Avaya Application Server Certificate error with Chrome but not with IE

[edlee321]

IP500v2 R9.1 SP12 with Application Server R9.1 SP12

I have a valid certificate for my application server that works with IE, but for some reason when I visit same admin page for application server with Chrome 62 it shows "Not Secure", when I get into the developer tools for chrome to see why, it shows

"Obsolete connection settings
The connection to this site uses TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher)."

On IE it shows the site is secure, my issue is with Chrome.

In application server, the generated certificate was made with highest settings:
Public Key Algorithm: RSA-2048
Secure Hash Algorithm: SHA-256

 

[janni78]

You're not saying which version you are on but this is supposed to be fixed in later versions of SE/AppServer

"Trying is the first step to failure..." - Homer

 

[edlee321]

I just updated the title, i have most updated IP500v2 R9.1 SP12 with Application Server R9.1 SP12, should i generate a new cert?

 

[edlee321]

Ok, issue resolved, i just generated a new cert and restarted the Application server and now shows valid

 

[kyle555]

Chrome and IE have different metrics by which they'll decide something is or isn't secure.

So, even if a cert is valid and kosher, and even if it's CN and subjectAltName have the FQDN in there, if it's not in DNS and you're just testing it out by popping that FQND+IP in your hosts file, IE will call that secure with the little green lock (despite when clicking on that lock it shows the cert with a question mark) whereas Chrome actually checks the DNS server. So foo.bar in your hosts file to 1.2.3.4 and the server with cert to foo.bar at 1.2.3.4 actually exists, if Chrome can't "nslookup foo.bar" and get "1.2.3.4" back, it'll never consider the connection secure.

Welcome to UC and the modern web. It's not good enough for dial tone if it's not good enough to run e-commerce and financial transactions.

 

[Westi]

Avaya works very closely with Microsoft for years and my guess is that MS whitelists the Avaya certificates by default, even the self signed ones.

Joe W.

FHandw, ACSS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter

 

[janni78]

The problem is not SHA1, it's Chrome that considers AES_128_CBC obsolete, IE might not do that yet.
Check the new certificate and see what the encryption is on that.

"Trying is the first step to failure..." - Homer

 

[edlee321]

In the chrome navbar shows site is secure in green, when I goto dev tools, under security overview it states:

"This page is secure (valid HTTPS)" in Green

"Valid certificate
The connection to this site is using a valid, trusted server certificate issued by ipoffice-root-xxxx.avaya.com."

"Secure resources
All resources on this page are served securely"

"Obsolete connection settings
The connection to this site uses TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher)."

although it states AES_128_CBC is obsolete cipher, site is showing all green, and no issues, so i am ok with that.