   67.249.xxx.xxx        10.100.xxx.xx         TLSv1    Client Key Exchange
     29 10.438522   67.249.xxx.xxx        10.100.xxx.xx         TLSv1    Change Cipher Spec
     30 10.438553   10.100.xxx.xx         67.249.xxx.xxx        TCP      https > 50653 [ACK] Seq=4215 Ack=421 Win=65115 Len=0 TSV=163008 TSER=699250192
     31 10.449036   67.249.xxx.xxx        10.100.xxx.xx         TLSv1    Encrypted Handshake Message
     32 10.580652   10.100.xxx.xx         67.249.xxx.xxx        TCP      https > 50653 [ACK] Seq=4215 Ack=458 Win=65078 Len=0 TSV=163010 TSER=699250192
   7312 57.315338   10.100.xxx.xx         67.249.xxx.xxx        TCP      https > 50644 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
  19531 142.316425  10.100.xxx.xx         67.249.xxx.xxx        TCP      https > 50653 [RST, ACK] Seq=4215 Ack=458 Win=0 Len=0

© Server Fault or respective owner

Related posts about iis

Related posts about ssl