Jeff Stewart wrote:
> 
> Hi,
> 
> I've seen this issue raised before but have been unable to find an
> answer.  I have an SSL enabled Apache server running on Solaris.
> 
> Details:  Solaris 2.6, Apache 1.3.12 + openssl-0.9.5 + mod_ssl-2.6.2
>           running on a Sun Netra T1.
> 
> We have a Verisign Global ID.  Any/all Netscape clients have no
> problem.  Mac IE4.01 has no problems.  Haven't been able to test the x86
> version of IE4.x.
> 

Have a look at the server certificate with:

openssl x509 -in cert.pem -text

There should be an extension called "extended key usage": check to see
what it says. If it says Microsoft SGC and Netscape SGC then there
shouldn't be a problem. If it just says Netscape SGC then you may hit an
IE5 bug.

When IE5 uses Netscape SGC (more correctly called "step up") it doesn't
always work unless it switches from 40 bit RC4 to 128 bit RC4. If it
tries via the new 56 bit ciphers or using 3DES it may well fail.

The solution is to disable all but 40 and 128 bit RC4 in the server. You
can do this by setting the cipher string to:

RC4:!EXP56:@STRENGTH

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
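
The certificate check described in the reply above, as an added example that is not part of the original message or of OpenSSL. It reads `openssl x509 -text` output and reports which SGC usages appear inside the extended key usage extension only. The function names and the sample text are constructed for illustration, and the usage names are assumed to be the long names current OpenSSL prints.

```shell
#!/bin/sh
# Added example. With a real certificate:
#   openssl x509 -in cert.pem -noout -text | sgc_status

# Print only the value line(s) of the Extended Key Usage extension.
eku_values() {
    awk '
        /Extended Key Usage:/ { in_eku = 1; next }
        # The next extension header (a line ending in ":" or ": critical")
        # or the signature block ends the EKU value.
        in_eku && /:[ \t]*(critical)?[ \t]*$/ { in_eku = 0 }
        in_eku && /Signature Algorithm/ { in_eku = 0 }
        in_eku { print }
    '
}

# Classify the certificate text on stdin: both, netscape-only,
# microsoft-only or none. "netscape-only" is the case the reply ties
# to the IE5 step-up problem and the RC4:!EXP56:@STRENGTH cipher string.
sgc_status() {
    eku=$(eku_values)
    ms=no; ns=no
    case $eku in *"Microsoft Server Gated Crypto"*) ms=yes ;; esac
    case $eku in *"Netscape Server Gated Crypto"*) ns=yes ;; esac
    case $ms/$ns in
        yes/yes) echo "both" ;;
        no/yes)  echo "netscape-only" ;;
        yes/no)  echo "microsoft-only" ;;
        *)       echo "none" ;;
    esac
}

# Constructed sample: the comment names Microsoft SGC outside the EKU
# extension, so it must not count.
sample_cert_text() {
cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                Netscape Server Gated Crypto
            Netscape Comment:
                Microsoft Server Gated Crypto is not asserted by this certificate
    Signature Algorithm: md5WithRSAEncryption
EOF
}

sample_cert_text | sgc_status
```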
