Port3101.org : Your BES Connection



Problem browsing SSL page
 
  #1 (permalink)  
Old 01-13-2011, 10:03 AM
BES Administrator
 
Join Date: Feb 2010
Posts: 17
Default Problem browsing SSL page

Hi all,
a user reported to us that he can't browse internet pages over SSL.
The error reported is "HTTP 400 - bad request".
Are there some parameters to check on the BlackBerry device?
What kind of tests can we do to troubleshoot the problem?
Thanks
  #2 (permalink)  
Old 01-13-2011, 04:14 PM
BES Administrator
 
Join Date: Jun 2010
Location: In the woods
Posts: 28
Default

Hey Forino,

First things first, what version of BES are you using? If you check the MDAT logs, do you see any other errors that look to be more specific? Below are just a few KB articles I searched for that could be relevant; however, I can't narrow it down without more info. Hope this helps!

blackberry.com/btsc/KB22536
blackberry.com/btsc/KB19999
blackberry.com/btsc/KB23849
blackberry.com/btsc/KB04252
  #3 (permalink)  
Old 01-14-2011, 09:30 AM
BES Administrator
 
Join Date: Feb 2010
Posts: 17
Default

Quote:
Originally Posted by HelixFelix View Post
Hey Forino,

First things first, what version of BES are you using? If you check the MDAT logs, do you see any other errors that look to be more specific? Below are just a few KB articles I searched for that could be relevant; however, I can't narrow it down without more info. Hope this helps!

blackberry.com/btsc/KB22536
blackberry.com/btsc/KB19999
blackberry.com/btsc/KB23849
blackberry.com/btsc/KB04252
Our BES version is 5.0.2
I'm going to check the MDAT log.
Thanks for the KB articles.
  #4 (permalink)  
Old 01-23-2011, 02:39 AM
BES Administrator
 
Join Date: Jun 2009
Location: In the Desert
Posts: 5
Default

This is a known issue with BES 5.0-5.0.2 that I recently had as well. The easy fix is on the device: go to Options then Security Option. Select Advanced Security Options then TLS. Now select Allow HTTPS Redirections and change it from No to Yes. Next select TLS Default and change that from Proxy to Handheld. Save changes. Until RIM comes out with a fix for BES 5.0's handling of SSL pages you will have to input the site address one by one in TLS on the BES.
  #5 (permalink)  
Old 02-18-2011, 05:56 PM
BES Addict
 
Join Date: Feb 2009
Location: Toronto
Posts: 69
Default Interesting twist on this SSL issue have any of you seen the same.

Hi There,
We're running into this issue and have noticed some interesting things. Our problem is made worse because we're seeing it on a customer-facing mobile site; customers that are using a similar BES setup cannot access the website on their BBs (every other desktop and mobile browser works though) ... did some investigating and discovered some interesting things... anyone seeing the same?

First off quick overview of my setup:
BES 5.0.2 MR2. All devices are forced to browse via MDS-CS. When browsing *SOME* SSL sites I get a:
Access Denied: Insecure SSL Request

The funny thing is that the website in question (an internally hosted, internet accessible mobile client app) worked during initial tests a few weeks ago, when we were running BES 5.0.2 MR1, but not now after upgrading to MR2. Soo we did some investigating and discovered the following:
  1. Our site is using a Digicert EV cert with a SAN attribute (SAN is the same as the subject)
  2. If you go to https://www.facebook.com they're also using a Digicert EV cert - you get the same error
  3. went to https://www.tdcanadatrust.com (Big Canadian bank) and SSL works
  4. went to https://www.cibc.ca and SSL works
  5. Started to go HRMM and wondered if this was a Digicert issue so I decided to test other CAs
  6. https://www.comodo.com fails
  7. https://www.thawte.com fails
  8. https://www.entrust.com works
  9. HUH?!?!

I have an open ticket with RIM on this issue and after analyzing our logs we're seeing the same events as documented in KB22536. While the workaround will fix the issue for us, it will not fix the issue with our customers that use the website in question and that use MDS browsing/TLS proxy. Since the fix is to either allow untrusted HTTP SSL (i.e. self-signed certs) or to add the website to the device's trusted sites, we're asking our clients to trust us more than they should.

So we did some more testing: we have a few websites that are using Verisign EV certs (not Digicert, which is being used on the site in question) and they work! We can browse with no errors. I tested with a client's BlackBerry too and it works! ... Soo it has us wondering: does the BES have a certificate store which stores commonly used root CA certs for MDS-CS? And have they not updated the root certificates !??!?

Right now we're waiting for RIM to confirm our findings or provide us with a solution that will ensure our mobile site will work with our clients (E.G. use verisign EV certs).

While poking around I discovered something "eeinterestink"... If you go to https://www.rim.com it works, and if you check the cert using a desktop browser it's a Thawte cert - but not an EV one. If you go to Thawte's site (as I did in my earlier tests) it doesn't work ... so theory #2: does BES 4.1.7 or later have problems with validating EV certs!?!??!....

As a workaround we're more than likely going to get a Verisign EV cert for our new mobile site, as it seems to be the best way to resolve this issue with our clients.

Anyone else seeing the same thing? Or have any other findings of note?
  #6 (permalink)  
Old 02-21-2011, 12:00 PM
BES Activated
 
Join Date: Jul 2010
Posts: 6
Default

Quote:
Originally Posted by mrtonetone View Post
This is a known issue with BES 5.0-5.0.2 that I recently had as well. The easy fix is on the device: go to Options then Security Option. Select Advanced Security Options then TLS. Now select Allow HTTPS Redirections and change it from No to Yes. Next select TLS Default and change that from Proxy to Handheld. Save changes. Until RIM comes out with a fix for BES 5.0's handling of SSL pages you will have to input the site address one by one in TLS on the BES.
How do you input the site address for TLS on the BES? I presume this sets the Trusted Host? I am running BES 5.0.2
  #7 (permalink)  
Old 02-25-2011, 11:46 AM
BES Addict
 
Join Date: Feb 2009
Location: Toronto
Posts: 69
Default

Input trusted host for TLS - on the device go here (ON BBOS6)
Options->Security->Advanced Security Settings->TLS->Then add a host to your trusted hosts.

I'm pretty sure you can set this via MDS-CS as well, but we're looking to resolve our certificate issue. After doing some talking to RIM it looks like BES gets its root certs from the installed version of Java, and update 22 (the version deployed with SP2) may not have the updated root certs... we're investigating and if I get a final answer I'll post.

Our workaround for this app is/was to get a Verisign cert. We just got it and I'm waiting for my security gurus to install it on our ISA servers to test.
  #8 (permalink)  
Old 02-25-2011, 01:34 PM
BES Addict
 
Join Date: Feb 2009
Location: Toronto
Posts: 69
Default Woohoo!

Switching to a Verisign certificate looks to have resolved our issue. Anyone know where the default Java keystore is stored so I can check to see which root CAs it has?
Reply With Quote
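Added example, not part of the thread or any RIM tooling: one way to run the check asked about in posts #7 and #8, by listing a Java truststore with the JDK's `keytool` and reporting whether the root CA a site chains to is a trust anchor. It assumes the stock Java defaults (truststore at `lib/security/cacerts` under the JRE home, store password `changeit`); which JRE the BES actually uses must be confirmed on the server, and the CA names in the sample are hypothetical.

```shell
#!/bin/sh
# Added example: check whether named root CAs are trust anchors in a Java keystore.

# Emit "alias<TAB>owner DN" for each trustedCertEntry in `keytool -list -v` output.
list_trusted_roots() {
    awk '/^Alias name: /  { alias = substr($0, 13); type = "" }
         /^Entry type: /  { type = substr($0, 13) }
         /^Owner: /       { if (type == "trustedCertEntry") print alias "\t" substr($0, 8) }'
}

# Exit 0 if any trusted root's owner DN contains the string $1 (literal match).
root_in_store() {
    list_trusted_roots | cut -f2 | grep -qF -- "$1"
}

# audit_roots LISTING_FILE NAME...  -> one PRESENT/MISSING line per name.
audit_roots() {
    listing=$1; shift
    for name in "$@"; do
        if root_in_store "$name" < "$listing"; then state=PRESENT; else state=MISSING; fi
        printf '%s\t%s\n' "$state" "$name"
    done
}

# Constructed keytool output (hypothetical CAs, not the contents of any real JRE).
sample_listing() {
    cat <<'EOF'
Alias name: examplelegacyroot
Creation date: Jan 1, 2005
Entry type: trustedCertEntry

Owner: CN=Example Legacy Root CA, O=Example Trust, C=US
Issuer: CN=Example Legacy Root CA, O=Example Trust, C=US

Alias name: sitekey
Creation date: Feb 1, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example EV Root CA, O=Example Trust, C=US
EOF
}

tmp=$(mktemp)
if [ "$#" -ge 2 ]; then      # real run: sh audit.sh /path/to/cacerts "Root name" ...
    ks=$1; shift
    keytool -list -v -keystore "$ks" -storepass changeit > "$tmp"
else                         # no arguments: demonstrate on the constructed sample
    sample_listing > "$tmp"; set -- "Example Legacy Root CA" "Example EV Root CA"
fi
audit_roots "$tmp" "$@"; rm -f "$tmp"
```

The root name to pass is the top certificate of the chain shown for the site in a desktop browser. A certificate stored only as a `PrivateKeyEntry` is reported MISSING because it is not a trust anchor.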