Hi,
We have just completed a set of trials on the different versions and types of browsers out there. Yes, we came to the conclusion that versions 4.x and 5.x (excluding 5.5) of IE are very flaky. Lots of problems. Even the latest version of Netscape 4.7 has had some funny responses.
Most of the problems that we discovered were to do with SSL connections being broken frequently, resulting in a re-negotiation of the session keys. When the session was broken, a user message was thrown up for the user to accept before continuing. The problems only seemed to be apparent when using client certificates.
Simon Haddon
x3174
"Mark Tiramani" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
15/10/2000 11:02 PM
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject: MSIE 4.x - 5.0 and SSL v3
After much trial-and-error, and after trying all the fixes we could find, it appears that a range of IE 4.x and 5.0
browsers simply will not work reliably with mod_ssl built on OpenSSL > 0.9.4 when allowed to negotiate any
kind of SSL v3.
FYI, our current secure servers are built as follows:
OpenSSL 0.9.6
Apache 1.3.14
mod_ssl 2.7.1
mod_perl 1.24_01
PHP 4.0.2 (module)
(virtual hosts, but separate SSL server, no HTTP)
We have been forced to use:
SSLProtocol all -SSLv3
This seems to be a nasty one, at least for build versions of IE that have been very widely distributed on
various ISP-CDs in the UK. We are not in a position to test a wide range of IE builds, but at least one
that is common, IE 5.00.2314.1003IC, just does NOT work with the following fixes:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
(The FAQ has !EXPORT56 in bold but this is surely incorrect as the cipher tag is EXP56?)
SSLCipherSuite ALL:!ADH:!EXP40:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
was not fruitful either. The build described is a 40bit-only cipher version.
This problem has caused us (and I assume others who like to use latest/best versions of server software)
much grief recently. Can anyone throw more light on it and possibly suggest a work-around that would force
broken browsers to use SSL v2, or ciphers that reliably work with SSL v3, but let working SSL v3 browsers
use SSL v3.
But anyway, many thanks to the whole OpenSSL/mod_ssl team for letting us provide high quality SSL
implementations of any kind!
(I hope the cross-posting is not annoying.)
Mark
Mark Tiramani
FREDO Internet Services
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
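
An added example, not part of the original thread or of mod_ssl itself: a small Python tally of which protocol and cipher class each browser family actually negotiated, to gauge how many clients a setting such as `SSLProtocol all -SSLv3` touches. The CustomLog format, the family labels and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed log format (not from the thread), using mod_ssl's %{...}x variables:
#   CustomLog logs/ssl_ua_log "%h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{User-Agent}i\""
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
MSIE_RE = re.compile(r'MSIE (\d+)\.(\d+)')
OLD_IE = "MSIE 4.x-5.x (pre-5.5)"  # hypothetical label for the builds the thread reports as flaky

# Constructed sample lines; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 SSLv3 RC4-MD5 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.11 SSLv2 EXP-RC4-MD5 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)"
192.0.2.12 SSLv3 RC4-MD5 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
192.0.2.13 TLSv1 DES-CBC3-SHA "Mozilla/4.7 [en] (X11; I; Linux 2.2.14 i686)"
192.0.2.14 SSLv2 EXP-RC4-MD5 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
this line is malformed and must be skipped
"""

def browser_family(user_agent):
    """Bucket a User-Agent: IE 4.x and 5.x below 5.5, other IE, or anything else."""
    m = MSIE_RE.search(user_agent)
    if not m:
        return "other"
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 4 or (major == 5 and minor < 5):
        return OLD_IE
    return "MSIE other"

def tally(log_text):
    """Count completed requests per (family, protocol, export-cipher?) and skipped lines."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # unparseable line: count it rather than guess
            continue
        _host, proto, cipher, ua = m.groups()
        # OpenSSL export-grade cipher names start with "EXP"
        counts[(browser_family(ua), proto, cipher.startswith("EXP"))] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = tally(SAMPLE_LOG)
    for (family, proto, export), n in sorted(counts.items()):
        print(f"{family:24} {proto:6} {'export' if export else 'full':6} {n}")
    print(f"skipped lines: {skipped}")
```

Only requests that completed a handshake reach this log, so clients that fail during negotiation have to be found in the SSL engine or error log instead.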
