Dr Henson,

Thanks for your reply.
According to your answer I need to check the following ciphers:

DEFAULT:!EXPORT56
DEFAULT:!MD5
DEFAULT:!SHA1

The problem is that I minimized the IE 5.01's problematic ciphers to one: RC4-MD5.
So I use DEFAULT:!RC4-MD5 and still there are some browsers that need the RC4-MD5 cipher in order to work.
So this solution isn't good for me.

Is there a way to get into the code and disable the SGC in openssl?
Can I solve the problem by using a server certificate that doesn't support SGC?

Thanks,
Itai.

-----Original Message-----
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 01, 2001 7:00 PM
To: [EMAIL PROTECTED]
Subject: Re: sgc

Itai Levy wrote:
>
> Hi,
>
> I'm using a web server based on openssl 0.9.5.
> When I use a certificate which enables the use of SGC, I have a problem to
> connect with IE 5.01 browsers.
> I know that the reason for this is that there is a bug in the implementation
> of SGC in IE 5.01.
> I use the cipher group DEFAULT:!RC4-MD5 as a work around (with these ciphers
> I can connect with IE 5.01).
> The problem with this is that this ciphers group is not enough for some of
> the browsers.
>
> Is there a way to disable SGC in openssl 0.9.5 ?
>
> I know that openssl 0.9.4 doesn't support SGC, so there should be no
> problem, but I don't want to downgrade.
>

OpenSSL 0.9.4 didn't support SGC but then you probably aren't using SGC
either. You are probably using "step up" which is Netscape's version.

The problem is related to some new ciphersuites in OpenSSL 0.9.5 and a
bug in MSIE which is triggered by the use of step up and an attempt to
use two ciphersuites with different digests.

There are several cipher strings you can try:

DEFAULT:!EXPORT56
DEFAULT:!MD5
DEFAULT:!SHA1

If some versions of Netscape you are using don't support SHA1 strong
ciphersuites then you may need the last one.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
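
Added example, not part of the original messages and not OpenSSL code: a small model of how the cipher strings discussed in this thread prune a suite list, showing which of them keep RC4-MD5 available. The suite table is a constructed sample (real suite names, but not the actual OpenSSL 0.9.5 DEFAULT list), and the helper names are hypothetical.

```python
# Constructed sample table: (suite name, digest, class tags a string can match).
# Real OpenSSL suite names, but NOT the actual 0.9.5 DEFAULT list.
SAMPLE_SUITES = [
    ("RC4-MD5",         "MD5",  set()),
    ("RC4-SHA",         "SHA1", set()),
    ("DES-CBC3-SHA",    "SHA1", set()),
    ("EXP-RC4-MD5",     "MD5",  {"EXPORT", "EXPORT40"}),
    ("EXP1024-RC4-MD5", "MD5",  {"EXPORT", "EXPORT56"}),
    ("EXP1024-RC4-SHA", "SHA1", {"EXPORT", "EXPORT56"}),
]

def matches(token, suite):
    """A token matches a suite by exact name, by digest, or by class tag."""
    name, digest, tags = suite
    return token == name or token == digest or token in tags

def expand(cipher_string):
    """Expand a string made only of DEFAULT and !token items (model subset)."""
    selected, banned = [], []
    for item in cipher_string.split(":"):
        if item == "DEFAULT":
            selected += [s for s in SAMPLE_SUITES if s not in selected]
        elif item.startswith("!") and len(item) > 1:
            banned.append(item[1:])
        else:
            raise ValueError("unsupported item in this model: %r" % item)
    # "!" deletes permanently: a banned suite never reappears, whatever the
    # position of the "!" item in the string.
    return [s for s in selected if not any(matches(b, s) for b in banned)]

def names(cipher_string):
    return [s[0] for s in expand(cipher_string)]

def digests(cipher_string):
    return {s[1] for s in expand(cipher_string)}

if __name__ == "__main__":
    for cs in ("DEFAULT:!RC4-MD5", "DEFAULT:!EXPORT56",
               "DEFAULT:!MD5", "DEFAULT:!SHA1"):
        kept = "yes" if "RC4-MD5" in names(cs) else "no"
        print("%-18s RC4-MD5 kept: %-3s digests left: %s"
              % (cs, kept, sorted(digests(cs))))
```

On a real installation, `openssl ciphers -v 'DEFAULT:!EXPORT56'` prints the actual expansion for that build.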