Hello,

I want to report that with IE5.5 and IE6 (but not Netscape)

when using as web server: apache 1.3.14 + modssl 2.7.1 + openssl 0.9.6b

and restrict the Ciphersuite to DES3-CBC-SHA all is working fine

but with web server: apache 1.3.24 + modssl 2.8.8 + openssl 0.9.6d

and again restrict the Ciphersuite to DES3-CBC-SHA
then Explorer hangs forever when loading any page
(apache logs indicate a single successful connection and that's all)

clearly this has a lot to do with the openssl change from 0.9.6b to 0.9.6d

[

I am not versed in the modssl/openssl technology but I suspect it
must be something related to the following CHANGE notice

  *) Implement a countermeasure against a vulnerability recently found
     in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
     before application data chunks to avoid the use of known IVs
     with data potentially chosen by the attacker.
     [Bodo Moeller]

]

even though Netscape still works, this should be considered a bug since
IE is now broken when in the past it worked fine

Can someone comment on this behavior and PLEASE recommend
a workaround (enabling us to keep the same Ciphersuite)?

Thanks in advance,

E.I.Sarmas
email: [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
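
The CHANGE notice quoted in the message describes sending an empty fragment ahead of application data. As an added illustration (not part of the original message and not OpenSSL code), the sketch below models a TLS 1.0 CBC write side and reports which IV the application-data record receives with and without that empty fragment. Assumptions: a constructed Feistel function stands in for 3DES, the keys and payloads are constructed, and the MAC input is simplified.

```python
import hashlib
import hmac

BS = 8  # 3DES block size; the SHA-1 MAC adds 20 bytes per record

def toy_block_encrypt(key, block):
    """Constructed 4-round Feistel stand-in for 3DES (illustration only)."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha1).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

class Tls10CbcWriter:
    """Simplified TLS 1.0 write side: each record's IV is the last
    ciphertext block of the previous record (chained IV)."""
    def __init__(self, enc_key, mac_key, iv):
        self.enc_key, self.mac_key, self.iv, self.seq = enc_key, mac_key, iv, 0

    def _record(self, payload):
        # Simplified MAC input (real TLS also covers type, version, length).
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + payload,
                       hashlib.sha1).digest()
        self.seq += 1
        data = payload + mac
        pad = -(len(data) + 1) % BS          # TLS padding: pad+1 bytes of value pad
        data += bytes([pad]) * (pad + 1)
        out, prev = b"", self.iv
        for i in range(0, len(data), BS):    # plain CBC over the padded record
            mixed = bytes(a ^ b for a, b in zip(data[i:i + BS], prev))
            prev = toy_block_encrypt(self.enc_key, mixed)
            out += prev
        self.iv = prev                       # chained into the next record
        return out

    def write(self, app_data, empty_fragment):
        """Return (records, iv_visible_before_write, iv_used_for_app_data)."""
        visible = self.iv                    # already on the wire before this call
        records = [self._record(b"")] if empty_fragment else []
        used = self.iv
        records.append(self._record(app_data))
        return records, visible, used

def demo(empty_fragment):
    # Constructed keys and payloads; the all-zero initial IV is arbitrary.
    w = Tls10CbcWriter(b"constructed-enc-key", b"constructed-mac-key", bytes(BS))
    w.write(b"earlier traffic", empty_fragment)
    return w.write(b"GET / HTTP/1.0\r\n\r\n", empty_fragment)
```

With the countermeasure on, every write produces an extra 24-byte record (MAC and padding only) in front of the data record, which is the on-the-wire difference a client sees between the two server builds.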
