benplace, Posted April 22, 2015

I have a very strange problem and was hoping someone on here would have an idea, as this has been run through some pretty smart people with no luck. We have an internet connection at a location with a hardware VPN. We can access all of the local IP addresses on the remote network with no problem: SSL connections, Citrix connections, etc. We have a web page with a JavaScript login. When we access it we can get to the "cert is invalid" page, but when we hit continue it times out. Tried it on all 30 computers at the location, same thing. I physically brought one computer back with me, plugged it in (DHCP), and it can get to the site just fine. Now the odd part: I had a consultant go in and he plugged in his laptop using an ethernet connection that was hooked to one of the non-working computers, and it friggin worked on his laptop. We are at a loss, and not sure what to try. Any gurus out there have any ideas?

(It looks like port 443 SSL works to our Citrix web server fine, just not this server that's on the same subnet; however, port 80 does work even to that bad server.)
sc302 (Veteran), Posted April 22, 2015

I had an issue with a web filter that was behind the firewall causing an issue like this. I had to allow communications between sites through the web filter to allow access... all other testing passed just like yours.
+BudMan (MVC), Posted April 22, 2015

What browsers have you hit it with? And what are the details of the cert? Sounds like it is a self-signed cert if you have to trust it. Can you hit it with the openssl command line to get some details? Something like this:

budman@ubuntu:~$ openssl s_client -connect 192.168.1.1:443
CONNECTED(00000003)
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-55363cbc75739
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-55363cbc75739
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-55363cbc75739
   i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-55363cbc75739
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFYzCCBEugAwIBAgIBADANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
DjAMBgNVBAgTBVN0YXRlMREwDwYDVQQHEwhMb2NhbGl0eTE4MDYGA1UEChMvcGZT
ZW5zZSB3ZWJDb25maWd1cmF0b3IgU2VsZi1TaWduZWQgQ2VydGlmaWNhdGUxKDAm
<snipped>
PpJ9xCli2vZUsLluXWCLMQSni1auiDluVoFHJ4tJN7PKXmFEJxoKYrMSiiC/xXjB
nDIZIrhowgTqOVr/r6eg2JAgsJvF2JhVrQ47BZMqD0GjUPsTFJMR
-----END CERTIFICATE-----
subject=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-55363cbc75739
issuer=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-55363cbc75739
---
No client certificate CA names sent
---
SSL handshake has read 2042 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: D14FFD95195816F574C60468275550E73EDBD5B17CE773E0EBC172686AF90424
    Session-ID-ctx:
    Master-Key: 97951F6B786CFE30156F3B5F557DE54BCF43B8648F5A30DE748495E9CF7099382E6C99A3527DFC817B08DB51878BCDE6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 82 7c 49 18 ca f3 5c 56-73 8b e9 9f 0c 0c 2d ea   .|I...\Vs.....-.
    0010 - ac 59 fb 0d 9d c7 d1 5f-65 4c 70 77 a2 87 9c 57   .Y....._eLpw...W
    <snipped>
    0080 - 25 c5 31 ff 91 82 c6 01-1b cc fa 25 aa 7b 95 28   %.1........%.{.(
    0090 - 3a f5 b1 51 2d 47 34 51-b1 99 fe 4e c8 ab 1c 7c   :..Q-G4Q...N...|

    Start Time: 1429734916
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Another simple test you can do is get a list of ciphers supported by the server:

budman@ubuntu:~$ nmap --script ssl-enum-ciphers -p 443 192.168.1.1

Starting Nmap 6.40 ( http://nmap.org ) at 2015-04-22 15:40 CDT
Nmap scan report for 192.168.1.1
Host is up (0.00091s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds
budman@ubuntu:~$
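The openssl and nmap runs above only exercise the handshake; the symptom in the original post is that the certificate warning appears (so the handshake completes) and the request after "continue" hangs. The probe below, an added example that is not from the thread, splits a connection into TCP connect, TLS handshake and first HTTP request so a timeout can be pinned to one stage; the host, port and the local `silent_listener` fixture are constructed for the demo.

```python
import socket
import ssl
import time


def tls_probe(host, port=443, timeout=5.0, path="/"):
    """Probe host:port in three stages and report the last one reached.

    Returns {"stage", "ok", "elapsed", "detail"}; stage is tcp_connect,
    tls_handshake or http_request."""
    result = {"stage": "tcp_connect", "ok": False, "elapsed": 0.0, "detail": ""}
    start = time.monotonic()
    ctx = ssl.create_default_context()
    # The server in the thread uses a self-signed cert; skip verification so the
    # probe gets past the handshake the same way the browser's "continue" does.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        result["stage"] = "tls_handshake"
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # handshake runs here
            result["detail"] = f"{tls.version()} {tls.cipher()[0]}"
            result["stage"] = "http_request"
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            status = tls.recv(64).decode(errors="replace").split("\r\n")[0]
            result["detail"] += " | " + status
            result["ok"] = True
    except (socket.timeout, TimeoutError):
        result["detail"] = f"timeout after {timeout}s at {result['stage']}"
    except OSError as exc:  # ssl.SSLError and connection errors both derive from OSError
        result["detail"] = f"{type(exc).__name__}: {exc}"
    result["elapsed"] = round(time.monotonic() - start, 3)
    return result


def silent_listener():
    """Constructed fixture: a TCP listener that accepts the connection but never
    answers, so the TLS handshake stalls the way a path dropping packets would."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = silent_listener()
    print(tls_probe("127.0.0.1", port, timeout=2))  # stalls at tls_handshake
    srv.close()
    print(tls_probe("127.0.0.1", port, timeout=2))  # refused at tcp_connect
```

Run it from a working and a non-working machine against the same server; a result that reaches http_request on one and times out at tls_handshake or http_request on the other separates a certificate problem from a path problem.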
benplace (Author), Posted April 22, 2015

Well, the odd thing is if I bring the laptop back to the home location I can access the site just fine on it. That makes me think it's not a certificate problem. There is no firewall between the sites; they are on an MPLS circuit.
benplace (Author), Posted April 22, 2015

It is a managed router and it plugs into the network switch.
sc302 (Veteran), Posted April 22, 2015

It really sounds like a web filtering issue... possibly an endpoint security issue. Or whatever VLAN that server is on isn't configured properly to talk to the VPN network... access lists.