Login/Register
Can't connect to server over HTTPS which uses a SHA2 certificate using MSXML2.ServerXMLHTTP
Asked Answered
Solved sslasp-classicwindows-server-2003msxmlserverxmlhttp
S

1

12

We updated our SSL certificate to SHA2, but the intermediate certificate was SHA1. Chrome and other browsers have decided that the entire chain must be SHA2. Our customers were calling concerned about the yellow caution in the address bar. Rumor has it that in a few months Chrome and other browsers will replace the mildly unobtrusive caution with a stop screen. We certainly don't want that!

...

So we reissued the certificate and the new one is signed by the SHA2 intermediate. When we use that certificate to encrypt the traffic on our server, our applications that are using MSXML2.ServerXMLHTTP (running on Windows Server 2003) to access remote web services on that server can no longer connect.

After researching, we applied these two hotfixes that looked like they might could have addressed the issue:

https://support.microsoft.com/kb/938397/en-us https://support.microsoft.com/kb/968730/en-us

But the problem persists. Switch the cert back to the SHA2 with SHA1 intermediate and we have no issues.

We have installed the intermediate SHA2 certificate in the trusted store but the problem persists.

We have tried specifying all versions of the MSXML2.ServerXMLHTTP and all fail.

ASP code :

function query(xml)

    dim xmlhttp, xmlDoc, url

    url = application("component_url")

    set xmlhttp = server.createobject("MSXML2.ServerXMLHttp")
    call xmlhttp.open ("POST", url, false)
    call xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")

    on error resume next
        err.clear   

        call xmlhttp.send(xml)

        if err.number <> 0 then
            call sendAlert("An error has occurred while trying to send your request", message)
        else
            dim rt
            rt = ConvertUtf8BytesToString(xmlhttp.responseBody)
            set xmlDoc = server.createobject("MSXML2.DomDocument")          
            xmlDoc.loadXml(rt)
        end if
    on error goto 0

    set query = xmlDoc
    set xmlHttp = nothing
    set xmlDoc = nothing
end function
Shedd answered 23/1, 2015 at 16:26 Comment(10)
How about you show us some code?Hoist
What, you mean the code that works fine until you switch out the certificate on the remote server? Sure... No prob:Shedd
Absolutely, just because it worked before doesn't mean that the certificate is at fault. Until we see some code there's not much that can be suggested.Hoist
See edits to the main post. This code's been running for at least a decade and when we swap out the certificate on the remote server it breaks. When we switch it back it works.Shedd
What is the specific error you get once the cert is switched? If not an error what is the HTTP status code?Hoist
No status code. It never gets that far. It gives the ever-elusive "0x80004005 Unspecified Error" when the .send() method is called.Shedd
Have you tried xmlHttp.setOption(2) = 13056 which will set the flag SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS? See getOption Method (MSDN Library).Hoist
Also is this any help? - From Why do I get non-database-related 80004005 errors? - "If this is coming from use of MSXML.ServerXMLHTTP, see Article #2391".Hoist
Ah. If I ignore cert errors I get a new message: Number : -2146893018 (0x80090326) Descrip : The message received was unexpected or badly formatted. Category : msxml6.dllShedd
So it has happened. Chrome now shows a red X and strikethrough for https connections.Shedd
I
3

Your situation is very likely same as this post, specially the last answer as you mention the script has been running for 10+ years.

Quoting the last answer in full:

I know it is an old question. This issue could be because of unsupported cipher suites. Try adding - TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA - TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA

That means you have to follow this kb: http://support.microsoft.com/kb/948963 This update is also interesting if you are still using windows 2003. Which will allow connecting to site using SHA2 - http://support.microsoft.com/kb/968730

Please note that Windows Server 2003 support is ending July 14, 2015

If the code is running on a Windows Server 2003, I suggest you try it on a newer machine, maybe a laptop with Windows 7 for a quick test.

Incredulity answered 18/4, 2015 at 23:6 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.