We recently had a problem where a customer wasn't able to access JIRA via SSL from IE7 on Windows Vista (and IE 5.5 on WinNT although we never got to test that). Firefox worked fine. IE7 from Windows XP worked fine.
The customer was using a self-signed certificate, which is perfectly fine, since the browser should simply prompt you to accept the certificate. However, IE7 on Vista only reported:
Internet Explorer cannot display the webpage
Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.
As it turns out, IE7 on Vista does not like the SHA1 certificate signature algorithm (the default used by Java's keytool utility). If you specify RSA everything works fine.
So in order for your self-signed certificates to work in IE7 on Vista, use the following command when generating the certificate:
% keytool -genkey -alias tomcat -keyalg RSA
Please see our docs for the full procedure of allowing SSL access to Tomcat.
Relatively unrelated: It seems that IE7 on Vista also doesn't like the certificate on support.atlassian.com:
Now, correct me if I'm wrong, but 26/06/2007 falls into the 27/09/2005 - 27/09/2007 range, yes?! The certificate works fine on IE7 with Windows XP. Almost a case for WTF?!
Tags: IE7 Vista SSL


5 Comment(s)
Bugger - we had a similar problem on some of our users' machines, although they were on Win2K and IE6 (see https://support.atlassian.com/browse/JSP-12708). Does that sound related?
-Stefan
By Stefan Kleineikenscheidt at June 26, 2007 12:54 AM
Hi Stefan,
I had a quick look at your case, and it's difficult to say really. The problem I've described in this blog is quite obviously a problem with IE7 (not JIRA) on Vista. Every other browser seemed to work fine. Your case is similar in the sense that only IE6 seems to have the problem and other browsers work fine.
So it's probably a problem with IE6, but ultimately this is really more a question for Microsoft Support than for us.
Cheers,
Andreas
By Andreas Knecht at June 26, 2007 4:19 PM
Hi Andreas,
Thanks for the support in solving the issue. It was the same problem with IE 5.5 on NT and Win2K (without SP4).
One thing to mention, though: it was not enough to specify -keyalg RSA with keytool from 1.6; this still signs the certificate with SHA1. We also needed to specify -sigalg MD5withRSA and then we got it working.
As for the certificate expiration.... MS rules :)
Cheers,
Cristian
By Anonymous at June 27, 2007 12:27 AM
I believe I've seen a similar issue with IE6 where the certificate seems valid but the warning message is about the date being outside of the validity range. I seem to recall that the same message gets displayed when other certificates in the chain are expired, where it should probably (and more helpfully) say "a parent certificate is invalid". Check that the entire chain is still within the validity period.
By Pablo at June 27, 2007 1:00 PM
Thanks Cristian! I've updated our docs with this little addition as well now.
Pablo, I checked the certificate chain, but all certificates seem to be within a valid date range.
Cheers,
Andreas
By Andreas Knecht at June 27, 2007 4:41 PM