On Friday 01 May 2015 12:11:00 Tanvi Vyas wrote:
> > On Apr 27, 2015, at 2:03 PM, Michael Peterson <michaelpeterson...@gmail.com> wrote:
> >
> > Firefox does not like our internal certificates. I'm trying to figure out
> > why...
> >
> > tl;dr - Our internal IIS servers, signed with our internal CA, present a
> > "Secure Connection Failed" page, with technical details that say
> > "Connection Not Encrypted". The certificate is installed in Firefox's
> > internal certificate store.
> >
> > Here are our certificates
> > https://www.highlands.edu/site/is-certification-authority

The root cert is self-signed with SHA-512; if it also uses SHA-512 for EE
certificates, you're likely hitting the MZBZ#1155922 interoperability issue
caused by a change introduced by MS14-066 in Windows.

You don't see this problem with Nginx or Apache because they send the
certificate even if the extensions advertised by the client don't match the
certificate the server has (they let the client decide whether it will trust
the cert or not). OTOH, IIS decides for the client that it won't be able to
handle the certificate, so it doesn't send any and aborts the connection
without telling the client why (thus the incomprehensible error message).

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
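
Added example (not part of the original thread, and not code from Firefox, NSS, IIS, Nginx or Apache): a sketch of the mismatch described in the reply above, assuming the client extension in question is the TLS 1.2 signature_algorithms extension (RFC 5246, section 7.4.1.4.1). The extension bytes, the chain and all function names are constructed for illustration.

```python
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1)
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}

def parse_signature_algorithms(ext_data: bytes):
    """Parse signature_algorithms extension_data into (hash, sig) name pairs."""
    if len(ext_data) < 2:
        raise ValueError("truncated extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if length != len(body) or length % 2:
        raise ValueError("bad supported_signature_algorithms length")
    return [(HASHES.get(body[i], f"hash{body[i]}"),
             SIGS.get(body[i + 1], f"sig{body[i + 1]}"))
            for i in range(0, length, 2)]

def unadvertised(chain_sig_algs, advertised):
    """Signature algorithms used in the sent chain that the client did not offer."""
    offered = set(advertised)
    return [alg for alg in chain_sig_algs if alg not in offered]

def server_action(chain_sig_algs, advertised, strict):
    """strict=True models a server that aborts on mismatch (IIS, as described above).
    strict=False models one that sends the chain anyway and lets the client decide
    (Nginx/Apache, as described above)."""
    missing = unadvertised(chain_sig_algs, advertised)
    if missing and strict:
        return "abort", missing
    return "send_certificate", missing

# Constructed sample: a client offering SHA-256/384/1 with RSA and ECDSA, no SHA-512.
SAMPLE_EXT = bytes.fromhex("000c" "0401" "0501" "0201" "0403" "0503" "0203")
# Constructed chain: an EE certificate signed with sha512WithRSAEncryption.
# The self-signed root is left out; only certificates the server sends are checked.
SAMPLE_CHAIN = [("sha512", "rsa")]

if __name__ == "__main__":
    offered = parse_signature_algorithms(SAMPLE_EXT)
    print("strict server: ", server_action(SAMPLE_CHAIN, offered, strict=True))
    print("lenient server:", server_action(SAMPLE_CHAIN, offered, strict=False))
```

To apply the same check to a real deployment, take the pair list from a captured ClientHello and the signature algorithm of each certificate the server sends, then compare them with unadvertised().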