
With a certain web site, a certain client certificate works fine with Firefox, but not with IE or Edge (all on Windows 10, as both IE and Edge behave the same, I'll use the term "IE/Edge" from now on).

The error shown in IE/Edge is (as usual) pretty vague:

Can’t connect securely to this page

This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

IE/Edge using another client certificate (from a different CA) connects without error to this same website.

Details:

  • server is old (WebLogic 10.3.3, Java 1.6): does not support SHA-2 certificates!
  • nonworking certificate is from this CA (SIGEN-CA), old SHA-1 format
  • the client certificate is old format (SHA-1)
  • old root certificate was also SHA-1, but was later revoked and a new SHA-256 certificate was issued (with the same private key)

Any idea how to make IE/Edge also work in this scenario? (or if it can be solved by changes on the server side)

David Balažic
  • It seems IE/Edge sends the sha2 root certificate along with the client certificate (while Firefox does it differently) and this sha2 certificate confuses the Weblogic server. Is there a way to confirm and then change this behavior? – David Balažic Jun 03 '20 at 11:57
  • https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4010323 Sounds like IE/Edge have been updated to ban SHA1 certificate since 2017. You have to get a new SHA2 client certificate. – Lex Li Jun 03 '20 at 13:54
  • @LexLi The same client certificate works with other sites, as mentioned in the question. Only this combination is problematic. – David Balažic Jun 03 '20 at 14:12
  • What kind of symptoms can be observed from TLS handshake packets? Tools like Wireshark should show enough hints. Compare the working/failed cases, and the clue should be clear. – Lex Li Jun 03 '20 at 14:16
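
The comments suggest comparing the TLS handshakes of the working and failing cases, and the suspected difference is which certificates the browser puts in its Certificate message and how each is signed. The following is an added example (not code from the question or its commenters) that takes the body of a TLS 1.2 Certificate handshake message, as it can be exported from a Wireshark capture after the 4-byte handshake header, splits it into DER certificates, and reports the signature algorithm of each one. The two sample messages are constructed inline with structurally valid but cryptographically meaningless certificates: a SHA-1-signed leaf alone (the Firefox-style case) and the same leaf followed by a SHA-256-signed root (the suspected IE/Edge-style case). Assumed names and the sample certificate contents are the author's own.

```python
"""Compare the certificate chains sent in two TLS 1.2 Certificate messages.

Added worked example (not from the original question). Only the outer X.509
framing of the sample certificates is real; their contents are constructed.
"""

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode DER OID content octets to dotted-decimal (first arc assumed < 3)."""
    parts, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def cert_signature_oid(cert_der):
    """Return the OID in the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(body, 0)       # skip tbsCertificate
    tag, alg, _ = read_tlv(body, pos)      # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed signatureAlgorithm")
    return decode_oid(oid)


def parse_certificate_message(body):
    """Split a TLS 1.2 Certificate body (RFC 5246 7.4.2) into DER certs."""
    total = int.from_bytes(body[:3], "big")
    pos, end, certs = 3, 3 + total, []
    while pos < end:
        n = int.from_bytes(body[pos:pos + 3], "big")
        certs.append(body[pos + 3:pos + 3 + n])
        pos += 3 + n
    return certs


def summarize_chain(body):
    """Return [(index, oid, name, is_sha1)] for every certificate in the body."""
    out = []
    for i, der_cert in enumerate(parse_certificate_message(body)):
        oid = cert_signature_oid(der_cert)
        out.append((i, oid, SIG_ALG_NAMES.get(oid, "unknown"), oid in SHA1_OIDS))
    return out


def chain_contains_sha2(body):
    """True if any certificate in the message is signed with a non-SHA-1 algorithm."""
    return any(not is_sha1 for _, _, _, is_sha1 in summarize_chain(body))


# --- constructed sample data below; DER encoders are only needed to build it ---

def der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted-decimal OID as DER content octets."""
    arcs = [int(p) for p in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid, subject):
    """Structurally valid, cryptographically meaningless certificate (sample only)."""
    tbs = der(0x30, der(0x0C, subject.encode()) + der(0x04, b"\x00" * 200))
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))


def certificate_message(certs):
    """Frame DER certificates as a TLS 1.2 Certificate handshake body."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries


LEAF = fake_cert("1.2.840.113549.1.1.5", "CN=client (sample)")     # SHA-1 signed leaf
ROOT = fake_cert("1.2.840.113549.1.1.11", "CN=root (sample)")      # reissued SHA-256 root
FIREFOX_STYLE = certificate_message([LEAF])        # leaf only
IE_EDGE_STYLE = certificate_message([LEAF, ROOT])  # leaf plus root, as suspected

if __name__ == "__main__":
    for label, body in (("firefox-style", FIREFOX_STYLE), ("ie-edge-style", IE_EDGE_STYLE)):
        print(label, "contains SHA-2 signed cert:", chain_contains_sha2(body))
        for i, oid, name, is_sha1 in summarize_chain(body):
            print(f"  cert[{i}] {oid} ({name}) sha1={is_sha1}")
```

Run against real captures, the per-certificate list makes the difference between the two browsers explicit: if the failing handshake carries a SHA-256-signed root that the working one does not, that is the server-side compatibility problem to address (for example by ensuring the server does not choke on additional chain certificates), rather than the client certificate itself. The DER parser only reads the outer framing and the signature AlgorithmIdentifier, so it works on any certificate regardless of extensions.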
