No, I wouldn't want to disable SSL3 either... One case I know of like this is to do with advertising EXPORT56 ciphers on the server side... some variants of IE barf if they're talking to a site with a so-called 128 bit certificate (an SGC cert).
I have used this when a site has an uber-cert for marketing reasons, and the crypto requirement is not high:

SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

The broken clients end up using SSL3 with 40bit keylength, good clients talk SSL3/128bit or TLS, it still gives the option for SSL2 and allows null encryption too.

Thomas Binder wrote:

>Hi!
>
>On Tue, Apr 23, 2002 at 06:38:22PM +0200, Nisbach, Thomas wrote:
>
>>i found one (unsatisfying) solution:
>>I disabled SSLv3 by setting
>>
>>SSLProtocol -SSLv3
>>
>>If i do this MSIE on Mac runs but i worry about
>>other browser that would not run anymore :-(
>
>Btw, as for my understanding this does not disable TLSv1: Does
>IE's TLS1-support work any better than its SSL3 implementation?
>
>And what also bothers me: Why do these problems only seem to
>affect OpenSSL based webservers, and not for example iPlanet? Do
>these non-affected servers contain other/better workarounds? Or do
>they only support SSL2?
>
>Is it really such a serious drawback to disable SSL3? Most current
>browsers (e.g. links, Mozilla, Opera) seem to support and default
>to TLS1, anyway.
>
>Ciao
>
>Thomas
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
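An added example, not part of the original message or of mod_ssl: a small Python check that splits an SSLCipherSuite string into its OpenSSL cipher-list operators and reports which of the weak classes named in this thread are never permanently excluded with `!`. The function names, the weak-class list and STRICT_STRING are assumptions made for this example; it inspects the string only and does not ask OpenSSL what the string expands to.

```python
import re

# Weak cipher classes named in the message above (list assumed for this example).
WEAK_CLASSES = ("eNULL", "ADH", "EXP", "EXPORT56", "LOW", "SSLv2")

# OpenSSL keywords whose exclusion also covers a narrower class from the list.
COVERS = {"EXP": ("EXPORT56",), "EXPORT": ("EXP", "EXPORT56"),
          "aNULL": ("ADH",), "NULL": ("eNULL",)}

# The string quoted in the message, and a constructed stricter one for contrast.
THREAD_STRING = "!EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
STRICT_STRING = "HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2"


def parse_cipher_string(spec):
    """Split into (operator, keyword) pairs.

    '!' deletes permanently, '-' deletes but allows re-adding, '+' moves
    matching ciphers already in the list to its end, '' adds ciphers.
    """
    items = []
    for token in re.split(r"[:, ]+", spec.strip()):
        if token:
            op = token[0] if token[0] in "!-+" else ""
            items.append((op, token[len(op):]))
    return items


def weak_references(spec):
    """Map each weak class the string names to the operators applied to it."""
    refs = {}
    for op, keyword in parse_cipher_string(spec):
        for part in keyword.split("+"):  # 'RC4+RSA' is a logical AND of classes
            if part in WEAK_CLASSES:
                refs.setdefault(part, []).append(op or "add")
    return refs


def unexcluded_weak_classes(spec):
    """Weak classes that no '!' term in the string permanently rules out."""
    killed = set()
    for op, keyword in parse_cipher_string(spec):
        if op == "!":
            killed.update((keyword,) + tuple(COVERS.get(keyword, ())))
    return [c for c in WEAK_CLASSES if c not in killed]


if __name__ == "__main__":
    print("operators on weak classes:", weak_references(THREAD_STRING))
    print("not excluded (thread):", unexcluded_weak_classes(THREAD_STRING))
    print("not excluded (strict):", unexcluded_weak_classes(STRICT_STRING))
```

To see what a given string actually expands to on the installed OpenSSL build, run `openssl ciphers -v` with the string as its argument.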