<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=KOI8-R" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Igor Sysoev wrote:
<blockquote cite="mid:20090326200951.GC67219@rambler-co.ru" type="cite">
<pre wrap="">On Thu, Mar 26, 2009 at 02:34:25PM -0400, Kurt Hansen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
Igor Sysoev wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Thu, Mar 26, 2009 at 01:15:01PM -0400, Kurt Hansen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Igor Sysoev wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Thu, Mar 26, 2009 at 09:42:46AM -0400, Kurt Hansen wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Now, I'm not sure where the problem is, the version of nginx, OpenSSL,
how nginx was compiled for this rpm, or the digital cert. I think the
digital cert is OK since it is working on all other browsers.
Are others having a problem with IE? Successes?
If you want to look at the cert with the problem, here it is:
<a class="moz-txt-link-freetext" href="https://donate.mercycorps.org/">https://donate.mercycorps.org/</a>
</pre>
</blockquote>
<pre wrap="">In my test MSIE 6.0 does not like certificate on the site.
</pre>
</blockquote>
<pre wrap="">Thanks for checking!
Yes, MSIE doesn't like the certifying authority. Maybe I have the CA
cert and the donate.mercycorps.org cert in the wrong order. I think they
root cause might by the SSLv3 not working, though.
If it were just the cert, I'd get a warning but it would let me connect.
With this problem, it won't let me connect if SSLv2 is disabled on the
client or the server.
</pre>
</blockquote>
<pre wrap="">In SSLv2 mode the site sends the *.mercycorps.org cert only, so this is
the problem why MSIE does not like the cert.
As to SSLv3, could you show
ssl_ciphers
ssl_prefer_server_ciphers
directives ?
</pre>
</blockquote>
<pre wrap="">That explains the bad cert -- thanks!
Here are the directives. For the ssl_ciphers, I copied what I was using
on Apache.
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:RC4+RSA:+HIGH:+MEDIUM:!LOW:!EXP;
ssl_prefer_server_ciphers on;
</pre>
</blockquote>
<pre wrap=""><!---->
This may be an OpenSSL issue, as I connect successfully in local tests.
However, your site does not accept MSIE ciphers and just closes connection:
$openssl s_client -connect donate.mercycorps.org:443 -ssl3 -cipher RC4-RSA:RC4-MD5:DES-CBC3-SHA -debug
CONNECTED(00000003)
write to 0x8103580 [0x8158000] (52 bytes => 52 (0x34))
0000 - 16 03 00 00 2f 01 00 00-2b 03 00 49 cb e0 2b d6 ..../...+..I..+.
0010 - 52 1e 30 9d 54 f8 c6 a8-cf dc c7 2d 87 be a8 1e R.0.T......-....
0020 - 12 45 04 8e 7a fc 0b e5-03 ed eb 00 00 04 00 04 .E..z...........
0030 - 00 0a 01 ...
0034 - <SPACES/NULS>
read from 0x8103580 [0x8153000] (5 bytes => 0 (0x0))
30827:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:530:
In nginx error_log level there should be errors about "no shared ciphers".
You may try to comment out the directive:
ssl_prefer_server_ciphers on</pre>
</blockquote>
Thank you very much, Igor, for such in depth checking!<br>
<br>
I tried commenting out the ssl_prefer_server_ciphers but still the same
problem.<br>
<br>
I looked at my error log. I see seg fault 11 for worker process and
this message:<br>
<br>
panic: MUTEX_LOCK (22) [op.c:352]<br>
<br>
It looks like this was discussed back in August, but the discussion was
in Russian so I wasn't sure the problem or resolution. However, it
looks like it was also on a RHEL5 or CentOS5 x86-64 system, like mine.
Some of the Google searches suggested this being a message from perl --
maybe the rpm I am using has the perl module compiled in and that is
conflicting with the perl on my system.<br>
<br>
I think my best option is to re-build it from source, despite what the
rpm-Nazi's might say. ;-)<br>
<br>
Should I use the stable or dev tar ball? I think stable.<br>
<br>
One other thing -- the cert and all are working on my local system
which is a 32 bit machine.<br>
<br>
Take care,<br>
<br>
Kurt<br>
</body>
</html>