AppPool cannot access an HTTPS website


#1

Hi,
We have multiple servers on Windows 2012R2 Server Std and 2008R2 Server Std that get data from an HTTPS website hosted on a Linux server.
Since the automatic certificate renewal in mid-September, our application pools on the Windows 2012R2 servers can't get data from the HTTPS website, whereas when we browse to the website from Internet Explorer on the same server, we don't have any problem with the certificate.
This problem occurs only on the 2012R2 servers, not on the 2008R2.

Thanks for your help

Sorry for my English, I'm French :roll_eyes:


#2

Hi @luigi77

Your AppPool interacts with another website? The other website is a Linux site.

The only idea I have: the code starts an HTTP web request and tries to load data.

So you should check what this code is doing and why the connection doesn’t work.

It's a normal client-server problem.


#3

Hi and thanks for your reply :slight_smile:
The code does a sort of cURL from an XML file to load data, as you understood.
We see no errors.
The strangest thing is that before the renewal, it worked perfectly. The certificate was renewed at the same time (2008R2 & 2012R2) and only 2012R2 has problems.


#4

This isn't possible. If you saw no error, it would work. So your debugging is bad. Or too many catches without correct error handling / reporting.


#5

What if you use the curl utility on the command line? Maybe with -v to see more information?

(Is the return value of your call to the other server an empty string instead of the XML file? But with no exception raised?)


#6

Can you test your server with SSLLabs?

Perhaps the 2012R2 system has updated to only support newer ciphers/protocols.
And your server can’t provide any that 2012R2 will use.
Or your server is using DHE ciphers with DH primes that are no longer supported by the 2012R2 system.

Hard to say from here…
But that is my best guess.


#7

I agree with @rg305’s idea that the 2012r2 server may have removed support for older cryptographic techniques, while the other system might still support the older technologies. It would be good to know what cryptographic libraries are in use on each system, and what the ciphersuite configuration on the newer system is.

@rg305’s concern about Diffie-Hellman is also a possible explanation in principle, because there have been upgrades over time to the Diffie-Hellman support in both clients and servers. One possibility is that the Linux system uses a relatively modern standard for DH with a large prime number, while perhaps the 2012 client doesn’t allow such a large prime, and perhaps the 2008 client doesn’t use any kind of DH at all.

Anyway, more information about the client, more logging, and attempting with the command line version of curl would be helpful!
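Post #5 suggests running curl with `-v` from the command line, and posts #6 and #7 suspect a protocol, cipher or Diffie-Hellman parameter mismatch between the 2012R2 client and the Linux server. The script below is an added example written for this thread, not code from any of the posters: it runs the same kind of probe with `openssl s_client`, once per TLS version, and reduces each transcript to the negotiated protocol, cipher suite, ephemeral key size and chain verification result. The host and port are whatever the caller passes in (assumptions), and the transcript formats referenced in the comments are constructed samples of normal `s_client` output.

```shell
#!/bin/sh
# Added example, not from the thread: probe an HTTPS endpoint one TLS version
# at a time (what "curl -v" or "openssl s_client" shows by hand) and summarise
# the negotiated protocol, cipher, ephemeral key size and chain verification.
# Requires the openssl CLI. Host/port are caller-supplied assumptions; the
# parsing functions work on a saved s_client transcript (stdin) and need no
# network, so they can be checked against a constructed transcript.

# Reduce one "openssl s_client" transcript on stdin to a single summary line:
#   proto=<version> cipher=<suite> tempkey=<server temp key> verify=<code>
# Fields missing from the transcript (e.g. a handshake that never completed)
# print as "none".
summarize_handshake() {
    awk '
        /^ *Protocol *:/         { sub(/^ *Protocol *: */, "");          proto = $0 }
        /^ *Cipher *:/           { sub(/^ *Cipher *: */, "");            cipher = $0 }
        /^Server Temp Key:/      { sub(/^Server Temp Key: */, "");        tempkey = $0 }
        /^ *Verify return code:/ { sub(/^ *Verify return code: */, "");  verify = $0 }
        END {
            printf "proto=%s cipher=%s tempkey=%s verify=%s\n",
                (proto   == "" ? "none" : proto),
                (cipher  == "" ? "none" : cipher),
                (tempkey == "" ? "none" : tempkey),
                (verify  == "" ? "none" : verify)
        }'
}

# Bit length of the server's ephemeral (DH/ECDH) key from a transcript on
# stdin, or 0 if no "Server Temp Key" line is present. This is the value to
# compare against what an older client is willing to accept (post #7).
temp_key_bits() {
    bits=$(sed -n 's/^Server Temp Key: .*, \([0-9][0-9]*\) bits.*/\1/p')
    echo "${bits:-0}"
}

# Exit 0 only when the transcript shows a completed handshake (a real cipher
# was chosen) AND the certificate chain verified. A failed handshake leaves
# "Cipher    : 0000" or "(NONE)" in the session block; a chain problem leaves
# a non-zero verify code such as "21 (unable to verify the first certificate)".
handshake_ok() {
    summary=$(summarize_handshake)
    case "$summary" in
        *"cipher=none"*|*"cipher=0000"*|*"cipher=(NONE)"*) return 1 ;;
    esac
    case "$summary" in
        *"verify=0 (ok)"*) return 0 ;;
    esac
    return 1
}

# Try each protocol version separately against HOST:PORT so that a version-
# or cipher-specific refusal (post #6) stands out from a certificate problem.
# A version the local openssl does not know simply reports "none" fields.
probe_tls() {
    host=$1
    port=${2:-443}
    for ver in tls1 tls1_1 tls1_2 tls1_3; do
        transcript=$(openssl s_client -connect "$host:$port" -servername "$host" \
                        "-$ver" </dev/null 2>&1)
        printf '%-7s ' "$ver"
        printf '%s\n' "$transcript" | summarize_handshake
    done
}

# Usage: sh tls_probe.sh linux-host.example [443]   (hostname is an assumption)
if [ -n "${1:-}" ]; then
    probe_tls "$@"
fi
```

Run it from a machine that has the openssl CLI, against the Linux host. A row whose cipher is `0000` for the versions the 2012R2 application pool would use, or a DH temp key size the older client does not accept, supports the cipher/DH hypothesis in #6 and #7; a non-zero verify code instead points at the renewed chain. Keep in mind that this probe negotiates with OpenSSL's cipher list, not Schannel's, so a clean result here does not prove the Windows client would succeed; it only tells you what the server offers.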


closed #8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.