ssl error - learning website access

[andyoxon]

Mini ao can't get on to this site; keep getting...

Other websites seem fine.  Any ideas?

Secure Connection Failed     
       
An error occurred during a connection to iamlearning.co.uk.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)

[Feanor]

<shrug>

Works ok here on IE9.

What kind of machine is being used, and what browser?

Try another machine, or a different browser.

[andyoxon]

Two PCs: FF and IE, Ok for other sites, but not iamlearning... get same error. 

[andyoxon]

Chrome gives this...

SSL connection error
Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.

Could this be a licence issue?

This site was fine when I checked it at work...

also this...

Secure Connection Failed
     
An error occurred during a connection to iamlearning.co.uk.

You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

       

       
       

  The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

[David Martin]

Can you delete your SSL certificate cache? then see whether it complains.

[andyoxon]

Can you delete your SSL certificate cache? then see whether it complains.

If I go FF options>advanced>encryption>view certificates.... there are none.  Should there be?

Could windows firewall be blocking stuff.  had a look and there are public and private rules to block thinks that don't match.      I wish I knew more about how the firewall worked.

[Fab Foodie]

I seem to be able top access it from my laptop.

[andyoxon]

I seem to be able top access it from my laptop.

Yes, I think it may be the way network or firewall or something is set up.  Wish I knew what!   It's not https generally because i can access work email and googlemail etc....

I tried turning off web and network AV but did not clear problem...

mini is going to have to go to school with a print of the error message - saying 'sorry no can do'.

[iddu]

If I go FF options>advanced>encryption>view certificates.... there are none.  Should there be?

You checking the right tab?

Base explanation AFAICS is (your) workstation is getting same SSL cert from server as it already has.

Drilling down chain shows CA for site is "Comodo High Assurance Server CA"; try nuking this from the "authorities" tab and then accessing the site.

[andyoxon]

If I go FF options>advanced>encryption>view certificates.... there are none.  Should there be?

You checking the "Servers" tab?

Base explanation AFAICS is (your) workstation is getting same SSL cert from server as it already has.

Drilling down chain shows CA for site is "Comodo High Assurance Server CA"; try nuking this from the "servers" tab and then accessing the site.

Thanks.  OK I've found windows control panel 'internet properties' has:
Clear SSL state (what's this?), Certificates, publishers (

Certificates list loads - but can't see comodo...

[iddu]

Thanks.  OK I've found windows control panel 'internet properties' has:

Backup...which browser & version.

[andyoxon]

That was in windows 7 control panel - internet options/properties.

Am using FF 15.0.1 atm, also ie 9.0.10...

iamlearning doesn't seem to work on any of these browsers - making me think it's upstream - firewall?

[David Martin]

Just trying to think if there is a way to force a cache reload from a client if it is your ISP transparently proxying and filtering SSL through a man in the middle process (which would be very norty of them)

[iddu]

Am using FF 15.0.1 atm, also ie 9.0.10...

OK, FF 15.0.1; Tools -> Options -> Advanced -> View Certs -> Authorities tab

Run down the list, looking for "Comodo High Assurance...", of 'type' Software Security device; if you spot any, click "Delete/Distrust" & remove.
Once done, restart FF - this should reinsert Comodo stuff as needed as you try to use website...

[andyoxon]

Thanks -  just tried this and still a problem.  There are other comodo certs still left - not 'high assurance'  (what's comodo?)

What happens if I delete all the certificates?

[andyoxon]

Does this seem right?

Windows Firewall has... status

On
Incoming connections   Block all connections to programs that are not on the list of allowed  (I guess this isn't websites)

[iddu]

Does this seem right?
:
:

Yup, generally, unless you have specific needs, stuff you send out will, if transiting a security device, have an implicit ruleset created to allow response from remote recipient to reach you, that will last only for the lifetime of the 'conversation' just started...

>if I delete all of them
Nothing much, in FF - it will recreate the builtin objects, and use of websites populate non-builtin object versions; if you're worried, you can export each cert before removal.

>still borked.
OK, buggerit - so, it could be something upstream, but not the site itself (hosting serverside issues would tend to stop everyone).

Right, divide & conquer. Is that the only browsing device you have that talks through your networking infrastructure to site?

[andyoxon]

Does this seem right?
:
:

Yup, generally, unless you have specific needs, stuff you send out will, if transiting a security device, have an implicit ruleset created to allow response from remote recipient to reach you, that will last only for the lifetime of the 'conversation' just started...

>if I delete all of them
Nothing much, in FF - it will recreate the builtin objects, and use of websites populate non-builtin object versions; if you're worried, you can export each cert before removal.

