Tags: ssl, asp-classic, windows-server-2003, msxml, serverxmlhttp

Can't connect to server over HTTPS which uses a SHA2 certificate using MSXML2.ServerXMLHTTP


We updated our SSL certificate to SHA2, but the intermediate certificate was SHA1. Chrome and other browsers have decided that the entire chain must be SHA2. Our customers were calling concerned about the yellow caution in the address bar. Rumor has it that in a few months Chrome and other browsers will replace the mildly unobtrusive caution with a stop screen. We certainly don't want that!

...

So we reissued the certificate and the new one is signed by the SHA2 intermediate. When we use that certificate to encrypt the traffic on our server, our applications that are using MSXML2.ServerXMLHTTP (running on Windows Server 2003) to access remote web services on that server can no longer connect.

After researching, we applied these two hotfixes that looked like they might have addressed the issue:

https://support.microsoft.com/kb/938397/en-us
https://support.microsoft.com/kb/968730/en-us

But the problem persists. Switch the cert back to the SHA2 with SHA1 intermediate and we have no issues.

We have installed the intermediate SHA2 certificate in the trusted store but the problem persists.

We have tried specifying all versions of the MSXML2.ServerXMLHTTP and all fail.

ASP code:

function query(xml)
    dim xmlhttp, xmlDoc, url

    ' Start with Nothing so the function still returns an object reference
    ' (rather than an uninitialised variant) when the send fails.
    set xmlDoc = nothing
    url = application("component_url")

    set xmlhttp = server.createobject("MSXML2.ServerXMLHttp")
    call xmlhttp.open("POST", url, false)
    call xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")

    ' Any failure raised by send (including a TLS handshake failure) is
    ' trapped here instead of aborting the page.
    on error resume next
    err.clear
    call xmlhttp.send(xml)

    if err.number <> 0 then
        ' Pass the actual error text; the original passed an undefined "message".
        call sendAlert("An error has occurred while trying to send your request", err.description)
    else
        dim rt
        ' ConvertUtf8BytesToString is a helper defined elsewhere in the application.
        rt = ConvertUtf8BytesToString(xmlhttp.responseBody)
        set xmlDoc = server.createobject("MSXML2.DomDocument")
        call xmlDoc.loadXml(rt)
    end if
    on error goto 0

    set query = xmlDoc
    set xmlhttp = nothing
    set xmlDoc = nothing
end function

Solution

  • Your situation is very likely the same as this post, especially the last answer, as you mention the script has been running for 10+ years.

    Quoting the last answer in full:

    I know it is an old question. This issue could be because of unsupported cipher suites. Try adding:

    - TLS_RSA_WITH_AES_128_CBC_SHA (AES128-SHA)
    - TLS_RSA_WITH_AES_256_CBC_SHA (AES256-SHA)

    That means you have to follow this KB: http://support.microsoft.com/kb/948963

    This update is also interesting if you are still using Windows 2003, as it will allow connecting to sites using SHA2: http://support.microsoft.com/kb/968730

    Please note that Windows Server 2003 support is ending July 14, 2015.

    If the code is running on a Windows Server 2003, I suggest you try it on a newer machine, maybe a laptop with Windows 7 for a quick test.
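The answer above names two separate reasons a Windows Server 2003 client can fail against a server that was just moved to a SHA-2 chain: the stock SChannel on that platform has no AES cipher suites until KB948963, and it cannot validate SHA-2 signed certificates until KB968730. The following script is an added example, not code from the question or the answer, that models both checks so you can reason about which hotfix is still missing, and includes a live probe that can be run from a modern machine to confirm the server still offers the legacy AES-CBC-SHA suites. The Windows 2003 default suite list, the hotfix labels, the `diagnose`/`probe` function names and the constructed server scenario are all assumptions of this example; the probe needs network access and an OpenSSL-backed Python `ssl` module (the `@SECLEVEL=0` prefix only relaxes the probe's own policy so it may offer those suites).

```python
"""
Added compatibility check for the two failure modes discussed in the thread.
Suite tables and hotfix effects are stated here as assumptions, not taken
from the question or answer.
"""
import socket
import ssl

# IANA names of the suites a stock Windows Server 2003 SChannel offers
# (assumed default list for this example).
WIN2003_DEFAULT_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
]

# Suites the answer says KB948963 adds.
KB948963_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# IANA name -> OpenSSL name, used by the live probe.
OPENSSL_NAMES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
}

# Signature algorithms a client without KB968730 cannot validate.
SHA2_SIGNATURES = {
    "sha256WithRSAEncryption",
    "sha384WithRSAEncryption",
    "sha512WithRSAEncryption",
}


def client_suites(hotfixes):
    """Suites the legacy client offers, given the hotfixes applied to it."""
    suites = list(WIN2003_DEFAULT_SUITES)
    if "KB948963" in hotfixes:
        suites += KB948963_SUITES
    return suites


def negotiate(server_suites, offered):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(offered)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


def chain_ok(chain_sig_algs, hotfixes):
    """The chain validates only if every signature algorithm is understood."""
    if "KB968730" in hotfixes:
        return True
    return not any(alg in SHA2_SIGNATURES for alg in chain_sig_algs)


def diagnose(server_suites, chain_sig_algs, hotfixes=()):
    """Return the list of reasons the handshake would fail (empty = OK)."""
    problems = []
    if negotiate(server_suites, client_suites(hotfixes)) is None:
        problems.append("no common cipher suite (apply KB948963 or enable a suite the client has)")
    if not chain_ok(chain_sig_algs, hotfixes):
        problems.append("SHA-2 signature in chain not supported (apply KB968730)")
    return problems


def probe(host, port=443, suites=KB948963_SUITES, timeout=5.0):
    """Live check from a modern host: does the server accept a handshake
    restricted to the given legacy suites and TLS 1.0-1.2? Returns
    (negotiated cipher, protocol) or raises ssl.SSLError / OSError."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("@SECLEVEL=0:" + ":".join(OPENSSL_NAMES[s] for s in suites))
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # RSA-kx suites do not exist in TLS 1.3
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0], tls.version()


if __name__ == "__main__":
    # Constructed scenario resembling the thread: server offers only AES
    # suites and presents a fully SHA-256 signed chain.
    server = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    chain = ["sha256WithRSAEncryption", "sha256WithRSAEncryption"]
    for fixes in [(), ("KB968730",), ("KB968730", "KB948963")]:
        print(fixes or "no hotfixes", "->", diagnose(server, chain, fixes) or "handshake OK")
```

Running the script with no arguments prints the outcome for each hotfix combination; with only KB968730 applied (the state described in the question) the remaining failure is the cipher-suite mismatch the answer points at. To use the live probe, call `probe("your.server.example")` from a current machine; a successful return confirms the server still offers AES128-SHA or AES256-SHA, which is the precondition for the patched Windows 2003 client to connect.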