Re: sslv3/internet explorer issue
bobloblian wrote:
> Hello:
> I have been trying to figure this out off and on over the last year, and
> having just spent several more evenings working on it, I am still
> making no progress.
> A year ago, I set up my own CA while learning to do IPSec, and since I
> had the CA constructed, I decided to put my webmail subdomain behind a
> secure connection. I did get it working, but only ever by disabling
> ssl3 and making sure ssl2 was enabled in internet explorer and
> firefox. Well, in the last year, both firefox and vista are now
> causing me grief in that neither of them want to work with my ssl2
> work around - and fair enough, I should have moved on already
> anyway....
> So last week, I decided to start all over. I set up a new CA and
> created myself a certificate for my internal web server. I set up
> apache to use the cert on one of my internal sites, apache starts
> without errors. When I browse to the site with firefox from my linux
> workstation or my windows laptop, I get a dialogue to accept the
> cert, then I get the page. Exactly as expected, everything works.
> When I access the site with my windows laptop
> using ie7, I get the warning page that allows me to continue (not
> recommended), and then a page cannot be displayed error.
> I have tried a slew of different CipherSuite arguments, but the only
> time I can get it working is when I set !SSLv3 and +SSLv2, and make sure
> sslv2 is selected in the internet options. I have tried several
> example CipherSuites found on the net and then taken one cipher away
> at a time, I have done considerable searching trying to find the magic
> cipher combination, or the magic setting that is not enabled, yet I am
> just having no luck. I have been sifting through pages and pages of
> examples and information, but have become mired.
> When I use cURL I get the report about no trusted CA, and when I use
> it with the --cacert argument, I get what I expect is legitimate
> output (html code). When I ssldump, I see the traffic go through to
> the application data part using firefox, but it stops just short of
> there when I use ie7. I am not a good interpreter of ssldump yet, but
> it appears that client and server finish a few rounds of negotiation,
> then the client simply stops responding. When I use openssl s_client
> to connect, providing the cacert.pem file, it connects and gives me
> all sorts of information about the cert on the server, though it does
> say "No client certificate CA names sent". From what I understand,
> since I am not asking the client to authenticate, then this message is
> expected and does not indicate an error.
> Apache logs are also leading me nowhere, with firefox, I get no error,
> yet with ie7 I get an "OpenSSL: I/O error", followed by "(70014)End
> of file found: SSL input filter read failed.", and then followed by
> "OpenSSL: Write: SSL negotiation finished successfully". So it is
> failing successfully? Argh! Of course, Firefox does not experience
> such an end of file or I/O error.
> I have included things like the MSIE SetEnvIf directive, the
> SSLSessionCache directive in my apache2.conf file, and several other
> suggestions as found on google, but none of them have worked. I have
> searched extensively on every clue I could find as to why the problem
> persists. I know of examples where other sites have used self-signed
> certs (though I am not sure if they are using self-signed CAs), and
> internet explorer works with them using sslv3. Given that everything
> seems to work with firefox, I am operating under the assumption that
> my certificates are correct, that my apache configs are "correct", and
> that it is internet explorer that is broken (a supposition, it seems,
> that is widely supported by other sysadmins). However, given the
> number of users of that product, I consider it important to be able to
> make it work.
> To avoid making this message overly long, I am not posting relevant
> configs or log entries, though I can most certainly make them
> available if anyone would be willing to help me decipher them
> further. If anyone has any suggestions or further documentation I
> could read regarding troubleshooting this issue, I would most
> certainly appreciate it.
>
I've had users before where IE7 simply refuses to accept any SSL
certificate that's not signed by a trusted authority; this could be it.
Have you tried with IE6?
--
DM davidm@cia.com.au
The funny .sig is in the wash, I am your replacement.
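The poster's ssldump traces show the client and server exchanging hello messages and then stalling; the thing worth reading off those first bytes is which protocol version and cipher suites each side offered or chose. The decoder below is an added example, not code from the original thread or from Apache or ssldump. It handles the two framings a browser of that era could send: a normal SSLv3/TLS handshake record (type 0x16) carrying a ClientHello or ServerHello, and the SSLv2-compatible ClientHello (two-byte header with the high bit set, no record layer) that a client sends when SSLv2 is enabled in its options. The byte layouts follow the SSLv2, SSLv3 and TLS specifications; the sample messages are constructed by hand for this example, not captured traffic, and the suite-name table covers only a handful of suites (anything else prints as a hex code).

```python
"""Decode the first hello message of an SSL/TLS handshake.

Added example for the thread above (not the poster's or ssldump's code).
Reports the protocol version and cipher suites in an SSLv2-compatible
ClientHello, a record-layer ClientHello, or a record-layer ServerHello.
Sample messages at the bottom are constructed, not captured.
"""
import struct

VERSION_NAMES = {
    (2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1", (3, 3): "TLSv1.2",
}

# Suite identifiers: 2-byte codes for SSLv3/TLS suites, 3-byte codes for
# SSLv2 specs. In an SSLv2-compatible hello a TLS suite is sent as 0x00
# followed by its 2-byte code, so one integer keyspace covers both.
SUITE_NAMES = {
    0x000004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x00002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), "unknown(%d.%d)" % (major, minor))


def suite_name(code):
    return SUITE_NAMES.get(code, "0x%06x" % code)


def parse_v2_client_hello(data):
    """SSLv2-compatible ClientHello: 2-byte header, high bit set, no record layer."""
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBBHHH", body[:9])
    if msg_type != 1:
        raise ValueError("SSLv2 message type %d is not a ClientHello" % msg_type)
    specs = body[9:9 + cs_len]                       # 3 bytes per cipher spec
    suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {
        "format": "sslv2-compatible",
        # The version field carries the highest version the client will speak.
        "client_version": version_name(major, minor),
        "suites": [suite_name(s) for s in suites],
    }


def parse_record_hello(data):
    """SSLv3/TLS record (type 0x16) carrying a ClientHello or ServerHello."""
    rec_type, rmaj, rmin, rec_len = struct.unpack("!BBBH", data[:5])
    if rec_type != 0x16:
        raise ValueError("record type 0x%02x is not Handshake" % rec_type)
    hs = data[5:5 + rec_len]
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    major, minor = body[0], body[1]
    pos = 2 + 32                      # skip the 32-byte random
    pos += 1 + body[pos]              # skip session_id (1-byte length prefix)
    result = {"format": "record", "record_version": version_name(rmaj, rmin)}
    if hs_type == 1:                  # ClientHello: list of offered suites
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
                  for i in range(0, cs_len, 2)]
        result["client_version"] = version_name(major, minor)
        result["suites"] = [suite_name(s) for s in suites]
    elif hs_type == 2:                # ServerHello: the single chosen suite
        suite = struct.unpack("!H", body[pos:pos + 2])[0]
        result["server_version"] = version_name(major, minor)
        result["suite"] = suite_name(suite)
    else:
        raise ValueError("handshake type %d is not a Hello" % hs_type)
    return result


def parse_hello(data):
    """Dispatch on the first byte: high bit set means SSLv2-compatible framing."""
    if data[0] & 0x80:
        return parse_v2_client_hello(data)
    return parse_record_hello(data)


# --- Constructed sample messages (hand-built, not captured traffic) -------

def _record(hs_type, body, rec_version):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([0x16]) + bytes(rec_version) + len(hs).to_bytes(2, "big") + hs

_RANDOM = bytes(32)

# SSLv2-compatible hello offering SSLv3, with one SSLv2 spec and two TLS suites.
_v2_specs = b"\x01\x00\x80" + b"\x00\x00\x04" + b"\x00\x00\x0a"
_v2_body = (b"\x01" + b"\x03\x00" + struct.pack("!HHH", len(_v2_specs), 0, 16)
            + _v2_specs + bytes(16))
SAMPLE_V2_HELLO = bytes([0x80 | (len(_v2_body) >> 8), len(_v2_body) & 0xFF]) + _v2_body

# Record-layer ClientHello offering TLS 1.0 with two suites, null compression.
SAMPLE_CLIENT_HELLO = _record(1, b"\x03\x01" + _RANDOM + b"\x00"
                              + b"\x00\x04" + b"\x00\x2f\x00\x0a" + b"\x01\x00", (3, 1))

# ServerHello settling on SSLv3 with 3DES.
SAMPLE_SERVER_HELLO = _record(2, b"\x03\x00" + _RANDOM + b"\x00" + b"\x00\x0a" + b"\x00", (3, 0))

if __name__ == "__main__":
    for sample in (SAMPLE_V2_HELLO, SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO):
        print(parse_hello(sample))
```

Feed the first bytes of each direction from a capture into parse_hello and compare: if the client's hello arrives in the SSLv2-compatible framing with a client_version of SSLv3 but the server never answers with a ServerHello, the mismatch is in version or suite negotiation; if a ServerHello does come back and the client stops afterwards, the handshake got past negotiation and the stall is more likely certificate acceptance, which is the direction the reply above points in.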