I am using Red Hat Linux with:
     openssl 0.9.5a 1 Apr 2000
     mod_ssl-2.7.1-3
     mod_perl-1.24-6
     apache-1.3.14-3

My problem is that unless I use:

SSLProtocol all -SSLv3

I get data encryption errors on IE 5.0 Mac.   The problem with this 
is that IE Windows users must then have "Use SSL 2.0" checked or they 
can't make secure connections.

If I understood correctly, David Rees suggested that this is due to 
having keep-alive off.  But I need keep-alive to be off for 
performance reasons.  It is a mod_perl application with Apache::DBI 
so it needs one db connection per server, and I often have more 
concurrent users than the oracle connection limit.  Turning 
keep-alive on would mean I would have to abandon Apache::DBI, and 
performance would suffer (I think) as each request would incur the 
overhead of making a db connection.

I am already using:
BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown


Is there no solution to the problem?
Is there a way to disable SSLv3 for just IE Mac?
Is this a problem with openssl?  Would it help to buy something?

Thanks,
Tim



>>  >Use this:
>>  >
>>  >SSLProtocol all
>>  >BrowserMatch "MSIE" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>>
>>  This did not work.  IE 5.0 Mac gave 'data encryption errors'.
>>
>>
>>  >SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>>  >                          ^^^^^^
>>  >
>>  >Notice that you should have !EXPORT56 configured, !EXP56 does not work.
>>
>>  I made this change, but it did not make any noticeable difference.
>
>
>It appears that some Macs have problems without keep alive.  Can you try
>this?
>
>BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
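
An added example, not part of the original message or of mod_ssl: a small Python model of how the two BrowserMatch lines quoted above assign per-request variables, applied to three User-Agent strings. The User-Agent strings are constructed samples, and the function names (parse_browsermatch, env_for, report) are hypothetical.

```python
import re
import shlex

# The two directives from the message above, each written on a single line.
CONFIG = '''
BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
'''

def parse_browsermatch(config):
    """Return [(compiled_regex, [variable tokens])] for each BrowserMatch line."""
    rules = []
    for line in config.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts or parts[0].lower() not in ("browsermatch", "browsermatchnocase"):
            continue
        # BrowserMatch is case-sensitive; BrowserMatchNoCase is not.
        flags = re.IGNORECASE if parts[0].lower() == "browsermatchnocase" else 0
        rules.append((re.compile(parts[1], flags), parts[2:]))
    return rules

def env_for(user_agent, rules):
    """Apply rules in order, as mod_setenvif does: var, var=value, !var."""
    env = {}
    for regex, tokens in rules:
        if not regex.search(user_agent):
            continue
        for tok in tokens:
            if tok.startswith("!"):
                env.pop(tok[1:], None)       # !var removes the variable
            else:
                name, _, value = tok.partition("=")
                env[name] = value or "1"     # a bare name is set to "1"
    return env

# Constructed sample User-Agent strings (not taken from the thread).
SAMPLES = {
    "IE 5.0 Mac": "Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC)",
    "IE 5.01 Windows": "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
    "IE 4.01 Windows": "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
}

def report():
    rules = parse_browsermatch(CONFIG)
    return {name: sorted(env_for(ua, rules)) for name, ua in SAMPLES.items()}

if __name__ == "__main__":
    for name, flags in report().items():
        print(f"{name:16} {', '.join(flags) or '(none)'}")
```

With these rules IE 5.0 Mac and IE 5.01 Windows receive the same single variable, so the configuration does not distinguish them. The User-Agent header is only read after the SSL handshake has completed, so variables set this way are not available when the protocol version is negotiated.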