>still borked.
OK, buggerit - so, it could be something upstream, but not the site itself (hosting serverside issues would tend to stop everyone).

Right, divide & conquer. Is that the only browsing device you have that talks through your networking infrastructure to site?

? Lost me a tad.   

This (below) does seem to indicate certificate, is there a more specific log somewhere?

Secure Connection Failed

An error occurred during a connection to www.iamlearning.co.uk.

You have received an invalid certificate.  Please contact the server administrator or email correspondent and give them the following information:

Your certificate contains the same serial number as another certificate issued by the certificate authority.  Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)   

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
 Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

Why (on chrome) do trusted certs not have 'client authentication' checked?  If I delete the certs - how are they repopulated

[David Martin]

If you delete all the certs then you will just be prompted to accept the certs again when you next access the site. It is the easiest way to go, nuke the SSL cache from orbit. The system will then recreate it as needed without (hopefully) the naming conflict.

It sounded like you had two certificates pointing at different machines (can happen if you have one stored by IP and one stored by FQDN but the FQDN is round robining of multiple IPs)
With direct access to the SSL cache I'd delete the offending certificates, with just a browser interface delete them all and start over. It will not have any effect on the functionality of the web site, it will just promptyou on your next conenction to accept the certificate.

[iddu]

? Lost me a tad.   

Firewall stuff
Don't worry about it. If you start a conversation with some remote thing, generally rules will be dynamically created so they can talk back to you.

Certificates
There was a cabal, and we all agreed to trust some big white hats. These big white hats approved little white hats.

When we talk to minion FRED, and say prove who you are, he says "here's a piece o'paper that tells you to check my bona fides with SALLY", and when we ask SALLY, she says "talk to my boss, Big White Hat TOM". TOM says, "yep, I gave a bit o'paper to SALLY, who gave a bit o'paper to FRED, whose giving you a copy of his paperwork, with a receipt number on it"

So you wander along, and look at stuff from TOM again, and he says "here's my paperwork", and you say "that's rubbish - I've got paperwork from you with that receipt number already".

The copy of paperwork being held could be stored in any of your local 'filing cabinets'; the quick way to determine if it's a copy being held in your personal/family/machine cabinet is to swap out the whole device, but leave all your cabling in place - if a second device manage to access the site w/o issue, then we know we need to trace and burn your copy of TOM's paperwork on first device.  If the second device fails in same manner, finding out why somebodies fobbing you off with paperwork you've already got a copy of can be more complex.

As DM states, in the latter case nuking stuff will generally just require you (at worst) to accept a profferred piece of paper next time you look at a site - 9/10 times if the paperwork is just for you to note the chain of white hats it will be quitely accepted and filed.

[andyoxon]

Thanks.  So if there's a copy of certs in the windows control panel 'internet options' do I need to delete these too, or is this simply an extension of ie9.  The thing is the website doesn't work across multiple browsers making me think there's a mismatch between windows and the browsers. Don't know.

[iddu]

The thing is the website doesn't work across multiple browsers making me think there's a mismatch between windows and the browsers. Don't know.

No - there should be one collection of certificates on the device, which all browsers/applications look to; there may be specific sub-types (e.g. personal/machine/application), but they should all be stored (under the hood) in roughly the same place.

So your view from one browser/application may be showing just a subset it considers of relevance, but if you can see appropriate erroneous certificate then nuking it from one purview should nuke it for all.

Back to the simple question - do you have a second device on which access to said site via the same networking infrastructure works?

[andyoxon]

The thing is the website doesn't work across multiple browsers making me think there's a mismatch between windows and the browsers. Don't know.

No - there should be one collection of certificates on the device, which all browsers/applications look to; there may be specific sub-types (e.g. personal/machine/application), but they should all be stored (under the hood) in roughly the same place.

So your view from one browser/application may be showing just a subset it considers of relevance, but if you can see appropriate erroneous certificate then nuking it from one purview should nuke it for all.

Back to the simple question - do you have a second device on which access to said site via the same networking infrastructure works?

No other laptop also has same error messages.

So if I (tonight) close browsers go into windows control panels 'internet options' and  nuke the certificates > restart PC > try access iamlearning...

[David Martin]

Did both computers access the site without problems before? It appears you don't have an untainted platform.

Can you try creating a new account on the machine and access from there?

[andyoxon]

Did both computers access the site without problems before? It appears you don't have an untainted platform.

Can you try creating a new account on the machine and access from there?

This is the first time we've tried to access the site.  I could try a new account - mini first found she could not access it from her login, then I tried admin.  I did run malwarebytes to check from unwanted progs, it found pup.aka.rkn or summat.  Removed this from both PCs - made no diffs.