Welcome! Log In Create A New Profile

Advanced

Re: Problems with SSL on IE

March 26, 2009 04:09PM
On Thu, Mar 26, 2009 at 02:34:25PM -0400, Kurt Hansen wrote:

>
>
> Igor Sysoev wrote:
> >On Thu, Mar 26, 2009 at 01:15:01PM -0400, Kurt Hansen wrote:
> >
> >
> >>Igor Sysoev wrote:
> >>
> >>>On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:
> >>>
> >>>
> >>>>Now, I'm not sure where the problem is, the version of nginx, OpenSSL,
> >>>>how nginx was compiled for this rpm, or the digital cert. I think the
> >>>>digital cert is OK since it is working on all other browsers.
> >>>>
> >>>>Are others having a problem with IE? Successes?
> >>>>
> >>>>If you want to look at the cert with the problem, here it is:
> >>>>https://donate.mercycorps.org/
> >>>>
> >>>>
> >>>In my test MSIE 6.0 does not like certificate on the site.
> >>>
> >>>
> >>Thanks for checking!
> >>
> >>Yes, MSIE doesn't like the certifying authority. Maybe I have the CA
> >>cert and the donate.mercycorps.org cert in the wrong order. I think they
> >>root cause might by the SSLv3 not working, though.
> >>
> >>If it were just the cert, I'd get a warning but it would let me connect.
> >>With this problem, it won't let me connect if SSLv2 is disabled on the
> >>client or the server.
> >>
> >
> >In SSLv2 mode the site sends the *.mercycorps.org cert only, so this is
> >the problem why MSIE does not like the cert.
> >
> >As to SSLv3, could you show
> >
> >ssl_ciphers
> >ssl_prefer_server_ciphers
> >
> >directives ?
> >
> >
> That explains the bad cert -- thanks!
>
> Here are the directives. For the ssl_ciphers, I copied what I was using
> on Apache.
>
> ssl_ciphers ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
> ssl_prefer_server_ciphers on;

This may be an OpenSSL issue, as I connect successfully in local tests.
However, your site does not accept MSIE ciphers and just closes connection:

$openssl s_client -connect donate.mercycorps.org:443 -ssl3 -cipher RC4-RSA:RC4-MD5:DES-CBC3-SHA -debug
CONNECTED(00000003)
write to 0x8103580 [0x8158000] (52 bytes => 52 (0x34))
0000 - 16 03 00 00 2f 01 00 00-2b 03 00 49 cb e0 2b d6 ..../...+..I..+.
0010 - 52 1e 30 9d 54 f8 c6 a8-cf dc c7 2d 87 be a8 1e R.0.T......-....
0020 - 12 45 04 8e 7a fc 0b e5-03 ed eb 00 00 04 00 04 .E..z...........
0030 - 00 0a 01 ...
0034 - <SPACES/NULS>
read from 0x8103580 [0x8153000] (5 bytes => 0 (0x0))
30827:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:530:

In nginx error_log level there should be errors about "no shared ciphers".

You may try to comment out the directive:
ssl_prefer_server_ciphers on;


--
Igor Sysoev
http://sysoev.ru/en/
Subject Author Posted

Problems with SSL on IE

Kurt Hansen March 26, 2009 09:42AM

Re: Problems with SSL on IE

Igor Sysoev March 26, 2009 12:47PM

Re: Problems with SSL on IE

Kurt Hansen March 26, 2009 01:15PM

Re: Problems with SSL on IE

Igor Sysoev March 26, 2009 01:41PM

Re: Problems with SSL on IE

Kurt Hansen March 26, 2009 02:34PM

Re: Problems with SSL on IE

Igor Sysoev March 26, 2009 04:09PM

Re: Problems with SSL on IE

Kurt Hansen March 26, 2009 09:10PM

Re: Problems with SSL on IE

Igor Sysoev March 27, 2009 03:32AM

Re: Problems with SSL on IE

Kurt Hansen March 27, 2009 09:46AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 314
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready