Problems with SSL on IE

Igor Sysoev is at rambler-co.ru
Thu Mar 26 23:09:51 MSK 2009


On Thu, Mar 26, 2009 at 02:34:25PM -0400, Kurt Hansen wrote:

> Igor Sysoev wrote:
> >On Thu, Mar 26, 2009 at 01:15:01PM -0400, Kurt Hansen wrote:
> >
> >>Igor Sysoev wrote:
> >>>On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:
> >>>
> >>>>Now, I'm not sure where the problem is, the version of nginx, OpenSSL, 
> >>>>how nginx was compiled for this rpm, or the digital cert. I think the 
> >>>>digital cert is OK since it is working on all other browsers.
> >>>>
> >>>>Are others having a problem with IE? Successes?
> >>>>
> >>>>If you want to look at the cert with the problem, here it is: 
> >>>>https://donate.mercycorps.org/
> >>>
> >>>In my test MSIE 6.0 does not like certificate on the site.
> >>
> >>Thanks for checking!
> >>
> >>Yes, MSIE doesn't like the certifying authority. Maybe I have the CA 
> >>cert and the donate.mercycorps.org cert in the wrong order. I think the 
> >>root cause might be the SSLv3 not working, though.
> >>
> >>If it were just the cert, I'd get a warning but it would let me connect. 
> >>With this problem, it won't let me connect if SSLv2 is disabled on the 
> >>client or the server.
> >
> >In SSLv2 mode the site sends the *.mercycorps.org cert only, so this is
> >the problem why MSIE does not like the cert.
> >
> >As to SSLv3, could you show
> >
> >ssl_ciphers
> >ssl_prefer_server_ciphers 
> >
> >directives ?
> >
> That explains the bad cert -- thanks!
> 
> Here are the directives. For the ssl_ciphers, I copied what I was using 
> on Apache.
> 
>    ssl_ciphers  ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
>    ssl_prefer_server_ciphers   on;

This may be an OpenSSL issue, as I connect successfully in local tests.
However, your site does not accept MSIE ciphers and just closes the connection:

$openssl s_client -connect donate.mercycorps.org:443 -ssl3 -cipher RC4-RSA:RC4-MD5:DES-CBC3-SHA -debug
CONNECTED(00000003)
write to 0x8103580 [0x8158000] (52 bytes => 52 (0x34))
0000 - 16 03 00 00 2f 01 00 00-2b 03 00 49 cb e0 2b d6   ..../...+..I..+.
0010 - 52 1e 30 9d 54 f8 c6 a8-cf dc c7 2d 87 be a8 1e   R.0.T......-....
0020 - 12 45 04 8e 7a fc 0b e5-03 ed eb 00 00 04 00 04   .E..z...........
0030 - 00 0a 01                                          ...
0034 - <SPACES/NULS>
read from 0x8103580 [0x8153000] (5 bytes => 0 (0x0))
30827:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:530:

In nginx error_log level there should be errors about "no shared ciphers".

You may try to comment out the directive:
    ssl_prefer_server_ciphers   on;


-- 
Igor Sysoev
http://sysoev.ru/en/
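The thread turns on how OpenSSL interprets the `ssl_ciphers` string and what `ssl_prefer_server_ciphers` changes. The script below is an added illustration, not code from the thread or from nginx/OpenSSL: it models the cipher-string operators documented in ciphers(1) (a token with `+` between names is a logical AND, a leading `!` deletes permanently, `-` deletes, `+` moves matching suites to the end, `ALL` is everything except `eNULL`) over a small constructed cipher table, then walks the string from the mail through it and shows which suite a client offering the suites from the `s_client` command would end up with, and how an empty intersection produces the "no shared cipher" handshake failure. The table, `TOY_CIPHERS`, and the `MSIE_OFFER` list are assumptions made for the example; the `@` controls such as `@STRENGTH` are not modelled. Because the toy table is not OpenSSL's real table, it does not reproduce the failure on the site; to see what a real build does with a string, run `openssl ciphers -v '<spec>'`.

```python
import re

# Constructed toy cipher table: name -> properties. This is NOT OpenSSL's real
# table; it is just large enough to exercise every operator in the mail's string.
TOY_CIPHERS = [
    ("AES256-SHA",     {"HIGH", "RSA", "AES", "SHA1"}),
    ("DES-CBC3-SHA",   {"HIGH", "RSA", "3DES", "SHA1"}),
    ("AES128-SHA",     {"HIGH", "RSA", "AES", "SHA1"}),
    ("RC4-SHA",        {"MEDIUM", "RSA", "RC4", "SHA1"}),
    ("RC4-MD5",        {"MEDIUM", "RSA", "RC4", "MD5"}),
    ("DES-CBC-SHA",    {"LOW", "RSA", "DES", "SHA1"}),
    ("EXP-RC4-MD5",    {"EXP", "RSA", "RC4", "MD5"}),
    ("ADH-AES128-SHA", {"HIGH", "ADH", "aNULL", "AES", "SHA1"}),
    ("NULL-SHA",       {"eNULL", "RSA", "SHA1"}),
]


def _matches(props, selector):
    """'RC4+RSA' means RC4 AND RSA; 'ALL' means every suite except eNULL ones."""
    for part in selector.split("+"):
        if part == "ALL":
            if "eNULL" in props:
                return False
        elif part not in props:
            return False
    return True


def expand(spec):
    """Apply the cipher-string operators to the toy table; return the ordered result."""
    current = []    # ordered list of enabled suite names
    killed = set()  # suites removed with '!' can never be re-added
    for token in re.split(r"[:, ]+", spec.strip()):
        if not token or token.startswith("@"):   # @STRENGTH etc. are not modelled
            continue
        op = token[0] if token[0] in "!-+" else ""
        selector = token[1:] if op else token
        hits = [name for name, props in TOY_CIPHERS if _matches(props, selector)]
        if op == "!":                            # delete permanently
            killed.update(hits)
            current = [c for c in current if c not in hits]
        elif op == "-":                          # delete, may be re-added later
            current = [c for c in current if c not in hits]
        elif op == "+":                          # move matching suites to the end
            current = [c for c in current if c not in hits] + \
                      [c for c in current if c in hits]
        else:                                    # append new matches in table order
            current += [c for c in hits if c not in current and c not in killed]
    return current


def negotiate(server_spec, client_offer, prefer_server_ciphers):
    """Suite that would be selected, or None (no shared cipher -> handshake failure)."""
    server_list = expand(server_spec)
    if prefer_server_ciphers:
        ordered, other = server_list, set(client_offer)   # server order wins
    else:
        ordered, other = client_offer, set(server_list)   # client order wins
    for name in ordered:
        if name in other:
            return name
    return None


# The ssl_ciphers value quoted in the mail.
MAIL_SPEC = "ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP"
# Client offer modelled on the s_client -cipher list in the mail (assumption;
# RC4-RSA is not a suite name in the toy table, so only these two are offered).
MSIE_OFFER = ["RC4-MD5", "DES-CBC3-SHA"]

if __name__ == "__main__":
    print("server order:", expand(MAIL_SPEC))
    for prefer in (True, False):
        print("ssl_prefer_server_ciphers", "on " if prefer else "off",
              "->", negotiate(MAIL_SPEC, MSIE_OFFER, prefer))
    # A server string that shares nothing with the offer: this is the case that
    # shows up as "no shared cipher" in the server log and a closed connection.
    print("HIGH:!3DES against the MSIE offer ->", negotiate("HIGH:!3DES", MSIE_OFFER, True))
```

With the mail's string the toy table ends up ordered HIGH first and the RC4 suites last, so with `ssl_prefer_server_ciphers on` the server picks `DES-CBC3-SHA` while with it off the client's first choice `RC4-MD5` wins; only a string that removes every suite the client offers yields `None`, the modelled "no shared cipher" failure.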