Re: SSL broken after Windows 2003 upgrade
From: Paul (paule_at_nospam-mindspring.com)
Date: 11/13/04
- Next message: Danny: "difference between new site and new virtual directory"
- Previous message: Fernie: "W2000 Server - file system deteriorating"
- In reply to: David Wang [Msft]: "Re: SSL broken after Windows 2003 upgrade"
- Next in thread: David Wang [Msft]: "Re: SSL broken after Windows 2003 upgrade"
- Reply: David Wang [Msft]: "Re: SSL broken after Windows 2003 upgrade"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 13 Nov 2004 12:15:46 -0500
Here is the XML from metabase.xml - this is the only site with a
SecureBinding that is not null. All other sites have SecureBindings=""
(IP address and domain name changed slightly below)
<IIsWebServer Location ="/LM/W3SVC/38"
LogPluginClsid="{FF160663-DE82-11CF-BC0A-00AA006111E0}"
MD_ISM_ACCESS_CHECK="4660"
SSLCertHash="19c4e3734ed15f22cd3cb1706c1fe5800b9fe63f"
SSLStoreName="MY"
SecureBindings="x.x.187.136:443:"
ServerAutoStart="TRUE"
ServerBindings="x.x.187.136:80:secure.ourdomain.com"
ServerComment="Secure OurDomain Site"
>
</IIsWebServer>
......
Using SysInternal's TCPView, the only thing on the machine listening on port
443 is SVCHOST.EXE whose properties reveal:
"C:\WINNT\System32\svchost.exe -k iissvcs"
-- Paul
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:%231ON$EXyEHA.1292@TK2MSFTNGP10.phx.gbl...
> This really sounds like you have a bad SSL Binding inherited from IIS5, thus
> HTTP.SYS isn't expecting anything to come over IP:443 and hence returning
> 400. SSL Diag tells you that SSL should be working assuming the website
> connects -- which is where you are falling short.
>
> Look in %systemroot%\system32\inetsrv\metabase.xml for "SecureBinding" and
> please show them all here.
>
> Finally -- are you running any other servers that may be listening on port
> 443 on another IP:Port?
>
> --
> //David
> IIS
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Paul" <paule@nospam-mindspring.com> wrote in message
> news:OxtnU6OyEHA.4028@TK2MSFTNGP15.phx.gbl...
>> the 'bad request' bad is a bit weird.
>> any error in event log ?
>
> Nope.
>
>> httperr ?
>
> Yes, the 400 Bad Request shows up for the http://x.x.x.x request (non-SSL)
> but I assume this is correct since the website IP address x.x.x.x is tied to
> the host header name "secure.mydomain.com" and there is no "blank" catch-all
> host header for it.
>
>> secure.mydomain.com is bind to own IP address ?
>
> Yes.
>
>> at the SSL section change 'default' to the IP address.
>
> Never was "(all unassigned)", I always had it set to the same IP address as
> the port 80 section above it.
>
>> restart IIS services.
>
> Done that about 100 times already <g>...
>
>
> Is there anything in the IIS metabase dump (XML) that I can look for as a
> clue to what the problem might be?
>
> Thanks.
> -- Paul
>
>
>>
>> --
>> Regards,
>> Bernard Cheah
>> http://www.tryiis.com/
>> http://support.microsoft.com/
>> http://www.msmvps.com/bernard/
>>
>>
>>
>> "Paul" <paule@nospam-mindspring.com> wrote in message
>> news:OJyXEpHyEHA.1524@TK2MSFTNGP09.phx.gbl...
>>> https:// worked fine in Windows 2000 Server for over a year:
>>> - domain name "secure.mydomain.com"
>>> - on an IP address shared with about 50 other websites (even though MSKB
>>> tells me now this shouldn't work...)
>>> - not requiring SSL connection, users could connect via http:// or https://
>>> without trouble.
>>>
>>> Upgraded this box to Windows 2003, now https:// is broken.
>>> - moved the secure site to its own IP address with no other sites on it
>>> (per the MSKB suggestion)
>>> - removed and reinstalled SSL cert (Thawte cert)
>>> - IIS manager says cert is good
>>> - Used SSLDiag to test, it says everything ok. SSL handshake successful. I
>>> notice SSLDiag says it is talking HTTP/1.0 -- could it be that IE6 is
>>> talking HTTP/1.1 and that is the problem?
>>> - Don't see any other bindings on port 443 on any other sites (they are all
>>> on other IP address anyway)
>>> - Default website is "off"
>>> - Administration website is "off"
>>> - Access to http://secure.mydomain.com is fine, returns default home page
>>> - Try https://secure.mydomain.com, get "page not found or DNS error"
>>> - Try the public static IP address http://x.x.x.x and get the default.htm
>>> home page
>>> - Try the public static IP address https://x.x.x.x and get prompted in
>>> browser with "certificate invalid" warning dialog box, say "yes, accept",
>>> then get 400 - Bad request. But maybe this is normal since the cert is tied
>>> to the domain name, not the IP address?
>>> - Can connect via telnet to secure.mydomain.com port 443.
>>>
>>> Like I said, I had no problem whatsoever before upgrading to Windows 2003.
>>> No hardware or software changes. I am totally stumped, checked numerous
>>> MSKB articles, google searches, etc.
>>>
>>> Help!!
>>>
>>> TIA,
>>> Paul
>>>
>>>
>>>
>>>
>>
>>
>
>
>
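Added example, not part of the original thread and not a Microsoft tool: a Python script that performs the check requested in the quoted reply, listing every non-empty SecureBindings entry in a metabase.xml export and flagging entries that lack an SSLCertHash on the site node or that contend for the same IP:port. The sample XML (addresses, site numbers, certificate hash) is constructed, and treating multiple bindings in one attribute as whitespace-separated is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the fragment in the post; the addresses, site
# numbers and certificate hash are made up for illustration.
SAMPLE = """<configuration><MBProperty>
<IIsWebServer Location="/LM/W3SVC/1" SecureBindings="" ServerBindings=":80:"/>
<IIsWebServer Location="/LM/W3SVC/38"
  SSLCertHash="00112233445566778899aabbccddeeff00112233"
  SecureBindings="192.0.2.136:443:"
  ServerBindings="192.0.2.136:80:secure.example.com"/>
<IIsWebServer Location="/LM/W3SVC/41" SecureBindings=":443:"
  ServerBindings="192.0.2.137:80:other.example.com"/>
</MBProperty></configuration>"""

def secure_bindings(xml_text):
    """Return (location, ip, port, host, has_cert) per non-empty SecureBindings entry."""
    rows = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "IIsWebServer":  # ignore any XML namespace
            continue
        # Assumption: several bindings in one attribute are whitespace-separated.
        for binding in el.get("SecureBindings", "").split():
            ip, port, host = binding.split(":", 2)  # "IP:Port:Host", empty IP = all unassigned
            rows.append((el.get("Location"), ip, port, host, bool(el.get("SSLCertHash"))))
    return rows

def findings(rows):
    """Flag bindings worth a second look: no cert on the node, or contested endpoints."""
    out, by_endpoint = [], defaultdict(list)
    for loc, ip, port, _host, has_cert in rows:
        by_endpoint[(ip, port)].append(loc)
        if not has_cert:
            out.append(f"{loc}: {ip or '*'}:{port} has no SSLCertHash on the site node")
    wildcard_ports = {port for ip, port in by_endpoint if not ip}
    for (ip, port), locs in by_endpoint.items():
        if len(locs) > 1:
            out.append(f"{ip or '*'}:{port} is claimed by {', '.join(locs)}")
        if ip and port in wildcard_ports:
            out.append(f"{ip}:{port} ({locs[0]}) overlaps an all-unassigned binding on {port}")
    return out

if __name__ == "__main__":
    for row in secure_bindings(SAMPLE):
        print(row)
    for line in findings(secure_bindings(SAMPLE)):
        print("REVIEW:", line)
```

To run it against a real server, pass the text of a copy of %systemroot%\system32\inetsrv\metabase.xml to secure_bindings() instead of SAMPLE.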