SSL problems with locked down proxies


For one of our applications we've been debugging a problem where the application was not able to correctly make an SSL connection to our server.

It is an application designed to run in schools; in most schools it would work perfectly, while in some others it would completely fail.

After much narrowing down we found that it was limited to Windows XP SP3 machines and newer, and was due to their improved support for checking certificate validity.

The problem was that the school's proxy was locked down so that access was only available to authenticated users, except for our URL, which was on a whitelist so that students did not need to authenticate to access our system.

However, as part of the SSL improvements in XP SP3, Vista and Windows 7, the application was also trying to check additional URLs, and the proxy was blocking those requests.

The URLs were:

  • http://crl.verisign.com
  • http://ocsp.verisign.com

This was because we were using a VeriSign certificate. If you were using a Thawte certificate it would be:

  • http://crl.thawte.com
  • http://ocsp.thawte.com

Adding the above URLs to the proxy whitelist fixed it all up.
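The hosts Windows fetches during certificate validation are not guessed from the CA's name; they are written into the certificate itself (the CRL Distribution Points extension and the OCSP and CA Issuers entries of Authority Information Access). The following is an added example, not code from the original post: it parses the text dump `openssl x509 -noout -text` prints for a server certificate and produces the list of hostnames a locked-down proxy must let through unauthenticated. The certificate text below is a constructed sample with placeholder paths, not a real VeriSign certificate.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of `openssl x509 -noout -text` output.
# Hostnames match the post; the URL paths are placeholders, not real ones.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.verisign.com/placeholder-intermediate.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.verisign.com
                CA Issuers - URI:http://placeholder.example/placeholder-ca.cer

    Signature Algorithm: sha1WithRSAEncryption
"""

_HEADER_RE = re.compile(r"^(X509v3 .+|Authority Information Access)\s*:\s*(critical)?$")
_URI_RE = re.compile(r"^(?:(OCSP|CA Issuers) - )?URI:(\S+)$")


def extract_fetch_urls(cert_text):
    """Return the URLs a validator may fetch, keyed by 'crl', 'ocsp', 'ca_issuers'."""
    urls = {"crl": [], "ocsp": [], "ca_issuers": []}
    section = ""  # name of the extension block we are currently inside
    for line in cert_text.splitlines():
        stripped = line.strip()
        if _HEADER_RE.match(stripped):
            section = stripped
            continue
        m = _URI_RE.match(stripped)
        if not m:
            continue
        label, uri = m.groups()
        if "CRL Distribution Points" in section and label is None:
            urls["crl"].append(uri)
        elif "Authority Information Access" in section and label == "OCSP":
            urls["ocsp"].append(uri)
        elif "Authority Information Access" in section and label == "CA Issuers":
            urls["ca_issuers"].append(uri)
    return urls


def proxy_whitelist(cert_text):
    """Sorted hostnames the proxy must allow without authentication."""
    hosts = {urlparse(u).hostname for group in extract_fetch_urls(cert_text).values() for u in group}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    print(proxy_whitelist(SAMPLE_CERT_TEXT))
```

Feed it the output of `openssl x509 -in server.crt -noout -text` for your own certificate and its intermediates, since each certificate in the chain carries its own CRL and OCSP URLs. On a Windows machine behind the proxy, `certutil -verify -urlfetch server.cer` reproduces the same fetches and shows which one the proxy is blocking.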

Hope it helps.

Cheers,
Mark
