Web Hosting Talk







SSL Doesn't work on my MSNTV browser


chrisb
04-13-2002, 01:59 AM
So far I've come across 4 hosts whose SSL doesn't work on my MSNTV browser, OLM, xnethosting, and wisehosting.net. My browser accepts most all RA4-128 bit certificates from Thawte and Verisign except for 40-bit ones which are non-standard anyway. The only common thing I can find in these hosts are they use Geotrust. You may not want to buy a cheap certificate such as Geotrust for SSL. I have a feeling my browser isn't the only one. I'd recommend Thawte. Trying to save a few bucks can cut out millions of people. Just my 2c.

ToastyX
04-13-2002, 04:33 AM
What do you mean by doesn't work? Does it give you a warning message or does it just plain not work?

chrisb
04-13-2002, 05:09 AM
My browser gives a popup that says "Cannot establish secure communications" and won't go to the page...ie, "doesn't work".

chrisb
04-13-2002, 06:51 AM
I meant to say "IOW, it doesn't work". :-)

Anyhow, I forgot that some Geotrust Certificates do work on my browser... and what's really strange is that all SecureLook Certificates (even cheaper than GeoTrust @ $79 a year) work. I'd still go with Thawte if it were me. Also, I read somewhere where there were patches for GeoTrust certificates.

BTW, why are most secure pages busy? You find a fast host; but then you have to wait forever for the secure page to load in order to "order" something. This happens on my PC with cable connection too.

ToastyX
04-13-2002, 08:31 AM
Hmm, well it's too late because I bought a GeoTrust certificate last night. :buck: I wanted to go with Thawte, but their order process is too much of a hassle for me right now.

IWH
04-13-2002, 10:19 PM
Here is some information for everyone about the GeoTrust Certificates.

At the present time GeoTrust Certificates are compatible with the following web browsers which represents about 90% compatibility.

AOL Browser 3.0
AOL Browser 4.0
AOL Browser 5.0
Microsoft Internet Explorer 3.02 (128-bit and majority of 40-bit)
Microsoft Internet Explorer 4.x
Microsoft Internet Explorer 5.x
Microsoft Internet Explorer 6.x
Netscape Communicator 4.x
Netscape Navigator 3.x (needs root rollover)
Netscape Navigator 4.x
Netscape Navigator 6.x
Opera 5

All other commonly used browsers may connect securely with Web servers using QuickSSL certificates. However, some older browsers may display a dialogue box indicating that the certificate is not trusted. This means that the certificate is not located in the browser certificate store and, in most cases, the user will be prompted to install it with a few clicks of their mouse.

QuickSSL browser compatibility is increasing at an estimated rate of 2% per month. The anticipated compatibility will be approximately 95% by the end of 2002.

chrisb
04-14-2002, 12:16 AM
You must be a seller for Geotrust. In most cases, my browser doesn't even give the dialog box with a GeoTrust certificate. It just says "secure communications could not be established". My browser is not the newest, but supposedly compatible with MSIE 4.0. I've always felt that websites, especially if you're selling, should allow for backward compatibility. IOW, never use the latest tools, unless you want to lose customers. Or if you do, give an option on the page.

IWH
04-14-2002, 01:19 AM
If your browser is compatible with MSIE 4.0 it should work with the 128 bit SSL cert from GeoTrust.

Tell me if you can pull up our site https://www.ebizid.com

GeoTrust was offering a FREE SSL certificate that was not compatible with any other browsers except MSIE.
This was a 75% compatible Certificate.

I have tested all the browsers in the previous post and know that it works with all of them.

Thanks for your input.

James

chrisb
04-14-2002, 03:39 AM
No, I can't pull up that site.

chrisb
04-14-2002, 04:12 AM
Here's one with an Equifax cert that works for me.

https://billing.planetdigita.com/signup/contact.php

It says it's a RSA4-128-bit Equifax Secure. Could GeoTrust have changed something when they took over?

IWH
04-14-2002, 12:27 PM
chrisb,

They have not changed anything that I'm aware of.

You've got me wondering now, I have been selling certs and the GeoTrust certs now for about 3 years now and have never come across anyone that could not reach a secure site or like the problem you are having.
I have had customers say they have had the pop up window say that it is not from a trusted source but that was usually with the FreeSSL.

I will do some investigation and repost when I have an answer for you and everyone else that is wondering.:confused:

Thanks again for your input.

chrisb
04-14-2002, 04:33 PM
Originally posted by IWH
chrisb,

They have not changed anything that I'm aware of.

You've got me wondering now, I have been selling certs and the GeoTrust certs now for about 3 years now and have never come across anyone that could not reach a secure site or like the problem you are having.
I have had customers say they have had the pop up window say that it is not from a trusted source but that was usually with the FreeSSL.

I will do some investigation and repost when I have an answer for you and everyone else that is wondering.:confused:

Thanks again for your input.

Thank *you* for your willingness to help me check this out. I checked out several sites that say they use GeoTrust certificates. If the certificate says "Equifax Secure" then it works, otherwise it doesn't work for me. JFYI, my browser also accepts RSA Data certificates.

I'm thinking that my browser has not been updated yet to accept the "Geotrust" name, but it could be another reason.

IWH
04-30-2002, 07:11 PM
Chrisb,

There are a couple of reasons that your browser will not accept the GeoTrust Certificates or any certificates for that matter, be it Thawte or Verisign or GeoTrust.

I have attached a fix for anyone needing to allow older browsers to connect to the Apache web server using SSL.

The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic with some MSIE versions, too. You've to work-around these problems by forcing Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or sending the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

Additionally it is known some MSIE versions have also problems with particular ciphers. Unfortunately one cannot workaround these bugs only for those MSIE particular clients, because the ciphers are already used in the SSL handshake phase. So a MSIE-specific SetEnvIf doesn't work to solve these problems. Instead one has to do more drastic adjustments to the global parameters. But before you decide to do this, make sure your clients really have problems. If not, do not do this, because it affects all(!) your clients, i.e., also your non-MSIE clients.

The next problem is that 56bit export versions of MSIE 5.x browsers have a broken SSLv3 implementation which badly interacts with OpenSSL versions greater than 0.9.4. You can either accept this and force your clients to upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you can decide to workaround it by accepting the drawback that your workaround will horribly affect also other browsers:

SSLProtocol all -SSLv3

This completely disables the SSLv3 protocol and lets those browsers work. But usually this is an even less acceptable workaround. A more reasonable workaround is to address the problem more closely and disable only the ciphers which cause trouble.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

This also lets the broken MSIE versions work, but only removes the newer 56bit TLS ciphers.

Another problem with MSIE 5.x clients is that they refuse to connect to URLs of the form https://12.34.56.78/ (IP-addresses are used instead of the hostname), if the server is using the Server Gated Cryptography (SGC) facility. This can only be avoided by using the fully qualified domain name (FQDN) of the website in hyperlinks instead, because MSIE 5.x has an error in the way it handles the SGC negotiation.

And finally there are versions of MSIE which seem to require that an SSL session can be reused (a totally non standard-conforming behaviour, of course). Connection with those MSIE versions only work if a SSL session cache is used. So, as a work-around, make sure you are using a session cache (see SSLSessionCache directive).

The above was taken from the modssl website. If you need more information on this you can visit their web site at http://www.modssl.com


Chris, in short it is not the GeoTrust certificate that is causing your problems.

I hope this answered your question,

James
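
What the SSLCipherSuite string quoted in the post above leaves enabled can be checked by expanding it. The following is an added example, not part of the original post or of mod_ssl: a simplified Python model of OpenSSL's cipher-list operators, run over a constructed table of nine period cipher names whose selector tags are assumptions.

```python
# Simplified model of OpenSSL cipher-list evaluation (added example).
# The cipher table is constructed for illustration: a handful of
# OpenSSL 0.9.x-era names with the selector tags assumed for each.
CIPHERS = {
    "DES-CBC3-SHA":        {"SSLv3", "RSA", "3DES", "HIGH"},
    "RC4-SHA":             {"SSLv3", "RSA", "RC4", "MEDIUM"},
    "RC4-MD5":             {"SSLv3", "RSA", "RC4", "MEDIUM"},
    "DES-CBC-SHA":         {"SSLv3", "RSA", "DES", "LOW"},
    "EXP1024-RC4-SHA":     {"SSLv3", "RSA", "RC4", "EXP", "EXPORT56"},
    "EXP1024-DES-CBC-SHA": {"SSLv3", "RSA", "DES", "EXP", "EXPORT56"},
    "EXP-RC4-MD5":         {"SSLv3", "RSA", "RC4", "EXP", "EXPORT40"},
    "ADH-RC4-MD5":         {"SSLv3", "ADH", "RC4", "MEDIUM"},
    "DES-CBC3-MD5":        {"SSLv2", "RSA", "3DES", "HIGH"},
}

def matches(name, selector):
    """A selector such as RC4+RSA matches ciphers carrying every tag."""
    if selector == "ALL":
        return True
    return all(tag in CIPHERS[name] for tag in selector.split("+"))

def expand(spec):
    """Return the ordered cipher list that a colon-separated spec yields."""
    active, killed = [], set()
    for item in spec.split(":"):
        op = item[0] if item[0] in "!-+" else ""
        selector = item[len(op):]
        hits = [n for n in CIPHERS if matches(n, selector)]
        if op == "!":            # remove permanently
            killed.update(hits)
            active = [n for n in active if n not in killed]
        elif op == "-":          # remove, may be re-added later
            active = [n for n in active if n not in hits]
        elif op == "+":          # move ciphers already listed to the end
            moved = [n for n in active if n in hits]
            active = [n for n in active if n not in hits] + moved
        else:                    # append matching ciphers not yet listed
            active += [n for n in hits if n not in active and n not in killed]
    return active

FAQ_SPEC = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

if __name__ == "__main__":
    for position, name in enumerate(expand(FAQ_SPEC), 1):
        print(position, name)
```

In this model the string drops the anonymous-DH cipher and the two EXP1024 ciphers, while the SSLv2 and 40-bit export entries stay enabled at the end of the preference order. On a real server, `openssl ciphers -v` with the same string lists what the installed OpenSSL actually enables.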

chrisb
04-30-2002, 09:41 PM
Originally posted by IWH
x
Chris, in short it is not the GeoTrust certificate that is causing your problems.

James

Are you sure? I don't think the above is the problem because my Mozilla-compatible browser appears to accept ALL certificates EXCEPT Geotrust (it even accepts GeoTrust, just not their QuickSSL). IOW, GeoTrust's QuickSSL is the ONLY certificate I cannot use. :bawling:

okihost
04-30-2002, 10:06 PM
Originally posted by IWH
Here is some information for everyone about the GeoTrust Certificates.

At the present time GeoTrust Certificates are compatible with the following web browsers which represents about 90% compatibility.

AOL Browser 3.0
AOL Browser 4.0
AOL Browser 5.0


Does this mean that AOL 6.0 and 7.0 are not supported? If so this is bad, as a lot of users I would guess are still using AOL