Debugging IE11 TLS 1.2 HTTPS Connection Failures: Server-Side Fixes for www-prefixed Domains

During recent compatibility testing, I encountered a peculiar issue where Internet Explorer 11 fails to establish HTTPS connections when TLS 1.2 is enabled - but only for www-prefixed domains. The non-www version of the same site works perfectly. This manifests as a generic "page cannot be displayed" error without any visible SSL-related warnings.

SSL Labs' test shows perfect compatibility with IE11, which makes this behavior particularly confusing. The server configuration includes modern cipher suites:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256
# ... (remaining cipher suites)

The issue appears when:

  • Using nginx 1.7.8 with OpenSSL 1.0.1e
  • Accessing www-prefixed domains
  • IE11 has TLS 1.2 enabled

After analyzing the SSL handshake, I discovered that IE11 handles certificate chain validation differently for www-prefixed domains. The fix is to make sure nginx sends a complete, correctly ordered certificate chain:

ssl_certificate /path/to/certificate.crt;        # the chain IE11 validates: server certificate first, then the intermediates
ssl_certificate_key /path/to/private.key;
ssl_trusted_certificate /path/to/ca_bundle.crt;  # not sent to clients; used to verify OCSP responses when stapling is on
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;

Here's the working configuration that resolved the issue:

server {
    listen 443 ssl;
    server_name dev5media.de www.dev5media.de;

    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM';
    ssl_prefer_server_ciphers on;

    # Certificate chain fix: this file must hold the server certificate first,
    # followed by the intermediate(s) in order; it is the chain nginx sends.
    ssl_certificate /etc/ssl/certs/dev5media.crt;
    ssl_certificate_key /etc/ssl/private/dev5media.key;
    # Not sent to clients; used to verify the stapled OCSP response below.
    ssl_trusted_certificate /etc/ssl/certs/ca-intermediate.crt;

    # OCSP stapling for better IE performance
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
}

To verify the solution works:

  1. Clear IE11's SSL cache (Internet Options → Content → Clear SSL state)
  2. Test both www and non-www URLs
  3. Verify using IE11's F12 Developer Tools (Network tab)

If issues persist, consider:

  • Upgrading OpenSSL to 1.0.2+ for better TLS 1.2 support
  • Ensuring all intermediate certificates are properly chained
  • Checking for SNI (Server Name Indication) compatibility

While testing a third-party service that required Internet Explorer 11, I encountered a puzzling issue: IE11 would fail to connect to HTTPS sites when TLS 1.2 was enabled, displaying only a generic "page could not be shown" error. The strange part? SSL Labs tests showed everything was configured correctly on my server.

After extensive testing, I discovered a crucial pattern: IE11 could only connect to the bare domain (dev5media.de) but failed when accessing the www-prefixed version (www.dev5media.de) with TLS 1.2 enabled. This pointed to a specific handshake failure scenario.

My environment consists of:

  • Debian 7
  • nginx/1.7.8
  • OpenSSL 1.0.1e

The cipher suite configuration was quite comprehensive:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:
kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:
AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:-DES:!RC4:!MD5:!PSK:
!aECDH:EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

IE11's Schannel implementation has known issues with certain cipher suite combinations when TLS 1.2 is enabled. The problem becomes more pronounced when the same server answers for several variations of a domain (www vs non-www).

Here's the nginx configuration adjustment that resolved the issue:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Keep the value on one line: a newline inside the quoted string is passed through to OpenSSL's cipher-list parser.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

For maximum compatibility:

  • Ensure your SSL certificate covers both www and non-www versions
  • Implement proper redirects between domain variations
  • Consider upgrading to a newer version of OpenSSL (1.0.1e has known vulnerabilities)
  • Test with IE11's developer tools (F12) to examine the exact handshake failure

After making changes, verify with:

openssl s_client -connect www.dev5media.de:443 -servername www.dev5media.de -tls1_2

and check that the handshake completes: the output should report Protocol TLSv1.2 and Verify return code 0 (ok). The -servername option sends SNI for the www name, which is what the browser does, so the test exercises the same server block and certificate.
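A fuller check, added here and not part of the original post: probe each host name with SNI set to the name under test, then summarise the protocol, cipher, number of certificates the server sent and the verify result, so the www and non-www names can be compared side by side. It assumes the openssl CLI is installed; the host names are whatever you pass on the command line.

```shell
#!/bin/sh
# Added example, not the post's own script. Probes each host name given on the
# command line over TLS 1.2 with SNI set to that exact name, which is what a
# browser sends, so www.example and example are tested as separate names.
# Assumes the openssl CLI is installed; host names are whatever you are testing.

# handshake_summary: read `openssl s_client -showcerts` output on stdin and
# print the negotiated protocol, the cipher, how many certificates the server
# sent (leaf plus intermediates) and the verify result. certs_sent=1 with a
# non-zero verify code is the missing-intermediate case from the post.
handshake_summary() {
    awk '
        /^ *Protocol *:/              { proto = $NF }
        /^ *Cipher *:/                { cipher = $NF }
        /-----BEGIN CERTIFICATE-----/ { certs++ }
        /Verify return code:/         { sub(/.*Verify return code: */, ""); verify = $0 }
        END { printf "protocol=%s cipher=%s certs_sent=%d verify=%s\n", proto, cipher, certs, verify }'
}

# check_host NAME [PORT]: connect with SNI, force TLS 1.2 as the post does,
# and feed "Q" so s_client closes the connection once the handshake is done.
check_host() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -showcerts 2>&1 | handshake_summary | sed "s/^/$host: /"
}

# Usage: sh tls-probe.sh dev5media.de www.dev5media.de
for h in "$@"; do check_host "$h"; done
```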