David P. Mott wrote:
> Here are some shots in the dark for you:
>
> When I tried to tighten down the ciphers and SSL protocols on my server,
> some (but not all) users on both IE6 and IE7 started to get that "page
> not found" error (although my log error was something like "re-negotiate
> failed"). I found that IE7 will fail to renegotiate with an SSLv3-only
> server if IE7 is configured to use both TLSv1 and SSLv3 (I guess it
> tries really hard to use TLSv1). I plan to support SSLv3 and TLSv1 to
> address this problem.
>
> Specifically:
>
> Didn't work:
>     SSLProtocol -all +SSLv3
> or
>     SSLProtocol SSLv3
>
> Did work:
>     SSLProtocol all -SSLv2
> or
>     SSLProtocol -all +SSLv3 +TLSv1
>
> (I prefer the last incantation, which protects against the unexpected
> change in definition of 'all' after an Apache upgrade)
>
> I also had this, to tighten up the ciphers:
>     SSLCipherSuite HIGH:MEDIUM
>
> Also, if your stock config files don't already do it, you may want to
> implement the "fixes" for broken versions of IE (prior to IE6, I believe):
>     SetEnvIf User-Agent ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
> although the first line is different for newer versions of Apache:
>     BrowserMatch ".*MSIE.*" \
>         nokeepalive ssl-unclean-shutdown \
>         downgrade-1.0 force-response-1.0
Thank you. I'll give this a shot. By newer versions of Apache, do you
mean in the 1.3.x build?
--
John C. Nichel IV
System Administrator
KegWorks
http://www.kegworks.com
716.362.9212 x16
[EMAIL PROTECTED]
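The point David makes about preferring "-all +SSLv3 +TLSv1" over "all -SSLv2" is that the result of the second form depends on what the installed Apache build defines 'all' to mean. The script below is an added example written for this thread (it is not code from the list, from Apache, or from either poster): it evaluates an SSLProtocol line token by token and shows that the subtractive form changes meaning when 'all' grows after an upgrade, while the explicit additive form does not. The token rules follow my reading of mod_ssl's directive parser ('+NAME' adds, '-NAME' removes, a bare NAME replaces the set built so far, 'all' expands to the build's full list); the two 'all' definitions are constructed for illustration and stand in for an older and a newer hypothetical build rather than any specific Apache release.

```python
"""Evaluate Apache mod_ssl 'SSLProtocol' directives under different meanings of 'all'.

Added example for the modssl-users thread; not code from the list or from Apache.
Token semantics are my reading of mod_ssl's parser and are an assumption here:
  +NAME   adds NAME to the enabled set
  -NAME   removes NAME from the enabled set
  NAME    (no prefix) replaces whatever was built so far with just NAME
  all     expands to every protocol the running build knows about
"""

# Constructed definitions of 'all' for two hypothetical builds (assumption: the
# real list depends on the Apache and OpenSSL versions actually installed).
ALL_OLD_BUILD = frozenset({"SSLv2", "SSLv3", "TLSv1"})
ALL_NEW_BUILD = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

# Canonical spellings accepted in a directive, keyed by lower-case form.
_CANONICAL = {p.lower(): p for p in ALL_OLD_BUILD | ALL_NEW_BUILD}


def evaluate_sslprotocol(directive: str, all_set: frozenset) -> frozenset:
    """Return the set of protocols a directive enables, given this build's 'all'."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("expected a line starting with SSLProtocol")

    enabled: set = set()
    for tok in tokens[1:]:
        action = tok[0] if tok[0] in "+-" else None
        name = tok[1:] if action else tok
        key = name.lower()

        if key == "all":
            protos = set(all_set)
        elif key in _CANONICAL:
            protos = {_CANONICAL[key]}
        else:
            raise ValueError(f"unknown protocol name in SSLProtocol: {name!r}")

        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:
            # A bare token overrides anything set earlier on the line.
            enabled = protos
    return frozenset(enabled)


def is_upgrade_stable(directive: str) -> bool:
    """True if the directive enables the same protocols before and after 'all' grows."""
    return evaluate_sslprotocol(directive, ALL_OLD_BUILD) == evaluate_sslprotocol(
        directive, ALL_NEW_BUILD
    )


if __name__ == "__main__":
    # The four directives discussed in the thread, evaluated under both builds.
    for line in (
        "SSLProtocol -all +SSLv3",
        "SSLProtocol SSLv3",
        "SSLProtocol all -SSLv2",
        "SSLProtocol -all +SSLv3 +TLSv1",
    ):
        old = sorted(evaluate_sslprotocol(line, ALL_OLD_BUILD))
        new = sorted(evaluate_sslprotocol(line, ALL_NEW_BUILD))
        tag = "stable" if is_upgrade_stable(line) else "CHANGES after upgrade"
        print(f"{line:35} old={old} new={new} -> {tag}")
```

Running it shows "all -SSLv2" silently picking up TLSv1.1 and TLSv1.2 on the newer build, which is exactly the surprise the explicit "-all +SSLv3 +TLSv1" form avoids; the same check can be pointed at any SSLProtocol line before an upgrade to see whether its meaning will shift.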
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]