Very weird ssl/network problem



I have a very strange problem and was hoping someone on here would have an idea, as this has been run through some pretty smart people with no luck.

We have an internet connection at a location with a hardware VPN. We can access all of the local IP addresses on the remote network with no problem: SSL connections, Citrix connections, etc.

We have a web page with a JavaScript login. When we access it we can get to the "certificate is invalid" page, but when we hit continue it times out.

Tried it on all 30 computers at the location, same thing. I physically brought one computer back with me, plugged it in with DHCP, and it can get to the site just fine.

Now the odd part: I had a consultant go in and he plugged in his laptop using an Ethernet connection that was hooked to one of the non-working computers, and it friggin worked on his laptop. We are at a loss, and not sure what to try.

Any gurus out there have any ideas?? (It looks like port 443 SSL works to our Citrix web server fine, just not this server that's on the same subnet; however, port 80 does work even to that bad server.)


I had an issue with a web filter behind the firewall that caused a problem like this. I had to allow communications between sites through the web filter to allow access; all other testing passed just like yours.


What browsers have you hit it with? And what are the details of the cert? Sounds like it is a self-signed cert if you have to trust it.

Can you hit it with the openssl command line to get some details?

Something like this:

budman@ubuntu:~$ openssl s_client -connect 192.168.1.1:443
CONNECTED(00000003)
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-55363cbc75739
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-55363cbc75739
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-55363cbc75739
   i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-55363cbc75739
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFYzCCBEugAwIBAgIBADANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
DjAMBgNVBAgTBVN0YXRlMREwDwYDVQQHEwhMb2NhbGl0eTE4MDYGA1UEChMvcGZT
ZW5zZSB3ZWJDb25maWd1cmF0b3IgU2VsZi1TaWduZWQgQ2VydGlmaWNhdGUxKDAm
<snipped>
PpJ9xCli2vZUsLluXWCLMQSni1auiDluVoFHJ4tJN7PKXmFEJxoKYrMSiiC/xXjB
nDIZIrhowgTqOVr/r6eg2JAgsJvF2JhVrQ47BZMqD0GjUPsTFJMR
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-55363cbc75739
issuer=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-55363cbc75739
---
No client certificate CA names sent
---
SSL handshake has read 2042 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: D14FFD95195816F574C60468275550E73EDBD5B17CE773E0EBC172686AF90424
    Session-ID-ctx:
    Master-Key: 97951F6B786CFE30156F3B5F557DE54BCF43B8648F5A30DE748495E9CF7099382E6C99A3527DFC817B08DB51878BCDE6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 82 7c 49 18 ca f3 5c 56-73 8b e9 9f 0c 0c 2d ea   .|I...\Vs.....-.
    0010 - ac 59 fb 0d 9d c7 d1 5f-65 4c 70 77 a2 87 9c 57   .Y....._eLpw...W
  <snipped>
    0080 - 25 c5 31 ff 91 82 c6 01-1b cc fa 25 aa 7b 95 28   %.1........%.{.(
    0090 - 3a f5 b1 51 2d 47 34 51-b1 99 fe 4e c8 ab 1c 7c   :..Q-G4Q...N...|

    Start Time: 1429734916
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
Another simple test you can do is get a list of the ciphers supported by the server:

budman@ubuntu:~$ nmap --script ssl-enum-ciphers -p 443 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-22 15:40 CDT
Nmap scan report for 192.168.1.1
Host is up (0.00091s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
budman@ubuntu:~$
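The symptom in the first post is "TCP to port 443 works, the browser gets as far as the certificate warning, then the connection times out", and the reply above reaches for openssl s_client to see what the server actually hands back. The probe below is an added example, not code from the original thread or from any poster: it separates the TCP connect from the TLS handshake, each under the same timeout, so you can tell "no SYN/ACK" from "TCP up but no ServerHello" from "handshake completed", and it prints the SHA-256 fingerprint of whatever certificate arrives. Run it from a failing workstation and from the laptop that works; if the fingerprints differ, something in the path (a filtering proxy, for instance) is terminating TLS. The target address 192.168.1.1 is only a placeholder taken from the openssl paste, and the "black-hole" listener is a constructed fixture that mimics a middlebox that accepts the TCP connection and then swallows the ClientHello.

```python
import hashlib
import socket
import ssl
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    """Outcome of one probe. `stage` records where the connection stopped:
    "tcp_connect" (no TCP connection), "tls_handshake" (TCP came up but
    TLS never completed) or "ok" (handshake completed)."""
    stage: str
    detail: str
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    cert_sha256: Optional[str] = None


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Connect to host:port and report whether the TCP connect or the TLS
    handshake is what fails.

    Certificate verification is deliberately OFF: this is a diagnostic, and we
    want to see (and fingerprint) whatever certificate the far end or a
    middlebox presents, including a self-signed one that openssl reports as
    "verify error:num=21". Never reuse a context like this for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ProbeResult("tcp_connect", "TCP connect timed out (no SYN/ACK)")
    except OSError as exc:
        return ProbeResult("tcp_connect", f"TCP connect failed: {exc}")

    # create_connection() leaves the timeout set on the socket, so the
    # handshake below cannot hang for longer than `timeout` either.
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True) or b""
            return ProbeResult(
                "ok", "TLS handshake completed",
                protocol=tls.version(),
                cipher=tls.cipher()[0],
                cert_sha256=hashlib.sha256(der).hexdigest(),
            )
    except socket.timeout:
        return ProbeResult("tls_handshake",
                           "TCP connected but no ServerHello arrived before the timeout")
    except ssl.SSLError as exc:
        return ProbeResult("tls_handshake", f"TLS handshake failed: {exc.reason or exc}")
    except OSError as exc:
        return ProbeResult("tls_handshake", f"connection dropped during handshake: {exc}")
    finally:
        raw.close()


def start_blackhole_listener() -> int:
    """Constructed fixture for offline demonstration: a local TCP service that
    accepts connections and then stays silent, like a middlebox that completes
    the TCP handshake and swallows the ClientHello. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    held = []  # keep accepted sockets referenced so GC does not close them

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            held.append(conn)   # hold the connection open, never reply

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Run this from both vantage points and compare, especially cert_sha256.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # placeholder
    print(probe_tls(target))
    # Offline demonstration of the "TCP up, TLS stalls" classification:
    print(probe_tls("127.0.0.1", start_blackhole_listener(), timeout=1.0))
```

A `tls_handshake` result with the timeout message is the signature of something accepting the TCP connection and then eating the handshake, which is exactly what a browser shows as "continue past the warning, then spin until timeout". Because the probe fingerprints the leaf certificate rather than trusting it, it also answers the "self-signed or intercepted?" question: the fingerprint must match what openssl s_client shows from a known-good host.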

Well, the odd thing is that if I bring the laptop back to the home location I can access the site just fine on it.

That makes me think it's not a certificate problem. There is no firewall between the sites; they are on an MPLS circuit.


It really sounds like a web filtering issue, possibly an endpoint security issue. Or whatever VLAN that server is on isn't configured properly to talk to the VPN network... access lists.
