FYI, our current secure servers are built as follows:
OpenSSL 0.9.6
Apache 1.3.14
mod_ssl 2.7.1
mod_perl 1.24_01
PHP 4.0.2 (module)
(virtual hosts, but separate SSL server, no HTTP)
We have been forced to use:
SSLProtocol all -SSLv3
This seems to be a nasty one, at least for build versions of IE that have been very widely distributed on various ISP-CDs in the UK. We are not in a position to test a wide range of IE builds, but at least one that is common, IE 5.00.2314.1003IC, just does NOT work with the following fixes:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
(The FAQ has !EXPORT56 in bold, but this is surely incorrect as the cipher tag is EXP56?)
SSLCipherSuite ALL:!ADH:!EXP40:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
was not fruitful either. The build described is a 40-bit-only cipher version.
This problem has caused us (and I assume others who like to use latest/best versions of server software) much grief recently. Can anyone throw more light on it and possibly suggest a work-around that would force broken browsers to use SSL v2, or ciphers that reliably work with SSL v3, but let working SSL v3 browsers use SSL v3?
But anyway, many thanks to the whole OpenSSL/mod_ssl team for letting us provide high quality SSL implementations of any kind!
(I hope the cross-posting is not annoying.)
Mark
Mark Tiramani, FREDO Internet Services