David,

While posting information about known issues is currently done on our web
site, 
http://www.verisign.com/support/vendors/issues.html

the issues posted are ones that have been documented by the vendor in
question.

If you can find some way of having APACHE users list what works and what
doesn't work with our Global Certificates, then I'm willing to take this
issue up with our web master and have the information posted for all to see.
I'm guessing here that it doesn't matter if the end-user is using a Thawte
"Super Cert" or a Verisign "Global Certificate"...the issue still lies with
the initial SSL handshake not being completed by the browser for one reason
or another. (Browser being of the 'exported' version 40/56 bit variety)

Also, regarding MOD_SSL, Mr. Engelschall has stated that MOD does support
the SGC/Step Up function. 
(He states: "...Yes, mod_ssl since version 2.1 supports the SGC facility.
You don't have to configure anything special for this, just use a Global ID
as your server certificate. The step up of the clients are then
automatically handled by mod_ssl under run-time. For details please read the
README.GlobalID document in the mod_ssl distribution...")
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC38

But apparently you do have to configure something special...the information
below, in order for export clients to step up to the stronger ciphers.

Therefore, in your opinion, what would seem like the most appropriate step
to take? Have the Apache websites post the correct information, or have
Verisign take that responsibility?

Sincerely,

Ray Erdmann
Technical Support
Verisign, Inc.

-----Original Message-----
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 12, 2001 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: RE: RE: RE: SSL-induced loading errors


All I said was that it seems that Verisign Step-Up certs require the
following line in the Apache config file to work properly:

SSLRequire %{SSL_CIPHER} >= 128

I deduced this from various reports which I have seen from users on the
mod_ssl list like Ray Erdmann.  It seems that if you are using a Verisign
Step-Up cert and do not include the line above, you will get IO Errors when
connecting with MSIE.

However, I don't have a Verisign Step-Up cert to verify this myself,
so if you know this to be false, maybe you can post a known working
configuration or what you recommend to your customers.

-Dave

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ray Erdmann
> Sent: Monday, February 12, 2001 10:59 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: RE: RE: RE: SSL-induced loading errors
>
> But could you elaborate as to why you state "Verisign Requires?"....We're
> not requiring anything on the server side 'except' the certificate request
> file?
>
>
> -----Original Message-----
> From: David Rees [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 09, 2001 4:00 PM
> To: [EMAIL PROTECTED]
> Cc: Ralf S. Engelschall
> Subject: RE: RE: RE: RE: SSL-induced loading errors
>
>
> > >Curious, according to the docs, it shouldn't allow those browsers to
> > >connect.  Are you using one of the step-up certificates from Verisign?
> >
> > So I'm told by the guy who acquired our certificates from Verisign. How do
> > I tell?
>
> I'm not sure, does anyone else know?
>
> > >Do you also have the following lines installed?
> > >
> > >SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > >
> > >SetEnvIf User-Agent ".*MSIE.*" \
> > >   nokeepalive ssl-unclean-shutdown \
> > >   downgrade-1.0 force-response-1.0
> > >
> > >If you do, could you try it without "SSLRequire %{SSL_CIPHER} >= 128", I'm
> > >not convinced that the SSLRequire makes a difference.
> >
> > I do have those lines installed, and it was giving me all the decryption
> > errors, which only went away once I added the SSLRequire.
>
> OK, Looks like another item for the FAQ.  Ralf, can you add something for
> Decryption errors when using Verisign Step Up certs?  It looks like when
> using Verisign step-up certs, they require the line: "SSLRequire
> %{SSL_CIPHER} >= 128" to work properly on all browsers.
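
As an added illustration (not code from this thread or from mod_ssl), the following Python snippet audits the three directives quoted above in a constructed httpd.conf fragment: which weak cipher aliases the SSLCipherSuite string actually leaves negotiable (a "+" prefix only reorders suites already selected by ALL, it does not remove them, while "!" removes them for good), whether an SSLRequire enforces a minimum cipher strength, and whether the MSIE SetEnvIf workaround is present. The helpers `audit()` and `weak_ciphers_still_enabled()` are hypothetical names, and the cipher logic is an alias-level approximation of OpenSSL's cipher-string rules rather than OpenSSL's own resolver; the SSLRequire check also accepts mod_ssl's numeric `SSL_CIPHER_USEKEYSIZE` variable.

```python
import re

# Constructed sample config: the directives quoted in this thread, laid
# out as they would appear in httpd.conf (note the continuation lines).
SAMPLE_CONF = """
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SetEnvIf User-Agent ".*MSIE.*" \\
    nokeepalive ssl-unclean-shutdown \\
    downgrade-1.0 force-response-1.0
SSLRequire %{SSL_CIPHER} >= 128
"""

# Aliases a reviewer would not want left negotiable: 40-bit export (EXP),
# 56-bit export (EXPORT56), LOW, no encryption (eNULL), anonymous DH (ADH).
WEAK = {"EXP", "EXPORT56", "LOW", "eNULL", "ADH"}

def _logical_lines(text):
    # Join backslash-continued lines the way httpd's config parser does.
    return [ln.strip() for ln in text.replace("\\\n", " ").splitlines() if ln.strip()]

def weak_ciphers_still_enabled(spec):
    """Alias-level approximation (hypothetical helper, not OpenSSL's resolver):
    bare alias adds, '!' removes for good, '-' removes, '+' only reorders;
    ALL covers every alias except eNULL."""
    enabled, killed = set(), set()
    for tok in spec.split(":"):
        if tok == "ALL":
            enabled |= WEAK - {"eNULL"}
        elif tok.startswith("!"):
            killed.add(tok[1:])
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        elif not tok.startswith("+"):
            enabled.add(tok)
    if killed & {"EXP", "EXPORT"}:  # removing all export suites covers 56-bit too
        killed.add("EXPORT56")
    return sorted((enabled & WEAK) - killed)

def audit(conf_text):
    """Report the three SGC-related settings discussed in the thread."""
    findings = {"weak_ciphers": [], "min_bits": None, "msie_workaround": False}
    for line in _logical_lines(conf_text):
        directive, _, args = line.partition(" ")
        if directive == "SSLCipherSuite":
            findings["weak_ciphers"] = weak_ciphers_still_enabled(args.strip())
        elif directive == "SSLRequire":
            m = re.search(r"%\{SSL_CIPHER(?:_USEKEYSIZE)?\}\s*>=\s*(\d+)", args)
            if m:
                findings["min_bits"] = int(m.group(1))
        elif directive == "SetEnvIf" and "MSIE" in args:
            findings["msie_workaround"] = "ssl-unclean-shutdown" in args
    return findings
```

Run against the sample, the audit reports that EXP and LOW suites stay enabled by that SSLCipherSuite string, so the SSLRequire line is the only setting forcing export clients to step up to 128 bits.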

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]