Hi Holger,

> There is a simple iptables on the box. By policy, we don't deploy any 
> magic security snake oil

I didn't mean the server or intermediate devices, I meant directly on the
Windows 7 client: *Windows* software security solutions, which intercept
SSL/TLS traffic on your local Windows machine before it even touches the
wire; there are a lot of those products intercepting outgoing HTTPS traffic
by installing their own certificate in your IE/schannel certificate store.

When you surf on your HTTPS site from IE 10 you can view the "security
report" by clicking on the lock and with "show certificate" you see all
the details about that certificate.

When those things like sha1 fingerprint, serial, valid up/until dates and
other things match with the certificate you installed on your server, then
fine. If on the other hand you see "Kaspersky", "Avast" or other names
which have nothing to do with your certificate or CA, then probably one of
those security products (or a MITM ...) is intercepting your HTTPS traffic,
which *may* be causing issues if that software is buggy.



> I couldn't get it to compile, or in fact, I could compile it, but it 
> would break at the `make test` step and I hadn't yet found time to get 
> to the bottom of this.

Do you run "make depend" also? openssl asks me that after config when I
use your parameters:
> Since you've disabled or enabled at least one algorithm, you need to do
> the following before building:
> 
>         make depend



> I'll have to reconstruct this on a local VM to anonymize the data a bit. 
> I'll get back to you as soon as possible.

It is kind of a last resort option, perhaps someone has a better idea ...



Regards,

Lukas                                     
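
The certificate comparison described in the message above, as an added example that is not part of the original e-mail: it checks a thumbprint copied from the client's certificate dialog against the certificate file installed on the server. The function names, the sample data and the host argument are assumptions made for illustration.

```python
import hashlib
import ssl

HEX = "0123456789abcdefABCDEF"


def der_fingerprints(der: bytes) -> dict:
    """Digests over the DER encoding, which is what a certificate thumbprint hashes."""
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


def normalize_thumbprint(text: str) -> str:
    """Keep hex digits only: drops spaces, colons and invisible characters
    (e.g. U+200E) that can come along when copying from a Windows dialog."""
    return "".join(ch for ch in text if ch in HEX).lower()


def check_client_view(server_pem: str, client_thumbprint: str) -> str:
    """Compare the thumbprint seen on the client with the server's own certificate.

    Returns "match", "mismatch" (something between browser and server presents
    a different certificate) or "invalid" (not a SHA-1/SHA-256 thumbprint).
    """
    seen = normalize_thumbprint(client_thumbprint)
    if len(seen) not in (40, 64):
        return "invalid"
    algo = "sha1" if len(seen) == 40 else "sha256"
    expected = der_fingerprints(ssl.PEM_cert_to_DER_cert(server_pem))[algo]
    return "match" if seen == expected else "mismatch"


def fingerprints_seen_from_here(host: str, port: int = 443) -> dict:
    """Fingerprints of the certificate this machine is actually served (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return der_fingerprints(ssl.PEM_cert_to_DER_cert(pem))


# Constructed sample: placeholder bytes standing in for the server certificate's DER.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    sha1 = hashlib.sha1(SAMPLE_DER).hexdigest()
    # Thumbprint as a client dialog might show it: spaced byte pairs, leading U+200E.
    copied = "\u200e" + " ".join(sha1[i:i + 2] for i in range(0, 40, 2))
    print(check_client_view(SAMPLE_PEM, copied))
```

A "mismatch" result only says that the client sees a different certificate than the one installed on the server; the issuer name in the certificate dialog then indicates which product is presenting it.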
