Alpha Video Training
Results 1 to 19 of 19

Thread: SSL issue with Chrome browser

  1. #1
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,846

    Default SSL issue with Chrome browser

    My website is experiencing SSL issues that only seem to affect the Chrome browser. The error is intermittent - it only happens on some computers and only sometimes.

    The issue is that the user will occasionally get an SSL Connection error. Most of the time, doing a refresh fixes the problem.

    I have rekeyed my SSL Certificate using a version of Alpha V12 that is only about a month old. (It is a pre-release version.)

    My server is with Go-Daddy and they say that the error is because of the SHA-1 Root certificate that is part of the SSL setup. But I don't know how to fix that.

    Help?

  2. #2
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,021

    Default Re: SSL issue with Chrome browser

    Start by having Qualys SSL Labs run a free SSL test against your site.
    https://www.ssllabs.com/ssltest/

    That site may give you a better idea of what might be wrong with the certificate. Maybe your certificate is not from a trusted source. Where was the SSL certificate purchased from? Who bought and installed the certificate and were all the steps followed to get it properly registered with the certificate authority?

    Another issue that comes up across the various browser platforms is the SSL "Cipher List". Search this newsgroup on that topic.

  3. #3
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,846

    Default Re: SSL issue with Chrome browser

    I searched for cypher lists. My original cypher list was:

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

    I found a cypher list on this forum that said to use:

    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:-SSLv3

    The post I saw said it was working great.

    After changing to that new cypher list, I got a great rating on the test site you specified (A-) and now it works great in Chrome and Explorer.

    However, now firefox won't connect at all. It says it can't find a connection profile. I assume that means my list is now too short and doesn't include a connection that FF wants to use.

    Can someone please give me a cypher list that will work with Firefox, Explorer, Chrome AND Safari?

  4. #4
    Member NicholasWieland's Avatar
    Real Name
    Nicholas Wieland
    Join Date
    Apr 2008
    Location
    Huntington, NY
    Posts
    546

    Default Re: SSL issue with Chrome browser

    Larry I do not trust Godaddy tech support people the are weak.
    Zebrahost would have this fixed up for you, quickly.
    Nicholas Wieland
    LedgerSuite.com Corp
    nnw@edfi.net
    http://www.ledgersuite.com


  5. #5
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,021

    Default Re: SSL issue with Chrome browser

    Zebrahost is the one that has taken care of my SSL certificate. They did the setup for me, notified me when it was time to renew, and made sure I did the necessary follow up with the certifying authority to have them issue it.

    That all went very smoothly, but when it comes to the Cipher List, it takes a lot more effort. I think it is too important to completely trust someone else to setup. Only YOU can determine the compromise between the level of security vs. the range of browsers that you want to allow into your site.

    Of course, if you have looked into the Cipher List then you may also have discovered that each vendor (Alpha Software, in our case) that uses OpenSSL must compile their own version of SSL libraries from the pure source code that openSSL.org provides. And, digging deeper you may have discovered that running a particular cipher list through different vendors's SSL enabled server software results in different levels of SSL/TSL compatibility. Factors that influence compatibility include: 1) how the vendor chose to process the cipher list and initialize their OpenSSL instance, and 2) which version of source base code from openssl.org the vendor is using.

  6. #6
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,846

    Default Re: SSL issue with Chrome browser

    Then what I need is a cipher list creator/decipher.

    Something that lists all of the possible ciphers and allows me to choose between them - then creates a cipher list for me that will work in Alpha.

    Even better - something that I can put my current list into, have it tell me what ciphers are in it, then allow me to remove them until it works how I want it.

    That way I can modify the cipher list and test different options out.

    Otherwise I have no idea what to do - this is all Greek to me.

    And while I do value Zebrahost's helpfulness - have servers with them, this server is not on Zebrahost, so ...

  7. #7
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,021

    Default Re: SSL issue with Chrome browser

    Larry,
    As far as I can tell from the openssl wiki site , we need Alpha to give us the openSSL.exe command line tool that they would have built to go along with the two files they distribute: "libeay32.dll" and "ssleay32.dll".

    I just asked Alpha if they could post it for us.


    I found this web site that has a free e-book about OpenSSL: https://www.feistyduck.com/library/openssl-cookbook/

  8. #8
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,701

    Default Re: SSL issue with Chrome browser

    Rich, which version of the DLLs are you using? You will need the matching openssl.exe.

    Also the Feisty Duck books are excellent. The author is the person behind the tools at https://www.ssllabs.com/ssltest/

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation

  9. #9
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,846

    Default Re: SSL issue with Chrome browser

    I don't know about Rich, but I am currently using Alpha Version 12.3 Build 3258. It is a pre-release.

    So whatever SSL files come with that.

    I'd be willing to replace the ssl files with new ones to get everything to the right place.

  10. #10
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,021

    Default Re: SSL issue with Chrome browser

    Lenny,
    Alpha Build 2999 is what I will be using. I believe that is the latest official production release.
    The SSL files say "File version 1.01.16" and "Product version 1.0.1p"

    Thanks for jumping in here, Lenny.

  11. #11
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,701

    Default Re: SSL issue with Chrome browser

    All of the OpenSSL 1.0.1p EXEs and DLLs as built by Alpha can now be downloaded from http://downloads.alphasoftware.com/O...SSL_1.0.1p.zip

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation

  12. #12
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,846

    Default Re: SSL issue with Chrome browser

    What is the default cypher list that comes with that build, please?

