2

We are experiencing issues with some mobile devices, such as Windows Mobile (not Phone 7) and BlackBerrys, not being able to go to an SSL website of ours. The errors returned are below on our Windows Server 2008 R2 box. Any help would be much appreciated to get this working. The only workaround is to have the mobile users install Opera/Firefox mini/mobile browsers. However, this is not ideal and not the answer I'm looking for.

Note: Using a PC/Mac/Android/iOS device works fine.

Windows Mobile -

  • Error! Unable to complete secure transaction.
  • Secure connection: fatal error (50)
  • https://mymobilewebsite.com (not our actual site)
  • We've also intermittently seen: "Secure connection: fatal error (10)"

BlackBerry -

  • Selected Server returned an error when attempting to fulfill your request.

(Note: we did follow the instructions to configure ASP.NET 2.0 for BlackBerry, but still get an error.)

Update 2011-05-25: We've found through testing (only with Windows Mobile) that if we disable 3G and go through WiFi it will connect to the website just fine. The kicker is that when we switch off WiFi and go back to 3G the website works. Again this is only for Windows Mobile.

thames
  • Where did you get your certificate from? According to [Wikipedia](http://en.wikipedia.org/wiki/Transport_Layer_Security), error 50 is "Decode error". – Lekensteyn Mar 23 '11 at 17:56
  • We have several different SSL protected websites using 2 different vendors. Certificates from both, Thawte and GeoTrust, cause the same errors. It would seem weird that a Thawte certificate would cause this error, but I'm not sure... – thames Mar 23 '11 at 21:18

2 Answers

1

The root certificates on the device are almost certainly out of date, and your SSL Cert is signed by a root CA they don't recognize. I've seen this quite a bit lately as several popular root CAs have expired in the last year or two.

Chris S
  • Does Opera mini use their own root certificate chains then? Because the Opera mini browser works on the devices that don't work with their default browser. Certificates we have issue with are both Thawte and GeoTrust. Thawte is our primary cert. – thames Mar 23 '11 at 21:21
  • Certificate path is as follows: **1)** VeriSign Class 3 Public Primary CA **2)** Thawte SGC CA **3)** mymobilewebsite.com – thames Mar 23 '11 at 21:27
  • @Thames, is the server configured with the certificate chain? – Chris S Mar 23 '11 at 22:10
  • @Chris-S, I would assume so. All 3 certificates are valid and the Identity of the website has been verified. Is there another way to tell that I'm missing? – thames Mar 24 '11 at 14:22
  • @Thames, [go to this help tool](http://www.digicert.com/help/), pop in your website. Scroll down to the list of chained certs, there must be at least two, and I've never seen less than three. Check the dates of all the certs (except your top one); if the dates are later than ~2000 then you need to have the [chain file installed](http://www.entrust.net/knowledge-base/technote.cfm?tn=8166). If the last cert in the chain has a newer date then the client has to update their list of CAs, no way around it (realistically). – Chris S Mar 24 '11 at 14:33
  • @Chris S, Ok. We've found through testing (only with Windows Mobile) that if we disable 3G and go through WiFi it will connect to the website just fine. The kicker is that when we switch off WiFi and go back to 3G the website works. Again this is only for Windows Mobile. – thames Mar 24 '11 at 14:53
  • @Chris S, the link to the digicert certificate tester came back with all green check marks. Everything is valid and a "chain" image was displayed as well between the website cert and root. – thames Mar 24 '11 at 15:06
  • @Chris S, I've run the "DigiCert Certificate Utility" and it came back with "The private key was successfully tested" and "Revocation check for certificate chain was successful". It did not find any errors. – thames Mar 24 '11 at 15:16
  • @Chris S, I've also tried http://www.sslshopper.com/index.php?q=ssl-checker.html and it also says everything is ok for the cert and the cert chain. – thames Mar 24 '11 at 16:20
  • @Thames, did you check the dates of the certs? – Chris S Mar 24 '11 at 16:49
  • @Chris S, yes. Even the GeoTrust checker says all chains are installed correctly and are not expired. https://knowledge.geotrust.com/support/knowledge-base/index?page=content&actp=CROSSLINK&id=SO9557 – thames Mar 24 '11 at 19:08
  • @Chris S, **1)** VeriSign Class 3 Public Primary CA: Valid 1996 to 2028. **2)** Thawte SGC CA: Valid 2004 to 2015. **3)** mymobilewebsite.com: Valid 2010 to 2013. – thames Mar 24 '11 at 19:11
0

If you chucked us a copy of the public cert we might be able to help more, but if not, as an addition to Chris S's post, I'd just add: be careful of intermediate certs in the chain. The full certificate chain must be present and accounted for on the device, and a lot of times the intermediates are left out.

Also, if it's just some devices and not others, it's probably not a problem with the certificate encoding.

  • Does Opera mini use their own root and intermediate certificate chains then? Because the Opera mini browser works on the devices that don't work with their default browser. Certificates we have issue with are both Thawte and GeoTrust. Thawte is our primary cert. – thames Mar 23 '11 at 21:23
  • Certificate path is as follows: **1)** VeriSign Class 3 Public Primary CA **2)** Thawte SGC CA **3)** mymobilewebsite.com – thames Mar 23 '11 at 21:27
  • ~ No, the chains are not Opera's. They may simply be faster at updating a list, but someone else published them. Your cert path from the description says Thawte are the intermediates and veri are the root publishers. Log on to the site using a mobile browser like IE on win mobile and check the cert properties. – SteveJEO Mar 24 '11 at 02:52
  • All the mobile browsers that don't work (Windows Mobile and BlackBerry) do not even display the site. All they display is the error messages indicated in the initial question. I cannot see what they see for a certificate path or certificates. There are no issues with Android, iOS, Windows Phone 7, or if they install Opera/FireFox mobile. – thames Mar 24 '11 at 14:32
  • Ok. We've found through testing (only with Windows Mobile) that if we disable 3G and go through WiFi it will connect to the website just fine. The kicker is that when we switch off WiFi and go back to 3G the website works. Again this is only for Windows Mobile. – thames Mar 24 '11 at 14:52