
Firefox Certificate error with https://IP@:7335/httpbinding

Manuel Rouze
Level 1

Hello,

Since we upgraded to IM/P version 10.5.2.10000-9 we cannot connect using HTTPS to URL https://IP@:7335/httpbinding from a browser.

We get the following error from a Firefox browser:

Secure Connection Failed. An error occurred during a connection to 10.1.20.40:7335. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)

HTTP works fine.

Has anything changed vs. previous IM/P versions that could cause this?

(I already restarted the VM. No luck.)

Thanks for your help,

Manuel.

6 Replies

npetrele
Cisco Employee

Hi Manuel,

I've seen that error a few times with earlier versions, not 10.5.2. I'm pretty sure it's a Firefox problem, because I was able to get rid of the error by exiting Firefox and starting it again.  (You have to be sure Firefox has really exited - sometimes it tends to hang on even though you closed the application.)

Try that and let us know if you're still getting the error.

Also, after you restart Firefox, if you already stored the certificate in Firefox, go into settings and delete that certificate.  Navigate to your https://ip@7335/httpbinding URL in the browser and go through the process of accepting and saving the certificate again. 

I've seen this type of error occur due to a mismatch between using secure and insecure connection type, in that if the client assumes the connection is secure, and IM&P sends an insecure response, the response is not what the client expects and looks like a 'record too long'.

You may want to verify the IM&P web client service secure/unsecure setting.
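The secure/insecure mismatch described in the reply above can be confirmed from the first bytes the port sends back. The following is an added example, not code from this thread or from Cisco; the function names are hypothetical and the sample bytes are constructed. It shows why a plaintext `HTTP/` reply parses as an oversized TLS record.

```python
import socket
import struct

# Record types defined by TLS: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
# Largest TLSCiphertext length permitted by TLS 1.2 (RFC 5246): 2^14 + 2048
MAX_TLS_RECORD = 2**14 + 2048


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server returned on a port expected to speak TLS."""
    if len(data) < 5:
        return "too short to classify"
    # TLS record header: 1-byte content type, 2-byte version, 2-byte length
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_TLS_RECORD:
        return "tls"
    if data.startswith(b"HTTP/"):
        # 'H' lands in the content-type byte, 'TT' in the version, 'P/' in the length
        return f"plaintext http (length field reads as {length}, limit {MAX_TLS_RECORD})"
    return "unknown protocol"


def probe(host: str, port: int, path: str = "/httpbinding", timeout: float = 5.0) -> str:
    """Send a plaintext HTTP request and classify whatever the listener answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        try:
            data = sock.recv(16)
        except (socket.timeout, ConnectionResetError):
            data = b""  # a TLS listener may simply drop a non-TLS client
    return classify_first_bytes(data)


if __name__ == "__main__":
    # Constructed sample: the start of a plaintext HTTP response
    print(classify_first_bytes(b"HTTP/1.1 200 OK\r\n"))
    # Against a live server (address taken from the question):
    # print(probe("10.1.20.40", 7335))
```

If `probe` reports plaintext HTTP on port 7335, the listener is not in secure mode and any `https://` request to it will fail in the browser regardless of stored certificates.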

Thanks for your help, although the issue persists.

I deleted all CUP certificates in FF, restarted it, and am still prompted with the error.

I can access the URL using HTTP, with no issue, and I land on the BOSH/XMPP page with the list of RFCs.

But HTTPS fails.

Same with Google Chrome. In this case, the error message is: "Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

Error code: ERR_SSL_PROTOCOL_ERROR"

Attached a screenshot of the CUP security settings.

Do I have to configure TLS Peer Subjects or TLS contexts?

Manuel.

CUP Security Settings.jpg

If it works for you with http, then it looks like you're hitting what David Staudt mentioned. You'll need to check "Enable XMPP Client to IM/P Service Secure Mode". You may have to restart a service after that, if I recall correctly. If that's the case, refresh the server UI page (you can simply save the same settings a second time to do this) and you'll see a yellow triangle in the upper right that directs you as to what to restart. I think it's the XCP Router, but check the yellow triangle to be sure.

Keep in mind that it's an either/or setting.  When https works for the BOSH URL, http won't work anymore, and vice versa. So if http to the BOSH URL works, then https will not.

Still no luck, even after changing those parameters & restarting services.

I am surprised: if it's an either/or setting, why is it working with HTTP if "Enable Web Client to IM/P Service Secure Mode" is checked...

Manuel.

Try using these settings for a secure connection:

secure.png