OK, another data point in the never-ending story of how bad MSIE sucks at
SSL.

Site in question :
https://www.camelot.ca/

I'm using:
OS: Red Hat 6.2 / Kernel 2.2.16 
Server: Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6


Relevant parts of my config:
------------------------------------------------------------------
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
SetEnvIf User-Agent ".*WebTV.*" !ssl-unclean-shutdown
SSLCipherSuite ALL:!ADH:!EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA: \
        !EXP-RC4-MD5:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

CustomLog /var/log/httpd/ssl/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b \"%{User-Agent}i\" \
[camelot]"


SSLEngine on
SSLLog logs/camelot.ssl/ssl_log

SSLCertificateFile /usr/local/ssl/certs/www.camelot.ca-2000.cert
SSLCertificateKeyFile /usr/local/ssl/private/www.camelot.ca-2000.key
--------------------------------------------------------------------

I can connect with MSIE 5.0 once.  Then I have to either restart the server
or MSIE.  So, this is either MSIE corrupting internal data in the SSL
implementation, or Apache is still using keepalive, despite the
"nokeepalive".

I realise that upgrading MSIE would fix this, however I don't know
if I can require this of all folks who want to purchase from this site.

Of interest :
A working version of MSIE 5.5 has the following log :
[20/Dec/2000:22:43:54 -0500] 203.101.127.178 SSLv3 RC4-MD5 "GET /
HTTP/1.1" - "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" [camelot]

A working once only version of MSIE 5.0 logs the following on its first
connection.  Other attempts log nothing :
[20/Dec/2000:22:09:24 -0500] 207.253.79.23 SSLv3 EXP-DES-CBC-SHA "GET /
HTTP/1.1" - "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
[camelot]

A working version of Netscape 4.73 logs the following :
[20/Dec/2000:22:54:06 -0500] 207.253.184.23 SSLv3 RC4-MD5 "GET / HTTP/1.0"
- "Mozilla/4.73 [en] (X11; U; Linux 2.2.18 i586)" [camelot]

Note that both working versions are using the RC4-MD5 cipher.  I'm going
to explore this more tonight, maybe trying to force MSIE 5.0 to use
RC4-MD5 also.

I realise that upgrading MSIE would fix this.  I wish I didn't have to if
I can require all folks who want to purchase from this site to do this. 
The lengthy download required for upgrading can be irksome for folks on
dial-up connections.  

-Philip

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
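Added example (not from the post or from mod_ssl): a small Python analyzer for the
ssl_request_log format defined by the CustomLog directive above. It parses the
three log lines quoted in the post, groups negotiated protocol/cipher by browser,
and flags handshakes that landed on an export-grade suite. Worth noticing in the
post's own data: the MSIE 5.0 line negotiated EXP-DES-CBC-SHA, an export suite that
the posted SSLCipherSuite string ("ALL:... :+LOW:+SSLv2:+EXP") never excludes, so
the cipher difference between the working and non-working browsers is visible from
the log alone. The regex, the browser-bucketing heuristic and the function names
are assumptions of this example.

```python
import re
from collections import defaultdict

# Matches the format string from the post's CustomLog directive:
#   %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b "%{User-Agent}i" [camelot]
# (assumption: one request per line, fields separated by single spaces)
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<protocol>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+) "(?P<agent>[^"]*)" \[(?P<vhost>[^\]]+)\]$'
)

# Sample input: the three lines quoted in the post, rejoined where the
# archive wrapped them (constructed test data for this example).
SAMPLE_LOG = [
    '[20/Dec/2000:22:43:54 -0500] 203.101.127.178 SSLv3 RC4-MD5 "GET / HTTP/1.1" '
    '- "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" [camelot]',
    '[20/Dec/2000:22:09:24 -0500] 207.253.79.23 SSLv3 EXP-DES-CBC-SHA "GET / HTTP/1.1" '
    '- "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)" [camelot]',
    '[20/Dec/2000:22:54:06 -0500] 207.253.184.23 SSLv3 RC4-MD5 "GET / HTTP/1.0" '
    '- "Mozilla/4.73 [en] (X11; U; Linux 2.2.18 i586)" [camelot]',
]


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # %b logs "-" when no body bytes were sent; normalise to 0
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def cipher_is_export_grade(cipher):
    """OpenSSL names 40/56-bit export suites with an EXP or EXP1024 prefix,
    the same prefixes the post's SSLCipherSuite tries to exclude by name."""
    return cipher.startswith("EXP")


def browser_from_agent(agent):
    """Bucket a User-Agent into a short browser label (heuristic)."""
    m = re.search(r'(MSIE \d+\.\d+)', agent)
    if m:
        return m.group(1)
    if agent.startswith("Mozilla/"):
        # e.g. "Mozilla/4.73 [en] (X11; ...)" -> "Mozilla/4.73"
        return "Mozilla/" + agent.split("/", 1)[1].split()[0]
    return agent


def analyze(lines):
    """Parse all well-formed lines into records."""
    return [r for r in (parse_line(l) for l in lines) if r]


def ciphers_by_browser(records):
    """Map browser label -> sorted list of (protocol, cipher) pairs seen."""
    seen = defaultdict(set)
    for r in records:
        seen[browser_from_agent(r["agent"])].add((r["protocol"], r["cipher"]))
    return {k: sorted(v) for k, v in seen.items()}


def export_grade_handshakes(records):
    """Records whose negotiated suite is export-grade (a config weakness)."""
    return [r for r in records if cipher_is_export_grade(r["cipher"])]


if __name__ == "__main__":
    recs = analyze(SAMPLE_LOG)
    for browser, suites in sorted(ciphers_by_browser(recs).items()):
        print(f"{browser:14s} {suites}")
    for r in export_grade_handshakes(recs):
        print(f"export-grade suite {r['cipher']} from {r['host']} ({r['agent']})")
```

Run against a real ssl_request_log, the `export_grade_handshakes` list is the
quick check for whether `+LOW:+EXP` in the cipher string is doing more than the
explicit `!EXP...` exclusions suggest.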
