Problems with SSL on IE
Kurt Hansen
khansen at charityweb.net
Thu Mar 26 21:34:25 MSK 2009
Igor Sysoev wrote:
> On Thu, Mar 26, 2009 at 01:15:01PM -0400, Kurt Hansen wrote:
>
>
>> Igor Sysoev wrote:
>>
>>> On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:
>>>
>>>
>>>> Now, I'm not sure where the problem is, the version of nginx, OpenSSL,
>>>> how nginx was compiled for this rpm, or the digital cert. I think the
>>>> digital cert is OK since it is working on all other browsers.
>>>>
>>>> Are others having a problem with IE? Successes?
>>>>
>>>> If you want to look at the cert with the problem, here it is:
>>>> https://donate.mercycorps.org/
>>>>
>>>>
>>> In my test MSIE 6.0 does not like certificate on the site.
>>>
>>>
>> Thanks for checking!
>>
>> Yes, MSIE doesn't like the certifying authority. Maybe I have the CA
>> cert and the donate.mercycorps.org cert in the wrong order. I think they
>> root cause might by the SSLv3 not working, though.
>>
>> If it were just the cert, I'd get a warning but it would let me connect.
>> With this problem, it won't let me connect if SSLv2 is disabled on the
>> client or the server.
>>
>
> In SSLv2 mode the site sends the *.mercycorps.org cert only, so this is
> the problem why MSIE does not like the cert.
>
> As to SSLv3, could you show
>
> ssl_ciphers
> ssl_prefer_server_ciphers
>
> directives ?
>
>
That explains the bad cert -- thanks!
Here are the directives. For the ssl_ciphers, I copied what I was using
on Apache.
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
ssl_prefer_server_ciphers on;
Take care,
Kurt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx/attachments/20090326/c2232ac1/attachment.html>
More information about the nginx
mailing list