SSL connections to classic webtop fail
Hello,
I have SSGD working for just HTTP access, but when I enable HTTPS the problems begin.
Background:
Server - SLES 9
Global Desktop version - 4.20
SSL Cert - Thawte
I have installed a Thawte cert and am sharing this cert between the web server and SSGD.
The following connections produce different results:
Native Client to https://servername/tarantella - Asked to accept certificate, if accept, connection is fine
browser to https://servername/sgd - Asked to accept certificate, if accept, connection is fine
browser to https://servername/tarantella - fails (tries to connect to servername:5307) until timeout
A quick look at the error.log in /opt/tarantella/var/log/ shows the following:
"Client x.x.x.x:32813 has failed to complete an initial SSL connection. Reported SSL error: Check the client supports SSL. Web browsers must support JDK 1.1"
I know the client supports SSL and that it has had various versions of the JDK, currently it has the most recent.
I've seen other SSL issues on the list that are similar but not the same. What gives?
Thanks!
By morph06 at 2007-11-26 6:19:30

# 2
Bongout,
I appreciate your candor and I do understand that many times those that post to these sites fail to read provided instructions; unfortunately, this isn't the case. I am aware of the firewall traversal configuration and have attempted to account for such but have been unsuccessful.
Before responding, I did review my firewall configurations in case I overlooked something. I even connected a laptop into the same network segment, removing any VLAN ACL or firewall impact, and I continue to receive the same error.
I will continue to review the firewall "angle" but would welcome any other suggestions. Thanks for responding and for your willingness to help.
# 3
There are problems with Thawte certificates using Tarantella. First make sure the right Root Certificate is installed on your SGD machines. Check the Thawte Knowledge base for details. Search the knowledge base for Tarantella.
Second: remove the expired certificates in Windows:
IE| Tools| Internet Options| Content| Certificates| Intermediate Certification Authorities
Remove all Thawte certificates which expired in 2004
Arno
# 7
Hi,
A problem with the clients, especially the java client, is the multiple certificate stores that they have to deal with on the same device.
In order to get a successful connection the appropriate root certificates must be in -
- The browser cert store
- The JVM cert store
- The cert store (the customca file) used by the SGD SSL classes
The JVM may use the browser cert store, and indeed the browser itself to drag content down http connections. It may try and do some of this itself in some cases depending on the JVM version.
Different browsers may have different stores.
The SGD SSL classes (and the customca file) are used specifically by the SGD client but confusingly not by the JVM itself.
The customca which installs without complaint is the one you want. It's not an intermediate certificate, is it? Because there are further issues with them you should be aware of.
Is it possible for you to install a previous JRE and see if that works (1.4.2 say)?
I say that because the latest JRE seems to do something slightly different with regards to SSL connections and certificate stores, although I'd expect it to just prompt you rather than fail to connect.
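
Added example, not part of the thread or of SGD: a shell sketch of the checks discussed in replies #3 and #7, testing one server certificate against each trust store and checking its expiry window with `openssl`. It assumes each store has been exported to a PEM bundle (the real browser, JVM and SGD client stores have their own formats and tools); every certificate, store file name and the host name `sgd.example.test` is constructed for the demo.

```shell
#!/bin/sh
# Added example: test one server certificate against several trust stores.
# Every key, certificate and store below is constructed for this demo.

# check_store STORE.pem CERT.pem: print "trusted" if CERT chains to a CA in STORE.
check_store() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# expires_within CERT.pem SECONDS: print "yes" if CERT expires in that window.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# make_root NAME: create a self-signed CA (NAME.key, NAME.pem), valid 1 day.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo=$(mktemp -d) && cd "$demo" || exit 1
make_root issuing-root      # the CA that signed the server certificate
make_root unrelated-root    # a CA that did not

# Server certificate for a hypothetical host, signed by issuing-root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=sgd.example.test" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA issuing-root.pem -CAkey issuing-root.key \
    -CAcreateserial -days 1 -out server.pem 2>/dev/null

# Three stores standing in for browser, JVM and SGD client; one lacks the root.
cat issuing-root.pem unrelated-root.pem > browser-store.pem
cp unrelated-root.pem jvm-store.pem
cp issuing-root.pem sgd-client-store.pem

for store in browser-store.pem jvm-store.pem sgd-client-store.pem; do
    printf '%-22s %s\n' "$store" "$(check_store "$store" server.pem)"
done
printf 'server cert expires within 2 days: %s\n' "$(expires_within server.pem 172800)"
```

A store that reports `untrusted` is the one missing the issuing root, which is the situation where one client path connects and another fails against the same server certificate.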