IE can't make SSL connection to OpenLitespeed

#1
Hi,

About a month ago, I installed OpenLitespeed 1.6.7 on Ubuntu.
A few days ago, I noticed that whenever I try to open our website over SSL in Internet Explorer, the browser can't connect to the LiteSpeed server.
After some investigating, I noticed that a normal HTTP connection can be created, but when trying to connect over HTTPS, the connection never gets established and IE displays a generic "This page can't be displayed" error message.

After some googling, I noticed that this might be related to the encryption algorithms which IE probably doesn't support.
More about it here: https://www.litespeedtech.com/suppo...g-internet-explorer-11-to-stop-working.16650/

However, I don't know yet where to set which encryption algorithms LiteSpeed should use. I suspect that this is related to my LetsEncrypt certificate.

I am also running an older OpenLitespeed 1.4.46 on a different server and this one can create a connection with IE without any problems.

Does anyone have any idea what I can do to allow my users to view the website in Internet Explorer?

Thanks in advance,
Papa Zulu
 

lsqtwrk

Administrator
#2
Hi,

The cert itself should not be related in this case.

You can go to OpenLiteSpeed's webadmin console to set your SSL parameters.

You might need to check both SSL listener ---> SSL setting and vhost ---> SSL setting.


Best regards,
 


#3
Hi,

lsqtwrk, thank you for your reply. I started playing around with these SSL settings on listener and virtual host.
However, IE still can't establish a connection to the website.

I checked the ciphers supported by my other server (to which IE can connect) and set the same cipher support for the new server (1.6.7) but IE still can't connect to the site. (Screenshot of ciphers in attachment).

What I figured out is that the browser gets the certificate, but then something goes wrong. Because when I try to connect to the admin panel through Internet Explorer, the browser warns me about the self-signed certificate. I choose to continue and then the website hangs. Just a "This page can't be displayed" message from IE.

I tried to compare various settings between these two servers and everything seems roughly the same.

When I check the access.log I see entries from the successful connections, but no entries from unsuccessful attempts from IE.

Does anyone know if there is a way to debug the SSL connection problems in OpenLiteSpeed?
 


#5
Hi,

The handshake simulation seems okay (see attachment).
Also, the first certificate check is okay (in attachment, domain is replaced with ------), but the second one is indicating some issues (see results in attachment). It appears that the second test (without SNI) receives the web admin self-signed certificate. But this is probably not causing the issue, because if we received this certificate, the browser would ask if we trust it.

When comparing the results with the other server where everything works fine, it seems that the only difference is in the second certificate and in the order of the preferred cipher suites (screenshot attached).

I have now tried it on Win10 Edge and it works okay. Even when it simulates IE 11 or IE 10.
It just doesn't work on my computer with Win8.1 IE10 or Win8.1 IE (Edge simulation), so I am not sure now if it is only an issue with my computer or a general issue :D

I will be happy if anyone has any idea what is going on here.
I can send you the domain via private message if needed.


Thanks
 


#8
An update for anyone who might stumble upon this theme in the future.
It seems that the issue is isolated to my computer running Win8.1. Or maybe it just happens on every Win8.1 machine.

I did some traffic analysis with Wireshark.
When IE shows that it is loading the page (the spinner is spinning), it looks like IE is trying to establish a TLS 1.2 connection. It keeps sending some packets, and the server actually responds, but it looks like something goes wrong.

The handshake seems okay, the server responds with Change Cipher message, but I am not sure if IE accepts the new cipher. This is where my knowledge about TLS connection and packet analyzing starts to end.
I edited the accepted ciphers on the server to match at least one of the ones that IE sends to the server, but it didn't help.

I will probably give up on this issue, as it definitely isn't a critical one, especially because the website works okay in a newer Edge browser.
It is just bugging me all the time because I want to know what is happening there. At first, I thought that it might be an IE caching issue, so I ignored the issue for a month :D

Thanks to @lsqtwrk and @Cold-Egg for taking their precious time and trying to help me :)

If I ever figure it out, I will try to remember to post the solution here.

I never liked IE.
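
The cipher comparison described in post #8 can be done from the raw ClientHello bytes instead of by eye. The following is an added example, not part of the original thread and not OpenLiteSpeed code. It assumes the ClientHello fits in a single TLS record; the sample hello and both server lists are constructed for illustration and are not IE's or the poster's actual values.

```python
import struct

# IANA cipher suite IDs (small subset, enough for the constructed sample).
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def offered_suites(record):
    """Return the cipher suite IDs offered in one TLS ClientHello record."""
    try:
        rtype, _version, rlen = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rlen]
        # 0x16 = handshake record, 0x01 = ClientHello message
        if rtype != 0x16 or len(body) != rlen or body[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        pos = 4 + 2 + 32        # handshake header, client_version, random
        pos += 1 + body[pos]    # session_id length byte plus session_id
        (n,) = struct.unpack_from("!H", body, pos)
        if n % 2:
            raise ValueError("odd cipher_suites length")
        return list(struct.unpack_from(f"!{n // 2}H", body, pos + 2))
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def common_suites(record, server_ids):
    """Suites both sides support, in the server's preference order."""
    offered = set(offered_suites(record))
    return [SUITES.get(s, hex(s)) for s in server_ids if s in offered]

def build_sample(ids):
    """Constructed ClientHello (not a capture): TLS 1.2, empty session_id."""
    hello = b"\x03\x03" + bytes(32) + b"\x00"
    hello += struct.pack(f"!H{len(ids)}H", 2 * len(ids), *ids) + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE = build_sample([0xC028, 0xC027, 0xC014, 0xC013, 0x009D, 0x0035])
GCM_ONLY_SERVER = [0xC030, 0xC02F]                # hypothetical server list
MIXED_SERVER = [0xC030, 0xC02F, 0xC028, 0xC014]   # hypothetical server list

if __name__ == "__main__":
    print("GCM-only server:", common_suites(SAMPLE, GCM_ONLY_SERVER))
    print("mixed server:   ", common_suites(SAMPLE, MIXED_SERVER))
```

An empty result means the handshake cannot succeed on ciphers alone; a non-empty result, as in the thread, means the cause lies elsewhere in the handshake.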
 