> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of John Kestner
>
> [EMAIL PROTECTED] writes:
> >> Actually, I just tried adding:
> >>
> >> SSLRequire %{SSL_CIPHER} >= 128
> >>
> >> And it appears to work on just about every new and old browser/platform!
> >> Hope this helps some future newbie...
> >
> >Even on non-128 bit browsers?
>
> Yes - it drops back to 40-bit. Doesn't seem quite right, I know - perhaps
> I'm misinterpreting it. But this was a suggestion in the archives at
> http://www.mail-archive.com/[email protected]/msg10187.html
>
> If this isn't as secure as I think, please point it out to me.

Curious, according to the docs, it shouldn't allow those browsers to
connect. Are you using one of the step-up certificates from Verisign?
Do you also have the following lines installed?

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

If you do, could you try it without "SSLRequire %{SSL_CIPHER} >= 128", I'm
not convinced that the SSLRequire makes a difference.
-Dave
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
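
Added example, not part of the original thread and not mod_ssl code: one way to check from the server's own logs whether clients that negotiate fewer than 128 bits are actually being refused, which is the question the reply raises. It assumes a CustomLog format that records mod_ssl's %{SSL_CIPHER}x and %{SSL_CIPHER_USEKEYSIZE}x; that format, the function name audit and the sample log lines are constructed for illustration.

```python
import re

# Assumed log format (an assumption, not taken from the thread):
#   CustomLog logs/ssl_request_log \
#     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%r\" %>s"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'(?P<bits>\S+) "(?P<request>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample lines; the addresses are from the documentation range.
SAMPLE_LOG = """\
[12/Mar/2001:10:01:02 +0000] 192.0.2.10 SSLv3 RC4-MD5 128 "GET /secure/ HTTP/1.0" 200
[12/Mar/2001:10:01:09 +0000] 192.0.2.11 SSLv3 EXP-RC4-MD5 40 "GET /secure/ HTTP/1.0" 200
[12/Mar/2001:10:02:30 +0000] 192.0.2.12 SSLv2 DES-CBC-MD5 56 "GET /secure/ HTTP/1.0" 403
[12/Mar/2001:10:03:00 +0000] 192.0.2.13 - - - "GET /secure/ HTTP/1.0" 400
this line is malformed
"""


def audit(log_text, min_bits=128):
    """Split sub-min_bits requests into (served, denied) and count skipped lines.

    served: weak-cipher requests answered with anything other than 403,
            meaning the access rule did not stop them.
    denied: weak-cipher requests refused with 403 Forbidden.
    """
    served, denied, skipped = [], [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["bits"].isdigit():
            skipped += 1  # unparsable line, or no SSL session was logged ("-")
            continue
        bits = int(m["bits"])
        if bits >= min_bits:
            continue  # strong enough, nothing to report
        record = (m["host"], m["cipher"], bits, int(m["status"]))
        (denied if record[3] == 403 else served).append(record)
    return served, denied, skipped


if __name__ == "__main__":
    served, denied, skipped = audit(SAMPLE_LOG)
    for host, cipher, bits, status in served:
        print(f"NOT ENFORCED: {host} got {status} over {cipher} ({bits} bits)")
    print(f"{len(denied)} weak request(s) refused, {skipped} line(s) skipped")
```

Any "NOT ENFORCED" line for a protected URL means a client below the threshold was still served, so the restriction is not doing what was intended.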