If you simply take out the !EXPORT56, you'll most likely find that the
same 56-bit IE users now can't connect to the site at all.
Take your pick: A warning, or no connection at all. :-(
Taking a look at the Thawte site and their FAQ about Super Certs, it seems
that you can disable only these ciphers and get the broken MSIE clients to
work:
DES-CBC-SHA, DES-CBC-MD5, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA
Can you try this?
SSLCipherSuite ALL:!ADH:!DES-CBC-SHA:!DES-CBC-MD5:!EDH-RSA-DES-CBC-SHA:!EDH-DSS-DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
If anyone else can test this line with various browsers (especially
56-bit versions), it would be helpful, too.
-Dave
On Thu, Mar 29, 2001 at 01:45:58PM +0100, [EMAIL PROTECTED]
wrote:
> Following instructions in the FAQ (thanks for the fix) we have set our
> CipherSuite directive as follows:
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> We are using Apache 1.3.14 with mod-ssl 2.7.1, and a BT Trustwise (CA
> Verisign) 128-bit "Global Site ID" certificate.
>
> Presumably, taking out the "EXPORT56" set of ciphers will cause some
> browsers to kick down to 40-bit encryption or possibly 64-bit RC4 (is that
> "down" from DES56?). But I can't find a browser that responds this way --
> all our export IE5+ and NS4.6+ browsers kick up to 128.
>
> Can anyone explain the exact consequences of removing the EXPORT56 cipher
> sets, and which browser will get degraded connections? I assume that
> "EXPORT56" comprises the following cipher sets: SSLv3/RSA/DES(56),
> SSLv2/RSA/DES(56).
>
> The reason for my enquiry is that the workaround has the unfortunate effect
> of provoking, in the IE5 security info dialogue, the message "This
> certificate has failed to verify for all of its intended purposes". I know
> that this is a spurious warning, but our customers don't, so I need to craft
> some words of reassurance in *our* FAQ. I've got as far as explaining that,
> to get around the IE5 bug, we have "disabled certain non-essential security
> options". This will satisfy probably 50%-70% of the readership, but there
> are a paranoid (and vociferous) few who will want to know "just what that
> g*d**mn well means", but in low-tech language.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
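Added illustration, not part of the thread above and not OpenSSL's or mod_ssl's own code: a small Python model of how OpenSSL (and therefore the SSLCipherSuite directive) turns a cipher string into an ordered preference list, run against both strings from the thread so the practical difference between "!EXPORT56" and Dave's explicit "!DES-CBC-SHA:..." exclusions is visible. The suite table is constructed, a subset of the SSLv2/SSLv3 suites of the OpenSSL 0.9.6 era, and its order only approximates OpenSSL's master list; the strength classes follow the ciphers(1) aliases of that time, where EXPORT56 covers the EXP1024-* suites and plain 56-bit single DES without the export flag counts as LOW. The alias set implemented is the part needed for these two strings, not all of ciphers(1).

```python
"""Toy model of OpenSSL cipher-string processing (added example, not
OpenSSL/mod_ssl code).  SUITES is a constructed subset of OpenSSL
0.9.6-era suites; its order only approximates OpenSSL's master list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    proto: str      # "SSLv2" or "SSLv3" (the latter also covers TLSv1)
    kx: str         # key exchange: "kRSA" or "kEDH" (ephemeral DH)
    auth: str       # "aRSA", "aDSS", or "aNULL" for anonymous suites
    enc: str        # "3DES", "RC4", "DES", "RC2"
    bits: int       # effective key bits; 40/56 for export suites
    strength: str   # "HIGH", "MEDIUM", "LOW", "EXPORT56", "EXPORT40"


# Constructed table: (name, proto, kx, auth, enc, bits, strength).
SUITES = [Suite(*t) for t in [
    ("EDH-RSA-DES-CBC3-SHA", "SSLv3", "kEDH", "aRSA", "3DES", 168, "HIGH"),
    ("DES-CBC3-SHA", "SSLv3", "kRSA", "aRSA", "3DES", 168, "HIGH"),
    ("DES-CBC3-MD5", "SSLv2", "kRSA", "aRSA", "3DES", 168, "HIGH"),
    ("RC4-SHA", "SSLv3", "kRSA", "aRSA", "RC4", 128, "MEDIUM"),
    ("RC4-MD5", "SSLv3", "kRSA", "aRSA", "RC4", 128, "MEDIUM"),
    ("RC2-CBC-MD5", "SSLv2", "kRSA", "aRSA", "RC2", 128, "MEDIUM"),
    ("EDH-RSA-DES-CBC-SHA", "SSLv3", "kEDH", "aRSA", "DES", 56, "LOW"),
    ("EDH-DSS-DES-CBC-SHA", "SSLv3", "kEDH", "aDSS", "DES", 56, "LOW"),
    ("DES-CBC-SHA", "SSLv3", "kRSA", "aRSA", "DES", 56, "LOW"),
    ("DES-CBC-MD5", "SSLv2", "kRSA", "aRSA", "DES", 56, "LOW"),
    ("EXP1024-DHE-DSS-DES-CBC-SHA", "SSLv3", "kEDH", "aDSS", "DES", 56, "EXPORT56"),
    ("EXP1024-DES-CBC-SHA", "SSLv3", "kRSA", "aRSA", "DES", 56, "EXPORT56"),
    ("EXP1024-RC4-SHA", "SSLv3", "kRSA", "aRSA", "RC4", 56, "EXPORT56"),
    ("EXP-DES-CBC-SHA", "SSLv3", "kRSA", "aRSA", "DES", 40, "EXPORT40"),
    ("EXP-RC4-MD5", "SSLv3", "kRSA", "aRSA", "RC4", 40, "EXPORT40"),
    ("ADH-DES-CBC3-SHA", "SSLv3", "kEDH", "aNULL", "3DES", 168, "HIGH"),
    ("ADH-RC4-MD5", "SSLv3", "kEDH", "aNULL", "RC4", 128, "MEDIUM"),
    ("ADH-DES-CBC-SHA", "SSLv3", "kEDH", "aNULL", "DES", 56, "LOW"),
]]


def aliases(s):
    """The ciphers(1) tokens that select suite s (a subset of the real alias set)."""
    a = {s.name, s.proto, s.kx, s.auth, s.enc, s.strength, "ALL"}
    if s.kx == "kRSA":
        a.add("RSA")
    if s.kx == "kEDH" and s.auth != "aNULL":
        a.add("EDH")                      # authenticated ephemeral DH
    if s.auth == "aNULL":
        a.add("ADH")                      # anonymous DH: no certificate at all
    if s.strength.startswith("EXPORT"):
        a.update({"EXP", "EXPORT"})
    return a


def apply_cipher_string(rule_string, suites=SUITES):
    """Ordered suite names selected by an OpenSSL-style cipher string.

    Rules are ':'-separated.  A bare token appends matching suites not yet
    present; '+' moves matching present suites to the end; '-' removes them
    (a later rule may add them back); '!' removes them permanently;
    '@STRENGTH' sorts by key bits.  'A+B' inside a token is a logical AND.
    An unknown token matches nothing, so a typo silently does nothing.
    """
    active, dead = [], set()
    for rule in rule_string.split(":"):
        if not rule:
            continue
        if rule == "@STRENGTH":
            active.sort(key=lambda s: -s.bits)    # stable: ties keep order
            continue
        op, body = (rule[0], rule[1:]) if rule[0] in "!-+" else ("", rule)
        wanted = set(body.split("+"))
        matched = [s for s in suites if wanted <= aliases(s)]
        if op == "!":
            dead.update(matched)
            active = [s for s in active if s not in dead]
        elif op == "-":
            active = [s for s in active if s not in matched]
        elif op == "+":
            moved = [s for s in suites if s in active and s in matched]
            active = [s for s in active if s not in matched] + moved
        else:
            active += [s for s in matched if s not in active and s not in dead]
    return [s.name for s in active]


# The two strings from the thread: the FAQ workaround and Dave's proposal.
FAQ_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
DAVE_STRING = ("ALL:!ADH:!DES-CBC-SHA:!DES-CBC-MD5:!EDH-RSA-DES-CBC-SHA:"
               "!EDH-DSS-DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP")


def difference(a, b):
    """(names only string a keeps, names only string b keeps)."""
    la, lb = set(apply_cipher_string(a)), set(apply_cipher_string(b))
    return sorted(la - lb), sorted(lb - la)


if __name__ == "__main__":
    for label, rule in (("FAQ", FAQ_STRING), ("Dave", DAVE_STRING)):
        print(f"{label}: {' '.join(apply_cipher_string(rule))}")
    print("only FAQ keeps: %s\nonly Dave keeps: %s" % difference(FAQ_STRING, DAVE_STRING))
```

Against this table the FAQ string drops the EXP1024-* suites and keeps plain 56-bit DES, while Dave's string does the opposite, which is exactly the distinction the thread is groping for. On a real server the authoritative check is `openssl ciphers -v '<string>'` with the OpenSSL build mod_ssl is linked against, since the alias contents differ between versions.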