Just to throw my bit into the mix, this should also be resolved with SP2 for IE5.01. I believe this kb article predates that. This article was published in December 1999, and last modified 17th September 2001. IE 5.01 SP2 was released on June 19th 2001. (http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp)
I can't find a definitive answer on the MS site, like a list of bugs fixed with SP2. IE5.01SP2 is apparently the lowest "supported" browser by MS now.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Evolution - A crutch for scientists who can't handle the existence of the creator. See "disproven scientific theories" and Romans 1:22.

>-----Original Message-----
>From: Carl D'Halluin [mailto:[EMAIL PROTECTED]]
>Sent: 08 March 2002 13:15
>To: Christopher Taranto; [EMAIL PROTECTED]
>Subject: Re: MSIE broken SSL implementation - problems with mod_ssl / openssl
>
>
>Hello Christopher,
>
>I looked around on the www and this is our official statement towards our customers. Maybe
>you can re-use it :-)
>
>----
>SSL Problem with certain versions of Internet Explorer / Internet Information Server
>
>Certain versions of Internet Explorer contain bugs which cause an incompatibility with all servers having an SSL implementation based on openssl.
>This includes all Apache webservers and commercial products based on Apache, such as certain Oracle servers, Ubizen DMZ/Shield 3.0 and higher, and many other products.
>
>This bug may also affect certain low-crypto distributions of Internet Information Server.
>
>Typical error messages experienced by the clients are :
>    Internet Explorer 4.x
>        The server returned an invalid or unrecognized response
>    Internet Explorer 5.x
>        Cannot find server or DNS Error
>
>The bugs are caused by a certain Windows dll file, which influences all SSL software on the client machines (or on the IIS server machine). The bug has been around for more than two years, and Microsoft is well aware of this problem. They admit their mistake and have an entire support page dedicated to it, containing a patch.
>
>Customers experiencing problems with Internet Explorer when using SSL, are recommended to go to the Microsoft patch page, and to install the fix.
>
>The bug and its patch are very clearly documented at
>http://support.microsoft.com/default.aspx?scid=kb;EN-US;q247367
>---
>
>Greetings,
>
>Carl
>
>
>Christopher Taranto wrote:
>
>> Hi Carl,
>>
>> Unfortunately, I have had no luck in tracking down or fixing this problem. And it's really a big problem in my opinion. I haven't had enough time to really dig deep on using openssl to debug the connection - but I don't really know what I would be looking for specifically. Fortunately (I guess otherwise I would have a special bald spot on my head!), I have access to a broken MSIE browser available in my office that I can use to repeatedly test the server for errors - so there is a way of trying to find the problem.
>>
>> Here is what I have tried:
>>
>> openssl s_server -accept 4443 -WWW -cert /usr/local/apache/conf/ssl.crt/www.condoms.net.crt -key /usr/local/apache/conf/ssl.key/www.condoms.net.key -state -debug
>>
>> When I use this, I get this:
>>
>> Using default temp DH parameters
>> ACCEPT
>>
>> and the system waits for me forever - and I am not sure what to put in.
>>
>> openssl s_client -connect condoms.net:443
>>
>> CONNECTED(00000003)
>> depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>> verify error:num=27:certificate not trusted
>> verify return:1
>> depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>>    i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
>> ---
>> Server certificate
>> subject=/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
>> issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1539 bytes and written 314 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
>> Server public key is 1024 bit
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : EDH-RSA-DES-CBC3-SHA
>>     Session-ID: 2917B720C36856CC4B2CB63951F9502C449D28905F58FFFF56BF2418AA916E74
>>     Session-ID-ctx:
>>     Master-Key: 8DB2F877627C8AEE402DBC388F9ACB72C397637E70C87D43AFD7735E2949827C4AAFA6903D88BA7F3B99AFBFAD5BECE4
>>     Key-Arg   : None
>>     Start Time: 1015525852
>>     Timeout   : 300 (sec)
>>     Verify return code: 21 (unable to verify the first certificate)
>> ---
>>
>> >>Seems like Microsoft deliberately put some broken SSL implementation in
>>
>> Seems pretty amazing to me that all of the commercial servers that use mod_ssl as a base would or wouldn't have this same issue - but I have not heard of any problems like this with other apache servers like Raven, Stronghold, etc... Maybe there are problems - but I have not been able to find any mention of them. And, it seems very convenient to MS in light of their IIS market share :-)
>>
>> My server configuration has already been posted in a previous message (let me know if you need me to repost it).
>>
>> Let me know if any of this makes sense to you or if you have any ideas.
>>
>> Sincerely,
>>
>> Christopher Taranto
>>
>> At 10:52 AM 3/6/02 +0100, you wrote:
>> >Hello,
>> >
>> >I read your entries in a newsgroup.
>> >I am having exactly the same problem, and I don't want to tell my users
>> >"upgrade your browser, or use netscape".
>> >
>> >I wonder whether you finally found a solution to this embarrassing
>> >problem.
>> >Seems like Microsoft deliberately put some broken SSL implementation in
>> >their browser, in order to kill apache / openssl...
>> >
>> >Thx
>> >
>> >Carl D'Halluin
>> >Security Engineer.
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]
