
Mac OS X Firewall and SSL
jon31 08-10-2006, 01:53 PM Hey folks,
I've run into a problem when using SSL on my website. If anyone using their built-in software firewall tries to access our secure pages, they're left stuck at a loading screen, and cannot access the pages. I've only run into this issue with Mac OS X users, but I'm sure the same is for anyone using a software firewall on their PC as well.
My question is, do I need to configure my SSL to allow software firewalls, or is it an issue I have no control over?
Thanks for any help. We may be losing a lot of business over this issue.
Jon Marus
jon31 08-11-2006, 03:20 PM No one has any experience with SSL and software firewalls?
BostonGuru 08-12-2006, 12:23 AM Is the SSL legit, or is it expired, for a different site, untrusted certificate provider, etc?
Engelmacher 08-12-2006, 06:47 AM Well have you made sure port 443 is open?
jon31 08-12-2006, 01:14 PM Yes, the certificate is definitely legit, hosted on a mediatemple.net server.
So it's probably the ports that are closed when a software firewall is active, correct? What I'm wondering is how do other servers account for users having a firewall? What do they do? Is there a tunneling technique that I have to program into my scripts?
Engelmacher 08-12-2006, 03:28 PM
> Yes, the certificate is definitely legit, hosted on a mediatemple.net server.
> So it's probably the ports that are closed when a software firewall is active, correct? What I'm wondering is how do other servers account for users having a firewall? What do they do? Is there a tunneling technique that I have to program into my scripts?
Outside servers have no control over a user's firewall. That's the entire point.
jon31 08-14-2006, 12:37 PM Ok, I understand this. But what I'm wondering is what other sites do. Do they simply tell users they need to turn off their firewall in order to use their secure pages?
BostonGuru 08-14-2006, 03:15 PM No, most SSL pages work fine with firewalls. There must be something particular about your cert. What is the URL of the site being blocked by firewalls?
jon31 08-14-2006, 09:33 PM https://www.macprovideo.com/cart/
That's the secure shopping cart. Whenever I test it with a software firewall on, the pages stall, take a long time to load, or don't load at all. It's a huge concern because we could be missing a lot of sales.
Engelmacher 08-15-2006, 12:48 AM It works fine for me in 10.4 with the firewall on. I think you have some other problem.
Burhan 08-15-2006, 01:36 AM There is a problem with your certificate. When I access your site on my laptop (running Linux with a firewall, but no problems with SSL) I get a warning:
"This site is using an outdated encryption method currently classified as insecure. It cannot sufficiently protect sensitive data. Do you wish to continue?
- The server is using a short encryption key, which is considered insecure."
I suspect this is why you are getting issues with OS X users.
jon31 08-15-2006, 12:12 PM Thanks guys, I'm going to contact media temple and hopefully they can help me figure it out. I really appreciate the assistance.
Cheers!
jon31 08-15-2006, 12:40 PM Looks like our key size is only 512, which is why Opera flagged it as insecure. Using a larger key size, say 2048, would probably prevent the warning from appearing. But I don't understand how that would affect the lag when trying to access the pages with a firewall enabled.
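A way to check for the key-size problem the thread has just identified, added here as an example (not code from the thread or from the site's hosting provider); it assumes the openssl command-line tool is installed. The first two functions work offline on a saved PEM certificate; the third fetches a live server's certificate and needs network access.

```shell
#!/bin/sh
# Added example: report the RSA key size of an X.509 certificate and flag it
# when it is below a minimum. The thread's server key turned out to be 512
# bits, which browsers of the time warned about and modern clients reject.

# Print the public key size in bits of a PEM certificate file.
cert_key_bits() {
    # openssl's text dump contains a line like "Public-Key: (2048 bit)"
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the key meets the minimum (default 2048 bits), 1 otherwise.
cert_key_ok() {
    min=${2:-2048}
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# Fetch the leaf certificate a live HTTPS server presents (needs network).
# Argument is host:port, e.g. www.example.com:443 (placeholder host).
fetch_server_cert() {
    host=${1%%:*}
    printf '' | openssl s_client -connect "$1" -servername "$host" 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}
```

Typical use: `fetch_server_cert www.example.com:443 > site.pem && cert_key_ok site.pem || echo "key too short"`.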
Burhan 08-15-2006, 04:39 PM Do you know what browsers your OSX users are using? I have access to OSX, and can give it a try if you want.
jon31 08-15-2006, 05:18 PM I have tested it on 10.3 and 10.4. We use all Macs in our office, as our company is Mac focused, and no one seems to be able to access the secure pages, yet some clients can, as well as Engelmacher.
I have contacted Media Temple about the certificate, and they are fairly useless, asking me if I'd like to purchase a certificate through them instead, since they don't support other certificates, even though we DID purchase our certificate through them. I did a little more research on the certs, and the 512 key size does seem to be fairly insecure, so maybe they can give me a larger key.
If you could test it under OS X, that would be great.
jon31 08-15-2006, 05:26 PM After some more quick testing, I've noticed that you can access the initial shopping cart page with the firewall on. But if you add a product, then hit checkout, the pages either stall completely, or take an incredibly long time to load. This is where I think we might be losing sales.
I don't think it has anything to do with the public cert key though.
Engelmacher 08-16-2006, 04:39 AM The script that adds the product times out regardless of whether the firewall is enabled or not. The following URL (from clicking on an Add To Cart button)
https://www.macprovideo.com/cart/add/21/1/2
will redirect to
https://www.macprovideo.com/cart/
Which then stalls and times out.
If I delete the PHP session cookie and reload the add to cart URL, it succeeds once and then goes back to stalling.
So, I'd say it's your code, not the firewall.
jon31 08-16-2006, 10:12 AM Hmm.. that stalls if your firewall is disabled as well? When my firewall is off, everything is nearly instantaneous. And it seems to be on all the test machines I've tried. I'll have to take a closer look at my scripts, but it's really just some simple PHP redirect and a couple MySQL calls. It shouldn't stall on the add to cart code.
Engelmacher 08-16-2006, 06:10 PM I'd guess it's a session management issue since it seems to be tied to the cookie. You're going to have to tail your logs and debug it. Unless you're using a non-standard port for something, the firewall isn't going to do a thing.
jon31 08-17-2006, 04:38 PM So you think the sessions are causing the lag? I'm not sure how that could affect it.
jon31 09-13-2006, 06:42 PM I'm still banging my head against the wall on this one. I can't seem to find the culprit. It works on some machines, and not on others (And these are Macs with the exact same OS and Browser builds).
Does ANYONE know what else might be the problem? It ONLY occurs with accessing secure pages and only when the software firewall is enabled. Because we are generally a Mac only website, we haven't received much feedback from Windows users having issues.
I'm drowning here. This could be costing us thousands in missed sales.