Forum: NGINX Problems with SSL on IE

Kurt Hansen (Guest)
on 2009-03-26 14:53
(Received via mailing list)
Hello,

I'm having problems getting a digital cert to work on IE, both versions
6 and 7.

It appears IE wants to only use SSLv2 when connecting. If I disable
SSLv2, IE refuses to connect at all.

There are a few problems with using SSLv2. First, the default security
configuration for IE is to disable SSLv2. You have to change the
Internet Options to get it to work.

Secondly, PCI (Payment Card Industry) Compliance isn't possible with
SSLv2 enabled.

I'm using nginx v0.6.34. I installed it using an rpm from the Fedora
EPEL repository.

Now, I'm not sure where the problem is, the version of nginx, OpenSSL,
how nginx was compiled for this rpm, or the digital cert. I think the
digital cert is OK since it is working on all other browsers.

Are others having a problem with IE? Successes?

If you want to look at the cert with the problem, here it is:
https://donate.mercycorps.org/

Take care,

Kurt Hansen
Igor Sysoev (Guest)
on 2009-03-26 17:58
(Received via mailing list)
On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:

> Internet Options to get it to work.
>
> Are others having a problem with IE? Successes?
>
> If you want to look at the cert with the problem, here it is:
> https://donate.mercycorps.org/

In my test MSIE 6.0 does not like the certificate on the site.
Kurt Hansen (Guest)
on 2009-03-26 18:22
(Received via mailing list)
Igor Sysoev wrote:
>>
>
> In my test MSIE 6.0 does not like certificate on the site.
>
Thanks for checking!

Yes, MSIE doesn't like the certifying authority. Maybe I have the CA
cert and the donate.mercycorps.org cert in the wrong order. I think the
root cause might be the SSLv3 not working, though.

If it were just the cert, I'd get a warning but it would let me connect.
With this problem, it won't let me connect if SSLv2 is disabled on the
client or the server.

Take care,

Kurt
Igor Sysoev (Guest)
on 2009-03-26 18:58
(Received via mailing list)
On Thu, Mar 26, 2009 at 01:15:01PM -0400, Kurt Hansen wrote:

> >>https://donate.mercycorps.org/
> If it were just the cert, I'd get a warning but it would let me connect.
> With this problem, it won't let me connect if SSLv2 is disabled on the
> client or the server.

In SSLv2 mode the site sends the *.mercycorps.org cert only, so this is
why MSIE does not like the cert.

As to SSLv3, could you show

ssl_ciphers
ssl_prefer_server_ciphers

directives?
Kurt Hansen (Guest)
on 2009-03-26 19:48
(Received via mailing list)
Igor Sysoev wrote:
>>>> digital cert is OK since it is working on all other browsers.
>> Thanks for checking!
> In SSLv2 mode the site sends the *.mercycorps.org cert only, so this is
> the problem why MSIE does not like the cert.
>
> As to SSLv3, could you show
>
> ssl_ciphers
> ssl_prefer_server_ciphers
>
> directives ?
>
>
That explains the bad cert -- thanks!

Here are the directives. For the ssl_ciphers, I copied what I was using
on Apache.

    ssl_ciphers  ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
    ssl_prefer_server_ciphers   on;


Take care,

Kurt
Igor Sysoev (Guest)
on 2009-03-26 21:22
(Received via mailing list)
On Thu, Mar 26, 2009 at 02:34:25PM -0400, Kurt Hansen wrote:

> >>>
> >>>In my test MSIE 6.0 does not like certificate on the site.
> >>client or the server.
> >directives ?
> >
> >
> That explains the bad cert -- thanks!
>
> Here are the directives. For the ssl_ciphers, I copied what I was using
> on Apache.
>
>    ssl_ciphers  ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
>    ssl_prefer_server_ciphers   on;

This may be an OpenSSL issue, as I connect successfully in local tests.
However, your site does not accept MSIE ciphers and just closes
connection:

$openssl s_client -connect donate.mercycorps.org:443 -ssl3 -cipher RC4-RSA:RC4-MD5:DES-CBC3-SHA -debug
CONNECTED(00000003)
write to 0x8103580 [0x8158000] (52 bytes => 52 (0x34))
0000 - 16 03 00 00 2f 01 00 00-2b 03 00 49 cb e0 2b d6
..../...+..I..+.
0010 - 52 1e 30 9d 54 f8 c6 a8-cf dc c7 2d 87 be a8 1e
R.0.T......-....
0020 - 12 45 04 8e 7a fc 0b e5-03 ed eb 00 00 04 00 04
.E..z...........
0030 - 00 0a 01                                          ...
0034 - <SPACES/NULS>
read from 0x8103580 [0x8153000] (5 bytes => 0 (0x0))
30827:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:530:

In nginx error_log level there should be errors about "no shared
ciphers".

You may try to comment out the directive:
    ssl_prefer_server_ciphers   on;
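To make the s_client dump above readable, here is an added decoder (not code from the thread or from nginx) for that exact SSLv3 ClientHello record. It assumes the final 0x00 byte (the null compression method) that the dump folded into "<SPACES/NULS>", and uses the standard cipher-suite ids with their OpenSSL names; the helper at the end reproduces the check nginx reports as "no shared ciphers" against a constructed server-side suite set.

```python
"""Decode the SSLv3 ClientHello printed by `openssl s_client -debug` above
and check the offered cipher suites against a server's enabled set."""
import struct
from datetime import datetime, timezone

# Bytes copied from the s_client dump in the thread; the trailing 00 is the
# null compression method that the dump collapsed into <SPACES/NULS>.
CLIENT_HELLO = bytes.fromhex(
    "16 03 00 00 2f 01 00 00 2b 03 00 49 cb e0 2b d6 "
    "52 1e 30 9d 54 f8 c6 a8 cf dc c7 2d 87 be a8 1e "
    "12 45 04 8e 7a fc 0b e5 03 ed eb 00 00 04 00 04 "
    "00 0a 01 00"
)

# IANA suite ids -> OpenSSL names (only the ones relevant to this thread).
SUITE_NAMES = {0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x000A: "DES-CBC3-SHA",
               0x002F: "AES128-SHA", 0x0035: "AES256-SHA"}

def parse_client_hello(rec):
    """Parse one SSLv3/TLS handshake record carrying a ClientHello."""
    ctype, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", rec[:5])
    if ctype != 22:                      # 22 = handshake content type
        raise ValueError("not a handshake record")
    body = rec[5:5 + rec_len]
    hs_len = int.from_bytes(body[1:4], "big")
    if body[0] != 1 or 4 + hs_len != rec_len:   # 1 = ClientHello
        raise ValueError("not a well-formed ClientHello")
    hello = body[4:4 + hs_len]
    client_version = (hello[0], hello[1])       # (3, 0) = SSLv3
    gmt_unix_time = struct.unpack("!I", hello[2:6])[0]  # first 4 random bytes
    sid_len = hello[34]
    pos = 35 + sid_len                          # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comps = list(hello[pos + 1:pos + 1 + hello[pos]])
    return {"record_version": (ver_major, ver_minor),
            "client_version": client_version,
            "hello_time": datetime.fromtimestamp(gmt_unix_time, timezone.utc),
            "cipher_suites": suites, "compression": comps}

def suite_names(suites):
    return [SUITE_NAMES.get(s, "0x%04x" % s) for s in suites]

def shared_suites(offered, server_enabled):
    """Suites both sides accept; an empty list is what 'no shared ciphers' means."""
    return [s for s in offered if s in server_enabled]
```

The dump shows the client offered only RC4-MD5 and DES-CBC3-SHA (the "RC4-RSA" name in the command is not an OpenSSL suite name, so it contributed nothing), which is why a server list that filters both out closes the connection right after the ClientHello.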
Kurt Hansen (Guest)
on 2009-03-27 02:19
(Received via mailing list)
Igor Sysoev wrote:
>>>>> On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:
>>>>>>
>>>> root cause might by the SSLv3 not working, though.
>>>
>> on Apache.
> write to 0x8103580 [0x8158000] (52 bytes => 52 (0x34))
> You may try to comment out the directive:
>     ssl_prefer_server_ciphers   on
Thank you very much, Igor, for such in-depth checking!

I tried commenting out the ssl_prefer_server_ciphers but still the same
problem.

I looked at my error log. I see seg fault 11 for worker process and this
message:

panic: MUTEX_LOCK (22) [op.c:352]

It looks like this was discussed back in August, but the discussion was
in Russian so I wasn't sure of the problem or resolution. However, it looks
like it was also on a RHEL5 or CentOS5 x86-64 system, like mine. Some of
the Google searches suggested this being a message from perl -- maybe
the rpm I am using has the perl module compiled in and that is
conflicting with the perl on my system.

I think my best option is to re-build it from source, despite what the
rpm-Nazis might say. ;-)

Should I use the stable or dev tar ball? I think stable.

One other thing -- the cert and all are working on my local system which
is a 32 bit machine.

Take care,

Kurt
Igor Sysoev (Guest)
on 2009-03-27 08:45
(Received via mailing list)
On Thu, Mar 26, 2009 at 09:10:09PM -0400, Kurt Hansen wrote:

> >>>>
> >>>>>>If you want to look at the cert with the problem, here it is:
> >>>>Yes, MSIE doesn't like the certifying authority. Maybe I have the CA
> >>>
> >>
> >$openssl s_client -connect donate.mercycorps.org:443 -ssl3 -cipher
> >failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:530:
> I looked at my error log. I see seg fault 11 for worker process and this
> message:
>
> panic: MUTEX_LOCK (22) [op.c:352]
>
> It looks like this was discussed back in August, but the discussion was
> in Russian so I wasn't sure the problem or resolution. However, it looks
> like it was also on a RHEL5 or CentOS5 x86-64 system, like mine. Some of
> the Google searches suggested this being a message from perl -- maybe
> the rpm I am using has the perl module compiled in and that is
> conflicting with the perl on my system.

Yes, this is the bug in nginx if it is built with threaded perl at least
on Linux.

> I think my best option is to re-build it from source, despite what the
> rpm-Nazi's might say. ;-)
>
> Should I use the stable or dev tar ball? I think stable.

Try 0.7.44. But before that, set

error_log  /path/to/log  info;

for 0.6.x to log the handshake error and see the messages.
Kurt Hansen (Guest)
on 2009-03-27 14:59
(Received via mailing list)
Igor Sysoev wrote:
>> the Google searches suggested this being a message from perl -- maybe
>>
>> Should I use the stable or dev tar ball? I think stable.
>>
>
> Try 0.7.44. But before set
>
> error_log  /path/to/log  info;
>
> for 0.6.x to log handshake error and to see the messages.
>
Thanks, Igor.

I'm pretty sure this rpm was compiled with threaded perl since that is
the default on RHEL and thus CentOS.

I'll install 0.7.44 and anticipate success. :-)

Take care,

Kurt