SSL Issue on Windows Server 2003

Hit an interesting problem recently where certain SSL-enabled websites would not load up on a Windows Server 2003 published desktop.

The browser used was Internet Explorer 8 and it didn't give us a meaningful error message. Just a generic and thoroughly unhelpful "Internet Explorer cannot display the webpage" error.

The website our users were trying to reach was the login page for Websense Secure Email.

To troubleshoot the issue, I installed Google Chrome on an affected server and visited the same website. Chrome was a lot more helpful and it told me that the SSL certificate was "corrupt". Hmm... Curious.

I was able to visit the website without any problems on my Windows 7 machine, so I had a closer look at the certificate. On my Windows 7 machine, I could see that the Digest Algorithm was one from the SHA2 family (specifically SHA-256).

When the same fields on the certificate were viewed on the affected Windows Server 2003 machine, it displayed something else: the OID, instead of the 'sha256RSA' and 'sha256' values that my Windows 7 machine showed for the 'Signature algorithm' and 'Signature hash algorithm' fields respectively.

It was fairly evident by that point that the issue was down to a lack of support for the SHA2 family of hash algorithms on Windows Server 2003.

The Fix

A quick bit of Google-fu led me to this KB article:

However, instead of installing this update, I installed a later update (which includes a newer version of crypt32.dll):

Problem solved!