Thursday, 15 October 2015

Fascinating - Internet Explorer and the Lack of Transport Layer Security

I've just spent a happy 10 minutes trying to work out why Internet Explorer 8 wouldn't load a secure web page from WebSphere Application Server, specifically the Integrated Solutions Console (ISC).

This is what I saw from IE: -


whereas Firefox was more than happy to render the page: -


Then I thought back to something a colleague had said earlier in the week ....

I'm using TLS 1.2 as my default encryption in WAS ( see an earlier blog post - WebSphere Application Server - Tinkering with Property Files and a spot of SSL/TLS ) and, therefore, WAS is expecting any client, including a browser, to support TLS 1.2.

Firefox confirms the encryption : -


Thinking back to what my colleague had said, I checked IE's settings: -


and, guess what ....


For the record, I am experimenting with the replacement of WAS' own CA-managed certificates ( yes, WAS can/does act as a Certificate Authority for certificates used inside the cell ) with those generated by Active Directory.

I'll write this up more fully in the future, but one of the net effects is that Internet Explorer, running in the same AD domain, now trusts the WAS HTTPS-secured pages, because they share the same CA signer.

Which is nice ....

*UPDATE*

For the record, WAS was trying to tell me what was going wrong, with: -

...
[15/10/15 15:22:39:130 BST] 000000d4 SSLHandshakeE E   SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
...
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
...
[15/10/15 15:24:51:003 BST] 000000d5 SSLHandshakeE E   SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not enabled or not supported
...
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not enabled or not supported
...

if only I'd looked in SystemOut.log :-)


No comments:

Note to self - use kubectl to query images in a pod or deployment

In both cases, we use JSON ... For a deployment, we can do this: - kubectl get deployment foobar --namespace snafu --output jsonpath="{...