Dear Mark,

I ran across your posting (below) in the mod_ssl maillist archive below.
I am experiencing the same problem and the fixes suggested in the FAQ
also failed to correct it for me without using:

   SSLProtocol all -SSLv3

I have just implemented this and wonder if you can tell me if you have
encountered any other problems with any other browsers since eliminating
SSLv3 from the protocols.

We are using this as a publicly available production server where we
depend on it for most of the orders we receive from customers and I am
hoping that the above will solve all the problems.

BTW, since MSIE 5.5 seems to work, I used the following rather than what
was in the FAQ...

SetEnvIf User-Agent "MSIE [2-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SetEnvIf User-Agent "MSIE 5\.[0-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Too bad there's no way to limit the SSLProtocol restriction to IExploder
browsers.

Thanks for any feedback.

Dick Kreutzer
AmeriCom Inc.

P.S.  Please reply to me at [EMAIL PROTECTED] as I am not currently a
      member of the mod_ssl list.

Your original post follows:

> We have been forced to use:
> 
> 
> SSLProtocol all -SSLv3
> 
> 
> This seems to be a nasty one, at least for build versions of IE that have been very
> widely distributed on various ISP-CDs in the UK. While we are not in a position to
> test a wide range of IE builds, at least one that is common, IE 5.00.2314.1003IC,
> just does NOT work with the following fixes:
> 
> 
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> 
> 
> SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> 
> 
> (The FAQ has !EXPORT56 in bold but this is surely incorrect as the cipher tag
> is EXP56?)
> 
> 
> SSLCipherSuite ALL:!ADH:!EXP40:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> 
> 
> was not fruitful either. The build described is a 40bit-only cipher version.
> 
> 
> This problem has caused us (and I assume others who like to use latest/best versions
> of server software) much grief recently. Can anyone throw more light on it and
> possibly suggest a work-around that would force broken browsers to use SSL v2, or
> ciphers that reliably work with SSL v3, but let working SSL v3 browsers use SSL v3?
> 
> 
> But anyway, many thanks to the whole OpenSSL/mod_ssl team for letting us provide high
> quality SSL implementations of any kind!
> 
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
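
An added example, not part of the original messages or the mod_ssl FAQ: a Python check of which User-Agent strings the narrowed SetEnvIf patterns in the reply would flag, compared with the `.*MSIE.*` pattern quoted from the original post. The User-Agent strings are constructed samples, and Python's `re.search` is assumed to stand in for SetEnvIf's unanchored, case-sensitive regex match (the patterns use only syntax common to both).

```python
import re

# Patterns copied from the messages above.
NARROW = [r"MSIE [2-4]", r"MSIE 5\.[0-4]"]   # from the reply
BROAD = [r".*MSIE.*"]                         # from the quoted original post
FLAGS = ("nokeepalive", "ssl-unclean-shutdown",
         "downgrade-1.0", "force-response-1.0")

# Constructed sample User-Agent strings (not taken from any real log).
SAMPLES = {
    "ie4.01": "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
    "ie5.0": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)",
    "ie5.5": "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
    # A non-IE browser that announces itself as MSIE in its User-Agent.
    "opera_as_ie": "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) Opera 5.12 [en]",
    "netscape": "Mozilla/4.76 [en] (Win98; U)",
}


def flags_for(user_agent, patterns):
    """Return the environment flags a request with this User-Agent would get."""
    if any(re.search(p, user_agent) for p in patterns):
        return FLAGS
    return ()


def report(patterns):
    """Map each sample name to True if the workaround flags would be set."""
    return {name: bool(flags_for(ua, patterns)) for name, ua in SAMPLES.items()}


if __name__ == "__main__":
    for label, patterns in (("narrow", NARROW), ("broad", BROAD)):
        for name, hit in report(patterns).items():
            state = "workaround flags set" if hit else "normal handling"
            print(f"{label:6} {name:12} {state}")
```

The match is on the header string only, so any client that sends an MSIE-style User-Agent receives the same flags as the browser it imitates.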
