After installing SSL certificate (Comodo positive SSL ) for my website hosted in IIS8. Comodo positive SSL is a commonly used one. The installation part goes smoothly.
But after performing SSL install in IIS8 I came up with an strange error. HTTPS version of my website works fine in Firefox but doesn’t works in Google chrome. In Google chrome I am getting to load website with HTTPS but HTTP version works fine. At that moment the Chrome version we used was Version 54.0.2840.8 dev (64-bit).
In order to troubleshoot this further first we tried to clear the chrome cache and did make sure there isn’t any proxy setup in chrome. But that wouldn’t help to sort out the issue.
Second step I did is tried to load the HTTPS version in a different PC and Laptop and in Android Mobile chrome but I have but got different errors. Below are the corresponding errors.
Error In Android Chrome
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
Error in My PC chrome
err_connection_reset
Error in Different PC Chrome.
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION
In third step we executed below command in windows command prompt to see the installed SSL certificate is actually showing or not. We got this command from one of the IIS forum post. In our case below command shows the SSL certificate installed so it indicated there is no issue happened at the stage of SSL install on IIS8
netsh http show sslcert
After that we got a hint as the ERR_CONNECTION_RESET is not necessarily TLS related, but exactly how is the TLS configured. So I started to dig more in the server logs to find out what’s wrong with my Windows server when there is a request for HTTPS from Chrome.
In forth step we installed Wire-shark and fiddler in my personal computer. Both of these software packages are web debugging tool which is commonly used to troubleshoot client/server request handing. But in this stage I got failed to get filter down and track the actual error.
On further goggling we also understand that in Windows Event Viewer the source schannel will show information about the error which is happening at the time of handing HTTPS requests.
So in fifth step we Did a look in the windows System event viewer for source schannel. Noticed below events.
Event ID: 36874– TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed. Event ID: 36888 – A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.
We goggled such errors and seem the error is related to signature hash algorithm. There is one Microsoft blog article which is related to the same.
https://blogs.technet.microsoft.com/silvana/2014/03/14/schannel-errors-on-scom-agent/
But our case when we compared Windows servers registry values in reference to the blog article we haven’t noticed any mismatch.( was not 100% sure)
During that time we also understood that there is one nice tool named IISCrypto (IISCrypto.exe) which commonly used to build the Windows server for PCI compliance. Using this tool we can disable or enable SSL versions supported by server or Hash algorithm.
In my Final step I downloaded IISCrypto.exe and clicked “best practices ” button and “Apply ” the same. After a server reboot magically the SSL started working in Google Chrome too.
Below is the Screenshot for the error I have encounter in Google Chrome.
