Mark,
I am using OpenSSL 0.9.5a, mod_ssl 2.6.6, etc., and have had 'stability' issues with
IE clients.
I must say that all are resolved, and would point you to an earlier post of mine
(thanks M$oft:) - do a search on 'q265369' at
http://marc.theaimsgroup.com/?l=apache-modssl
specifically... Some research showed up document q265369 on support.microsoft.com.
I customised some logs from the server, one to specifically match client
certificate contents and negotiated protocol, and SSLv3 is the most used. (no
news there).
Good Luck,
Mark wrote:
After much trial-and-error, and after trying all the fixes we could find it
appears that a range of IE 4.x and 5.0 browsers simply will not work reliably
with mod_ssl built on OpenSSL > 0.9.4 when allowed to negotiate any kind of SSL
v3.
FYI, our current secure servers are built as follows:
OpenSSL 0.9.6
Apache 1.3.14
mod_ssl 2.7.1
mod_perl 1.24_01
PHP 4.0.2 (module)
(virtual hosts, but separate SSL server, no HTTP)
We have been forced to use:
SSLProtocol all -SSLv3
This seems to be a nasty one, at least for build versions of IE that have been
very widely distributed on various ISP-CDs in the UK. While we are not in a
position to test a wide range of IE builds, at least one that is common, IE
5.00.2314.1003IC, just does NOT work with the following fixes:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
(The FAQ has !EXPORT56 in bold but this is surely incorrect as the cipher tag is
EXP56 ?)
SSLCipherSuite ALL:!ADH:!EXP40:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
was not fruitful either. The build described is a 40bit-only cipher version.
This problem has caused us (and I assume others who like to use latest/best
versions of server software) much grief recently. Can anyone throw more light
on it and possibly suggest a work-around that would force broken browsers to
use SSL v2, or ciphers that reliably work with SSL v3, but let working SSL v3
browsers use SSL v3?
But anyway, many thanks to the whole OpenSSL/mod_ssl team for letting us provide
high quality SSL implementations of any kind!
(I hope the cross-posting is not annoying.)
Mark
Mark Tiramani FREDO Internet Services [EMAIL PROTECTED]
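
The reply above mentions customised logs that record the negotiated protocol. As an added example (not code from either poster), this Python script tallies the protocol each MSIE version negotiated from such a log and lists the versions never seen on SSLv3. The log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (hypothetical, not quoted from the thread):
#   CustomLog logs/ssl_request_log \
#     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b \"%{User-Agent}i\""
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<size>\S+) "(?P<agent>[^"]*)"$')
MSIE_RE = re.compile(r'MSIE (\d+\.\d+)')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE_LOG = """\
[12/Dec/2000:10:01:02 +0000] 192.0.2.10 SSLv3 RC4-MD5 "GET / HTTP/1.0" 1024 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
[12/Dec/2000:10:01:09 +0000] 192.0.2.11 SSLv3 EXP-RC4-MD5 "GET /a HTTP/1.0" 512 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)"
[12/Dec/2000:10:02:15 +0000] 192.0.2.12 SSLv2 EXP-RC4-MD5 "GET / HTTP/1.0" 1024 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
[12/Dec/2000:10:02:40 +0000] 192.0.2.13 SSLv2 EXP-RC4-MD5 "GET /b HTTP/1.0" 300 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
[12/Dec/2000:10:03:01 +0000] 192.0.2.14 TLSv1 DES-CBC3-SHA "GET / HTTP/1.0" 1024 "Mozilla/4.75 [en] (X11; U; Linux 2.2.16 i686)"
[12/Dec/2000:10:03:30 +0000] 192.0.2.14 SSLv3 RC4-MD5 "GET /c HTTP/1.0" 88 "Lynx/2.8.3rel.1"
[12/Dec/2000:10:04:00 +0000] 192.0.2.15 SSLv3
"""

def client_family(agent):
    """Group user agents by MSIE major.minor version; everything else is 'other'."""
    m = MSIE_RE.search(agent)
    return "MSIE " + m.group(1) if m else "other"

def tally(lines):
    """Return ({client family: Counter({protocol: requests})}, unparsed line count)."""
    table = defaultdict(Counter)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # truncated or foreign line: count it, do not guess
            continue
        table[client_family(m.group("agent"))][m.group("proto")] += 1
    return dict(table), skipped

def never_on(table, proto="SSLv3"):
    """Client families that logged requests but none over `proto`."""
    return sorted(f for f, counts in table.items() if counts[proto] == 0)

if __name__ == "__main__":
    table, skipped = tally(SAMPLE_LOG.strip().splitlines())
    for family in sorted(table):
        print(family, dict(table[family]))
    print("never seen on SSLv3:", never_on(table), "| unparsed lines:", skipped)
```

An access log of this kind only records requests that completed, so a version missing from the SSLv3 column is a candidate for closer testing, not proof of a failure.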