"Burns, Robert" wrote:
> 
> Brendon,
> 
> I'm going to take a couple of guesses here, so don't shoot me if you've checked
> these already... ;->
> 
> I noticed below that you are using the SSLCertificateChainFile directive.  This
> leads me to believe that you are using a Verisign cert.  Do you know if you are using
> the Verisign 'Global' ID cert?  (i.e. Server Gated Cryptography (SGC))?
> 
> If you are, you must ensure that your fully qualified domain name matches the name
> in the certificate EXACTLY!  (I don't know if putting the port number after the
> domain name matters or not....).
I don't think the port number is required.

> I had the same problem when we went from the testing certificate (i.e. SnakeOil) to
> the cert from Verisign.  Only IE stopped working.  Apparently, they do some
> additional checking in the case of an SGC cert.  So, as opposed to presenting a dialog
> asking if you still want to continue, they just shut down the connection.

If you point Nutscrape at the same HTTPS host, you should get
a warning that the CN of the cert doesn't match the CN of the
host. If you do, that is probably why IE is barfing. Also, IP
addresses in an HTTPS URL are a no-no, unless you do the below.

On your test machine running a M$ OS, there is a file called
HOSTS in one of the system folders somewhere. Luckily it's in
UNIX hosts(5) format. Hack this file so that the IP address
of the machine is given a hostname to match the certificate.
This file is checked before WINS/DNS connections so you can
thwart IE in this way quite nicely.

Adam.

> 
> Netscape continued to work as expected.
> 
> I'd recommend switching back to a SnakeOil cert to see if it can be this or not.
> 
> - Bob
> 
> > -----Original Message-----
> > From: Brendon Maragia [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 15, 2000 4:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: somebody shoot me, please
> >
> >
> > First I'd like to thank everyone for their advice about my MOD_SSL + MSIE5.x
> > problem.  I recompiled everything WITHOUT rsaref-2.0 and I still cannot get
> > a connection with MSIE5.5 only MSIE4.0 & 5.0.  Here's a quick run down of
> > what I'm running and the virtual host I'm trying to connect to...
> >
> > apache_1.3.14
> > mod_ssl-2.7.1-1.3.14
> > openssl-0.9.6
> >
> > My Virtual Host:
> >
> > <VirtualHost 216.186.181.230:443>
> > DocumentRoot /home/commaflex/public_html/checkout
> > ServerAdmin [EMAIL PROTECTED]
> > ServerName checkout.commaflex.com
> > ErrorLog /home/commaflex/public_html/checkout/.error.log
> > TransferLog /home/commaflex/public_html/checkout/.transfer.log
> > SSLEngine on
> >
> > SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> >
> > SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> >
> > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> > SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
> >
> > <Files ~ "\.(cgi|shtml)$">
> >   SSLOptions +StdEnvVars
> > </Files>
> > <Directory "/usr/local/apache/htdocs/cgi-bin">
> >   SSLOptions +StdEnvVars
> > </Directory>
> >
> > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> >
> > CustomLog /var/log/apache_ssl_request_log \
> > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > SSLLogLevel debug
> > </VirtualHost>
> >
> > ...I've checked all my logs upon trying to connect with MSIE5.0 and the
> > server seems to execute a standard hand shake, and then gracefully execute a
> > standard shutdown with no complaints.
> >
> > All I get from MSIE5.x is "Page Could Not Be Displayed".  Could someone
> > pleassee pleaseee help :)
> >
> > Brendon
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
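The name check discussed in this thread, as an added example that is not part of the original messages: RFC 2818-style matching of the requested host against the names in a certificate, run on a constructed certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The function names are illustrative, the sample certificate is constructed from the ServerName and address in the quoted virtual host, and IPv6 literals are not handled.

```python
import ipaddress

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns;
# the CN is the ServerName from the virtual host quoted in the thread.
SAMPLE_CERT = {"subject": ((("commonName", "checkout.commaflex.com"),),)}

def host_of(authority):
    """Drop an optional :port; the port plays no part in name matching."""
    host, sep, port = authority.rpartition(":")
    return host if sep and port.isdigit() else authority

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cert_names(cert):
    """Return (dns_names, ip_names); the CN counts only if no DNS SAN exists."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns:
        dns = [v for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def dns_match(pattern, host):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # wildcard honoured only as the whole left-most label
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_check(cert, authority):
    """Return (ok, host, names_in_cert) for a host[:port] string."""
    host = host_of(authority)
    dns, ips = cert_names(cert)
    if is_ip(host):
        # An IP in the URL can match only an IP SAN, never a DNS name or CN.
        ok = any(ipaddress.ip_address(host) == ipaddress.ip_address(i) for i in ips)
    else:
        ok = any(dns_match(p, host) for p in dns)
    return ok, host, dns + ips

if __name__ == "__main__":
    for target in ("checkout.commaflex.com:443", "216.186.181.230:443"):
        print(target, name_check(SAMPLE_CERT, target))
```

Mapping the address to the certificate's name in the hosts file, as the reply suggests, makes the client request the first form rather than the second.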