No, I wouldn't want to disable SSL3 either...

One case I know of like this is to do with advertising EXPORT56 ciphers 
on the server side... some variants of IE barf if they're talking to a 
site with a so-called 128-bit certificate (an SGC cert).

I have used this when a site has an uber-cert for marketing reasons, and 
the crypto requirement is not high:

SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

The broken clients end up using SSL3 with a 40-bit key length, good clients 
talk SSL3/128-bit or TLS, and it still gives the option for SSL2 and allows 
null encryption too.


Thomas Binder wrote:

>Hi!
>
>On Tue, Apr 23, 2002 at 06:38:22PM +0200, Nisbach, Thomas wrote:
>  
>
>>I found one (unsatisfying) solution:
>>I disabled SSLv3 by setting
>>
>>SSLProtocol -SSLv3
>>
>>If I do this MSIE on Mac runs but I worry about
>>other browsers that would not run anymore :-(
>>    
>>
>
>Btw, as far as I understand, this does not disable TLSv1: Does
>IE's TLS1-support work any better than its SSL3 implementation?
>
>And what also bothers me: Why do these problems only seem to
>affect OpenSSL based webservers, and not for example iPlanet? Do
>these non-affected servers contain other/better workarounds? Or do
>they only support SSL2?
>
>Is it really such a serious drawback to disable SSL3? Most current
>browsers (e.g. links, Mozilla, Opera) seem to support and default
>to TLS1, anyway.
>
>
>Ciao
>
>Thomas
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]
>  
>


