On Mon, Jul 03, 2000, David Rees wrote:
> I found a good workaround to this problem. Instead of changing SSLProtocol
> to "all -SSLv2", you can make your SSLCipherSuite line read:
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> Which is the default with the addition of !EXPORT56. I tested on all the
> various browsers we had around here, and it seems to work for all browsers.
>
> Ralf, maybe we can get this in the FAQ or somewhere else easy to find until
> the proper software fix is released? This is quite a showstopper for a
> large number of people.
Hmmm.... the "SSLProtocol all -SSLv2" is certainly not optimal, yes. But OTOH
your !EXPORT56 completely _removes_ a few of the newer ciphers. Actually:
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export
EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC2-CBC-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export
EXP1024-RC4-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export
Hmmm... this again might not be optimal either. Although I still do
not know whether browsers support those ciphers at all, and
correctly. So, what do others think about this? I at least will add -SSLv2
and !EXPORT56 to a new FAQ entry about MSIE....
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
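To see concretely what the two workarounds discussed above drop, here is a small model of OpenSSL cipher-string resolution. It is an added example written for this thread, not code from mod_ssl or OpenSSL, and it uses a constructed, deliberately reduced cipher table and a simplified alias table (the real `openssl ciphers` list and alias rules are larger; HIGH/MEDIUM/LOW and RSA are approximated by bit count and key-exchange algorithm). It applies the operators the way the OpenSSL documentation describes them: a bare keyword appends matching ciphers, `+` moves already-enabled matches to the end of the preference list, `-` removes matches but lets a later keyword re-add them, and `!` removes them permanently; `A+B` inside one word means both must hold.

```python
"""Simplified model of OpenSSL cipher-string resolution (constructed example).

Not OpenSSL's own implementation: the cipher table, the alias matching and the
strength classes below are assumptions made for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    proto: str      # "SSLv2" or "SSLv3"
    kx: str         # key exchange: "RSA" or "DH"
    au: str         # authentication: "RSA", "DSS" or "None" (anonymous)
    enc: str        # "RC4", "DES", "3DES", "RC2"
    bits: int       # effective key length
    mac: str
    export: bool


# Constructed subset of ciphers, in an assumed default preference order.
TABLE = [
    Cipher("DES-CBC3-SHA", "SSLv3", "RSA", "RSA", "3DES", 168, "SHA1", False),
    Cipher("RC4-SHA", "SSLv3", "RSA", "RSA", "RC4", 128, "SHA1", False),
    Cipher("RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", 128, "MD5", False),
    Cipher("ADH-RC4-MD5", "SSLv3", "DH", "None", "RC4", 128, "MD5", False),
    Cipher("DES-CBC-SHA", "SSLv3", "RSA", "RSA", "DES", 56, "SHA1", False),
    Cipher("EXP1024-RC4-SHA", "SSLv3", "RSA", "RSA", "RC4", 56, "SHA1", True),
    Cipher("EXP1024-DES-CBC-SHA", "SSLv3", "RSA", "RSA", "DES", 56, "SHA1", True),
    Cipher("EXP1024-DHE-DSS-RC4-SHA", "SSLv3", "DH", "DSS", "RC4", 56, "SHA1", True),
    Cipher("EXP-RC4-MD5", "SSLv3", "RSA", "RSA", "RC4", 40, "MD5", True),
    Cipher("EXP-DES-CBC-SHA", "SSLv3", "RSA", "RSA", "DES", 40, "SHA1", True),
    Cipher("DES-CBC3-MD5", "SSLv2", "RSA", "RSA", "3DES", 168, "MD5", False),
    Cipher("RC4-MD5", "SSLv2", "RSA", "RSA", "RC4", 128, "MD5", False),
    Cipher("EXP-RC4-MD5", "SSLv2", "RSA", "RSA", "RC4", 40, "MD5", True),
]

# The strings from the thread, plus a "!SSLv2" variant for comparison.
DEFAULT = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
DAVID = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
NO_SSLV2 = "ALL:!ADH:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"


def _matches(c, word):
    """Does one keyword match this cipher? (simplified alias table, assumed)"""
    return {
        "ALL": True,
        "ADH": c.kx == "DH" and c.au == "None",
        "RSA": c.kx == "RSA",
        "RC4": c.enc == "RC4",
        "EXP": c.export,
        "EXPORT40": c.export and c.bits == 40,
        "EXPORT56": c.export and c.bits == 56,
        "HIGH": not c.export and c.bits > 128,
        "MEDIUM": not c.export and c.bits == 128,
        "LOW": not c.export and c.bits < 128,
        "SSLv2": c.proto == "SSLv2",
        "SSLv3": c.proto == "SSLv3",
    }[word]


def resolve(cipher_string):
    """Return the enabled ciphers, in preference order, as (name, proto)."""
    active = []      # ordered list of enabled ciphers
    killed = set()   # ciphers removed with '!' can never be re-added
    for item in cipher_string.split(":"):
        if not item or item.startswith("@"):   # skip empty words / @STRENGTH
            continue
        op, word = (item[0], item[1:]) if item[0] in "+-!" else ("", item)
        parts = word.split("+")                # "RC4+RSA": every part must hold
        hits = [c for c in TABLE if all(_matches(c, p) for p in parts)]
        if op == "!":
            killed.update(hits)
            active = [c for c in active if c not in hits]
        elif op == "-":
            active = [c for c in active if c not in hits]
        elif op == "+":
            # demote: move matching, already-enabled ciphers to the end
            moved = [c for c in active if c in hits]
            active = [c for c in active if c not in hits] + moved
        else:
            for c in hits:
                if c not in active and c not in killed:
                    active.append(c)
    return [(c.name, c.proto) for c in active]


def dropped(string_a, string_b):
    """Ciphers enabled by string_a that string_b no longer enables."""
    return set(resolve(string_a)) - set(resolve(string_b))


if __name__ == "__main__":
    print("!EXPORT56 drops:", sorted(dropped(DEFAULT, DAVID)))
    print("!SSLv2 drops:   ", sorted(dropped(DEFAULT, NO_SSLV2)))
```

Running it shows the trade-off in the reply above: `!EXPORT56` drops exactly the 56-bit export (EXP1024-*) ciphers and nothing else, while excluding SSLv2 drops only the SSLv2-protocol ciphers and keeps the EXP1024 ones. One detail worth checking in your own strings: with `-EXPORT56` instead of `!EXPORT56`, the later `RC4+RSA` word would re-add EXP1024-RC4-SHA, which is why the `!` form is the one that actually removes them.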