Hello,

I've got Apache and mod-ssl running on Red Hat. The Global ID we got from Verisign seems to work for every other browser except IE 5.0.

The PROBLEM: When I hit the submit button on a form using a secured connection, I get a message telling me that I am leaving the secured site, and if I hit yes to continue, it gives me an IE page-not-found message (not a 404 message).

Verisign support suspected this to be a problem with IE 5.0 56bit browsers not properly executing the step-up from 40 to 128 bit encryption. Verisign sent us a possible fix, but it doesn't work for us (I've included the fix below).

Is there anyone familiar with this problem? I would appreciate any insights,

Dan Zaitsu

This is the conversation between Verisign and an Apache customer. This is a fix for IE 5.0x 56bit browsers not performing the step-up with the Global server IDs.

If you go to this 'thread', you should be able to find the entire discussion on the topic...

http://marc.theaimsgroup.com/?l=apache-modssl&m=97430424603650&w=2

I think we got around the problem (without having to 'redirect' users...)

In the Apache webserver config ("httpd.conf") we changed the line which 'rejects' certain browser types (Oddly enough, someone had written into the "mod_ssl" message board, and used the 'keyword' "EXPORT56" instead of "EXP56" which is provided with the initial "httpd.conf" file with Apache, and by using that variation, it seems to work).
    ##SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

And added a line (within the 'systemwide LOCATION' section) which would make sure that all browsers 'jump up' to the 128bit encryption level:

    SSLRequire %{SSL_CIPHER} >= 128

The result (from reading through the Apache SSL logs) is that instead of seeing the browser coming in as an "EXP1024-RC4-SHA (56/128)" version (which Apache/Mod_SSL had a problem negotiating the 128bit encryption level with), it sees it as an "EXP-RC4-MD5 (40/128)", which though apparently a 'crappier' version, is one that Apache/Mod_SSL could deal with....

The secure web transactions that followed for that client appear as:

    Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)

which means that the webserver was able to force the browser to 'jump up' to its level of encryption...

Just to confirm, this was to resolve the issue with "export" versions not connecting/stepping up?

Yes, it's the "export versions" that appear to the webserver as "EXP1024-RC4-SHA (56/128)". It appears that any version of MSIE 5.0XXXXX that was shipping with the original version of Windows-2000 has a 'bug' that results in the 'step-up' issue... Windows-2000 SR1 (service release 1) comes with a slightly newer version, which doesn't have the problem... (do you think that Microsoft did this on purpose, since IIS webservers don't appear to have any problem negotiating with the browsers?)
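The log check described in the message above (looking for clients that arrive with an export cipher and seeing whether later connections reach 128/128) can be scripted. This is an added example, not part of the original post or of mod_ssl; the line layout is an assumption modelled on the "Protocol: ..., Cipher: ... (used/algorithm bits)" fragment quoted in the post, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed record shape (only the Protocol/Cipher part is quoted in the post):
#   ... Client IP: <ip>, Protocol: <proto>, Cipher: <name> (<used>/<algo> bits)
LINE_RE = re.compile(
    r"Client IP: (?P<ip>[^,\s]+), Protocol: (?P<proto>\S+), "
    r"Cipher: (?P<cipher>\S+) \((?P<used>\d+)/(?P<algo>\d+)(?: bits)?\)"
)

# Constructed sample log; addresses come from the documentation range.
SAMPLE_LOG = [
    "[info] Connection: Client IP: 192.0.2.10, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)",
    "[info] Connection: Client IP: 192.0.2.10, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)",
    "[info] Connection: Client IP: 192.0.2.20, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (56/128 bits)",
    "[info] Connection: Client IP: 192.0.2.30, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)",
    "[error] unrelated line without a cipher record",
]

def parse(line):
    """Return (ip, cipher, used_bits), or None if the line is not a handshake record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["ip"], m["cipher"], int(m["used"])

def classify(lines, required_bits=128):
    """Label each client by the key sizes seen across its handshakes, in log order.

    strong      every handshake used at least required_bits
    stepped-up  an earlier handshake was weaker, the latest one reached required_bits
    stuck       the latest handshake is still below required_bits
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ip, _cipher, used = rec
            seen[ip].append(used)
    result = {}
    for ip, bits in seen.items():
        if min(bits) >= required_bits:
            result[ip] = "strong"
        elif bits[-1] >= required_bits:
            result[ip] = "stepped-up"
        else:
            result[ip] = "stuck"
    return result

if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip}\t{label}")
```

Clients labelled "stuck" are the ones to compare against the browser's User-Agent in the access log when checking whether the step-up failure follows a particular IE build.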
