Try adding this to your SSLCipherSuite line:
!EXP-DES-CBC-SHA
Both of your working browsers are using 128-bit encryption; your IE 5.0
browser is most likely a 56-bit browser. I've gotten these to work with
only this line:
SSLCipherSuite ALL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
I'm not sure why you're taking out all those ciphers, do they fix other
browsers?
-Dave
On Wed, Dec 20, 2000 at 11:46:47PM -0500, [EMAIL PROTECTED] wrote:
> OK, another data point in the never ending story of how bad MSIE sucks at
> SSL.
>
> Site in question :
> https://www.camelot.ca/
>
> I'm using:
> OS: Red Hat 6.2 / Kernel 2.2.16
> Server: Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6
>
>
> Relevant parts of my config:
> ------------------------------------------------------------------
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> SetEnvIf User-Agent ".*WebTV.*" !ssl-unclean-shutdown
> SSLCipherSuite ALL:!ADH:!EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA: \
> !EXP-RC4-MD5:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> CustomLog /var/log/httpd/ssl/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b \"%{User-Agent}i\" \
> [camelot]"
>
>
> SSLEngine on
> SSLLog logs/camelot.ssl/ssl_log
>
> SSLCertificateFile /usr/local/ssl/certs/www.camelot.ca-2000.cert
> SSLCertificateKeyFile /usr/local/ssl/private/www.camelot.ca-2000.key
> --------------------------------------------------------------------
>
> I can connect with MSIE 5.0 once. Then I have to either restart the server
> or MSIE. So, this is either MSIE corrupting internal data in the SSL
> implementation, or Apache is still using keepalive, despite the
> "nokeepalive".
>
> I realise that upgrading MSIE would fix this, however I don't know
> if I can require this of all folks who want to purchase from this site.
>
> Of interest :
> A working version of MSIE 5.5 has the following log :
> [20/Dec/2000:22:43:54 -0500] 203.101.127.178 SSLv3 RC4-MD5 "GET /
> HTTP/1.1" - "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" [camelot]
>
> A working once only version of MSIE 5.0 logs the following on its first
> connection. Other attempts log nothing :
> [20/Dec/2000:22:09:24 -0500] 207.253.79.23 SSLv3 EXP-DES-CBC-SHA "GET /
> HTTP/1.1" - "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
> [camelot]
>
> A working version of Netscape 4.73 logs the following :
> [20/Dec/2000:22:54:06 -0500] 207.253.184.23 SSLv3 RC4-MD5 "GET / HTTP/1.0"
> - "Mozilla/4.73 [en] (X11; U; Linux 2.2.18 i586)" [camelot]
>
> Note that both working versions are using the RC4-MD5 cipher. I'm going
> to explore this more tonight, maybe trying to force MSIE 5.0 to use
> RC4-MD5 also.
>
> I realise that upgrading MSIE would fix this. I wish I didn't have to if
> I can require all folks who want to purchase from this site to do this.
> The lengthy download required for upgrading can be irksome for folks on
> dial-up connections.
>
> -Philip
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
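
An added example, not part of either post: a Python script that parses the ssl_request_log format quoted above and reports which User-Agents negotiated only export-grade ciphers, i.e. the clients an `!EXP-...` exclusion in SSLCipherSuite would affect. The function names are hypothetical; the three log lines are the ones from the thread, rejoined onto single lines, and the malformed line is constructed.

```python
import re
from collections import defaultdict

# Matches the CustomLog format quoted in the thread:
# %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b "%{User-Agent}i" [tag]
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+) "(?P<agent>[^"]*)"'
)

# Log lines from the thread (rejoined), plus one constructed malformed line.
SAMPLE_LOG = """\
[20/Dec/2000:22:43:54 -0500] 203.101.127.178 SSLv3 RC4-MD5 "GET / HTTP/1.1" - "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)" [camelot]
[20/Dec/2000:22:09:24 -0500] 207.253.79.23 SSLv3 EXP-DES-CBC-SHA "GET / HTTP/1.1" - "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)" [camelot]
[20/Dec/2000:22:54:06 -0500] 207.253.184.23 SSLv3 RC4-MD5 "GET / HTTP/1.0" - "Mozilla/4.73 [en] (X11; U; Linux 2.2.18 i586)" [camelot]
this line is malformed and must be skipped
"""

def is_export(cipher):
    """OpenSSL names export-grade suites with an EXP- or EXP1024- prefix."""
    return cipher.startswith("EXP")

def ciphers_by_agent(log_text):
    """Map each User-Agent to the set of (protocol, cipher) pairs it negotiated."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not in the expected format
            seen[m["agent"]].add((m["proto"], m["cipher"]))
    return dict(seen)

def export_only_agents(log_text):
    """Agents whose every logged handshake used an export-grade cipher."""
    return sorted(
        agent for agent, pairs in ciphers_by_agent(log_text).items()
        if all(is_export(cipher) for _, cipher in pairs)
    )

if __name__ == "__main__":
    for agent, pairs in ciphers_by_agent(SAMPLE_LOG).items():
        for proto, cipher in sorted(pairs):
            flag = "EXPORT" if is_export(cipher) else "ok"
            print(f"{flag:6} {proto} {cipher:16} {agent}")
    print("export-only:", export_only_agents(SAMPLE_LOG))
```
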