Problems with SSL on IE

Kurt Hansen khansen at charityweb.net
Fri Mar 27 04:10:09 MSK 2009


Igor Sysoev wrote:
> On Thu, Mar 26, 2009 at 02:34:25PM -0400, Kurt Hansen wrote:
>   
>> Igor Sysoev wrote:
>>     
>>> On Thu, Mar 26, 2009 at 01:15:01PM -0400, Kurt Hansen wrote:
>>>
>>>> Igor Sysoev wrote:
>>>>
>>>>> On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:
>>>>>
>>>>>> Now, I'm not sure where the problem is, the version of nginx, OpenSSL, 
>>>>>> how nginx was compiled for this rpm, or the digital cert. I think the 
>>>>>> digital cert is OK since it is working on all other browsers.
>>>>>>
>>>>>> Are others having a problem with IE? Successes?
>>>>>>
>>>>>> If you want to look at the cert with the problem, here it is: 
>>>>>> https://donate.mercycorps.org/
>>>>>>
>>>>> In my test MSIE 6.0 does not like certificate on the site.
>>>>>
>>>> Thanks for checking!
>>>>
>>>> Yes, MSIE doesn't like the certifying authority. Maybe I have the CA 
>>>> cert and the donate.mercycorps.org cert in the wrong order. I think the 
>>>> root cause might be SSLv3 not working, though.
>>>>
>>>> If it were just the cert, I'd get a warning but it would let me connect. 
>>>> With this problem, it won't let me connect if SSLv2 is disabled on the 
>>>> client or the server.
>>>>
>>> In SSLv2 mode the site sends only the *.mercycorps.org cert, so this is
>>> why MSIE does not like the cert.
>>>
>>> As to SSLv3, could you show
>>>
>>> ssl_ciphers
>>> ssl_prefer_server_ciphers 
>>>
>>> directives ?
>>>
>>>
>> That explains the bad cert -- thanks!
>>
>> Here are the directives. For the ssl_ciphers, I copied what I was using 
>> on Apache.
>>
>>    ssl_ciphers  ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
>>    ssl_prefer_server_ciphers   on;
>>     
>
> This may be an OpenSSL issue, as I connect successfully in local tests.
> However, your site does not accept MSIE ciphers and just closes the connection:
>
> $openssl s_client -connect donate.mercycorps.org:443 -ssl3 -cipher RC4-RSA:RC4-MD5:DES-CBC3-SHA -debug
> CONNECTED(00000003)
> write to 0x8103580 [0x8158000] (52 bytes => 52 (0x34))
> 0000 - 16 03 00 00 2f 01 00 00-2b 03 00 49 cb e0 2b d6   ..../...+..I..+.
> 0010 - 52 1e 30 9d 54 f8 c6 a8-cf dc c7 2d 87 be a8 1e   R.0.T......-....
> 0020 - 12 45 04 8e 7a fc 0b e5-03 ed eb 00 00 04 00 04   .E..z...........
> 0030 - 00 0a 01                                          ...
> 0034 - <SPACES/NULS>
> read from 0x8103580 [0x8153000] (5 bytes => 0 (0x0))
> 30827:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:530:
>
> In the nginx error_log there should be errors about "no shared ciphers".
>
> You may try to comment out the directive:
>     ssl_prefer_server_ciphers   on
Thank you very much, Igor, for such in depth checking!

I tried commenting out the ssl_prefer_server_ciphers but still the same 
problem.

I looked at my error log. I see segfault 11 for the worker process and this 
message:

panic: MUTEX_LOCK (22) [op.c:352]

It looks like this was discussed back in August, but the discussion was 
in Russian so I wasn't sure the problem or resolution. However, it looks 
like it was also on a RHEL5 or CentOS5 x86-64 system, like mine. Some of 
the Google searches suggested this being a message from perl -- maybe 
the rpm I am using has the perl module compiled in and that is 
conflicting with the perl on my system.

I think my best option is to re-build it from source, despite what the 
rpm-Nazis might say. ;-)

Should I use the stable or dev tar ball? I think stable.

One other thing -- the cert and all are working on my local system which 
is a 32 bit machine.

Take care,

Kurt