Windows Vista’s RFC-compliant TLS Extensions – Can your server handle them?


Back in October, we blogged about some of the HTTPS improvements we’re making to IE7. At the time, we mentioned that we have encountered some HTTPS servers which claim to support TLS, but violate the RFC and “hang up” when extensions are received during the HTTPS handshake process. On Wednesday, Windows Networking GPM Billy Anders posted to the Windows Networking team blog, explaining why buggy TLS servers will result in connection failures when Windows Vista clients send TLS extensions.

The IE site-compatibility team will be proactively contacting the few major web sites that are running broken TLS implementations, but please be sure to try out your own secure sites using the upcoming Windows Vista Beta 2. If you cannot connect to the site by default, but successfully connect after you uncheck “Use TLS 1.0” in Tools | Internet Options | Advanced, please contact the manufacturer of your web server software about the availability of a fix for their TLS implementation.

– Eric Lawrence
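As an added example that is not part of the original post: a small Python probe that builds a TLS 1.0 ClientHello with and without the RFC 3546 server_name extension, so a server that answers the plain hello but drops the connection when extensions are present can be identified. The cipher-suite list, the result labels and the use of SNI as the only extension are this example's own choices, not the behaviour of the Vista client.

```python
import os
import socket
import struct

CIPHER_SUITES = [0x002F, 0x0035, 0x000A]   # TLS_RSA_WITH_AES_128/256_CBC_SHA, 3DES_EDE_CBC_SHA

def build_client_hello(server_name=None):
    """TLS 1.0 ClientHello record; the extensions block is appended only when a name is given."""
    body = b"\x03\x01" + os.urandom(32) + b"\x00"             # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"   # suites, null compression only
    if server_name is not None:                               # RFC 3546 server_name extension (type 0)
        host = server_name.encode("idna")
        entry = struct.pack("!BH", 0, len(host)) + host       # name_type 0 = host_name
        ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_server_name(record):
    """Walk a ClientHello record and return its host_name, or None when no SNI extension is sent."""
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                              # skip client_version and random
    pos += 1 + body[pos]                                      # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher suites
    pos += 1 + body[pos]                                      # compression methods
    if pos >= len(body):                                      # no extensions block at all
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == 0:                                        # list len (2), name_type (1), name len (2), name
            nlen = struct.unpack("!H", body[pos + 7:pos + 9])[0]
            return body[pos + 9:pos + 9 + nlen].decode("idna")
        pos += 4 + elen
    return None

def probe(host, port=443, with_sni=True, timeout=5.0):
    """Send one ClientHello and classify the reply: 'answered' (any bytes came back, ServerHello or
    alert), 'hangup' (connection closed or reset) or 'timeout'. Run once per with_sni value."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello(host if with_sni else None))
            return "answered" if s.recv(5) else "hangup"
    except socket.timeout:
        return "timeout"
    except ConnectionError:
        return "hangup"
```

A server that returns "answered" for `probe(host, with_sni=False)` but "hangup" for `probe(host)` is showing the extension intolerance the post describes; a server that hangs up on both has a problem unrelated to extensions.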

Comments (38)

  1. JoshCh says:

    Speaking of TLS, will IE7 support RFC 2817 to enable name based virtual hosting for SSL/TLS sites?

  2. Anonymous says:

    The link to the networking team blog is a 404 😛

  3. wndpteam says:

    Frankster: Works for me…

  4. ieblog says:

    Frankster, try visiting the link from the blog entry and not an RSS feed.

    There is an outstanding issue with the Connect site that the blog runs on where they are turning blogs.msdn.com links into relative links in the RSS and Atom feeds. Since you aren’t on the site, that means the links don’t work from an RSS reader.

    They say it will be fixed soon as I had an exchange with them about it today.

    – Al Billings [MSFT]

  5. ieblog says:

    That should be "Community Server" not "Connect." Shows you where my head is…

  6. Anonymous says:

    Microsoft folks being pedantic about RFC compliance?  And doing it with a straight face?  That’s the first laugh-out-loud thing I’ve seen today….

  7. straight_up says:

    KJ, I know, it’s not what most of us developers expect.

    However, I’m glad Microsoft, specifically the IE team, is trying to turn over a new leaf and get serious about standards.

    If they didn’t, wouldn’t we hate them later for it, when browsers following RFC to the letter "break" certain sites that were compatible with IE? –Just like happened with (X)HTML/CSS compliance?

    Thanks for wanting to get it right this time, Microsoft.

  8. Anonymous says:

    Since we don’t have a Windows Vista Beta 2 invitation code, perhaps you can setup a webpage that will test a site for a given domain name, and post that here.

  9. Anonymous says:

    @JoshCh: No, IE will not support 2817 for "upgrade" to SSL.  There are significant UI problems with the approach outlined in 2817 that make it less than ideal for a general purpose user-agent like a web browser.

    In contrast, the Server Name Indicator approach specified in RFC3546 does not suffer from the same UI complications.  As such, IE7 on Windows Vista will support SSL virtual hosting using the TLS extension specified in RFC3546.

  10. ieblog says:

    Posting your home and cell phone number here is probably not a good idea, folks. We don’t offer direct support via the blog. It just would not scale.

    The software is a pre-Beta (not even a Beta). Please don’t install it on a system that is critical for getting your work done. Wait for the final release of IE7 for that.

    Al Billings [MSFT]

  11. microzila says:

    It sure won’t scale. I just blogged about it at microzila and mozila and opera.

  12. Anonymous says:

    Funny to hear Microsoft quoting RFC’s considering how loose they played with standards when it came to CSS 🙂

    Great to see Microsoft on the standards side of the fence this time!

  13. ieblog says:

    Shawn,

    The main issue with our CSS support is that we haven’t released a full update in a long time. You should look at what the support was like when we did release and you’ll see we were a front runner then. That doesn’t change the fact that we do need to update things but there is a context.

    Al Billings [MSFT]

  14. Anonymous says:

    Unchecking "Use TLS 1.0" did not work for me…

    https://capitalcitydesign.net/  and  https://barkvineyards.com/

    Server problem? Server is Apache 1.3.34 (Unix). The host refuses to upgrade Apache.

    Thanks,

    Bradley Smith

    bradley@capitalcitydesign.net

  15. Anonymous says:

    @Bradley: Do those HTTPS URLs work in ~any~ browser?  I cannot reach either of those sites using IE7 on XP, nor Opera and Firefox.

  16. Rita Z says:

    Bradley: Neither of these sites accept TCP connection on the https port (443). I just checked it with the netmon and they send RSTs back. This has nothing to do with either Vista or SSL negotiation. It just doesn’t come to that point yet…

  17. Anonymous says:

    Paging Al Billings; Al, RuleZ023 posted comment spam, check the link.

    While I’m here:

    "The software is a pre-Beta (not even a Beta)."

    So is that why you call it "Beta2"? Maybe you should call it Beta^-2, the square root of a Beta. Hint: there’s another Greek letter before Beta that you could use to indicate pre-Beta, although I bet the marketing dept. wouldn’t let you.

  18. ieblog says:

    We don’t call it a Beta. Beta 2 isn’t out yet. It’s a preview hence the "Beta 2 Preview" name for it. It’s a snapshot of our Beta 2 code in development.

    Al Billings [MSFT]

  19. ieblog says:

    And as to why we don’t call it an Alpha, it doesn’t really make sense to have a build that comes out between Beta 1 and Beta 2 an Alpha does it? We’ve already had the official Beta 1 and we’re in progress towards Beta 2, Alpha just doesn’t apply.

    Al Billings [MSFT]

  20. Anonymous says:

    EricLaw [MSFT] & Rita Z,

    Thank you for your replies. It looks my hosting company has screwed up… again. Anyone know of any decent hosts out there??

    Bradley Smith

    bradley@capitalcitydesign.net

  21. Anonymous says:

    EricLaw [MSFT] & Rita Z,

    My hosting company fixed the HTTPS issue and the websites work in IE 7 with TLS 1.0 enabled. So Apache 1.3.34 does work (and I guess you can assume all newer versions as well (I can’t vouch for prior versions)).

    Bradley Smith

    bradley@capitalcitydesign.net

  22. Anonymous says:

    Our web hosting company is trying to deal with this as well. They seem to be OK for now. I’m keeping my fingers crossed.

    Bradley Smith: I am also looking to switch web hosts. I would suggest going to a couple of web hosting forums because if you go to just one of them they could be biased. I am not putting the dot com part of the URL here – try webhostingtalk and webhostingforum for opinions.

  23. Anonymous says:

    My life’s been pretty dull recently. Shrug. My mind is like a void. I haven’t gotten anything done lately. I can’t be bothered with anything recently.

  24. Anonymous says:

    I would suggest going to a couple of web hosting forums because if you go to just one of them they could be biased.

  25. Anonymous says:

    The last problem I ever had with TLS was when my bank switched to not allowing passwords in the URL and I had to select something different in the Advanced options.  I had no problem getting to the barkvineyard site with IE7B2 in XP. Going to some sites that don’t recognize IE7, you may have to play tricks.  To get to http://www.CVS.com, you have to patch the registry to report IE7 as IE6 to fool their site.  I found that in the KB somewhere, but don’t have the link.  IE7B2 seems to be working fine for me.

  26. Anonymous says:

    David Conrad: Beta^-2 is not the square root, that’d be Beta^0.5, get it right if you’re going to be a pedant.

  27. Anonymous says:

    @ Al Billings

    Microsoft has been very consistent with the naming of "IE7 Beta 2 Preview". But Microsoft doesn’t control how people will repeat "Beta 2 Preview" in their blogs or articles or security release notices.

    Look at your fav search engine and scan the entries. If it isn’t a Microsoft article, you’ll find that people will not repeat the "redundant" word "Preview" after "Beta".

    "Snapshot" is a superior word, but it isn’t great here either because you’d have to use a date next to it: "IE 7 Beta 2, May 2006 Snapshot". <— looks not so good

    Remember PKZIP 2.0g? Letter numbering was great back in its day. Told you how many kicks at the can you had to get a specific version ready. When you’re done with the letters, replace it with a number.

    IE7B1d <— looks good to me

    IE7B2  <— looks good also

    When Beta 2 actually comes out, I hope "Preview" will be dropped for a while so confusion will go away when the new posts arrive saying "IE7 Beta 2 ready for download".

  28. Anonymous says:

    I do not like it and would like my old Internet Explorer back.  How do I do that?

  29. Anonymous says:

    @Zorine– Sorry to hear you didn’t like it.  Any suggestions?

    Uninstalling IE7 is easy.  Go into your system Control Panel and choose Add or Remove Programs.

  30. Anonymous says:

    Good that SSL 2 is disabled by default (finally) but checking it brought up another question.

    Do you have any plans to improve the UI in the Internet Options box?  A 50-item list of radio buttons and checkboxes is no fun to scroll through, especially when the container is non-resizable!  One of the many things that I love about Firefox is that many of the dialogs (which are static and modal in IE) are resizable and non-modal.

  31. Anonymous says:

    @Michael: Alas, no, we won’t be doing much more with the Internet Options for the IE7 release.  We fixed some key scenarios, but we didn’t have the time to do a major rearchitecture.  This is something that we’ll be looking at for the next releases.

  32. Anonymous says:

    I’ve been asked this a couple of times by a number of people since RC1 came out. I experienced this myself…

  33. Anonymous says:

    This build (7100.0.winmain_win7rc.090421-1700) was compiled last Tuesday and, by the look of it, has already started to be distributed to OEM partners.