Hi all,
an user report to us that he can't browse internet pages over SSL.
The error reported is "HTTP 400 - bad request"
There is some parameters to check on the blackberry device ?
What kind of tests we can do to troubleshoot the problem ?
Thanks

Hey Forino,

First things first, what version of BES are you using? if you check the MDAT logs do you see any other errors that look to be more specific? Below are just a few KB article I searched for that could be relevant however I can't narrow it down without more info. Hope this helps!

blackberry.com/btsc/KB22536
blackberry.com/btsc/KB19999
blackberry.com/btsc/KB23849
blackberry.com/btsc/KB04252

Our BES version is 5.0.2
I'm going to check the MDAT log.
Thanks for the KB articles.

This is a know issue with BES 5.0-5.0.2 that I recently had as well. The easy fix is on the device go to Options then Security Option. Select Advanced Security Options then TLS. Now select Allow HTTPS Redirections and change it from No to Yes. Next select TLS Default and change that from Proxy to Handheld. Save changes. Until RIM comes out with a fix for BES 5.0s handling of SSL pages you will have to input the site address one by one in TLS on the BES.

Hi There,
We're running into this issue and have noticed some interesting things. Or problem is made worse because this we're seeing it on a customer facing mobile site, customers that are using a similar BES setup cannot access the website on their BB's (every other desktop and mobile browser works though) ... did some investigating and discovered some interesting things... anyone seeing the same?

First off quick overview of my setup:
BES 5.0.2 MR2 All devices are forced to browse via MDS-CS. When browsing *SOME* ssl sites I get a:
Access Denied: Insecure SSL Request

The funny thing is that the website in question (an internally hosted, internet accessible mobile client app). This site worked during initial tests a few weeks ago and at that time we were running BES 5.0.2 MR1 but not now after upgrading to MR2. Soo we did some investigating and discovered the following:

1. Our site is using a Digicert EV cert with a SAN attribute (SAN is the same as the subject)
2. if you go to https://www.facebook.com they're also using a Digicert EV cert - you get the same error
3. went to https://www.tdcanadatrust.com (Big Canadian bank) and SSL works
4. went to https://www.cibc.ca and SSL works
5. Started to go HRMM and wondered if this was a digicert issue so I decied to test other CAs
6. https://www.comodo.com fails
7. https://www.thawte.com fails
8. https://www.entrust.com works
9. HUH?!?!

I have an open ticket with RIM on this issue and after analyzing our logs we're seeing the same events as documented in KB22536. While the workaround will fix the issue for us it will not fix the issue with our customers that use the website in question that use MDS browsing/TLS proxy. Since the fix is to either allow untrusted HTTP SSL (I.E. Self signed certs) or to add the website to the device's trusted sites we're asking our clients to trust us more than they should.

So we did some more testing we have a few websites that are using verisign EV certs (not Digicert which is being used on the site in question) and they work! We can browse with no errors. I tested with a client's Blackberry too and it works! ... Soo it has us wondering does the BES have a certificate store which stored commonly used Root CA certs for MDS-CS? and have they not updated the root certificates !??!?

Right now we're waiting for RIM to confirm our findings or provide us with a solution that will ensure our mobile site will work with our clients (E.G. use verisign EV certs).

While poking around I discovered something "eeinterestink"... If you go to https://www.rim.com it works and if you check the cert using a desktop browser it a Thawte cert - but not an EV one, if you go to thawte's site (as I did in my earlier tests) it doesn't work ... so theory #2 does BES 4.1.7 or later have problems with Validating EV certs!?!??!....

As a workaround we're more than likely going to get a Verisign EV cert for our new mobile site as it seems to be the best way to resolve this issue with our clients

Anyone else seeing the same thing? or have any other findins of note?

How do you input the site address for TLS on the BES? I presume this sets the Trusted Host? I am running BES 5.0.2

Input trusted host for TLS - on the device go here (ON BBOS6)
Options->Security->Advanced Security Settings->TLS->Then add a host to your trusted hosts.

I'm pretty sure you can get set this on via MDS-CS as well but we're looking to resolve our Certificate issue. After doing some talking to RIM it looks like BES gets its root certs from the installed version of JAVA and update 22 (the version deployed with sp2) may not have the updated root certs... we're investigating and if I get a final answer I'll post.

Our workaround for this app is/was to get a verisign cert.. We just got it & I'm waiting for my secuirty gurus to install it on our ISA servers to test.

Switching to a verisign certificate looks to have resolved our issue. Anyone know where the default Java Keystore is stored so I can check to see which root CAs its has?