Hi,

We're using mod_ssl + Apache for encrypting stuff on our site. Our problem is that it only works with 128-bit versions of IE4+ and the newest versions of Netscape.

Before I got the cert back from Verisign, I signed my 1024-bit key myself for testing, and it worked fine. 56-bit browsers negotiated 56-bit keys, 128-bit browsers negotiated 128-bit keys.

The Verisign cert is a Global Server Certificate, which is (as I understand it) their 128-bit certificate. So, I pointed my SSLCertificateFile directive at number the "Intermediate CA Certificate", and my SSLCertificateChainFile at number the "The Server Subscriber Certificate".

It sounds to me like there's something about these Chain Files that confuses weak-encryption browsers. The log files (see below) show that 56-bit browsers are freezing during the handshake stage at the point where they should be generating a key and sending it to the server.

Other people on this list seem to have had this problem, but the only solution that was suggested was to force SSLv2; this, however, breaks the ChainFile stuff and Apache won't start.

Can anyone help? Should I just buy a 56-bit cert from Verisign? What can I do?

Thanks,
seb.

---------------------
Exhibit A: ssl_engine_log for unsuccessful session

[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Handshake: start
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: before/accept initialization
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 read client hello A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 write server hello A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 write certificate A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 write server done A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 flush data
[ --- log stops here --- ]

-------------------------
Exhibit B: ssl_engine_log for successful session:

[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Handshake: start
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: before/accept initialization
[28/Jun/2000 17:55:15 05267] [trace] Inter-Process Session Cache: request=GET status=MISSED id=B9FAA765179D45CED6B784D5F549939B6A33A2C8EAF9695C5B7DA0125D6CA52D (session renewal)
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 read client hello A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 write server hello A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 write certificate A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 write server done A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 flush data
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 read finished A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 write finished A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 flush data
[28/Jun/2000 17:55:15 05267] [trace] Inter-Process Session Cache: request=SET status=OK id=E6442590EA05385BC7C3825655E2DF092326B582AA783D288A1CF56E0C5810F5 timeout=300s (session caching)
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Handshake: done
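
The comparison between Exhibit A and Exhibit B can be automated. The following is an added example, not part of the original post: it scans ssl_engine_log trace lines in the format shown above and reports every handshake that logged "start" but never "done", with the last state reached. The function name and the sample input are constructed for illustration.

```python
import re

# Constructed sample: abridged trace lines in the format of Exhibits A and B.
SAMPLE_LOG = """\
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Handshake: start
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 read client hello A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 write certificate A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 write server done A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[28/Jun/2000 17:55:15 05267] [trace] OpenSSL: Handshake: done
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Handshake: start
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 read client hello A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 write certificate A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 write server done A
[28/Jun/2000 18:43:49 05524] [trace] OpenSSL: Loop: SSLv3 flush data
"""

# [timestamp pid] [trace] OpenSSL: Handshake|Loop: message
TRACE_RE = re.compile(
    r"^\[(?P<ts>\S+ \S+) (?P<pid>\d+)\] \[trace\] "
    r"OpenSSL: (?P<kind>Handshake|Loop): (?P<msg>.+)$")

def stalled_handshakes(log_text):
    """Return handshakes that logged 'start' but never 'done', one dict each."""
    open_hs, stalled = {}, []
    for raw in log_text.splitlines():
        m = TRACE_RE.match(raw.strip())
        if not m:
            continue  # session-cache and other non-handshake lines
        pid, kind, msg = m["pid"], m["kind"], m["msg"].strip()
        if kind == "Handshake" and msg == "start":
            if pid in open_hs:  # same child started again: the old one never finished
                stalled.append(open_hs.pop(pid))
            open_hs[pid] = {"pid": pid, "started": m["ts"], "states": []}
        elif kind == "Handshake" and msg == "done":
            open_hs.pop(pid, None)
        elif kind == "Loop" and pid in open_hs:
            open_hs[pid]["states"].append(msg)
    stalled.extend(open_hs.values())
    for hs in stalled:
        hs["last_state"] = hs["states"][-1] if hs["states"] else None
        # Exhibit A contains this state; Exhibit B does not.
        hs["server_key_exchange"] = "SSLv3 write key exchange A" in hs["states"]
    return stalled

if __name__ == "__main__":
    for hs in stalled_handshakes(SAMPLE_LOG):
        print(hs["started"], hs["pid"], hs["last_state"], hs["server_key_exchange"])
```

On a live log, a handshake still in progress when the file is read is reported as well, so recent entries should be rechecked before they are treated as failures.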
