Hit an interesting problem recently where certain SSL-enabled websites would not load on a Windows Server 2003 published desktop.

The browser used was Internet Explorer 8 and it didn't give us a meaningful error message. Just a generic and thoroughly unhelpful "Internet Explorer cannot display the webpage" error.

The website our users were trying to reach was the login page for Websense Secure Email.

https://voltage-pp-0000.secure-mailcontrol.com/login

To troubleshoot the issue, I installed Google Chrome on an affected server and visited the same website. Chrome was a lot more helpful and it told me that the SSL certificate was "corrupt". Hmm... Curious.

I was able to visit the website without any problems on my Windows 7 machine so I had a closer look at the certificate. On my Windows 7 machine, I could see that the Digest Algorithm was one from the SHA2 family (specifically SHA-256).

When the same fields on the certificate were viewed on the affected Windows Server 2003 machine, they showed something else: the raw OID, instead of the 'sha256RSA' and 'sha256' that were displayed on my Windows 7 machine for the 'Signature algorithm' and 'Signature hash algorithm' fields respectively.

It was fairly evident by that point that the issue was down to lack of support for the SHA2 family of hash algorithms on Windows Server 2003.

The Fix

A quick bit of Google-fu led me to this KB article:

http://support.microsoft.com/kb/938397

However, instead of installing this update, I installed a later update (which includes a newer version of crypt32.dll):

http://support.microsoft.com/kb/2868626

Problem solved!