I set ServerTrace "true" and got:
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: before/accept initialization
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: before/accept initialization
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: SSLv3 read client hello A
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: SSLv3 write server hello A
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: SSLv3 write certificate A
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: SSLv3 write server done A
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: SSLv3 flush data
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: SSLv3 read client certificate A
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: SSLv3 read client certificate A
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Notice: nsopenssl: trace: nsdserver: SSLv3 read client certificate A
[11/Jul/2002:10:36:53][4331.4101][-conn1-] Error: nsopenssl: error during SSL handshake: Connection reset by peer
At which point I realized it was using SSLv3 after all even though ServerProtocol was set to SSLv2. Adding SSLv3 to ServerProtocol was no help. So I got rid of that and added ":-SSLv3" to the end of ServerCipherSuite and got "Security Failure. The server reply is invalid." on Mac IE, while my log said:
[11/Jul/2002:10:42:44][4397.8201][-conn5-] Notice: nsopenssl: trace: nsdserver: before/accept initialization
[11/Jul/2002:10:42:44][4397.8201][-conn5-] Notice: nsopenssl: trace: nsdserver: before/accept initialization
[11/Jul/2002:10:42:44][4397.8201][-conn5-] Notice: nsopenssl: trace: nsdserver: SSLv3 read client hello C; alert type = fatal; alert desc = handshake failure
[11/Jul/2002:10:42:44][4397.8201][-conn5-] Notice: nsopenssl: trace: nsdserver: SSLv3 read client hello C
[11/Jul/2002:10:42:44][4397.8201][-conn5-] Notice: nsopenssl: trace: nsdserver: SSLv3 read client hello C
[11/Jul/2002:10:42:44][4397.8201][-conn5-] Error: nsopenssl: error -1/1 during SSL handshake
Which leads me to believe the browser will only accept SSLv3 connections. So I need it to work under SSLv3. This is consistent with the mod_ssl FAQ explanation of the problem. But how might I implement their keepalive and HTTP version workaround in AOLserver?
One note: the first time I try to load the page from a fresh browser it complains about my certificate not coming from a recognized authority and it lets me continue but only by turning off encryption. Subsequent loads of the page give me the "decryption error", whether or not I allowed the first load to "continue" despite the unrecognized authority. I still don't know if this unrecognized authority is somehow at the root of the problem, and I won't know until I get a real certificate.