My IIS server won't serve SSL sites to some browsers
- by sbleon
(Update: This is now cross-posted at http://stackoverflow.com/questions/3355000. This is the more appropriate forum, but StackOverflow gets a lot more traffic.)
I've got an IIS 6.0 server that won't serve pages over SSL to some browsers. In Webkit-based browsers on OS X 10.6, I can't load pages at all. In MSIE 8 on Windows XP SP3, I can load pages, but it will sometimes hang downloading images or sending POSTs.
Working:
Firefox 3.6 (OS X + Windows)
Chrome (Windows)
Partially Working:
MSIE 8 (works sometimes, but hangs up, especially on POSTs)
Not Working:
Chrome 5 (OS X)
Safari 5 (OS X)
Mobile Safari (iOS 4)
On OS X (the easiest platform for me to test on), Chrome and Firefox both negotiate the same TLS Cipher, but Chrome hangs on or after the post-negotiation handshake.
Chrome packet capture (via ssldump):
1 1 0.0485 (0.0485) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0xc00a
Unknown value 0xc009
Unknown value 0xc007
Unknown value 0xc008
Unknown value 0xc013
Unknown value 0xc014
Unknown value 0xc011
Unknown value 0xc012
Unknown value 0xc004
Unknown value 0xc005
Unknown value 0xc002
Unknown value 0xc003
Unknown value 0xc00e
Unknown value 0xc00f
Unknown value 0xc00c
Unknown value 0xc00d
Unknown value 0x2f
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Unknown value 0x35
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0x32
Unknown value 0x33
Unknown value 0x38
Unknown value 0x39
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
1 2 0.3106 (0.2620) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
bb 0e 00 00 7a 7e 07 50 5e 78 48 cf 43 5a f7 4d
d2 ed 72 8f ff 1d 9e 74 66 74 03 b3 bb 92 8d eb
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
Certificate
ServerHelloDone
1 3 0.3196 (0.0090) C>S Handshake
ClientKeyExchange
1 4 0.3197 (0.0000) C>S ChangeCipherSpec
1 5 0.3197 (0.0000) C>S Handshake
[hang, no more data transmitted]
Firefox packet capture:
1 1 0.0485 (0.0485) C>S Handshake
ClientHello
Version 3.1
resume [32]=
14 03 00 00 4e 28 de aa da 7a 25 87 25 32 f3 a7
ae 4c 2d a0 e4 57 cc dd d7 0e d7 82 19 f7 8f b9
cipher suites
Unknown value 0xff
Unknown value 0xc00a
Unknown value 0xc014
Unknown value 0x88
Unknown value 0x87
Unknown value 0x39
Unknown value 0x38
Unknown value 0xc00f
Unknown value 0xc005
Unknown value 0x84
Unknown value 0x35
Unknown value 0xc007
Unknown value 0xc009
Unknown value 0xc011
Unknown value 0xc013
Unknown value 0x45
Unknown value 0x44
Unknown value 0x33
Unknown value 0x32
Unknown value 0xc00c
Unknown value 0xc00e
Unknown value 0xc002
Unknown value 0xc004
Unknown value 0x96
Unknown value 0x41
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
Unknown value 0x2f
Unknown value 0xc008
Unknown value 0xc012
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0xc00d
Unknown value 0xc003
Unknown value 0xfeff
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
NULL
1 2 0.0983 (0.0497) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
14 03 00 00 4e 28 de aa da 7a 25 87 25 32 f3 a7
ae 4c 2d a0 e4 57 cc dd d7 0e d7 82 19 f7 8f b9
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod NULL
1 3 0.0983 (0.0000) S>C ChangeCipherSpec
1 4 0.0983 (0.0000) S>C Handshake
1 5 0.1019 (0.0035) C>S ChangeCipherSpec
1 6 0.1019 (0.0000) C>S Handshake
1 7 0.1019 (0.0000) C>S application_data
1 8 0.2460 (0.1440) S>C application_data
1 9 0.3108 (0.0648) S>C application_data
1 10 0.3650 (0.0542) S>C application_data
1 11 0.4188 (0.0537) S>C application_data
1 12 0.4580 (0.0392) S>C application_data
1 13 0.4831 (0.0251) S>C application_data
[etc]
Update: Here's a Wireshark capture from the server end. What's going on with those two much-delayed RST packets? Is that just IIS terminating what it perceives as a non-responsive connection?
19 10.129450 67.249.xxx.xxx 10.100.xxx.xx TCP 50653 > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=3 TSV=699250189 TSER=0
20 10.129517 10.100.xxx.xx 67.249.xxx.xxx TCP https > 50653 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
21 10.168596 67.249.xxx.xxx 10.100.xxx.xx TCP 50653 > https [ACK] Seq=1 Ack=1 Win=524280 Len=0 TSV=699250189 TSER=0
22 10.172950 67.249.xxx.xxx 10.100.xxx.xx TLSv1 Client Hello
23 10.173267 10.100.xxx.xx 67.249.xxx.xxx TCP [TCP segment of a reassembled PDU]
24 10.173297 10.100.xxx.xx 67.249.xxx.xxx TCP [TCP segment of a reassembled PDU]
25 10.385180 67.249.xxx.xxx 10.100.xxx.xx TCP 50653 > https [ACK] Seq=148 Ack=2897 Win=524280 Len=0 TSV=699250191 TSER=163006
26 10.385235 10.100.xxx.xx 67.249.xxx.xxx TLSv1 Server Hello, Certificate, Server Hello Done
27 10.424682 67.249.xxx.xxx 10.100.xxx.xx TCP 50653 > https [ACK] Seq=148 Ack=4215 Win=524280 Len=0 TSV=699250192 TSER=163008
28 10.435245 67.249.xxx.xxx 10.100.xxx.xx TLSv1 Client Key Exchange
29 10.438522 67.249.xxx.xxx 10.100.xxx.xx TLSv1 Change Cipher Spec
30 10.438553 10.100.xxx.xx 67.249.xxx.xxx TCP https > 50653 [ACK] Seq=4215 Ack=421 Win=65115 Len=0 TSV=163008 TSER=699250192
31 10.449036 67.249.xxx.xxx 10.100.xxx.xx TLSv1 Encrypted Handshake Message
32 10.580652 10.100.xxx.xx 67.249.xxx.xxx TCP https > 50653 [ACK] Seq=4215 Ack=458 Win=65078 Len=0 TSV=163010 TSER=699250192
7312 57.315338 10.100.xxx.xx 67.249.xxx.xxx TCP https > 50644 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
19531 142.316425 10.100.xxx.xx 67.249.xxx.xxx TCP https > 50653 [RST, ACK] Seq=4215 Ack=458 Win=0 Len=0
