Yello again! Not sure if this got to anyone the first time (I hadn't registered with the group yet).

I am running an Apache+mod_ssl+openssl webserver that uses a Verisign Global ID (128 bit/128 bit secret key). Some Internet Explorer users with low cipher strengths (i.e. 40 bit or 56 bit) are having trouble using the secured version of the website. Internet Explorer displays the "friendly" error page that states the web page cannot be viewed. Once the user downloads the high encryption pack from Microsoft's website, however, they can view the secured version of the website to their heart's content.

According to everything I have read, Apache and the browser are supposed to negotiate the cipher strength (referred to as Server Gated Cryptography by Microsoft and "stepping up" by Netscape) and then talk at 128 bit cipher strength. However, I examined the Apache logs and no such negotiation takes place. I have Apache set up to allow all forms of cipher strengths with the SSLCipherSuite directive. Currently, Netscape shows no sign of such behavior.

Any help or guesses provided would be greatly appreciated.

Thanks in advance,
Asser