We have a XenApp server that is unable to connect to duosecurity.com on port 443 over HTTP. I feel sure the problem has to do with a missing root or intermediate certificate on the server, and I'm using Fiddler to help troubleshoot. With Fiddler I've found that if I enable "Decrypt HTTPS traffic", IE11 connects to the site fine as expected. If I disable that feature, IE11 will not make the connection and fails with "Certificate was blocked because it was not signed by a valid security certificate".
I'm attempting to compare the raw session information from a failed connection with that of a successful connection, but still having trouble getting to the source of the problem. Any help is greatly appreciated.
FAILURE:
=======
HTTP/1.0 200 Connection Established
FiddlerGateway: Direct
StartTime: 18:20:01.546
Connection: close
EndTime: 18:20:01.671
ClientToServerBytes: 344
ServerToClientBytes: 3489
This is a CONNECT tunnel, through which encrypted HTTPS traffic flows.
To view the encrypted sessions inside this tunnel, enable the Tools > Fiddler Options > HTTPS > Decrypt HTTPS traffic option.
A SSLv3-compatible ServerHello handshake was found. Fiddler extracted the parameters below.
Major Version: 3
Minor Version: 3
SessionID: empty
Random: A2 8C DF ED A9 F0 05 B0 74 EF EE AF 01 77 DA BA E2 7C 17 47 94 90 EF 85 9D 82 58 17 33 F4 41 54
Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 [0xC027]
CompressionSuite: NO_COMPRESSION [0x00]
Extensions:
server_name empty
renegotiation_info 00
ec_point_formats 03 00 01 02
SUCCESS:
========
HTTP/1.0 200 Connection Established
FiddlerGateway: Direct
StartTime: 11:27:37.650
Connection: close
Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.
Secure Protocol: Tls
Cipher: Aes128 128bits
Hash Algorithm: Sha1 160bits
Key Exchange: 44550 256bits
== Server Certificate ==========
[Subject]
CN=*.duosecurity.com, O="Duo Security, Inc.", L=Ann Arbor, S=Michigan, C=US
[Issuer]
CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
[Serial Number]
03CBE781655532FAE641E04B268E6A52
[Not Before]
10/22/2013 7:00:01 AM
[Not After]
1/4/2017 6:00:00 AM
[Thumbprint]
7D15717C4EBC7367A2E6D5A11CBEC85DAF33A9BB
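The two captures are not comparing like with like: with "Decrypt HTTPS traffic" on, the browser validates a certificate that Fiddler generates and signs with its own root (the one Fiddler asks you to trust when the feature is enabled), so that session succeeds regardless of whether the real DigiCert chain validates on the box. With decryption off, the failing session is the browser rejecting the real chain, and the Fiddler tunnel summary cannot show why. The following PowerShell is an added example, not part of the original question: run on the XenApp server itself, it lets SChannel build the chain exactly as IE11 would, copies the chain elements and status flags out of the validation callback, and checks whether the top of that chain sits in a trusted Root store. The host and port are from the question; the variable names, the explicit TLS 1.2 choice (the failing ServerHello above is version 3.3) and the assumption of .NET 4.5 or later are mine.

```powershell
# Added example (not from the original post). Builds the chain for the target host on
# this machine the way SChannel/IE would and reports why it fails.
# Assumes Windows PowerShell with .NET 4.5+ (needed for SslProtocols::Tls12).
param(
    [string]$TargetHost = 'duosecurity.com',   # host from the question
    [int]$Port          = 443                  # port from the question
)

# Filled in by the validation callback below.
$script:Seen = $null

$onValidate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $policyErrors)
    # Copy everything out now; the chain object is not guaranteed to outlive the callback.
    $script:Seen = [pscustomobject]@{
        PolicyErrors = $policyErrors
        Elements     = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
                NotAfter   = $_.Certificate.NotAfter
            }
        })
        Status       = @($chain.ChainStatus | ForEach-Object {
            '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
        })
    }
    # Return $true so the handshake completes even when the chain is bad; we only want to inspect it.
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $onValidate)
try {
    # The failing Fiddler capture shows a TLS 1.2 (3.3) ServerHello, so ask for TLS 1.2 explicitly.
    $ssl.AuthenticateAsClient($TargetHost, $null,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    'Handshake: {0} {1} {2}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.HashAlgorithm
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

''
'Policy errors reported by SChannel: {0}' -f $script:Seen.PolicyErrors
'Chain as built on this machine (leaf first):'
$script:Seen.Elements | ForEach-Object -Begin { $i = 0 } -Process {
    '  [{0}] {1}' -f $i, $_.Subject
    '       issued by: {0}' -f $_.Issuer
    '       thumbprint: {0}  expires: {1}' -f $_.Thumbprint, $_.NotAfter
    $i++
}
'Chain status:'
if ($script:Seen.Status.Count -eq 0) { '  (none - chain is valid on this machine)' }
$script:Seen.Status | ForEach-Object { '  ' + $_ }

# Is the last element (what this box treats as the top of the chain) actually a trusted root here?
$top = $script:Seen.Elements[-1]
$trusted = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }
if ($trusted) {
    'Top of chain "{0}" is present in a trusted Root store.' -f $top.Subject
} else {
    'Top of chain "{0}" is NOT in LocalMachine\Root or CurrentUser\Root.' -f $top.Subject
    'A PartialChain status means the intermediate could not be found or fetched; UntrustedRoot means the root is missing from the store.'
}
```

Run it in a PowerShell session on the XenApp server (not on a workstation, and with Fiddler closed, so nothing proxies the connection). If the chain stops at the "DigiCert SHA2 High Assurance Server CA" intermediate with a PartialChain status, the server is not receiving that intermediate and cannot fetch it through AIA (common on servers with no outbound HTTP); if it reaches the DigiCert root but reports UntrustedRoot, the root is missing from LocalMachine\Root, which on a locked-down server usually means the Automatic Root Certificates Update mechanism is disabled or blocked. Either way the fix is to import the missing certificate into the appropriate machine store, and this script will then report an empty status list.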