iis - Azure hosted website certificate chain (comodo) intermittently doesn't send full chain -


we host website in azure. service host has 6 instances. on service have added certificate covers site, , has authentication chain looks like:

our certificate   comodo rdaorganisation validation secure server ca (2014 - 2029)     comodo rsa certification authority (2000 - 2020)       usertrust (2000 - 2020)

we can see in browser, requests have made, chain seems present , ssl handshake can complete.

we have customer has reported having issues connecting remotely. have been using openssl try verify originates.

where knowledge breaks down in interpreting output, , wondered if can either spot difference or identify next step - either or our client.

the command run was

$ openssl s_client -capath /etc/ssl/certs/ -connect <our service uri>

the output in successful case:

connected(00000003) depth=3 c = se, o = addtrust ab, ou = addtrust external ttp network, cn = addtrust external ca root verify return:1 depth=2 c = gb, st = greater manchester, l = salford, o = comodo ca limited, cn = comodo rsa certification authority verify return:1 depth=1 c = gb, st = greater manchester, l = salford, o = comodo ca limited, cn = comodo rsa organization validation secure server ca verify return:1 depth=0 c = dk, <certificate information pertianing our company > --- certificate chain  0 s:/c=dk/<certificate information pertianing our company >    i:/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa organization validation secure server ca  1 s:/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa organization validation secure server ca    i:/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa certification authority  2 s:/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa certification authority    i:/c=se/o=addtrust ab/ou=addtrust external ttp network/cn=addtrust external ca root --- server certificate -----begin certificate----- key same between both requests -----end certificate----- subject=/c=dk/<certificate information pertianing our company > issuer=/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa organization validation secure server ca --- no client certificate ca names sent --- ssl handshake has read 5052 bytes , written 509 bytes --- new, tlsv1/sslv3, cipher ecdhe-rsa-aes256-sha384 server public key 2048 bit secure renegotiation supported compression: none expansion: none ssl-session:     protocol  : tlsv1.2     cipher    : ecdhe-rsa-aes256-sha384     session-id: <session id hidden>     session-id-ctx:     master-key: <key hidden>     key-arg   : none     psk identity: none     psk identity hint: none     srp username: none     start time: 1436543517     timeout   : 300 (sec)     verify return code: 0 (ok) ---

and in unsuccessful case:

connected(00000003) depth=1 c = gb, st = greater manchester, l = salford, o = comodo ca limited, cn = comodo rsa organization validation secure server ca verify error:num=20:unable local issuer certificate verify return:0 --- certificate chain  0 s:/c=dk/<certificate information pertianing our company >    i:/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa organization validation secure server ca  1 s:/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa organization validation secure server ca    i:/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa certification authority --- server certificate -----begin certificate----- key same between both requests -----end certificate----- subject=/c=dk/<certificate information pertianing our company > issuer=/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa organization validation secure server ca --- no client certificate ca names sent --- ssl handshake has read 3649 bytes , written 509 bytes --- new, tlsv1/sslv3, cipher ecdhe-rsa-aes256-sha384 server public key 2048 bit secure renegotiation supported compression: none expansion: none ssl-session:     protocol  : tlsv1.2     cipher    : ecdhe-rsa-aes256-sha384     session-id: <session id hidden>     session-id-ctx:     master-key: <key hidden>     key-arg   : none     psk identity: none     psk identity hint: none     srp username: none     start time: 1436543605     timeout   : 300 (sec)     verify return code: 20 (unable local issuer certificate) ---

i can see these different, can see depth fields different, (i'm unsure of means, supposing indication of how far authentication chain openssl got). can see chain seems different in successful case opposed unsuccessful case, addition of

 2 s:/c=gb/st=greater manchester/l=salford/o=comodo ca limited/cn=comodo rsa certification authority    i:/c=se/o=addtrust ab/ou=addtrust external ttp network/cn=addtrust external ca root

the question have can cause happen, server or user issue (especially bearing in mind requests users, seems work fine), , need take next steps identify issue?

thanks time :)

it turns out had our service definition , service configuration files. in them, had included certificate wanted present, not it's authentication chain.

ms support suggested try http://blogs.msdn.com/b/azuredevsupport/archive/2010/02/24/how-to-install-a-chained-ssl-certificate.aspx alternative manually configuring our server instances.

/j r


Comments

Post a Comment

Popular posts from this blog

javascript - Using jquery append to add option values into a select element not working -

i'm looking dynamically populate select element names of items stored array. for reason it's not working , i'm not sure why. html: <div class="col-md-4 col-md-offset-4"> <select class="select1"> </select> , <select class="select2"> </select> </div> note i'm using bootstrap layout. here's jquery i'm using try , populate ".select1" jquery: select: function() { $.each(state.greens, function(index, value) { $(".select1").append("<option value =' " + index + " '>" + state.greens[index].name + "</option>"); }); } note function 'select' stored within object called 'display'. state.greens name of array i'm trying access. so @ end of html page call display.select(); call function. no error messages showing in console. also, saw question: appending
Read more

Android soft keyboard reverts to default keyboard on orientation change -

i'm building android soft keyboard , can't seem fix bug - have arabic , qwerty keyboard , when rotate device on qwerty keyboard (or arabic shift), it's if program has "restarted" , becomes arabic keyboard without shift. the onsaveinstancestate(bundle savedinstancestate) not work because application not extend activity inputmethodservice . i put following in android manifest android:configchanges="keyboard|keyboardhidden|orientation" android:windowsoftinputmode="stateunchanged|adjustresize"> i tried using @override public void onconfigurationchanged(configuration newconfig) { super.onconfigurationchanged(newconfig); log.i(mydebug, "config changed " + currentkeyboard.equals(qwerty)); } however, currentkeyboard.equals(qwerty)) results false , made sure true before orientation change. any appreciated. i think applications fault. if application restarting on orientation change
Read more

jquery - javascript onscroll fade same class but with different div -

i new @ javascript , want learn new. there wrong code : why div fades @ same time. i want ask how fade different div s same class name.can me , explain me. thanks in advance. javascript: $(window).scroll(function(){ if ($( "div.fade" ).offset().top - $(window).scrolltop() <= 100){ $('.fade').addclass( "fade-in"); } else { $('.fade').removeclass("fade-in"); } }); here jsfiddle onscroll = function () { var scrolltop = $(this).scrolltop() ; $("div.fade").each(function(){ if(($(this).offset().top - scrolltop) <= 100){ $(this).toggleclass("fade-in"); } }) }
Read more