Hello
I have browsed the archives but have not found the answer to this question...
I have stunnel set up to handle https connections. It sits on a Debian server alongside HAProxy and works fine with every browser except for Internet Explorer.
When I connect with Internet Explorer, I get a blank "Please choose a digital certificate" pop-up.
How do we turn off the request for the client certificate in IE?
Here are my details....thanks in advance.
#vi /etc/stunnel/stunnel.conf
verify=0
CAfile=/etc/ssl/certs/chain.pem
cert=/etc/ssl/certs/multidomain.pem
CApath=/etc/ssl/certs/
pid = /etc/stunnel/stunnel.pid
debug = 3
output = /etc/stunnel/stunnel.log
socket=l:TCP_NODELAY=1
socket=r:TCP_NODELAY=1
client=no
[https]
accept=192.168.11.32:443
connect=localhost:444
TIMEOUTclose=0
xforwardedfor=yes

#usr/local/bin/stunnel -version
stunnel 4.32 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6

Global options
debug = daemon.notice
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Hi Thomas,
try the following settings in the global section of your config:
sslVersion = all
options = NO_SSLv2
The default config seems to have just SSLv3 enabled. Some Internet Explorer versions only work if TLSv1 is enabled, at least as long as SSLv2 is disabled.
Best regards,
Lars Bräuer
Hello Lars,
thanks for your reply.
Unfortunately this is not working..:(
The popup still says: http://img266.imageshack.us/img266/7016/ie1we9.gif ... so the problem seems to be that the server asks the client/browser to identify itself (but only with Internet Explorer 6?), but I find no configuration to turn this off.
Lars Braeuer-2 wrote:
> Hi Thomas,
> try the following settings in the global section of your config:
> sslVersion = all
> options = NO_SSLv2
> The default config seems to have just SSLv3 enabled. Some Internet Explorer versions only work if TLSv1 is enabled, at least as long as SSLv2 is disabled.
> Best regards,
> Lars Bräuer
> MPeX.net GmbH / Werner-Voß-Damm 62 / D-12101 Berlin / Germany
> MPeXnetworks / www.mpexnetworks.de
> Tel: ++49-30-78097 180 / Fax: ++49-30-78097 181
> Registered office, court of registration: Berlin, Amtsgericht Charlottenburg, HRB 76688
> Managing directors: Lars Bräuer, Gregor Lawatscheck, Dr. Robert Lawatscheck
> On 19.05.2010 14:30, KumpelJ wrote:
>> Hello
>> I have browsed the archives but have not found the answer to this question...
>> I have stunnel set up to handle https connections. It sits on a Debian server alongside HAProxy and works fine with every browser except for Internet Explorer.
>> When I connect with Internet Explorer, I get a blank "Please choose a digital certificate" pop-up.
>> How do we turn off the request for the client certificate in IE?
>> Here are my details....thanks in advance.
>> #vi /etc/stunnel/stunnel.conf
>> verify=0
>> CAfile=/etc/ssl/certs/chain.pem
>> cert=/etc/ssl/certs/multidomain.pem
>> CApath=/etc/ssl/certs/
>> pid = /etc/stunnel/stunnel.pid
>> debug = 3
>> output = /etc/stunnel/stunnel.log
>> socket=l:TCP_NODELAY=1
>> socket=r:TCP_NODELAY=1
>> client=no
>> [https]
>> accept=192.168.11.32:443
>> connect=localhost:444
>> TIMEOUTclose=0
>> xforwardedfor=yes
>>
>> #usr/local/bin/stunnel -version
>> stunnel 4.32 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
>> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6
>>
>> Global options
>> debug = daemon.notice
>> pid = /usr/local/var/run/stunnel/stunnel.pid
>> RNDbytes = 64
>> RNDfile = /dev/urandom
>> RNDoverwrite = yes
>>
>> Service-level options
>> cert = /usr/local/etc/stunnel/stunnel.pem
>> ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
>> session = 300 seconds
>> stack = 65536 bytes
>> sslVersion = SSLv3 for client, all for server
>> TIMEOUTbusy = 300 seconds
>> TIMEOUTclose = 60 seconds
>> TIMEOUTconnect = 10 seconds
>> TIMEOUTidle = 43200 seconds
>> verify = none
stunnel-users mailing list stunnel-users@mirt.net http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Hello Thomas,
did you empty the cache of MSIE6 or did you restart the browser before trying again?
Another stupid question: Did you restart stunnel properly? Check if the pid is really different after the restart in order to make sure stunnel is not hanging around just pretending it did a restart.
Best regards,
Lars Bräuer
Of course I've considered these points, but it does not work :/
Lars Braeuer-2 wrote:
> Hello Thomas,
> did you empty the cache of MSIE6 or did you restart the browser before trying again?
> Another stupid question: Did you restart stunnel properly? Check if the pid is really different after the restart in order to make sure stunnel is not hanging around just pretending it did a restart.
> Best regards,
> Lars Bräuer
> On 19.05.2010 15:56, KumpelJ wrote:
>> Hello Lars,
>> thanks for your reply.
>> Unfortunately this is not working..:(
>> The popup still says: http://img266.imageshack.us/img266/7016/ie1we9.gif ... so the problem seems to be that the server asks the client/browser to identify itself (but only with Internet Explorer 6?), but I find no configuration to turn this off.
the log says:
2010.05.20 14:05:47 LOG7[24166:1086048592]: SSL state (accept): SSLv3 flush data
2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 items in the session cache
2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client connects (SSL_connect())
2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client connects that finished
2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client renegotiations requested
2010.05.20 14:05:47 LOG7[24166:1086048592]: 3 server connects (SSL_accept())
2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 server connects that finished
why "server connects"? shouldn't it be "client connects", because stunnel is used for https?
KumpelJ wrote:
> 2010.05.20 14:05:47 LOG7[24166:1086048592]: 3 server connects (SSL_accept())
> 2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 server connects that finished
> why "server connects"? shouldn't it be "client connects", because stunnel is used for https?
These are "server connects", i.e. connects performed to stunnel operating as an SSL server, and *not* "servers connected", i.e. stunnel connections performed to a remote server.
Best regards, Mike
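Added example, not part of the thread or of stunnel itself: stunnel is the SSL server here, and per its manual any explicit verify level, including 0 ("request and ignore peer certificate"), makes it send a certificate request, while only the default shown in the -version output (verify = none) does not. The checker below (hypothetical function names, sample config copied from the first post) flags server-mode services that will prompt clients.

```python
import re

# Sample input: the relevant lines of the stunnel.conf posted in this thread.
THREAD_CONF = """\
verify=0
CAfile=/etc/ssl/certs/chain.pem
cert=/etc/ssl/certs/multidomain.pem
CApath=/etc/ssl/certs/
client=no
[https]
accept=192.168.11.32:443
connect=localhost:444
"""


def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}); option names are lowercased."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:                           # start of a service section
            current = services.setdefault(section.group(1), {})
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def services_requesting_client_cert(text):
    """List (service, verify_level) pairs where stunnel, acting as the SSL
    server, will ask the connecting client for a certificate."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        merged = {**global_opts, **opts}      # options set before the first section act as defaults
        if merged.get("client", "no").lower() == "yes":
            continue                          # client mode: stunnel is not the SSL server
        if "verify" in merged:                # any explicit level, 0 included, requests a cert
            findings.append((name, int(merged["verify"])))
    return findings


if __name__ == "__main__":
    print("as posted:     ", services_requesting_client_cert(THREAD_CONF))
    print("verify removed:", services_requesting_client_cert(THREAD_CONF.replace("verify=0\n", "")))
```

Level 0 accepts whatever certificate the client sends, so it authenticates nobody; a service that does not need client certificates should leave verify unset.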
Hi,
I have the same problem with the Safari browser under Windows!
kind regards,
Rene Plattner
On 19.05.2010 15:16, Lars Braeuer wrote:
> Hi Thomas,
> try the following settings in the global section of your config:
> sslVersion = all
> options = NO_SSLv2
> The default config seems to have just SSLv3 enabled. Some Internet Explorer versions only work if TLSv1 is enabled, at least as long as SSLv2 is disabled.
> Best regards,
> Lars Bräuer