Following instructions in the FAQ (thanks for the fix) we have set our CipherSuite directive as follows:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
We are using Apache 1.3.14 with mod_ssl 2.7.1, and a BT Trustwise (CA Verisign) 128-bit "Global Site ID" certificate.
Presumably, taking out the "EXPORT56" set of ciphers will cause some browsers to kick down to 40-bit encryption or possibly 64-bit RC4 (is that "down" from DES56?). But I can't find a browser that responds this way -- all our export IE5+ and NS4.6+ browsers kick up to 128.
Can anyone explain the exact consequences of removing the EXPORT56 cipher sets, and which browser will get degraded connections? I assume that "EXPORT56" comprises the following cipher sets: SSLv3/RSA/DES(56), SSLv2/RSA/DES(56).
The reason for my enquiry is that the workaround has the unfortunate effect of provoking, in the IE5 security info dialogue, the message "This certificate has failed to verify for all of its intended purposes". I know that this is a spurious warning, but our customers don't, so I need to craft some words of reassurance in *our* FAQ. I've got as far as explaining that, to get around the IE5 bug, we have "disabled certain non-essential security options". This will satisfy probably 50%-70% of the readership, but there are a paranoid (and vociferous) few who will want to know "just what that g*d**mn well means", but in low-tech language.
Regards,
Charles Lambert
IT Architect
Blackwell Ltd.
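Added illustration, not part of the original post and not code from mod_ssl or OpenSSL: a small Python model of how OpenSSL evaluates a cipher string such as the SSLCipherSuite value quoted above. The cipher table is a constructed subset of the suites a server of that era listed, tagged with the aliases from the OpenSSL ciphers(1) page of the time (EXPORT56 covers the EXP1024-* 56-bit export suites; the plain DES-CBC suites are LOW, not EXPORT56); the "export browser" client hello is a hypothetical one. The names FAQ_SPEC, expand_cipher_spec, labels, negotiate and EXPORT_BROWSER are mine. Running it shows what "!EXPORT56" actually removes, why the later "+EXP" cannot bring those suites back, and what a client that offers only export suites is left with.

```python
"""Model of OpenSSL / mod_ssl SSLCipherSuite evaluation (added example).

Not code from the original post, mod_ssl or OpenSSL.  CIPHER_TABLE is a
constructed, illustrative subset; its alias tags follow ciphers(1):
EXPORT56 = 56-bit export (EXP1024-*) suites, LOW = non-export 56/64-bit.
"""

# (name, protocol, aliases).  OpenSSL really does use the name RC4-MD5 for
# both an SSLv2 and an SSLv3 suite, so the protocol is part of the key.
CIPHER_TABLE = [
    ("DES-CBC3-SHA",        "SSLv3", frozenset({"RSA", "HIGH", "3DES", "SHA"})),
    ("RC4-SHA",             "SSLv3", frozenset({"RSA", "MEDIUM", "RC4", "SHA"})),
    ("RC4-MD5",             "SSLv3", frozenset({"RSA", "MEDIUM", "RC4", "MD5"})),
    ("DES-CBC-SHA",         "SSLv3", frozenset({"RSA", "LOW", "DES", "SHA"})),
    ("EXP1024-RC4-SHA",     "SSLv3", frozenset({"RSA", "EXP", "EXPORT56", "RC4", "SHA"})),
    ("EXP1024-DES-CBC-SHA", "SSLv3", frozenset({"RSA", "EXP", "EXPORT56", "DES", "SHA"})),
    ("EXP-RC4-MD5",         "SSLv3", frozenset({"RSA", "EXP", "EXPORT40", "RC4", "MD5"})),
    ("EXP-DES-CBC-SHA",     "SSLv3", frozenset({"RSA", "EXP", "EXPORT40", "DES", "SHA"})),
    ("ADH-RC4-MD5",         "SSLv3", frozenset({"ADH", "MEDIUM", "RC4", "MD5"})),
    ("DES-CBC3-MD5",        "SSLv2", frozenset({"RSA", "HIGH", "3DES", "MD5"})),
    ("RC4-MD5",             "SSLv2", frozenset({"RSA", "MEDIUM", "RC4", "MD5"})),
    ("DES-CBC-MD5",         "SSLv2", frozenset({"RSA", "LOW", "DES", "MD5"})),
    ("EXP-RC4-MD5",         "SSLv2", frozenset({"RSA", "EXP", "EXPORT40", "RC4", "MD5"})),
]

# The directive from the mod_ssl FAQ quoted in the post.
FAQ_SPEC = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"


def suite_matches(suite, alias):
    """'RC4+RSA' inside one word means every '+'-joined part must match."""
    name, proto, tags = suite
    return all(part in ("ALL", name, proto) or part in tags
               for part in alias.split("+"))


def expand_cipher_spec(spec, table=CIPHER_TABLE):
    """Return the ordered list of suites the server would offer for `spec`.

    Prefix semantics, as in ciphers(1):
      (none)  append matching suites that are not yet in the list
      -       delete matching suites; a later word may add them again
      +       move matching suites that are in the list to its end
      !       delete matching suites permanently; nothing re-adds them
    """
    offered, banned = [], set()
    for word in spec.replace(",", ":").replace(" ", ":").split(":"):
        if not word:
            continue
        if word == "@STRENGTH":
            raise NotImplementedError("@STRENGTH sorting is not modelled")
        op, alias = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        hits = [s for s in table if suite_matches(s, alias)]
        if op == "!":
            banned.update(hits)
            offered = [s for s in offered if s not in banned]
        elif op == "-":
            offered = [s for s in offered if s not in hits]
        elif op == "+":
            offered = ([s for s in offered if s not in hits]
                       + [s for s in offered if s in hits])
        else:
            offered += [s for s in hits if s not in offered and s not in banned]
    return offered


def labels(suites):
    """Human-readable 'NAME (PROTO)' form of a suite list."""
    return [f"{name} ({proto})" for name, proto, _ in suites]


def suite(name, proto):
    return next(s for s in CIPHER_TABLE if s[0] == name and s[1] == proto)


# Hypothetical client hello of an export-grade browser: it offers only the
# export suites, 56-bit ones first.  Constructed for the example.
EXPORT_BROWSER = [suite("EXP1024-RC4-SHA", "SSLv3"),
                  suite("EXP1024-DES-CBC-SHA", "SSLv3"),
                  suite("EXP-RC4-MD5", "SSLv3"),
                  suite("EXP-DES-CBC-SHA", "SSLv3")]


def negotiate(client_offer, server_offer):
    """First suite in the client's order that the server also offers
    (what OpenSSL picks when the server does not impose its own order)."""
    return next((s for s in client_offer if s in server_offer), None)


if __name__ == "__main__":
    with_56 = expand_cipher_spec(FAQ_SPEC)
    without_bang = expand_cipher_spec(FAQ_SPEC.replace(":!EXPORT56", ""))
    print("Server order with the FAQ directive:")
    for line in labels(with_56):
        print("  ", line)
    print("Removed by !EXPORT56:",
          sorted(set(labels(without_bang)) - set(labels(with_56))))
    print("'+EXP' cannot re-add them:",
          labels(expand_cipher_spec("ALL:!EXPORT56:EXPORT56"))[-2:])
    print("'-EXPORT56' would:",
          labels(expand_cipher_spec("ALL:-EXPORT56:EXPORT56"))[-2:])
    print("Export browser gets:", negotiate(EXPORT_BROWSER, with_56)[0])
```

The last line is the practical answer to the question in the post, under the model's assumptions: a client that offers only export suites negotiates a 40-bit EXP suite once the EXP1024 suites are gone, while a client that also offers 128-bit suites is unaffected because those sit ahead in both lists.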
