> While posting information about known issues is currently done on our web
> site,
> http://www.verisign.com/support/vendors/issues.html
>
> the issues posted are ones that have been documented by the vendor in
> question.

There is no reference to mod_ssl on this page.

> If you can find some way of having APACHE users list what works and what
> doesn't work with our Global Certificates, then I'm willing to take this
> issue up with our web master and have the information posted for all to see.
> I'm guessing here that it doesn't matter if the end-user is using a Thawte
> "Super Cert" or a Verisign "Global Certificate"...the issue still lies with
> the initial SSL handshake not being completed by the browser for one reason
> or another. (Browser being of the 'exported' version 40/56 bit variety)

I have no way to verify this myself.  Does anyone else on the list?

> Also, regarding MOD_SSL, Mr. Engelschall has stated that MOD does support
> the SGC/Step Up function.
> (He states: "...Yes, mod_ssl since version 2.1 supports the SGC facility.
> You don't have to configure anything special for this, just use a Global ID
> as your server certificate. The step up of the clients are then
> automatically handled by mod_ssl under run-time. For details please read the
> README.GlobalID document in the mod_ssl distribution...")
> http://www.modssl.org/docs/2.6/ssl_faq.html#ToC38
>
> But apparently you do have to configure something special...the information
> below, in order for export clients to step up to the stronger ciphers.

No, in MOST cases, you do NOT have to configure something special, it just
works.  For what I know, all Netscape browsers do work as expected.
However, in some cases with some broken MSIE browsers, it seems that at
least one user on the mod_ssl list needed the extra line I posted earlier for
these browsers to work.  It is not the first time we've had to include
various hacks to the configuration to work with broken MSIE browsers.  (For
example removing all 56-bit ciphers from the list of valid ciphers)

> Therefore, in your opinion, what would seem like the most appropriate step
> to take? Have the Apache websites post the correct information or have
> Verisign take that responsibility.

www.modssl.org isn't Apache's website, it is the mod_ssl web site.  If the
line I posted earlier is verified to be needed to work around these broken
MSIE browsers, I would like to see it on the mod_ssl web site under the FAQ,
but so far we have only one case to go by.  It seems to me that if you
(Verisign) would like to post something on your website, you should attempt
to reproduce the problem/solution on your own hardware first.

-Dave

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
