Several things to check. First try to see what forms of SGC your
certificate supports. You can do this with:

openssl x509 -in sgcert.pem -text -noout

Look for the extended key usage extension and see whether it says
Netscape, MS SGC or both.

MSIE SGC was only supported in OpenSSL 0.9.5 and later if I recall.

If it says MS SGC then MSIE will try to use MS SGC. If it just says
Netscape it will try Netscape SGC but the MS implementation of
Netscape SGC is buggy.

I did some experiments and I could only get it to work if I only enabled
128 bit and 40 bit RC4. It has been reported that the various bugs
relate to the new MSIE 56 bit export ciphers which were added to OpenSSL
after 0.9.4 if I recall.

Anyway the thing to do is try messing around with the permitted ciphers;
check the server docs for info on how to do that and the docs on the
OpenSSL 'ciphers' command.

For example you can try:

openssl ciphers -v 'DEFAULT:!EXPORT56:@STRENGTH'
openssl ciphers -v 'RC4:!EXPORT56:@STRENGTH'

to get a list of the ciphers it will end up using then try setting them
in the server. You might want to experiment with s_server to see if MSIE
can connect first.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
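
The extended key usage check described in the message, as an added example that is not part of the original post: it reads `openssl x509 -text -noout` output on stdin and reports which SGC usages are listed. The names sgc_type and sample_cert_text are hypothetical, the sample text is constructed, and the match strings assume OpenSSL's long names (or raw OIDs) for the two SGC usages.

```shell
#!/bin/sh
# Added example: classify the SGC usages found in the Extended Key Usage
# extension of `openssl x509 -text -noout` output read from stdin.
# Prints one of: both, ms, netscape, none.
sgc_type() {
    awk '
        # The extension value is printed on the line after its header
        # (the header may carry a trailing "critical").
        /X509v3 Extended Key Usage/ { in_eku = 1; next }
        in_eku {
            n = split($0, usages, ",")
            for (i = 1; i <= n; i++) {
                u = usages[i]
                gsub(/^[ \t]+|[ \t]+$/, "", u)   # trim surrounding whitespace
                # Long names as printed by OpenSSL, plus the raw OIDs in
                # case a build prints them unnamed (assumption).
                if (u == "Microsoft Server Gated Crypto" || u == "1.3.6.1.4.1.311.10.3.3") ms = 1
                if (u == "Netscape Server Gated Crypto" || u == "2.16.840.1.113730.4.1") ns = 1
            }
            in_eku = 0
        }
        END {
            if (ms && ns) print "both"
            else if (ms) print "ms"
            else if (ns) print "netscape"
            else print "none"
        }
    '
}

# Constructed sample of the relevant part of the -text output
# (not taken from a real certificate).
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
EOF
}

# With a real certificate:
#   openssl x509 -in sgcert.pem -text -noout | sgc_type
sample_cert_text | sgc_type
```

A result of "netscape" corresponds to the case the message calls out, where MSIE falls back to Netscape SGC.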
