
We updated our SSL certificate to SHA2, but the intermediate certificate was SHA1. Chrome and other browsers have decided that the entire chain must be SHA2. Our customers were calling concerned about the yellow caution in the address bar. Rumor has it that in a few months Chrome and other browsers will replace the mildly unobtrusive caution with a stop screen. We certainly don't want that!

...

So we reissued the certificate and the new one is signed by the SHA2 intermediate. When we use that certificate to encrypt the traffic on our server, our applications that are using MSXML2.ServerXMLHTTP (running on Windows Server 2003) to access remote web services on that server can no longer connect.

After researching, we applied these two hotfixes that looked like they might have addressed the issue:

https://support.microsoft.com/kb/938397/en-us
https://support.microsoft.com/kb/968730/en-us

But the problem persists. If we switch the cert back to the SHA2 cert with the SHA1 intermediate, we have no issues.

We have installed the intermediate SHA2 certificate in the trusted store but the problem persists.

We have tried specifying all versions of the MSXML2.ServerXMLHTTP and all fail.

ASP code:

```vbscript
function query(xml)

    dim xmlhttp, xmlDoc, url

    url = application("component_url")
    set xmlDoc = nothing   ' keep the Set below valid even when send() fails

    set xmlhttp = server.createobject("MSXML2.ServerXMLHttp")
    call xmlhttp.open("POST", url, false)
    call xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")

    on error resume next
        err.clear

        ' This is the call that fails with 0x80004005 once the remote
        ' server presents the SHA2-signed chain.
        call xmlhttp.send(xml)

        if err.number <> 0 then
            ' Report the real error text (the original passed an undefined 'message' variable)
            call sendAlert("An error has occurred while trying to send your request", err.description)
        else
            dim rt
            rt = ConvertUtf8BytesToString(xmlhttp.responseBody)
            set xmlDoc = server.createobject("MSXML2.DomDocument")
            xmlDoc.loadXml(rt)
        end if
    on error goto 0

    set query = xmlDoc
    set xmlHttp = nothing
    set xmlDoc = nothing
end function
```
user2458080
  • How about you show us some code? – user692942 Jan 25 '15 at 12:06
  • What, you mean the code that works fine until you switch out the certificate on the remote server? Sure... No prob: – user2458080 Jan 26 '15 at 13:54
  • Absolutely, just because it worked before doesn't mean that the certificate is at fault. Until we see some code there's not much that can be suggested. – user692942 Jan 26 '15 at 13:58
  • See edits to the main post. This code's been running for at least a decade and when we swap out the certificate on the remote server it breaks. When we switch it back it works. – user2458080 Jan 26 '15 at 14:09
  • What is the specific error you get once the cert is switched? If not an error what is the HTTP status code? – user692942 Jan 26 '15 at 14:36
  • No status code. It never gets that far. It gives the ever-elusive "0x80004005 Unspecified Error" when the .send() method is called. – user2458080 Jan 26 '15 at 21:28
  • Have you tried `xmlHttp.setOption(2) = 13056` which will set the flag `SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS`? See [getOption Method (MSDN Library)](https://msdn.microsoft.com/en-us/library/ms753798(v=vs.85).aspx). – user692942 Jan 27 '15 at 16:11
  • Also is this any help? - From [Why do I get non-database-related 80004005 errors?](http://classicasp.aspfaq.com/general/why-do-i-get-non-database-related-80004005-errors.html) - *"If this is coming from use of MSXML.ServerXMLHTTP, see [Article #2391](http://classicasp.aspfaq.com/components/why-do-i-get-80072ee5-errors.html)"*. – user692942 Jan 27 '15 at 16:48
  • Ah. If I ignore cert errors I get a new message: Number : -2146893018 (0x80090326) Descrip : The message received was unexpected or badly formatted. Category : msxml6.dll – user2458080 Jan 28 '15 at 20:41
  • So it has happened. Chrome now shows a red X and strikethrough for https connections. – user2458080 Apr 15 '15 at 13:50

1 Answer

Your situation is very likely the same as in this post, especially the last answer, as you mention the script has been running for 10+ years.

Quoting the last answer in full:

> I know it is an old question. This issue could be because of unsupported cipher suites. Try adding:
>
> - TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)
> - TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)
>
> That means you have to follow this KB: http://support.microsoft.com/kb/948963
>
> This update is also interesting if you are still using Windows 2003; it will allow connecting to sites using SHA2: http://support.microsoft.com/kb/968730

Please note that Windows Server 2003 support is ending July 14, 2015.

If the code is running on Windows Server 2003, I suggest you try it on a newer machine, maybe a laptop with Windows 7, for a quick test.

John Siu