On Mon, Mar 15, 1999, [EMAIL PROTECTED] wrote:
> I installed mod_ssl with apache-1.3.4 and it worked nice, but now I
> configure the hhtpd.conf with
>
> SSLProtocol all
> SSLCipherSuite HIGH:MEDIUM
>
> options for accep only strong encryption.
>
> The problem is that when I start the hhttpd daemond and i try to conect
> with Netscape I get a error saying:
>
> "Netscape and this server cannot communicate securely
> because they have no common encryption algorithms(s)"
With the above SSLCipherSuite you actually get:
| :> openssl ciphers -v 'HIGH:MEDIUM'
| EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
| EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
| DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
| DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
| IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
| RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
| RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
| IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
| RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
| RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
So, at least the DES-CBC3-MD5 and RC4-MD5 ciphers are supported by Netscape.
But only on non-export or Fortified versions, of course. So when your
Netscape complains, perhaps it's a regular export-grade version?
> But if I comment that lines and I say that I want use liberal options
> everything work nice. The only thing is that I do not want to use 40 bit
> encyption because that is useless.
Ok, but are you sure your browser supports non-export ciphers, too?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
