"choose a digital certificate" pop-up in IE

Hello

I have browsed the archives but have not found the answer to this question...

I have stunnel set up to handle https connections. It sits on a Debian server alongside HAProxy and works fine with every browser except for Internet Explorer.

When I connect with Internet Explorer, I get a blank "Please choose a digital certificate" pop-up.

How do we turn off the request for the client certificate in IE?

Here are my details....thanks in advance.

    #vi /etc/stunnel/stunnel.conf
    verify=0
    CAfile=/etc/ssl/certs/chain.pem
    cert=/etc/ssl/certs/multidomain.pem
    CApath=/etc/ssl/certs/
    pid = /etc/stunnel/stunnel.pid
    debug = 3
    output = /etc/stunnel/stunnel.log
    socket=l:TCP_NODELAY=1
    socket=r:TCP_NODELAY=1
    client=no

    [https]
    accept=192.168.11.32:443
    connect=localhost:444
    TIMEOUTclose=0
    xforwardedfor=yes

    #usr/local/bin/stunnel -version
    stunnel 4.32 on x86_64-unknown-linux-gnu with OpenSSL 0.9.8g 19 Oct 2007
    Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6

    Global options
    debug = daemon.notice
    pid = /usr/local/var/run/stunnel/stunnel.pid
    RNDbytes = 64
    RNDfile = /dev/urandom
    RNDoverwrite = yes

    Service-level options
    cert = /usr/local/etc/stunnel/stunnel.pem
    ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
    session = 300 seconds
    stack = 65536 bytes
    sslVersion = SSLv3 for client, all for server
    TIMEOUTbusy = 300 seconds
    TIMEOUTclose = 60 seconds
    TIMEOUTconnect = 10 seconds
    TIMEOUTidle = 43200 seconds
    verify = none

--
View this message in context: http://old.nabble.com/%22choose-a-digital-certificate%22-pop-up-in-IE-tp2860...
Sent from the Stunnel - Users mailing list archive at Nabble.com.

Hi Thomas,

try the following settings in the global section of your config:

    sslVersion = all
    options = NO_SSLv2

The default config seems to have just SSLv3 enabled. Some Internet Explorer versions only work if TLSv1 is enabled, at least as long as SSLv2 is disabled.

Best regards,
Lars Bräuer

--
MPeX.net GmbH / Werner-Voß-Damm 62 / D-12101 Berlin / Germany
MPeXnetworks / www.mpexnetworks.de
Tel: ++49-30-78097 180 / Fax: ++49-30-78097 181
Registered office, court of registration: Berlin, Amtsgericht Charlottenburg, HRB 76688
Managing directors: Lars Bräuer, Gregor Lawatscheck, Dr. Robert Lawatscheck

On 19.05.2010 14:30, KumpelJ wrote:
> When I connect with Internet Explorer, I get a blank "Please choose a digital certificate" pop-up.
> How do we turn off the request for the client certificate in IE?

Hello Lars,

thanks for your reply.

Unfortunately this is not working..:(

popup still says: http://img266.imageshack.us/img266/7016/ie1we9.gif

..so the problem seems to be that the server asks the client/browser to identify himself (but only with Internet Explorer 6?)...but I find no configuration to turn this off.

Lars Braeuer-2 wrote:
> try the following settings in the global section of your config:
> sslVersion = all
> options = NO_SSLv2

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

Hello Thomas,

did you empty the cache of MSIE6 or did you restart the browser before trying again?

Another stupid question: Did you restart stunnel properly? Check if the pid is really different after the restart in order to make sure stunnel is not hanging around just pretending it did a restart.

Best regards,
Lars Bräuer

On 19.05.2010 15:56, KumpelJ wrote:
> Unfortunately this is not working..:(
> popup still says: http://img266.imageshack.us/img266/7016/ie1we9.gif
> ..so the problem seems to be that the server asks the client/browser to identify himself (but only with Internet Explorer 6?)...but I find no configuration to turn this off.

Of course I've considered these points but it does not work :/

Lars Braeuer-2 wrote:
> did you empty the cache of MSIE6 or did you restart the browser before trying again?
> Another stupid question: Did you restart stunnel properly? Check if the pid is really different after the restart in order to make sure stunnel is not hanging around just pretending it did a restart.

the log says:

    2010.05.20 14:05:47 LOG7[24166:1086048592]: SSL state (accept): SSLv3 flush data
    2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 items in the session cache
    2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client connects (SSL_connect())
    2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client connects that finished
    2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client renegotiations requested
    2010.05.20 14:05:47 LOG7[24166:1086048592]: 3 server connects (SSL_accept())
    2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 server connects that finished

why "server connects"? shouldn't it be "client connects", because stunnel is used for https?

KumpelJ wrote:
> 2010.05.20 14:05:47 LOG7[24166:1086048592]: 3 server connects (SSL_accept())
> 2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 server connects that finished
> why "server connects"? shouldn't it be "client connects", because stunnel is used for https?

These are "server connects", i.e. connects performed to stunnel operating as an SSL server, and *not* "servers connected", i.e. stunnel connections performed to a remote server.

Best regards,
Mike
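
The counters discussed in the two messages above can be read mechanically. The following is an added example, not code from the thread or from the stunnel project: it parses log lines in the format posted above, reports how many handshakes stunnel accepted as an SSL server versus how many finished, and flags any handshake state line that mentions a certificate request. The `CONSTRUCTED_LINE` sample and the state name it contains are assumptions and do not appear in the posted log.

```python
import re

# Line layout as posted in the thread: "<date> <time> LOG<level>[<pid>:<thread>]: <message>"
LINE = re.compile(r"^(\S+ \S+) LOG(\d)\[(\d+):(\d+)\]: (.*)$")
# Counter lines such as "3 server connects (SSL_accept())"
STAT = re.compile(r"^(\d+) (client|server) "
                  r"(connects that finished|connects|renegotiations requested)\b")

# Lines copied from the thread.
THREAD_LINES = [
    "2010.05.20 14:05:47 LOG7[24166:1086048592]: SSL state (accept): SSLv3 flush data",
    "2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 items in the session cache",
    "2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client connects (SSL_connect())",
    "2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client connects that finished",
    "2010.05.20 14:05:47 LOG7[24166:1086048592]: 0 client renegotiations requested",
    "2010.05.20 14:05:47 LOG7[24166:1086048592]: 3 server connects (SSL_accept())",
    "2010.05.20 14:05:47 LOG7[24166:1086048592]: 2 server connects that finished",
]
# Constructed line (not from the thread): assumes the OpenSSL handshake state
# name logged when a server sends a CertificateRequest.
CONSTRUCTED_LINE = ("2010.05.20 14:05:47 LOG7[24166:1086048592]: "
                    "SSL state (accept): SSLv3 write certificate request A")

def summarize(lines):
    """Return handshake counters and any certificate-request states seen."""
    stats, cert_requests = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a stunnel log line
        stamp, _level, _pid, thread, msg = m.groups()
        s = STAT.match(msg)
        if s:
            # keep the most recent value of each counter
            stats[(s.group(2), s.group(3))] = int(s.group(1))
        elif msg.startswith("SSL state (accept):") and "certificate request" in msg:
            cert_requests.append((stamp, thread))
    started = stats.get(("server", "connects"), 0)
    finished = stats.get(("server", "connects that finished"), 0)
    return {
        "server_started": started,        # handshakes where stunnel was the SSL server
        "server_finished": finished,
        "server_unfinished": started - finished,
        "client_started": stats.get(("client", "connects"), 0),
        "cert_requests": cert_requests,   # non-empty: the server asked for a client cert
    }

if __name__ == "__main__":
    print(summarize(THREAD_LINES))
    print(summarize([CONSTRUCTED_LINE] + THREAD_LINES))
```

A non-zero `server_unfinished` only says that a handshake had not completed when the counters were written; it may still have been in progress.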

Hi,

I have the same problem with the Safari browser under Windows!

kind regards,
Rene Plattner

On 19.05.2010 15:16, Lars Braeuer wrote:
> try the following settings in the global section of your config:
> sslVersion = all
> options = NO_SSLv2
> The default config seems to have just SSLv3 enabled. Some Internet Explorer versions only work if TLSv1 is enabled, at least as long as SSLv2 is disabled.

--
Dipl.-Ing. René Plattner
Zentraler Informatikdienst (Central IT-Services)
Universität Innsbruck
Technikerstrasse 23, 6020 Innsbruck, Austria
Tel: ++43512/507-2360
Fax: ++43512/507-2944
E-Mail: rene.plattner@uibk.ac.at
Homepage: http://www.uibk.ac.at/zid
D92E 1AE3 A8AA 9A57 8E5B 9204 F5D0 95DB 4030 742D
http://homepage.uibk.ac.at/~c1021058/keys/0x4030742D.pub

participants (4)
- KumpelJ
- Lars Braeuer
- Michal Trojnara
- Rene Plattner