Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: purvis on January 14, 2016, 02:22:52 AM

Title: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 14, 2016, 02:22:52 AM
I am having problems accessing the local server with Internet explorer 6 IE6 from a windows 2000 computer.
I use the windows computer to manage the SME 8.2 server.
There is no issue with using Windows XP running Internet Explorer 8 IE8.
I never had a problem before using https with IE6.

If something might have changed with a self assign certificate or something else, please advise.
TLS 1.0 is enabled in the options of IE6.

Thank you.

Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 14, 2016, 02:40:09 AM
seems to be a problem with IE6 or some setting of it.
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: Stefano on January 14, 2016, 08:41:24 AM
IE6, simply, doesn't exist
Use another browser
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: ReetP on January 14, 2016, 11:45:20 AM
Quote
I am having problems accessing the local server with Internet explorer 6 IE6 from a windows 2000 computer.

Quote
There is no issue with using Windows XP running Internet Explorer 8 IE8.

Sorry but it is just not practical for us to support unsupported browsers and OS. Most of us don't have the equipment to even test this scenario. Please upgrade to an OS and browser that is currently supported by the vendor.
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: janet on January 14, 2016, 12:19:21 PM
purvis

Download an old (compatible) version of Firefox & install it on the Windows 2000 workstation.
Google for old versions, they are hosted at many places.
See if that accesses SME server OK.
Depending on the outcome, then you can start pointing the finger of blame more accurately.

Have you looked at log files? What error message do you receive?
You cannot just say it does not work, you need to provide better information than that if you expect help.

For example, if you have a registered domain name (on the SME server) & that is on root server lists re https access, then IE will need the root server list updated, & that may be an issue if Microsoft are no longer releasing those sort of updates for IE6 (which I suspect they are not).
Usually you can add your server domain to the browser root store, BUT you do not give us any clues as to what your problem is, so please start doing some investigation of the facts (which you have in the log files & in the error messages).
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: Daniel B. on January 14, 2016, 01:24:08 PM
See if this can help:

https://www2.warwick.ac.uk/services/its/servicessupport/web/sign-on/faqs/enable-tls/

Or you can re-enable SSLv3:

Code:
db configuration setprop httpd-e-smith SSLv3 enabled
expand-template /etc/httpd/conf/httpd.conf
sv t /service/httpd-e-smith

(not recommended of course, but should make your old IE6 work again)
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: CharlieBrady on January 15, 2016, 12:23:31 AM
Quote
See if this can help:

https://www2.warwick.ac.uk/services/its/servicessupport/web/sign-on/faqs/enable-tls/

OP already said "TLS 1.0 is enabled in the options of IE6".

IE6? Seriously?
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 15, 2016, 01:27:16 AM
Thank you Daniel.
I will try your method.
From working on this for too many hours yesterday.
I had to recharge my decbatteries
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: Stefano on January 15, 2016, 01:44:19 AM
purvis, sincerely, the best you can do is follow janet's advice about using FF
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: guest22 on January 15, 2016, 02:16:42 AM
I don't get it, using 2 commercial products that are EOL and abandoned and then ask questions here?
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: janet on January 15, 2016, 02:34:53 AM
RequestedDeletion

Agree generally.
... but this is a process of elimination troubleshooting method.
Maybe another (known good brand FF) browser works OK.
Purvis gave little info but maybe Daniel is onto the real issue & answer.

Quote
I don't get it, using 2 commercial products that are EOL and abandoned and then ask questions here?
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 16, 2016, 12:41:58 AM
I am now able to work on the servers without users being attached to the server.
Using the console of the server.
Is there an easy way to recreate a new self assigned ssl certificate on the servers. I do not have a purchased ssl certificate.
Thanks Paul
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 16, 2016, 12:46:56 AM
I would suppose this is how to recreate a self assigned certificate.
If I am wrong, please advise.
Code:
rm /home/e-smith/ssl.{crt,key,pem}/*
config delprop modSSL CommonName
config delprop modSSL crt
config delprop modSSL key
signal-event post-upgrade
signal-event reboot
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: guest22 on January 16, 2016, 12:56:32 AM
I would search for 'letsencrypt' on the wiki and bugzilla.
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 16, 2016, 02:31:31 AM
Thanks.
As i just now discovered.
Internet Explorer 6 IE6 on windows xp is accessing the sme https  fine.
It is IE6 on the windows 2000 pro machines that are not working.
I moved all workstations to XP about 2 years ago but i still have a few 2000 machines where I use to service the sme server and do backups with.
I have machines under great control so i do not mind using older versions of IE plus there are always issues with all software all the time.
I was going to update the 2000 machines to windows xp and i suppose i will have to bite the bullet now.

From another program that i use to access https sites.
It seems some sort of a windows 2000 problem.
I did have problems on windows xp machines when sometime back when i had to enable TLS 1.0 to have some https work.
I will keep you informed.

I am sorry that I overlooked 2 computers running windows xp with ie6 were not having issues on my workstations that i use to control the sme server.

Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: CharlieBrady on January 16, 2016, 05:58:25 AM
Quote
I would search for 'letsencrypt' on the wiki and bugzilla.

The procedure purvis has found is a *much* simpler and more reliable way to generate a new self-signed certificate.
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: guest22 on January 16, 2016, 06:56:20 AM
Quote
I am sorry that I overlooked 2 computers running windows xp with ie6 were not having issues on my workstations that i use to control the sme server.


It seems to me that it is SME Server that is controlling your old machines ;-)
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: DanB35 on January 16, 2016, 02:01:03 PM
Quote
I would search for 'letsencrypt' on the wiki and bugzilla.

We don't yet have a working method of using letsencrypt with SME 8.
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 19, 2016, 09:08:34 PM
I tried many things and spent a lot of time.
I needed to upgrade the 2000 machines to XP.
It just takes a lot of work but needed anyways to get a few things running like USB 3 and SATA SSD drives working on newer drive interfaces.
But I do try to work out problems. You never know what knowledge of a problem you will need later.

As far as other browsers go.
There is a portable version of firefox that should work and i have finally found ways of locking it down to selected sites.
Once again, on Windows XP, the version of internet explorer version 6 does work. For Now.

I looked at the letsencrypt and maybe it is the problem. I do not understand all things on web server software when the encryption comes to play.
As far as I can tell. I think it might be user agent being received by SME or that windows 2000 does not support the encryption method.
But i am going to give it up and upgrade my backup machines.

Thank you all for the help
paul
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: DanB35 on January 21, 2016, 03:27:21 PM
Is 2000 -> XP an upgrade?
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: Stefano on January 21, 2016, 04:57:55 PM
Quote
But i am going to give it up and upgrade my backup machines

so you're using an old machine with an old os just as target for your backups? and you need a browser?
well.. install any small linux distro with a minimal DE and you're done
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: janet on January 21, 2016, 10:45:01 PM
Stefano & all

I see many comments over the years advising, suggesting, & even "gently" castigating users for continuing to use old operating systems & old versions of software, some of which are considered to, and do, have security vulnerabilities.

There are many situations where old equipment needs to be kept operational.
ie
Personal preference
Personnel & staff familiarity & a resulting heavy financial & time cost to retrain users
Operating system compatibility with motherboards & chipsets (meaning newer OSes will not run on older equipment, particularly re Windows, thus requiring expensive purchase of new workstation hardware to run a new version of Windows to allow the use of a new & expensive software application)
High cost of purchasing specialised purpose specific commercial software for which there are no "free or GNU" versions, which leads to retaining such old software where it is still capable of performing the basic functions (albeit without newer whistles & bells or interfaces).
Use on protected or secure networks (or even internal LAN use only), where software is considered "relatively safe" to use, despite having vulnerabilities & no available bug or security updates eg the browser scenario mentioned recently. Of course the way users use the old browser or OS is also a consideration eg wise or unwise usage patterns.
Desired continued use of old expensive ancillary hardware eg various types of scanners where the "world famous" & "filthy rich" brand name manufacturers refuse to release driver software updates, thus requiring users to keep old hardware & OSes functional to avoid trashing perfectly good hardware peripherals. I think Microsoft & Intel & Hewlett Packard & various other big name manufacturers have a lot to answer for when they get to heaven (for those who believe in that concept).

I realise virtualisation could often be used but that is simply not always practical in many cases.

The list can probably go on & on, but there are many reasons & factors why old stuff is kept in service beyond its normally accepted lifespan. Everybody's situations are different and what works or does not work for one, cannot always be considered as appropriate for another person & their situation.

I should probably just add that some people only want & really do need the latest & greatest & are quite happy to upgrade & pay for it. Others are quite happy to keep older devices & equipment & are perfectly happy with functional limitations & do not really need the latest & greatest.
I'm still using everything from & to iPhone 3G, iPhone 5 & Samsung S5, & Windows 2000, XP, Vista, 7 & 8.1 on old Celeron 500 to Surface Pro,  because I need to & because they still work/do what I want & need.


Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 22, 2016, 03:26:52 AM
hi all
yes I hate to give up and I did find out what seemed to happen.
I might be a little off on my explanation but I will hope what I write can be understood even if I am off with some terminology.

There has been a change to the security by using SHA256 algorithm for certificate signing by many websites (https).

I am running a self signing certificate and I do not use any other SSL certificate and will not talk about anything but the self signing certificate built into SME server 8.2.

Somewhere within the last year.
There was a change in SME 8.x(the version of server I am running is 8.2) that creates self signing certificate.
The latest SME software that I have creates a certificate using SHA2/SHA256 algorithm.
The server was creating a certificate with SHA1 algorithm at some point when SME 8.0 or SME 8.1 came out.
So on windows 2000, IE6 does not support SHA2/SHA256.
Starting with windows xp sp3, IE6 does support SHA2/SHA256.
At some point in time, the server will create a new certificate when the current certificate expires.
The new certificate will be using SHA256 and not SHA1.
I found out a file that has something to do with creating the certificate.
/etc/e-smith/templates/home/e-smith/ssl.crt
inside of the ssl.crt file there is a line that reads like this:
  qw(-sha256 -x509 -days), KEYLIFEINDAYS,

but used to be:
  qw(-sha1 -x509 -days), KEYLIFEINDAYS,
creating self ssl signed certificates to SHA1

TO CREATE SHA1 SSL SIGNED CERTIFICATES READ A FEW POSTS FOLLOWING.

In the wiki pages for SME 8.0
http://wiki.contribs.org/SME_Server:8.0
There reads a line of "Improve security by using SHA1 algorithm for certificate signing."

In the wiki pages for SME 9.1 in the section of other fixes and updates
http://wiki.contribs.org/SME_Server:9.1
There reads a line of "Use sha256 algorithm for signature of SSL cert."

Somehow sha256 got changed in the sme 8.x server whether on purpose or accident.
But I did learn a few things about all this.
I did not discover this until trying to use the server-manager webpage from my backup computer which was using windows 2000.

Here is another web page that may help out with ssl certificates using sha256
https://luxsci.com/blog/new-ssl-certificates-sha256-and-backwards-incompatibility-what-to-do.html

I was also able to use this webpage to look at my servers using Firefox web browser.
https://www.ssllabs.com/ssltest/

I am hoping that someone who knows more about all the effects of the changing from sha1 to sha256 will make an explanation of some sort.
So until i can get my computers over to windows xp sp3. I have made the change back to sha1.
I have my workstation computers restricted to certain internet web site usage and on the windows 2000 machines, I am the only one who uses those computers.
Oh well, changes come in life, but I would rather they happen to other people.
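
To confirm which signature algorithm a certificate carries without relying on a browser, as the post above had to work out, here is an added example (not part of the original thread or of SME Server's code) that reads the outer signatureAlgorithm field of a PEM or DER X.509 certificate. The function names and the `constructed_cert` samples are assumptions made for illustration; the samples are certificate-shaped byte strings, not real certificates.

```python
import base64

# Signature-algorithm OIDs from PKCS #1; unknown OIDs are returned as dotted strings.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode DER OID content bytes to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(cert):
    """Name the algorithm that signed a PEM or DER X.509 certificate."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = [l.strip() for l in cert.splitlines()]
        cert = base64.b64decode(b"".join(l for l in lines if not l.startswith(b"-----")))
    tag, start, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(cert, start)      #   tbsCertificate (skipped),
    _, alg_start, _ = read_tlv(cert, tbs_end)  #   signatureAlgorithm, signatureValue }
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(cert[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def constructed_cert(oid_bytes):
    """Certificate-shaped DER built for this example; not a real certificate."""
    tbs = b"\x30\x81\xc8" + b"\x00" * 200                # placeholder tbsCertificate
    alg = b"\x30\x0d\x06\x09" + oid_bytes + b"\x05\x00"  # AlgorithmIdentifier {OID, NULL}
    sig = b"\x03\x05\x00" + b"\xaa" * 4                  # placeholder signature BIT STRING
    return b"\x30\x81\xe1" + tbs + alg + sig

SHA1_SAMPLE = constructed_cert(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5
SHA256_SAMPLE = constructed_cert(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
```

On the server, pass the bytes of the certificate file kept under /home/e-smith/ssl.crt/ to `cert_signature_algorithm` before and after regenerating it to see whether the template change took effect.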
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 22, 2016, 03:30:44 AM
to DanB35
I never do an upgrade on windows computers.
I always install a fresh windows os when changing windows os.
I might test doing upgrades but I have never liked them because things seem to break.
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: DanB35 on January 22, 2016, 03:51:29 AM
There's some discussion on the letsencrypt.org forums about WinXP compatibility (which I'm not following very closely, as I don't use XP), and it seems to suggest that you might have better compatibility with Firefox than with IE.
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: CharlieBrady on January 22, 2016, 08:08:33 AM
Quote
you can edit the ssl.crt file using this command line.
nano  /etc/e-smith/templates/home/e-smith/ssl.crt

No, you shouldn't do that. You should create a custom template, and edit that. [You've been around long enough you should know this already.]

mkdir -p  /etc/e-smith/templates-custom/home/e-smith/
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/
nano /etc/e-smith/templates-custom/home/e-smith/ssl.crt
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 22, 2016, 09:01:00 AM
Thank you Charlie.
Thank you for chiming in.
Yes I have been around a long time.
But still understanding and creating custom templates gives me the heebie jeebies!
I will try your fine knowledge and clean up some written comments to not lead others astray.
But the method I used did work and I am glad your method should stick from allowing future updates changing the ssl certificate from sha1 to sha256.

Thanks again Charlie.
Have a good weekend.
Title: Re: cannot access server https with ie6 on windows 2000 os
Post by: purvis on January 22, 2016, 10:26:00 AM
Following Charlie Brady's suggestion on how to change the SSL Signed Certificate to SHA1 rather than SHA256 using a custom template for SME 8.

This worked for me.

create and make the change from SHA256 to SHA1 to allow for older browsers to access https on the sme server
change -sha256 to -sha1 in the ssl.crt file in the custom templates
make the change in the ssl.crt file line
from:
        qw(-sha256 -x509 -days), KEYLIFEINDAYS,
to:
        qw(-sha1 -x509 -days), KEYLIFEINDAYS,
basically just editing -sha256 to -sha1
 
Code:
mkdir -p  /etc/e-smith/templates-custom/home/e-smith/
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/
nano /etc/e-smith/templates-custom/home/e-smith/ssl.crt


erase current signed certificates prior to rebooting
not sure if this is needed but I erased previous ssl certificate files.
Code:
rm /home/e-smith/ssl.*/*

to rebuild SSL signed certificates during a reboot of the server
Code:
signal-event post-upgrade;signal-event reboot