Problems with Edge and Explorer 11
Dany Marmur 2017-05-08 15:05:52 Registered user
Hi,
I'm using ST_2.3.1.273 together with RTC. My problem might have to do with my certificate. When these two browsers (see above) connect I get "OUTgoing fatal alert:illegal_parameter: A field in the handshake was out of range or inconsistent with other fields. This is always fatal. Extended information: Problem parsing the client hello message." in the log set up in the RTC test unit. Edge displays a page saying the site cannot be reached (Hmmm...) and IE 11 complains about local TLS settings and RC4. All other browsers (that I can test) can access the site. This only happens over HTTPS. Googling does not seem to help. Any help is greatly appreciated. Regards, /Dany
Henrick Wibell Hellström 2017-05-09 00:03:58 Registered user
Check the TLSOptions. BulkCipherARC4 should be set to prNotAllowed, unless you specifically intend to configure your server to be compatible only with old operating systems and obsolete browser versions.
See the RTC libplugins unit rtcSSecTest.pas for hints regarding which options to enable when.
Dany Marmur 2017-05-09 12:26:36 Registered user
The only way of currently doing that without modifying rtcSSecTest (AFAIK) is to have ExpectOldBrowsers set to false. This has always been the case in my projects. I have also traced along and I am positively certain that Options.BulkCipherARC4 is set to prNotAllowed.
I think I have to go ahead and install Fiddler again :( /D
Dany Marmur 2017-05-09 13:40:10 Registered user
Hello again,
This forum has a timeout and does not check if the textarea is in use. This is a re-write :(

I downloaded Fiddler and can see that Edge and Chrome send similar stuff to my RTC/ST server. A notable difference is the order of the ciphers. This is Chrome:

    [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA

and Edge has it the other way around. Edge does not accept the response and starts to downgrade until RTC/ST does not accept it anymore, and then comes the "Hmm... cannot...". So I edited the rtcSSecTest.pas file (v8.00 Q2, lines 488, 489) like so:

    Options.BulkCipherAES192 := prNotAllowed; //prAllowed;
    Options.BulkCipherAES256 := prNotAllowed; //prAllowed;

And lo and behold, now Edge and IE11 connect! This makes me suspect that the problem is in my certificate. I cannot be the first person having a site accessed using Edge? I really do not fully understand what's going on here and that feels bad. Should I be happy with my trial-and-error solution? Best regards! /Dany
Henrick Wibell Hellström 2017-05-09 23:17:21 Registered user
Do you have an SSL-TLS-FATAL log, and if so, what does it say?
You might experience problems if you have a certificate with a 1024 bit RSA key. Combined with ExpectOldBrowsers = False, this would effectively disable all cipher suites. Your certificate must have at least a 2048 bit RSA key, or an ECDSA key.
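The two mechanisms discussed above (the client's cipher-suite order seen in Fiddler, and a certificate key below the server's size floor disabling every suite) can be made concrete with a small model. The following is an added example written for this thread; it is not StreamSec Tools or RTC SDK code, and `SUITES`, `ServerPolicy` and its selection rules are assumptions made for illustration (the real server's option set and internal logic are not shown here). The sample ClientHello is constructed by `build_client_hello`, not captured from a browser.

```python
"""Toy TLS 1.2 ClientHello parser and simplified server-side suite selection.
Added illustration for the thread above, not StreamSec Tools / RTC SDK code;
SUITES, ServerPolicy and the policy rules are assumptions made for the example."""
import struct
from dataclasses import dataclass

# Subset of registered suite codes -> (name, bulk cipher, auth key type); C013/C014 are the pair from the post.
SUITES = {
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "AES128", "RSA"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "AES256", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256", "RSA"),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RC4", "RSA"),
}

class HelloParseError(ValueError): """Malformed ClientHello (what an illegal_parameter alert reports)."""
class HandshakeFailure(Exception): """No cipher suite can be selected for this client."""

@dataclass
class ClientHello:
    version: int
    cipher_suites: list
    server_name: str = ""

@dataclass
class ServerPolicy:
    """Assumed stand-in for the server's TLS options (not the real option set)."""
    cert_key_bits: int
    cert_key_type: str = "RSA"
    least_key_bits: int = 2048                                   # plays the role of LeastKeyBitSize
    allowed_bulk: frozenset = frozenset({"AES128", "AES256"})    # RC4 not allowed
    prefer_client_order: bool = True

class _Reader:  # bounds-checked cursor: any overrun is a parse error, never an exception leak
    def __init__(self, buf): self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise HelloParseError(f"truncated: need {n} bytes at offset {self.pos}")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def uint(self, n): return int.from_bytes(self.take(n), "big")
    def vector(self, length_bytes): return self.take(self.uint(length_bytes))  # <length><bytes>
    def done(self): return self.pos == len(self.buf)

def build_client_hello(cipher_suites, server_name="example.test") -> bytes:
    """Constructed sample record (not a real capture): TLS 1.2 ClientHello with SNI."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host           # one host_name entry
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                        # compression methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data: bytes) -> ClientHello:
    rec = _Reader(data)
    if rec.uint(1) != 0x16:
        raise HelloParseError("not a handshake record")
    rec.uint(2)                                                  # legacy record version, ignored
    hs = _Reader(rec.vector(2))
    if hs.uint(1) != 0x01:
        raise HelloParseError("not a ClientHello")
    body = _Reader(hs.vector(3))
    version = body.uint(2)
    body.take(32)                                                # client random
    body.vector(1)                                               # session id
    raw = body.vector(2)
    if not raw or len(raw) % 2:
        raise HelloParseError("cipher_suites length must be even and non-zero")
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    if b"\x00" not in body.vector(1):
        raise HelloParseError("client does not offer null compression")
    server_name = ""
    if not body.done():                                          # extensions block is optional
        exts = _Reader(body.vector(2))
        while not exts.done():
            etype, edata = exts.uint(2), _Reader(exts.vector(2))
            if etype == 0x0000:                                  # server_name extension
                names = _Reader(edata.vector(2))
                while not names.done():
                    ntype, name = names.uint(1), names.vector(2)
                    if ntype == 0:
                        server_name = name.decode("ascii")
    return ClientHello(version, suites, server_name)

def enabled_suites(policy: ServerPolicy) -> list:
    """Suites the server may use; an undersized certificate key disables all of them."""
    if policy.cert_key_bits < policy.least_key_bits:
        return []
    return [code for code, (_, bulk, auth) in SUITES.items()
            if bulk in policy.allowed_bulk and auth == policy.cert_key_type]

def select_suite(hello: ClientHello, policy: ServerPolicy) -> int:
    enabled = enabled_suites(policy)
    if not enabled:
        raise HandshakeFailure(f"certificate key is {policy.cert_key_bits} bits, below "
                               f"the {policy.least_key_bits}-bit floor; no suite enabled")
    first, second = ((hello.cipher_suites, enabled) if policy.prefer_client_order
                     else (enabled, hello.cipher_suites))
    for code in first:
        if code in second:
            return code
    raise HandshakeFailure("no cipher suite shared with the client")

def negotiate(hello_bytes: bytes, policy: ServerPolicy) -> str:
    """One-line verdict in the style of a server log."""
    try:
        return "selected " + SUITES[select_suite(parse_client_hello(hello_bytes), policy)][0]
    except HelloParseError as e:
        return f"fatal alert: illegal_parameter ({e})"
    except HandshakeFailure as e:
        return f"fatal alert: handshake_failure ({e})"
```

Feeding the Edge-like order `[C014, C013, ...]` to a policy with a 2048-bit key selects AES-256; restricting `allowed_bulk` to AES128 (the equivalent of the rtcSSecTest edit in the post) makes the same client land on C013; a 1024-bit key yields no enabled suite at all, regardless of what the client offers, which is the failure mode Henrick describes.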
Dany Marmur 2017-05-10 10:09:39 Registered user
Yes, the fatal log displays the message from my original post:

"OUTgoing fatal alert:illegal_parameter: A field in the handshake was out of range or inconsistent with other fields. This is always fatal. Extended information: Problem parsing the client hello message."

"You might experience problems, if you have a certificate with a 1024 bit RSA key. Combined with ExpectOldBrowsers = False, this would effectively disable all cipher suites. Your certificate must have at least a 2048 bit RSA key, or an ECDSA key."

Thank you, I will try to check on these things. Regards, /Dany
Henrick Wibell Hellström 2017-05-10 11:34:34 Registered user
Please note that if you had been using ST 4.0, logging of these kinds of issues would be slightly better. In that case you would probably also see:
"Certificate with commonname "localhost" not accepted. Status = Too small key. The public key of this certificate is smaller than LeastKeyBitSize." in the log.
Dany Marmur 2017-05-11 15:22:35 Registered user
Yes, Henrick, I have been "about" to purchase serious support / the "full ST stack", as these things are starting to trickle down through my client contacts from their bosses / boards. And I am aware that the "better" product gives a lot more goodies. However, this year has hitherto been filled with clients' personnel being on sick leave or resigning, so I've been putting out some local fires and still am as I type. It's in the pipeline; I need to check some contracts and accounts first.