Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits


Troubleshooting Web Certificate Issues in IE

Posted by William Diaz on September 4, 2013


A while back, one of our internal servers presented an issue. When navigating to it, we ran into the following warning: “There is a problem with this website’s security certificate…”

[image]

The real problem was that clicking the Continue to this website (not recommended) link didn’t let you proceed to the login page; it simply refreshed the warning page each time. To explore the causes of certificate issues in Windows, you need to enable CAPI2 logging. CAPI is Microsoft’s cryptography API (CryptoAPI). Logging can be enabled in the Windows Event Viewer under Application and Services Logs > Microsoft > Windows > CAPI2:

[image]

Right-click the Operational log and select Enable Log. Recreate the issue, right-click the log again, select Disable Log, and look at the individual events, especially the error events. You will need to scan through the Details tab to isolate the issue, as no general summary is provided. This is not as bad as it looks: you don’t need to understand everything you are looking at, and the Internet and your favorite search engine can handle the rest. In this case, I started by copying into my search engine the ErrorStatus flags whose value was true. I hit pay dirt when CERT_TRUST_HAS_WEAK_SIGNATURE pointed me to the Microsoft KB article Microsoft Security Advisory: Update for minimum certificate key length. In short, Microsoft disabled support for weak RSA keys, i.e. key lengths shorter than 1024 bits. From the certificate error below, I could see that the key in the certificate the server was using was only 512 bits long:

[image]

To work around the issue, we needed to enable support for weak certificates on those workstations that needed access to the site. To do this, open an elevated command prompt and type certutil -setreg chain\minRSAPubKeyBitLength 512. See the KB article for more command-line options. This can also be toggled in the registry at HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config by creating a DWORD value named minRSAPubKeyBitLength equal to 512.
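As an added example (not code from the original post), here is the same procedure run from an elevated PowerShell prompt: it toggles the CAPI2 Operational log with wevtutil, pulls every ErrorStatus flag that is set to true out of the captured events so you have the flag names to search for, reads the key length and signature algorithm from an exported copy of the server certificate, and applies the workaround from the KB article. The .cer path is an assumption; the certutil -delreg line is the advisory's documented way to undo the change.

```powershell
# Added example, not the original post's code. Run from an elevated PowerShell
# prompt; the exported certificate path is an assumption for illustration.
$LogName  = 'Microsoft-Windows-CAPI2/Operational'
$CertFile = 'C:\Temp\internal-server.cer'   # assumed: certificate exported from IE

# 1. Enable the log, reproduce the warning in IE, then disable the log again.
wevtutil sl $LogName /e:true
Read-Host 'Reproduce the certificate warning in IE, then press Enter'
wevtutil sl $LogName /e:false

# 2. List every ErrorStatus flag that is "true" in the captured events.
#    These flag names (e.g. CERT_TRUST_HAS_WEAK_SIGNATURE) are the search terms.
$events = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue
foreach ($evt in $events) {
    [xml]$x = $evt.ToXml()
    # local-name() avoids having to declare the event schema's XML namespace
    foreach ($node in $x.SelectNodes('//*[local-name()="ErrorStatus"]')) {
        $flags = $node.Attributes | Where-Object { $_.Value -eq 'true' } | ForEach-Object { $_.Name }
        if ($flags) {
            '{0}  Event {1} ({2}): {3}' -f $evt.TimeCreated, $evt.Id, $evt.LevelDisplayName, ($flags -join ', ')
        }
    }
}

# 3. Confirm what the certificate actually carries: key size and signature algorithm.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$key  = $cert.PublicKey.Key
"$($cert.Subject): $($key.KeySize)-bit $($cert.PublicKey.Oid.FriendlyName) key, signed with $($cert.SignatureAlgorithm.FriendlyName)"

# 4. Workaround from the KB article, applied only on workstations that need the site.
#    This lowers the RSA key-length floor for all chain building on the machine, so
#    remove it once the server has been re-issued a certificate with a 1024-bit or longer key.
certutil -setreg chain\minRSAPubKeyBitLength 512
# To undo later:  certutil -delreg chain\minRSAPubKeyBitLength
```

Reading the log does not require it to be enabled, so step 2 can be re-run at any time against what was captured; step 3 is the quick way to confirm the 512-bit key before changing anything on the workstation.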

Posted in Troubleshooting

Java 7 Troubleshooting (disabled support for MD2)

Posted by William Diaz on September 4, 2013


Upon trying to connect to a vendor’s web application, a user was seeing an error pointing to a failed certificate validation:

[image]

With Java logging enabled, the details were more specific:

com.citrix.sdk.jsse.CitrixSSLException: The certificate validation failed. 
    at com.citrix.sdk.jsse.SocketFactory.createSslSocket(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.citrix.client.io.net.ip.proxy.o.a(Unknown Source)
    at com.citrix.client.io.net.ip.z.a(Unknown Source)
    at com.citrix.client.io.net.ip.z.a(Unknown Source)
    at com.citrix.client.module.td.tcp.TCPTransportDriver.s(Unknown Source)
    at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

Looking at the certificate, I could see it was signed with the relatively old MD2 algorithm. While the user had not experienced this issue previously, it’s worth noting we had just moved from Java 6 to Java 7. JRE 7 has likely disabled support for MD2 because it is considered insecure, and some quick research confirmed this. With the site outside our control, the user still needed to access the application. Instead of downgrading to Java 6, enabling MD2 support in Java 7 is a simple matter of editing the java.security file in C:\Program Files (x86)\Java\jre7\lib\security to comment out jdk.certpath.disabledAlgorithms=MD2 or simply remove the MD2 part:

[image]
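The java.security edit from the post, scripted as an added example (not code from the original post). It backs the file up, removes only the named algorithm from the jdk.certpath.disabledAlgorithms list so any other entries stay disabled, and comments the line out if nothing is left, which is the other option the post describes. The JRE path is the one in the post; a JRE update installs a fresh java.security, so the edit has to be repeated after patching Java.

```powershell
# Added example, not the original post's code: re-enable one algorithm in java.security.
# Path is the one from the post; run elevated, since Program Files is write-protected.
$JavaSecurity = 'C:\Program Files (x86)\Java\jre7\lib\security\java.security'
$Algorithm    = 'MD2'

# Keep a copy of the original before touching it
Copy-Item -Path $JavaSecurity -Destination "$JavaSecurity.bak" -Force

$updated = foreach ($line in Get-Content -Path $JavaSecurity) {
    if ($line -match '^\s*jdk\.certpath\.disabledAlgorithms\s*=\s*(.*)$') {
        # The value is a comma-separated list (later Java 7 updates add entries such as
        # "RSA keySize < 1024"); drop only the requested entry and keep the rest.
        $keep = $Matches[1] -split ',' | ForEach-Object { $_.Trim() } |
                Where-Object { $_ -and $_ -ne $Algorithm }
        "# $Algorithm re-enabled $(Get-Date -Format s); original saved as java.security.bak"
        if ($keep) {
            "jdk.certpath.disabledAlgorithms=$($keep -join ', ')"
        } else {
            # Nothing left to disable: comment the line out, the post's other option
            "#jdk.certpath.disabledAlgorithms=$Algorithm"
        }
    } else {
        $line
    }
}

Set-Content -Path $JavaSecurity -Value $updated -Encoding ASCII

# Show the resulting line for a quick check
Select-String -Path $JavaSecurity -Pattern 'jdk\.certpath\.disabledAlgorithms'
```

Because the change is per JRE install, apply it only on the machines that need the vendor site, and restore from the .bak copy once the vendor re-issues the certificate.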

Posted in Uncategorized