Re: Problems with SSL on IE

Kurt Hansen
March 26, 2009 09:10PM
Igor Sysoev wrote:
> On Thu, Mar 26, 2009 at 02:34:25PM -0400, Kurt Hansen wrote:
>
>> Igor Sysoev wrote:
>>
>>> On Thu, Mar 26, 2009 at 01:15:01PM -0400, Kurt Hansen wrote:
>>>
>>>
>>>> Igor Sysoev wrote:
>>>>
>>>>
>>>>> On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:
>>>>>
>>>>>
>>>>>> Now, I'm not sure where the problem is, the version of nginx, OpenSSL,
>>>>>> how nginx was compiled for this rpm, or the digital cert. I think the
>>>>>> digital cert is OK since it is working on all other browsers.
>>>>>>
>>>>>> Are others having a problem with IE? Successes?
>>>>>>
>>>>>> If you want to look at the cert with the problem, here it is:
>>>>>> https://donate.mercycorps.org/
>>>>>>
>>>>>>
>>>>>>
>>>>> In my test MSIE 6.0 does not like the certificate on the site.
>>>>>
>>>>>
>>>>>
>>>> Thanks for checking!
>>>>
>>>> Yes, MSIE doesn't like the certifying authority. Maybe I have the CA
>>>> cert and the donate.mercycorps.org cert in the wrong order. I think the
>>>> root cause might be the SSLv3 not working, though.
>>>>
>>>> If it were just the cert, I'd get a warning but it would let me connect.
>>>> With this problem, it won't let me connect if SSLv2 is disabled on the
>>>> client or the server.
>>>>
>>>>
>>> In SSLv2 mode the site sends the *.mercycorps.org cert only, so this is
>>> the problem why MSIE does not like the cert.
>>>
>>> As to SSLv3, could you show
>>>
>>> ssl_ciphers
>>> ssl_prefer_server_ciphers
>>>
>>> directives ?
>>>
>>>
>>>
>> That explains the bad cert -- thanks!
>>
>> Here are the directives. For the ssl_ciphers, I copied what I was using
>> on Apache.
>>
>> ssl_ciphers ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
>> ssl_prefer_server_ciphers on;
>>
>
> This may be an OpenSSL issue, as I connect successfully in local tests.
> However, your site does not accept MSIE ciphers and just closes the connection:
>
> $openssl s_client -connect donate.mercycorps.org:443 -ssl3 -cipher RC4-RSA:RC4-MD5:DES-CBC3-SHA -debug
> CONNECTED(00000003)
> write to 0x8103580 [0x8158000] (52 bytes => 52 (0x34))
> 0000 - 16 03 00 00 2f 01 00 00-2b 03 00 49 cb e0 2b d6 ..../...+..I..+.
> 0010 - 52 1e 30 9d 54 f8 c6 a8-cf dc c7 2d 87 be a8 1e R.0.T......-....
> 0020 - 12 45 04 8e 7a fc 0b e5-03 ed eb 00 00 04 00 04 .E..z...........
> 0030 - 00 0a 01 ...
> 0034 -
> read from 0x8103580 [0x8153000] (5 bytes => 0 (0x0))
> 30827:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:530:
>
> In nginx error_log level there should be errors about "no shared ciphers".
>
> You may try to comment out the directive:
> ssl_prefer_server_ciphers on
Thank you very much, Igor, for such in-depth checking!

I tried commenting out the ssl_prefer_server_ciphers but still the same
problem.

I looked at my error log. I see seg fault 11 for worker process and this
message:

panic: MUTEX_LOCK (22) [op.c:352]

It looks like this was discussed back in August, but the discussion was
in Russian so I wasn't sure the problem or resolution. However, it looks
like it was also on a RHEL5 or CentOS5 x86-64 system, like mine. Some of
the Google searches suggested this being a message from perl -- maybe
the rpm I am using has the perl module compiled in and that is
conflicting with the perl on my system.

I think my best option is to re-build it from source, despite what the
rpm-Nazis might say. ;-)

Should I use the stable or dev tarball? I think stable.

One other thing -- the cert and all are working on my local system which
is a 32-bit machine.

Take care,

Kurt
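
Decoding the ClientHello bytes from the quoted `openssl s_client -debug` dump shows what that test connection actually offered before the server closed it. This is an added example, not part of the original posts; `parse_client_hello`, `DUMP_HEX` and `SUITE_NAMES` are names chosen here, and the input is the 51 bytes the dump prints.

```python
import struct

# Bytes copied from the "write to" lines of the quoted s_client -debug output.
# The dump prints 51 of the 52 bytes written, so this input ends one byte early.
DUMP_HEX = """
16 03 00 00 2f 01 00 00 2b 03 00 49 cb e0 2b d6
52 1e 30 9d 54 f8 c6 a8 cf dc c7 2d 87 be a8 1e
12 45 04 8e 7a fc 0b e5 03 ed eb 00 00 04 00 04
00 0a 01
"""

# Registry names for the suites in this dump, with OpenSSL's names in brackets.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5 [RC4-MD5]",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA [DES-CBC3-SHA]",
}


def parse_client_hello(raw: bytes) -> dict:
    """Decode one SSLv3/TLS ClientHello record; tolerate a cut-off tail."""
    rec_type, rec_version, rec_len = struct.unpack_from("!BHH", raw, 0)
    if rec_type != 0x16 or raw[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 9                                  # 5-byte record + 4-byte handshake header
    client_version = int.from_bytes(raw[pos:pos + 2], "big")
    pos += 2 + 32                            # version, then 32-byte client random
    pos += 1 + raw[pos]                      # session_id length byte + session_id
    suites_len = int.from_bytes(raw[pos:pos + 2], "big")
    pos += 2
    if pos + suites_len > len(raw):
        raise ValueError("cipher suite list is truncated")
    suites = [int.from_bytes(raw[i:i + 2], "big")
              for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_declared = raw[pos] if pos < len(raw) else None
    return {
        "record_version": rec_version,
        "client_version": client_version,
        "bytes_missing": 5 + rec_len - len(raw),
        "cipher_suites": suites,
        "suite_names": [SUITE_NAMES.get(s, f"unknown 0x{s:04x}") for s in suites],
        "compression_declared": comp_declared,
        "compression_seen": list(raw[pos + 1:pos + 1 + (comp_declared or 0)]),
    }


if __name__ == "__main__":
    for key, value in parse_client_hello(bytes.fromhex(DUMP_HEX)).items():
        print(f"{key}: {value}")
```

The decoded hello is SSL 3.0 with an empty session ID and two cipher suites, 0x0004 and 0x000A, so those are the suites to compare against the server's `ssl_ciphers` list when looking for a "no shared ciphers" error.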