Cannot Access Some Sites Through NetScaler and Internet Explorer 9 if TLS 1.2 is Enabled

Article ID: CTX210190

Description

Some sites cannot be accessed through NetScaler from Internet Explorer 9 when TLS 1.2 is enabled in the browser. Internet Explorer 9 shows the error "Internet Explorer cannot display the webpage".

If TLS 1.2 is disabled in the Internet Explorer 9 Advanced Options, the site loads. With TLS 1.2 enabled, it fails with the above error.

The site works fine with Internet Explorer 11, even with TLS 1.2 enabled.

Resolution

Remove the MD5/MD2-signed certificate from the certificate chain, or obtain SHA-signed certificates from the Certificate Authority and use them to replace the MD5/MD2-signed ones.


Problem Cause

This issue occurs when the certificate chain for the site contains a certificate with an MD5 signature algorithm (or another less secure MD hashing algorithm such as MD2), because Internet Explorer 9 breaks the connection for these requests. The schannel.dll library restricts the use of MD5/MD2 algorithms for security reasons. Changing the chain to use certificates with a SHA hash algorithm gets the site working without any issues.

One of the working sites used the certificate chain in the following manner:

[Image: certificate chain of a working site]

The non-working site was using the md2 signature algorithm:

[Image: certificate of the non-working site showing the md2 signature algorithm]
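
To find which certificate in a chain is the one described above, the following check reads the signature algorithm of every certificate in a PEM bundle and reports the MD2/MD5-signed entries. It is an added example, not Citrix code; the function names are illustrative and the sample certificates are constructed skeletons, not real certificates.

```python
import base64
import re

# DER-encoded OID bytes of PKCS #1 RSA signature algorithms.
MD2_RSA = bytes.fromhex("2a864886f70d010102")
MD5_RSA = bytes.fromhex("2a864886f70d010104")
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
WEAK_SIG_OIDS = {MD2_RSA: "md2WithRSAEncryption", MD5_RSA: "md5WithRSAEncryption"}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos, want_tag):
    """Parse one DER element at pos; return (value_start, value_end)."""
    if buf[pos] != want_tag:
        raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return pos, pos + length

def signature_oid(der):
    """Return the OID bytes of the certificate's outer signatureAlgorithm."""
    cert_start, _ = read_tlv(der, 0, 0x30)            # Certificate
    _, tbs_end = read_tlv(der, cert_start, 0x30)      # tbsCertificate (skipped)
    alg_start, _ = read_tlv(der, tbs_end, 0x30)       # AlgorithmIdentifier
    oid_start, oid_end = read_tlv(der, alg_start, 0x06)
    return der[oid_start:oid_end]

def weak_certs(pem_bundle):
    """Return (position, algorithm) for each MD2/MD5-signed cert in the bundle."""
    found = []
    for i, m in enumerate(PEM_RE.finditer(pem_bundle)):
        name = WEAK_SIG_OIDS.get(signature_oid(base64.b64decode(m.group(1))))
        if name:
            found.append((i, name))
    return found

def skeleton_pem(oid):
    """Constructed sample: certificate-shaped DER with dummy fields, not a real cert."""
    seq = lambda body: b"\x30" + bytes([len(body)]) + body
    alg = seq(b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00")
    der = seq(seq(b"\x02\x01\x01") + alg + b"\x03\x02\x00\x00")
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

if __name__ == "__main__":  # constructed bundle: SHA-256 entry, then MD2 entry
    print(weak_certs(skeleton_pem(SHA256_RSA) + skeleton_pem(MD2_RSA)))
```

Positions are zero-based and follow the order of the certificates in the bundle, so the result points at the entry to remove or have reissued.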

Additional Information

http://blogs.msdn.com/b/friis/archive/2012/08/29/tls-1-2-handshake-failure.aspx 

http://support.microsoft.com/kb/2851628