Hi.
Not everything in my everyday life is about Syspeace, sometimes I also do consultancy stuff 🙂
Here’s a weird thing about IE and certificate management that actually took me a while to figure out.
A customer of mine suddenly couldn’t reach his webmail on his Lotus Domino server. They don’t really use it very often so he didn’t really know when it stopped working.
After trying to reach the Lotus Domino Webmail both from the internal LAN and from outside the firewall with IE... nope. Nothing happened.
We could see the “This is not a valid certificate” warning, but nothing happened when we clicked “Yes, we know we are cheapskates and it’s a self-issued certificate”... ok, it doesn’t actually say that, but you know what I mean. When trying to reach it from another IE installation, I just got “The page could not be reached”, like a network error.
Tried the old tricks with adding it to Trusted sites, decreasing security levels and so on.
I tried from Windows 7, Windows Server 2008, 2008 R2 and Vista with IE7, IE8, IE9 and so on.
I tried it with Google Chrome and .. everything worked fine…hmm.. the plot thickens ..
So, it’s an Internet Explorer problem then (and also the built-in browser in at least the Samsung Galaxy SII), I reckoned. Checked all the settings, SSL, TLS and so on, and everything seemed fine. BTW, on the Galaxy SII there was a message about a bad POST header or something.
Then “it hit me... uhmm, like a two ton... heavy thing” (yes, that was a Queensrÿche reference from the album Empire, for all you music lovers out there). What about the certificate on the Domino server? Didn’t I read something about a security patch for Windows and certificates a while back?
Sure enough, after looking at the certificate (with Google Chrome: the upper left corner, click the certificate and check properties), the certificate only had a 512-bit key, which I think is the highest a Domino self-issued certificate can have.
So, here’s the link to Microsoft about the issue, and a few tips further down on what to do:
http://technet.microsoft.com/en-us/security/advisory/2661254
Workaround / solutions.
If it’s your own website: buy a valid, bona fide certificate with a key that exceeds 1024 bits. There’s no need to buy anything less than 2048 though. Or, stop using HTTPS (no, please don’t. Once upon a time you wanted it to secure your communications, I’m sure there was a good reason for it, and surely nothing’s changed?)
If it’s not your own website, use Google Chrome or uninstall the Windows patch. I’d go for door number 1: use Google Chrome.
You could also fool around in the Windows registry according to this KB:
http://support.microsoft.com/kb/2661254
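If you want to check a certificate’s key size without clicking around in a browser, the thing to look at is the length of the RSA modulus in the public key. The script below is an added example, not something from the post or from Microsoft: it encodes a PKCS#1 RSAPublicKey structure (SEQUENCE of modulus and exponent) in DER, decodes it again, and reports whether the key is below the 1024-bit floor the update enforces and whether it reaches the 2048 bits recommended above. The moduli are constructed placeholder integers of the right bit length, not real keys; the two threshold constants and all function names are my own.

```python
"""Assess an RSA public key against the 1024-bit minimum that Windows
enforces after the KB2661254 update. Added example with constructed data."""

MIN_RSA_BITS_WINDOWS = 1024   # keys shorter than this are blocked by the update
RECOMMENDED_RSA_BITS = 2048   # what you should actually buy today


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02); a leading 0x00 keeps big values positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) wrapping already-encoded items."""
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def encode_rsa_public_key(modulus: int, exponent: int = 65537) -> bytes:
    # PKCS#1: RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    return der_sequence(der_integer(modulus), der_integer(exponent))


def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value triple; returns (tag, value, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Bit length of the modulus inside a DER RSAPublicKey."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def assess_key(der: bytes) -> dict:
    """Report the key size against the Windows floor and the recommended size."""
    bits = rsa_modulus_bits(der)
    return {
        "bits": bits,
        "blocked_by_windows": bits < MIN_RSA_BITS_WINDOWS,
        "meets_recommendation": bits >= RECOMMENDED_RSA_BITS,
    }


# Constructed sample moduli (placeholders of the right size, not real RSA keys).
WEAK_KEY = encode_rsa_public_key((1 << 511) | 1)    # 512-bit, like the Domino self-issued cert
GOOD_KEY = encode_rsa_public_key((1 << 2047) | 1)   # 2048-bit, what a bought cert should have

if __name__ == "__main__":
    for name, der in (("512-bit", WEAK_KEY), ("2048-bit", GOOD_KEY)):
        print(name, assess_key(der))
```

The same modulus check applies to a real certificate once you have its SubjectPublicKeyInfo out of the DER; the point is that a 512-bit modulus lands on the wrong side of the 1024-bit line, which is exactly why the patched Windows boxes refused to talk to the Domino server while Chrome, which did not apply that floor at the time, was happy.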
Cheers and happy weekend to everyone.
Juha Jurvanen