Problems with SSL on IE
Igor Sysoev
is at rambler-co.ru
Fri Mar 27 10:32:24 MSK 2009
On Thu, Mar 26, 2009 at 09:10:09PM -0400, Kurt Hansen wrote:
> Igor Sysoev wrote:
> >On Thu, Mar 26, 2009 at 02:34:25PM -0400, Kurt Hansen wrote:
> >
> >>Igor Sysoev wrote:
> >>
> >>>On Thu, Mar 26, 2009 at 01:15:01PM -0400, Kurt Hansen wrote:
> >>>
> >>>
> >>>>Igor Sysoev wrote:
> >>>>
> >>>>
> >>>>>On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:
> >>>>>
> >>>>>
> >>>>>>Now, I'm not sure where the problem is, the version of nginx,
> >>>>>>OpenSSL, how nginx was compiled for this rpm, or the digital cert. I
> >>>>>>think the digital cert is OK since it is working on all other
> >>>>>>browsers.
> >>>>>>
> >>>>>>Are others having a problem with IE? Successes?
> >>>>>>
> >>>>>>If you want to look at the cert with the problem, here it is:
> >>>>>>https://donate.mercycorps.org/
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>In my test MSIE 6.0 does not like certificate on the site.
> >>>>>
> >>>>>
> >>>>>
> >>>>Thanks for checking!
> >>>>
> >>>>Yes, MSIE doesn't like the certifying authority. Maybe I have the CA
> >>>>cert and the donate.mercycorps.org cert in the wrong order. I think
> >>>>the root cause might be the SSLv3 not working, though.
> >>>>
> >>>>If it were just the cert, I'd get a warning but it would let me
> >>>>connect. With this problem, it won't let me connect if SSLv2 is
> >>>>disabled on the client or the server.
> >>>>
> >>>>
> >>>In SSLv2 mode the site sends the *.mercycorps.org cert only, so this is
> >>>the problem why MSIE does not like the cert.
> >>>
> >>>As to SSLv3, could you show
> >>>
> >>>ssl_ciphers
> >>>ssl_prefer_server_ciphers
> >>>
> >>>directives ?
> >>>
> >>>
> >>>
> >>That explains the bad cert -- thanks!
> >>
> >>Here are the directives. For the ssl_ciphers, I copied what I was using
> >>on Apache.
> >>
> >> ssl_ciphers ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
> >> ssl_prefer_server_ciphers on;
> >>
> >
> >This may be an OpenSSL issue, as I connect successfully in local tests.
> >However, your site does not accept MSIE ciphers and just closes connection:
> >
> >$openssl s_client -connect donate.mercycorps.org:443 -ssl3 -cipher
> >RC4-RSA:RC4-MD5:DES-CBC3-SHA -debug
> >CONNECTED(00000003)
> >write to 0x8103580 [0x8158000] (52 bytes => 52 (0x34))
> >0000 - 16 03 00 00 2f 01 00 00-2b 03 00 49 cb e0 2b d6 ..../...+..I..+.
> >0010 - 52 1e 30 9d 54 f8 c6 a8-cf dc c7 2d 87 be a8 1e R.0.T......-....
> >0020 - 12 45 04 8e 7a fc 0b e5-03 ed eb 00 00 04 00 04 .E..z...........
> >0030 - 00 0a 01 ...
> >0034 - <SPACES/NULS>
> >read from 0x8103580 [0x8153000] (5 bytes => 0 (0x0))
> >30827:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> >failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:530:
> >
> >In nginx error_log level there should be errors about "no shared ciphers".
> >
> >You may try to comment out the directive:
> > ssl_prefer_server_ciphers on
> Thank you very much, Igor, for such in-depth checking!
>
> I tried commenting out the ssl_prefer_server_ciphers but still the same
> problem.
>
> I looked at my error log. I see seg fault 11 for worker process and this
> message:
>
> panic: MUTEX_LOCK (22) [op.c:352]
>
> It looks like this was discussed back in August, but the discussion was
> in Russian so I wasn't sure the problem or resolution. However, it looks
> like it was also on a RHEL5 or CentOS5 x86-64 system, like mine. Some of
> the Google searches suggested this being a message from perl -- maybe
> the rpm I am using has the perl module compiled in and that is
> conflicting with the perl on my system.
Yes, this is a bug in nginx if it is built with threaded perl, at least
on Linux.
> I think my best option is to re-build it from source, despite what the
> rpm-Nazis might say. ;-)
>
> Should I use the stable or dev tar ball? I think stable.
Try 0.7.44. But before that, set
error_log /path/to/log info;
for 0.6.x to log handshake errors and see the messages.
--
Igor Sysoev
http://sysoev.ru/en/
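The thread turns on two things: what the Apache-style `ssl_ciphers` string actually selects, and whether the server would share a cipher with MSIE's ClientHello (the hex in Igor's s_client run carries exactly two suites, 0x0004 RC4-MD5 and 0x000a DES-CBC3-SHA). The script below is an added example, not code from nginx, OpenSSL or either poster. It models OpenSSL's documented cipher-string rules (`!`, `-`, `+`, and `A+B` meaning "both") over a constructed subset of SSLv3/TLSv1 suites with the strength classes from ciphers(1), then runs the negotiation both with and without server preference. The suite table, the function names and the simplified semantics (no `@STRENGTH`, no `DEFAULT`) are assumptions of this example.

```python
"""Model OpenSSL cipher-string evaluation and SSLv3/TLS cipher negotiation.

Added example; not code from nginx, OpenSSL or the thread. SUITES is a
constructed subset of the suites OpenSSL 0.9.8 knew, with ciphers(1)
strength classes; rule handling follows the documented semantics in
simplified form (no @STRENGTH, no DEFAULT).
"""

# Constructed subset: (name, key exchange, authentication, encryption, MAC, strength)
SUITES = [
    ("AES256-SHA",     "RSA",      "RSA",  "AES(256)",  "SHA1", "HIGH"),
    ("DES-CBC3-SHA",   "RSA",      "RSA",  "3DES(168)", "SHA1", "HIGH"),
    ("AES128-SHA",     "RSA",      "RSA",  "AES(128)",  "SHA1", "HIGH"),
    ("RC4-SHA",        "RSA",      "RSA",  "RC4(128)",  "SHA1", "MEDIUM"),
    ("RC4-MD5",        "RSA",      "RSA",  "RC4(128)",  "MD5",  "MEDIUM"),
    ("DES-CBC-SHA",    "RSA",      "RSA",  "DES(56)",   "SHA1", "LOW"),
    ("EXP-RC4-MD5",    "RSA(512)", "RSA",  "RC4(40)",   "MD5",  "EXPORT40"),
    ("ADH-AES128-SHA", "DH",       "None", "AES(128)",  "SHA1", "HIGH"),
    ("NULL-SHA",       "RSA",      "RSA",  "None",      "SHA1", "STRONG_NONE"),
]

# Aliases as predicates over a suite tuple (name, kx, au, enc, mac, strength).
ALIASES = {
    "ALL":    lambda s: s[3] != "None",
    "HIGH":   lambda s: s[5] == "HIGH",
    "MEDIUM": lambda s: s[5] == "MEDIUM",
    "LOW":    lambda s: s[5] == "LOW",
    "EXP":    lambda s: s[5].startswith("EXPORT"),
    "EXPORT": lambda s: s[5].startswith("EXPORT"),
    "aNULL":  lambda s: s[2] == "None",
    "eNULL":  lambda s: s[3] == "None",
    "NULL":   lambda s: s[3] == "None",
    "ADH":    lambda s: s[1] == "DH" and s[2] == "None",
    "RSA":    lambda s: s[1].startswith("RSA") and s[2] == "RSA",
    "kRSA":   lambda s: s[1].startswith("RSA"),
    "aRSA":   lambda s: s[2] == "RSA",
    "RC4":    lambda s: s[3].startswith("RC4"),
    "3DES":   lambda s: s[3].startswith("3DES"),
    "AES":    lambda s: s[3].startswith("AES"),
    "DES":    lambda s: s[3].startswith("DES("),
    "MD5":    lambda s: s[4] == "MD5",
    "SHA1":   lambda s: s[4] == "SHA1",
    "SHA":    lambda s: s[4] == "SHA1",
}


def matches(suite, spec):
    """A spec such as 'RC4+RSA' matches only suites satisfying every '+'-joined part."""
    for part in spec.split("+"):
        if part == suite[0]:          # exact suite name
            continue
        if part not in ALIASES:
            raise ValueError("unknown cipher alias: %s" % part)
        if not ALIASES[part](suite):
            return False
    return True


def expand_cipher_string(cipher_string, suites=SUITES):
    """Return the ordered suite names an ssl_ciphers string selects.

    A bare spec appends matching suites not yet active, '+' moves matching
    active suites to the end, '-' deactivates them (re-addable), '!' removes
    them for good.
    """
    chain = [[s, False] for s in suites]      # current order plus active flag
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        op, spec = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if op == "!":
            chain = [e for e in chain if not matches(e[0], spec)]
            continue
        hits = [e for e in chain if matches(e[0], spec)]
        if op == "-":
            for e in reversed(hits):          # deleted suites park at the head, order kept
                if e[1]:
                    e[1] = False
                    chain.remove(e)
                    chain.insert(0, e)
        elif op == "+":
            for e in hits:
                if e[1]:
                    chain.remove(e)
                    chain.append(e)
        else:
            for e in hits:
                if not e[1]:
                    e[1] = True
                    chain.remove(e)
                    chain.append(e)
    return [e[0][0] for e in chain if e[1]]


def negotiate(server_list, client_offer, prefer_server_ciphers):
    """Suite a handshake settles on, or None (OpenSSL's 'no shared cipher')."""
    first, second = (server_list, client_offer) if prefer_server_ciphers \
        else (client_offer, server_list)
    for name in first:
        if name in second:
            return name
    return None


if __name__ == "__main__":
    server = expand_cipher_string("ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP")
    msie = ["RC4-MD5", "DES-CBC3-SHA"]       # suites 0x0004 and 0x000a from the ClientHello
    print("server list:", server)
    print("prefer_server on :", negotiate(server, msie, True))
    print("prefer_server off:", negotiate(server, msie, False))
```

Two things the model makes visible: after `ALL`, the `RC4+RSA` term is a no-op because every RC4/RSA suite is already active, and the `+HIGH:+MEDIUM` pair leaves HIGH ahead of MEDIUM, so both MSIE suites remain selectable (DES-CBC3-SHA with `ssl_prefer_server_ciphers on`, RC4-MD5 without it). A plain `ALL` without `!aNULL` keeps the anonymous ADH suites, which is the kind of thing worth checking before copying a cipher string between servers.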