Thursday, October 23, 2008

Fun with IE6, SSLv2 and TLSv1

Internet Explorer pain

A consulting client of mine has a website with some security requirements that mandate the use of encrypted communications. The site had been running on Tomcat 4 on a Win2K server machine, with no particular tuning of how Tomcat dealt with crypto. We kinda just dropped in the server-side cert and ran with it, back in 2003 or so.

We recently ran a Nessus scan on the machine, which suggested that allowing SSLv2 and weak ciphers was perhaps a bad idea. We were intending to retire the Win2K machine anyway and do some other software updates, so we decided to deal with this too. The new machine is a Win2003 R2 server running inside of VMware, with Tomcat 6 running in a Java 6 JVM, and using the APR connector rather than the Tomcat standard connector.

We initially deployed with the following configuration:

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" compression="on"
           maxThreads="150" scheme="https" secure="true"
           SSLProtocol="TLSv1"
           SSLCipherSuite="HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
           SSLCertificateKeyFile="conf/privatekey.key"
           SSLCertificateFile="conf/site.crt"
           SSLPassword="i_can_haz_crypto_k_thx_bye" />

This worked great with IE7, Firefox 2+, and Safari, but IE6 acted as if it couldn't find the site at all - as if it had failed DNS resolution! We had some difficulty figuring out what was going on, but we ended up turning on SSLv3 as well as TLSv1 in the SSLProtocol setting, like so:

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" compression="on"
           maxThreads="150" scheme="https" secure="true"
           SSLProtocol="ALL -SSLv2"
           SSLCipherSuite="HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL"
           SSLCertificateKeyFile="conf/privatekey.key"
           SSLCertificateFile="conf/site.crt"
           SSLPassword="i_can_haz_crypto_k_thx_bye" />

and then things seemed much happier. This was particularly confusing, as our IE6 machine had "Use TLS 1.0" checked in the Tools->Internet Options->Advanced settings pane. Still not entirely sure what's going on, but turning on SSLv3 and leaving SSLv2 off appears to work.
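An added example (not part of the original post) that audits the two Connector settings above before deploying them: it expands the SSLProtocol value into the set of enabled versions, checks that the cipher list excludes SSLv2 and null ciphers, and flags the TLSv1-only case that broke IE6. It assumes mod_ssl-style SSLProtocol syntax ("ALL", "+X", "-X", "SSLv2+SSLv3"); how a given tomcat-native build interprets an unrecognised value is not confirmed here, so a scan of the running server is still the final check.

```python
import xml.etree.ElementTree as ET

# Protocol versions the OpenSSL/tomcat-native builds of that era knew about.
KNOWN = ("SSLv2", "SSLv3", "TLSv1")
# Exclusions a server-side cipher list should carry regardless of SSLProtocol.
REQUIRED_EXCLUSIONS = ("SSLv2", "aNULL", "eNULL")


def effective_protocols(spec):
    """Expand a mod_ssl-style SSLProtocol value into the set of enabled versions.

    Accepts 'ALL', bare names, the 'SSLv2+SSLv3' compound form and '+X'/'-X'
    add/remove tokens, case-insensitively. Assumption: the connector honours
    this syntax; confirm against the tomcat-native release actually in use.
    """
    enabled = set()
    for token in spec.replace("+", " +").split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            versions = set(KNOWN)
        else:
            versions = {v for v in KNOWN if v.lower() == name.lower()}
            if not versions:
                raise ValueError("unknown SSLProtocol token: %r" % token)
        enabled = enabled | versions if op == "+" else enabled - versions
    return enabled


def audit_connector(xml_text):
    """Return a list of human-readable findings for one <Connector .../> element."""
    attrs = ET.fromstring(xml_text).attrib
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return []
    protos = effective_protocols(attrs.get("SSLProtocol", "ALL"))
    ciphers = attrs.get("SSLCipherSuite", "DEFAULT").split(":")
    findings = []
    if "SSLv2" in protos and "!SSLv2" not in ciphers:
        findings.append("SSLv2 handshakes accepted")
    if "SSLv3" in protos:
        findings.append("SSLv3 enabled (weaker than TLSv1, kept for old clients such as IE6)")
    if protos == {"TLSv1"}:
        findings.append("TLSv1 only: clients that do not negotiate TLSv1 (the IE6 symptom above) cannot connect")
    for name in REQUIRED_EXCLUSIONS:
        if "!" + name not in ciphers:
            findings.append("cipher suite does not exclude %s" % name)
    return findings


# Constructed sample input: the post's two Connector elements, trimmed to the
# SSL attributes, with the password replaced by a placeholder.
TLS_ONLY = ('<Connector port="443" SSLEnabled="true" SSLProtocol="TLSv1" '
            'SSLCipherSuite="HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL" SSLPassword="PLACEHOLDER"/>')
NO_SSLV2 = TLS_ONLY.replace('SSLProtocol="TLSv1"', 'SSLProtocol="ALL -SSLv2"')
```

Run `audit_connector(TLS_ONLY)` and `audit_connector(NO_SSLV2)` to see the one finding each configuration produces; a connector with `SSLProtocol="ALL"` and an unrestricted cipher list trips every check.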

Time to upgrade the world to Firefox.