  13. #13
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,021

    Default Re: SSL issue with Chrome browser

    Lenny, Thanks.

    Others,
    So I did the following:
    1) Download and unzip the file from Lenny's Post #11 above, to a NEW folder.
    2) Went to the command prompt,
    3) CD into that NEW folder.
    4) entered the command, "Openssl"
    5) and then waited for a minute or so for it to initialize and come up with the "OpenSSL>" prompt.
    6) then gave it the command "ciphers -v "my_ciphers"
    where my_ciphers is the string displayed on my Alpha Web Server console under the "SSL" tab.
    7) I got back a list of encryptions that match that string. If you want to see all, just leave out your cipher list. If you want more detail use an upper case "-V".

  14. #14
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,021

    Default Re: SSL issue with Chrome browser

    Larry, I don't have an actual Web Server installed from scratch directly off of build 2999. But the developer server that gets installed with Build 2999 and the 1.0.1p SSL libraries appears to have this as the default cipher list:

    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

  15. #15
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,846

    Default Re: SSL issue with Chrome browser

    That list looks exactly like the one I have up top.

    It gives a less than stellar rating on the ssl test site and it occasionally (1 in about 40 times) gives Chrome and Safari issues - at least on the Godaddy site that I am using.

    It works fine for IE and Firefox so far as I can tell.

    I really have no idea how to proceed.

  16. #16
    "Certified" Alphaholic
    Real Name
    Rich Fulham
    Join Date
    May 2011
    Location
    Portland, OR
    Posts
    1,021

    Default Re: SSL issue with Chrome browser

    Larry,
    In your first post you said...
    My website is experiencing SSL issues that only seem to affect the Chrome browser. The error is intermittent - it only happens on some computers and only sometimes...
    What's the random error message the users are getting? And, when exactly does the error occur - sometime after being signed in or just when they first navigating to the site?

  17. #17
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,846

    Default Re: SSL issue with Chrome browser

    The error message is that the system cannot get an SSL connection. It almost exclusively happens on login.

    They type in the username and password, hit login, then the server comes back with an ssl connection error.

    Refreshing the screen usually, but not always fixes the problem. However, we are dealing with the general public, so not everyone knows to do that.

    If I go to the site myself and login, it will work most of the time, but I also occasionally get the same error. I've logged in steadily (log out, log in, log out, log in) and sometimes I can't make it happen no matter what I do. Then I'll go back and the first time login it will fail.

    It is quite maddening.

    I called GoDaddy to see if they had a suggestion but they were also not able to duplicate the issue. However, after our call, the tech kept hitting the site until he got the error. (I was shocked when I got an email from him hours later.)

    That was when he suggested the error had to do with the SHA-1 root certificate. (So Kudos to Go Daddy support for sticking with it if they were right.)

    However, I have no idea how to eliminate just that one cipher from the list if that is even possible.

    This is a new issue (first appeared in December so far as I know), the site has been up for several years and not had this issue.

    He was saying that I should use only the certificate file with the bundle_g2 in the file name. But in Alpha it accepts that as the chain file, not as the ssl file. so I don't know how to base the ssl on just the one file.

  18. #18
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,701

    Default Re: SSL issue with Chrome browser

    Larry, that this is a new issue backs up the GoDaddy tech's assertion that this is caused by an SHA-1 certificate. SHA-1 is no longer considered secure and browsers have been slowly tightening restrictions and many have begun to stop accepting them altogether.

    This is NOT the same as your SSL cipher suite - it is how your SSL certificate and the chain file it uses were signed when they were generated. There is no way to impact this by changing your cipher suite.

    As the tech suggested, you need to use a chain file that only has SHA-2 signatures, as well as an certificate with an SHA-2 signature. If your certificate uses an SHA-1 signature, you will need to have a new one issued. If your chain file uses any SHA-1 signatures, you will need to get an updated one from your vender. When GoDaddy says you need to use bundle_g2, that is the chain file, not the certificate itself.

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation

  19. #19
    "Certified" Alphaholic
    Real Name
    Larry Grupido
    Join Date
    May 2010
    Posts
    1,846

    Default Re: SSL issue with Chrome browser

    I did a complete re-key also and the issue still exists. So I guess I need to go back to Godaddy and see what they have to say about it again.

Similar Threads

  1. Browser Question - Chrome and javascript
    By Steve Workings in forum Mobile & Browser Applications
    Replies: 2
    Last Post: 12-10-2015, 09:54 AM
  2. CSS Browser Question. Any Chrome experts out there?
    By lvasic in forum Mobile & Browser Applications
    Replies: 7
    Last Post: 03-07-2014, 06:46 PM
  3. Chrome (Browser not Found)
    By mastermind315 in forum Application Server Version 11 - Web/Browser Applications
    Replies: 0
    Last Post: 09-05-2012, 09:30 PM
  4. Chrome Browser Focus Highlighting
    By iRadiate in forum Application Server Version 10 - Web/Browser Applications
    Replies: 0
    Last Post: 04-20-2011, 09:59 AM
  5. Chrome Browser remembering to much!
    By Tommy Thompson in forum Application Server Version 9 - Web/Browser Applications
    Replies: 1
    Last Post: 12-11-2009, 05:12 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •