SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
This results in most people with older clients using 40-bit encryption, and people who care about security and upgrade their software get 128-bit SSL3 or TLS.
You should alter your logs to log the resultant SSL cipher type and length so you can get some info on which clients give you problems - and you could put some warning notes about the browser types on the site somewhere to cover your butts.
Louis Sabet wrote:
On Fri, 17 May 2002 13:51:15 +0100 "Jeff" <[EMAIL PROTECTED]> wrote:

MS IE 5.00 was a flawed release, that MS very quickly (4 weeks) replaced with 5.01, mainly for security reasons. You should be able to get any reasonable users (corporate or otherwise) to upgrade asap. MSIE 5.00 has some serious bugs when using SSL and caching, so you may be able to tweak all your users' caching settings, and also to look at making your pages non-cacheable. I have to say though that in our experience with a group of 10 users of 5.00 it was far easier to get them to switch to Netscape until their 5.01 (in fact they went for 5.5) to arrive.

Unfortunately in this sector of retail, our target audience is very fickle, and an abundance of similar online retailers in recent years have made this an extremely competitive market. We cannot afford to aggravate any customers at this point. In addition, a large proportion of our customers have little or no previous IT experience and cannot be expected to apply patches no matter how trivial it may seem to us!

***SNIP***

The problems you describe with 5.01, I have seen when SSL keepalive settings were enabled on the web-server. The SSLKeepAlive settings were invented to speed up a client's access to your site, so that as subsequent requests for images, css, etc etc were made, the SSL negotiation overhead was short-circuited. Unfortunately the MS 5.xx browsers never quite got it right. We use Apache, and this is the setting in httpd.conf

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

I checked our httpd.conf, and indeed we have the same line in all our SSL sites. So this particular problem must lie elsewhere. I'll agree with people's comments on IE5 being terrible, but unfortunately as an online retailer we have no choice as to what our customers access our website with, and a disturbing number of customers (33%) happen to be using IE5.00 to 5.01.
If anyone else has any comments, they would be very much appreciated at this point!

You can check your SSL logs to see if the keepalive settings are active - if they are you will see an incrementing number associated with each request from the same user that indicates the SSL negotiation was short-cut, and that previously negotiated keys are being used. 'nokeepalive' is fractionally slower, but at least your users will not get the regular 'page cannot be found' issue. As to sharing Client Certs between IE and NS - we do this happily for NS 4.0-4.75 and MSIE 5.01-6.0 without any issues.

Regards
Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Louis Sabet
Sent: 17 May 2002 13:29
To: [EMAIL PROTECTED]
Subject: IE 5.00 - 5.01 SSL Connection Failures

Hi List,

I work for a mobile phone retail company in the UK - www.mobiles.co.uk

Recently we discovered that several of our customers were unable to complete the secure portions of their orders. The only common factor with all these problems was that all customers were using IE 5.00 to IE 5.01. Under Internet Explorer they receive "Page Cannot Be Found". With Netscape all works fine, and with all other recent Internet Explorer versions, a successful connection can be made.

I found nothing useful on the Microsoft site other than this:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244302

It may be the root of the problem, but we cannot ask the 33% of our customers who use IE5 to patch their machines before accessing our site. It is obvious that MOST connections to https sites can be made from IE5, or it would have been better documented. I contacted Verisign to find out if there was a reason some certificates were useable with IE5, and others weren't, but I found their technical support to be quite useless.
My last option is to ask you guys whether this could be a configuration issue - or whether there is some configuration tweak I can make to get around this problem for our IE5 users.

Best regards,
Louis

--
Louis Sabet <[EMAIL PROTECTED]>
http://www.webtedium.com/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
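
Added example, not part of the original thread: one way to act on the advice at the top of this message to log the negotiated cipher type and key length and see which clients end up on weak ciphers. The CustomLog format, the log file name and the sample log lines are assumptions constructed for illustration; the `%{...}x` variables are standard mod_ssl ones.

```python
import re
from collections import defaultdict

# Assumed mod_ssl log format (an assumption, not taken from the thread):
#   CustomLog logs/ssl_cipher_log "%h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %>s \"%{User-Agent}i\""
LINE_RE = re.compile(
    r'^\S+ (?P<proto>\S+) (?P<cipher>\S+) (?P<bits>\S+) \d{3} "(?P<agent>[^"]*)"$')
MSIE_RE = re.compile(r"MSIE (\d+\.\d+)")

# Constructed sample lines (documentation IP range, invented clients).
SAMPLE_LOG = """\
192.0.2.10 SSLv3 RC4-MD5 128 200 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.11 SSLv2 EXP-RC4-MD5 40 200 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)"
192.0.2.11 SSLv2 EXP-RC4-MD5 40 200 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)"
192.0.2.12 TLSv1 DES-CBC3-SHA 168 200 "Mozilla/4.75 [en] (WinNT; U)"
192.0.2.13 - - - 400 "-"
this line is malformed
"""


def browser_family(agent):
    """Collapse a User-Agent into a coarse label such as 'MSIE 5.0'."""
    m = MSIE_RE.search(agent)
    return "MSIE " + m.group(1) if m else (agent.split(" ", 1)[0] or "unknown")


def summarize(log_text, min_bits=128):
    """Return ({browser: {"total", "weak", "ciphers"}}, skipped_line_count)."""
    stats = defaultdict(lambda: {"total": 0, "weak": 0, "ciphers": set()})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # A "-" key size means no SSL session was established for the request.
        if not m or not m.group("bits").isdigit():
            skipped += 1
            continue
        entry = stats[browser_family(m.group("agent"))]
        entry["total"] += 1
        entry["ciphers"].add((m.group("proto"), m.group("cipher")))
        if int(m.group("bits")) < min_bits:
            entry["weak"] += 1
    return dict(stats), skipped


if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG)
    for browser, e in sorted(report.items()):
        print(f"{browser}: {e['weak']}/{e['total']} weak, {sorted(e['ciphers'])}")
    print(f"skipped {skipped} line(s)")
```

The per-browser weak/total counts show how many real customers would be affected before the 40-bit and SSLv2 entries are removed from SSLCipherSuite.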