Itai Levy wrote:
> 
> Hi,
> 
> If I use an IE 5.01 browser in order to connect to an openssl based server I
> need to disable the RC4-MD5 cipher on the server (use: DEFAULT:!RC4-MD5)
> in order to get things to work properly.
> If I don't do this, I get a "page cannot be displayed" error message on the
> browser.
> In this configuration I use a Verisign or Thawte certificate on the server.
> 
> When I use a certificate which was generated and signed by another self
> signed root certificate which is also generated and signed by the openssl
> utility,
> after installing the root certificate on the browser I can connect without
> disabling the RC4-MD5 cipher.
> 
> My question is: what is the connection between the IE 5.01 bug and the
> certificate installed on the server?
> 

Probably the now infamous MSIE "global server" (aka 128 bit, step up,
magic) certificate bug; presumably your Verisign or Thawte certificate
is of this type and the browsers are export versions. MSIE has problems
if it has to switch between a weak and strong cipher with different
message digests.

This has been discussed before so I suggest you check the archives.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
