
Is there any known bug or cause for an IIS server to just stop serving SSL overnight? The certificate has not been changed for some time and is still valid. Same certificate works on other identically configured servers.

It's listening on TCP Port 443 but cannot establish a connection on that port. There were no patches installed until after the fact, in an attempt to fix this issue.

[Screenshot: packet capture]

Craig
    Define "stop serving". Do you mean that there's no longer a listener on TCP port 443? Is it answering TCP connections but not completing an SSL handshake? – Evan Anderson Nov 24 '14 at 21:24
  • It's listening on TCP 443 but cannot complete the SSL handshake. – Craig Nov 24 '14 at 21:28
  • @Craig 1. Restarting the Server and restarting the IIS does any good? 2. Anything in the event log? (You might see some SChannel errors). 3. Any new GPO? 4. Also, the following link makes a few general suggestions, maybe one can help: http://www.iis.net/learn/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate – EliadTech Nov 27 '14 at 20:36
  • @EliadTech 1) no 2) no 3) no 4) The screen shot is from a TCP dump and SSL diag doesn't provide anything useful. – Craig Dec 01 '14 at 17:22
  • We've also removed and re-added the cert. The same cert is in use on multiple other IIS servers with no issue. We would just rebuild them but there are dozens of sites on these servers. – Craig Dec 01 '14 at 17:32
  • @Craig Use this site https://www.ssllabs.com/index.html to run a test, maybe it'll reveal something. – EliadTech Dec 01 '14 at 17:43
  • @EliadTech We already tried that as well, for various reasons, a public check tool won't work for us. – Craig Dec 01 '14 at 18:28
  • @Craig Well, then Wireshark is next... – EliadTech Dec 01 '14 at 20:40
  • @EliadTech the image in the question is wireshark. – Colyn1337 Dec 01 '14 at 21:07
  • Right, didn't notice. Anyway, can you temporarily replace the site with regular default one and see what happens? – EliadTech Dec 01 '14 at 22:23
  • Is it a 1024-bit certificate ? – yagmoth555 Dec 02 '14 at 16:21
  • We've tried various things of that nature, it appears to be something with the server itself. – Craig Dec 02 '14 at 20:21
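
The comments above turn on one distinction: is the server refusing TCP, accepting TCP but never completing a TLS handshake, or completing the handshake with a certificate the client then rejects? The following is an added example, not code from the question or from any of the commenters, that reports each of those stages separately from a client. The host name is an assumed input; the validation callback deliberately records the client's policy result instead of aborting, so a handshake failure and a certificate-trust failure show up as different fields.

```powershell
# Added example (not from the original question or its comments): a TLS probe
# that reports each stage separately, so "listening on 443 but no handshake"
# can be told apart from "handshake completes but the client rejects the cert".
# Assumed inputs: a host name and port supplied by the caller.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        HostName           = $HostName
        Port               = $Port
        TcpConnected       = $false
        HandshakeCompleted = $false
        Protocol           = $null
        ServerCertSubject  = $null
        PolicyErrors       = $null   # what client-side validation reported, if the handshake got that far
        Error              = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Stage 1: TCP. A timeout or refusal here means there is no usable listener.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Error = 'TCP connect timed out'
            return [pscustomobject]$result
        }
        $client.EndConnect($async)
        $result.TcpConnected = $true

        # Stage 2: TLS. The callback records the validation result and returns
        # $true, so a server that drops the handshake (nothing bound to the port
        # in HTTP.sys) is reported differently from a certificate the client
        # would not trust. $result is a hashtable, so the closure mutates it in place.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $result.PolicyErrors      = $sslPolicyErrors.ToString()
            $result.ServerCertSubject = $certificate.Subject
            return $true
        }.GetNewClosure())

        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.ReadTimeout  = $TimeoutMs
        $ssl.WriteTimeout = $TimeoutMs
        $ssl.AuthenticateAsClient($HostName)
        $result.HandshakeCompleted = $true
        $result.Protocol = $ssl.SslProtocol.ToString()
        $ssl.Close()
    } catch {
        # SocketException (refused), IOException (connection reset after ClientHello)
        # and AuthenticationException all land here; the stage flags say how far it got.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

# Usage (host name is a placeholder):
# Test-TlsEndpoint -HostName 'web01.example.internal' | Format-List
```

Reading the output: `TcpConnected` true with `HandshakeCompleted` false is the symptom the question describes and points at the server side (HTTP.sys has nothing to offer for that binding); `HandshakeCompleted` true with `PolicyErrors` other than `None` means the server is fine and the client's validation is what fails, which is the scenario the second answer on this page is about. Run it from several clients against the broken server and against one of the identically configured working servers and compare the rows.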

2 Answers

3

Turns out this was a registry entry that was somehow removed. I can provide some details and I'm sure there will be questions but I won't be able to answer all of them without going into large detail about our environment.

Regardless, here is an article detailing the fix:

http://blogs.msdn.com/b/kaushal/archive/2012/09/04/server-name-indication-sni-in-iis-8-windows-server-2012.aspx

Craig
  • Was it specifically something under the `HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo` key that was missing? – Signal15 Dec 02 '14 at 21:47
  • Yes. There was a significant portion missing from the registry, this was there prior to a few weeks ago. – Craig Dec 02 '14 at 21:49
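
Since the root cause in this answer was a missing portion of the HTTP.sys SSL binding registry data, a check that compares what IIS has configured against what HTTP.sys actually has would have found it directly. The following is an added example, not part of Craig's answer or of IIS itself. It assumes the WebAdministration module (IIS 7 and later) and uses the `SslBindingInfo` key named in the comment above; it also assumes that SNI bindings on IIS 8 are stored under the sibling `SslSniBindingInfo` key as `hostname:port` subkeys, and it does not handle IPv6 literal bindings.

```powershell
# Added example (not from the accepted answer): compare the HTTPS bindings IIS
# has configured with the SSL binding entries HTTP.sys reads from the registry.
# Assumptions: WebAdministration module is present; SNI bindings live under the
# sibling SslSniBindingInfo key as "hostname:port" subkeys; IPv6 literals (which
# contain colons) are not parsed.
Import-Module WebAdministration

$HttpParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$IpBindingKey  = Join-Path $HttpParams 'SslBindingInfo'
$SniBindingKey = Join-Path $HttpParams 'SslSniBindingInfo'

function Get-HttpSysSslBinding {
    # One object per subkey, e.g. "0.0.0.0:443". SslCertHash is REG_BINARY, so it
    # is converted to the hex string form IIS shows as certificateHash.
    foreach ($key in @($IpBindingKey, $SniBindingKey)) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            $hash  = if ($props.SslCertHash) {
                ($props.SslCertHash | ForEach-Object { $_.ToString('X2') }) -join ''
            } else { $null }
            [pscustomobject]@{
                Endpoint  = $_.PSChildName
                CertHash  = $hash
                StoreName = $props.SslCertStoreName
                Source    = Split-Path $key -Leaf
            }
        }
    }
}

function Get-IisHttpsBinding {
    Get-WebBinding -Protocol https | ForEach-Object {
        $ip, $port, $hostHeader = $_.bindingInformation -split ':'
        $sni = ($_.sslFlags -band 1) -eq 1
        # Non-SNI bindings on "*" are stored by HTTP.sys as 0.0.0.0:port
        $endpoint = if ($sni) { "$hostHeader`:$port" }
                    elseif ($ip -eq '*') { "0.0.0.0:$port" }
                    else { "$ip`:$port" }
        $site = if ($_.ItemXPath -match "@name='([^']+)'") { $Matches[1] } else { $_.ItemXPath }
        [pscustomobject]@{
            Site      = $site
            Endpoint  = $endpoint
            Sni       = $sni
            CertHash  = $_.certificateHash
            StoreName = $_.certificateStoreName
        }
    }
}

function Compare-SslBinding {
    # For every HTTPS binding IIS knows about, look for the HTTP.sys entry that
    # actually serves it; a missing entry is exactly the failure in this answer.
    $httpSys = @(Get-HttpSysSslBinding)
    foreach ($b in Get-IisHttpsBinding) {
        $match = $httpSys | Where-Object { $_.Endpoint -eq $b.Endpoint } | Select-Object -First 1
        $state = if (-not $match) { 'MISSING in HTTP.sys' }
                 elseif ($match.CertHash -ne $b.CertHash) { 'HASH MISMATCH' }
                 else { 'OK' }
        [pscustomobject]@{
            Site            = $b.Site
            Endpoint        = $b.Endpoint
            Sni             = $b.Sni
            IisCertHash     = $b.CertHash
            HttpSysCertHash = $match.CertHash
            State           = $state
        }
    }
}

Compare-SslBinding | Format-Table -AutoSize
```

`netsh http show sslcert` lists the same HTTP.sys data from the command line and is a quick cross-check for the `HttpSysCertHash` column. A row marked `MISSING in HTTP.sys` on the broken server, with the same site showing `OK` on a working one, is the condition this answer describes; re-adding the binding in IIS Manager (or with `netsh http add sslcert`) recreates the registry entry.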
-1

Have you identified that every SSL connection (from all clients) to a specific problem server is failing? Is it possible that the problem is only experienced by certain clients, regardless of which server they are hitting? If so, the problem may lie in the certificate validation steps taken by the client. Perhaps only certain clients are experiencing this validation issue, and others are not. Do you get any warnings on the client side when browsing from IE (aka "There is a problem with this website's security certificate.")?

You can use the CERTUTIL command and the -verify option to investigate if validation is part of the problem. First, browse the site from a client experiencing the problem and save the public key for the cert in question (see pic). Next, invoke the certutil command:

certutil -verify bad.cer

There will be A LOT of text in the output from -verify. There will be a summary at the end with a friendlier message (example: Verifies against UNTRUSTED root). Reply for help with interpreting the output if needed.

[Screenshot: certutil -verify example output]

[Screenshot: saving the site's certificate from the browser]

Clayton
  • please look at the question, "Is there any known bug or cause for an IIS server to just stop serving SSL overnight? The certificate has not been changed for some time and is still valid. Same certificate works on other identically configured servers." This is not a certificate problem. – Craig Dec 01 '14 at 22:48
  • Pretty closed-minded approach for problem solving. Each client performs its own certificate validation, and if something is wrong on a subset of your clients... I'm not saying this IS the cause, but explaining cert validation was too long for a comment. – Clayton Dec 02 '14 at 13:54
  • That's a pretty close-minded thought towards current distributed networks. Regardless, we've used other methods to test the cert; just saying that we can't use a public one because it blurs the issue. – Craig Dec 02 '14 at 20:19
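
To put the `certutil -verify` step from Clayton's answer beside a structured result, here is an added example (not part of the answer, and not a certutil feature) that validates a saved `.cer` file the way a client would, using the .NET `X509Chain`, reports the chain status flags and a host-name match, and captures the summary lines that certutil prints at the end of its long report. The file path and expected host name are assumed inputs; the host-name check is a simplified one that handles exact and single-label wildcard entries only.

```powershell
# Added example (not part of the answer above): validate a saved .cer file the
# way a client does, with the .NET X509Chain, and put certutil's summary next
# to it. Assumes the caller supplies the .cer path and the host name browsed to.
function Test-SavedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedHostName
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $Path).Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking mirrors what a browser on this client would attempt
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $builds = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    $path   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

    # Name matching is separate from chain building: X509Chain does not compare host names.
    # Collect the CN and every Subject Alternative Name entry ("DNS Name=x, DNS Name=y").
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
    if ($san) { $names += ($san -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() }) }
    $nameOk = if ($ExpectedHostName) {
        # Simplified matching: exact name, or "*.example.com" against one extra label
        [bool]($names | Where-Object {
            $_ -eq $ExpectedHostName -or
            ($_.StartsWith('*.') -and $ExpectedHostName -match '^[^.]+\.(.+)$' -and $Matches[1] -eq $_.Substring(2))
        })
    } else { $null }

    # certutil prints a long report; the last non-empty lines carry the summary the answer mentions
    $report  = & certutil.exe -verify $Path 2>&1 | ForEach-Object { "$_" }
    $summary = ($report | Where-Object { $_ -match '\S' } | Select-Object -Last 2) -join ' | '

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Validity        = "$($cert.NotBefore) .. $($cert.NotAfter)"
        Thumbprint      = $cert.Thumbprint
        ChainBuilds     = $builds
        ChainStatus     = if ($status.Count) { $status -join '; ' } else { 'NoError' }
        ChainPath       = $path -join '  <-  '
        HostNameMatches = $nameOk
        CertutilSummary = $summary
    }
}

# Usage (path and host name are placeholders):
# Test-SavedCertificate -Path .\bad.cer -ExpectedHostName 'www.example.com' | Format-List
```

Run it on the client that shows the browser warning and on one that does not: a difference in `ChainStatus` (for example `UntrustedRoot` or `RevocationStatusUnknown` on only one of them) is the client-side validation problem this answer is asking about, whereas identical, clean results on both clients point back at the server, which is what the question's author reports for this case.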