Hi Dave, et al:
I just joined the mod_ssl mailing list and found the directives for
SSLRequire and SSLCipherSuite very helpful.
We are running Apache 1.3.14 with mod_ssl 2.7.1, openssl 0.9.6 and mm 1.1.3
on Solaris 7 (yikes!). We are also using a Verisign Global ("Step-up") ID.
While most browsers were "bumping up" to 128-bit encryption, regardless of
their origin (i.e. domestic vs. export, etc.), Mac versions of IE, as well
as IE5.x running on Windows 2000 WITHOUT Service Pack 1 were failing to
negotiate the correct algorithm, killing the connection. This is, in fact, a
known issue and excused by Microsoft in the following KB article:
http://support.microsoft.com/support/kb/articles/Q249/8/63.ASP
After we added the two directives discussed at the beginning of this post,
however, all of our client browsers (including the broken IE5.x variants)
negotiated the handshake correctly and were bumped-up to 128-bit encryption.
It seems that even non-128 bit browsers also work correctly - although I
have only tested this with a Verisign Global ID.
Cheers,
Geoff
> [EMAIL PROTECTED] writes:
> >Can you post the config for your SSL virtual host without comments?
>
> Actually, I just tried adding:
>
> SSLRequire %{SSL_CIPHER} >= 128
>
> And it appears to work on just about every new and old browser/platform!
> Hope this helps some future newbie...
>>Even on non-128 bit browsers?
>>-Dave
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
