Hi Merton!
don't forget to CC the mailing-list :)

> Out of the 5 possible causes you listed, we probably can't do much
> about the other ones. But we can control the above two from our end. I
> suppose that most 'modern' browsers nowadays should be able to do TLS
> v1.0, and SSLv3 is considered as a weaker choice (But I wonder if it
> will make more compatible for clients to support both TLSv1.0 and
> SSLv3?). The specific ciphers we've chosen are to speed up the SSL but
> it might 'screen out' some clients.

The issue is probably with embedded, mobile and outdated browsers. If you have a 5 year old Windows CE phone, chances are it will connect in SSLv3 only (for example).

> We also see in the log that some clients connected/handshake
> successfully initially on some page, but failed the handshake in
> subsequent requests to other parts of the site.

Keep in mind that a browser may open a connection to accelerate a _possible_ future HTTP transaction - and if the user doesn't request another page, the connection will just be dropped. Those optimizations in browsers can trigger warnings on the server-side.

> Any suggestion on making SSL as much compatible as possible while
> keeping it fast?

You may enable SSLv3 again and monitor the log.

Regards,

Lukas

