I am not sure how relevant this is, but I am using SSL on MSIE 5.5 on a MS IIS server with an OpenSSL certificate installed and it works OK.
 
I have been trying to get MS Outlook Express 5 to work with SSL and it just crashes.  I can't find any LDAP client apart from OpenLDAP ones that will use SSL.
 
The OpenLDAP clients built with OpenSSL 0.9.6 work with SSL against an OpenLDAP server built with the same version.
 
What is mod_ssl anyway? The string "mod_ssl" does not exist in the whole of OpenSSL and only once in OpenLDAP 2.0.6 as a FIXME.
 
Thanks
 
----- Original Message -----
Sent: Sunday, October 15, 2000 1:02 PM
Subject: MSIE 4.x - 5.0 and SSL v3

After much trial-and-error, and after trying all the fixes we could find it appears that a range of IE 4.x and 5.0 browsers simply will not work reliably with mod_ssl built on OpenSSL > 0.9.4 when allowed to negotiate any kind of SSL v3.

FYI, our current secure servers are built as follows:
OpenSSL 0.9.6
Apache 1.3.14
mod_ssl 2.7.1
mod_perl 1.24_01
PHP 4.0.2 (module)
(virtual hosts, but separate SSL server, no HTTP)

We have been forced to use:

SSLProtocol all -SSLv3

This seems to be a nasty one, at least for build versions of IE that have been very widely distributed on various ISP-CDs in the UK. While we are not in a position to test a wide range of IE builds, at least one that is common, IE 5.00.2314.1003IC, just does NOT work with the following fixes:

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

(The FAQ has !EXPORT56 in bold but this is surely incorrect as the cipher tag is EXP56?)

SSLCipherSuite ALL:!ADH:!EXP40:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

was not fruitful either. The build described is a 40bit-only cipher version.

This problem has caused us (and I assume others who like to use latest/best versions of server software) much grief recently. Can anyone throw more light on it and possibly suggest a work-around that would force broken browsers to use SSL v2, or ciphers that reliably work with SSL v3, but let working SSL v3 browsers use SSL v3?

But anyway, many thanks to the whole OpenSSL/mod_ssl team for letting us provide high quality SSL implementations of any kind!

(I hope the cross-posting is not annoying.)

Mark

Mark Tiramani
FREDO Internet Services
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
