At this point it seems to be only a partial patch as a new, hole on a
related issue, not fixed by thisw patch, has just been uncovered in the
underpinnings of IE ssl.
Thanks,
Ron DuFresne
On Fri, 26 May 2000, Airey, John wrote:
> There is a patch at
> http://www.microsoft.com/windows/ie/security/schannel.asp
>
> Which says "The version of Internet Explorer 5.01 that is released on the
> Web contains an incorrect internal key in the Schannel.dll file. This may
> cause programs and services on your computer that use Secure Socket Layer
> (SSL) or Security Support Provider Interface (SSPI) to no longer function.
> Installing this update will eliminate this problem by providing you with a
> corrected Schannel.dll file. If you have installed high (128-bit) encryption
> on your computer, you do not need to install this update".
>
> I've also noticed this problem with IE4.01, which I fixed for one user by
> upgrading to 128bit encryption.
>
> There is a fix available for "SGC cryptography" (q249863i.exe). This answers
> a question posted by James Lyon ([EMAIL PROTECTED]) entitled "IE4 okay
> with latest mod_ssl" which is very much related. Details are at
> http://support.microsoft.com/support/kb/articles/Q249/8/63.ASP?LN=EN-US&SD=g
> n&FR=0
>
> Bottom line - neither is a problem with Apache-mod_ssl but a problem with
> Microsoft's implementation of SSL!
>
> John
>
> -----Original Message-----
> From: Taglang, Guillaume [mailto:[EMAIL PROTECTED]]
> Sent: 25 May 2000 15:53
> To: '[EMAIL PROTECTED]'
> Subject: IE with 56 bits encryption
>
>
>
> Hi all,
>
> We received a SuperCert from thawte for 3 days we installed it on the
> server modify the server config file, and great all works fine ! 128 bits
> encryption for IE and Netscape. But, when we try to access to the site with
> an older browser (IE 5.0 with 56 bits encryption) an error occured. We make
> some test and this is the results (when we access the site with the IP
> adress, it says that the certificate do not match the name of the site) :
>
> |https:// |https://
> | 1.12.123.1/ | www.foo.com/
> --------------------------------------------------
> IE (128 bits | work | work
> encryption) | |
> --------------------------------------------------
> IE (56 and 40| | don't
> bits | work | work
> encryption) | |
> --------------------------------------------------
> Netscape (128| work | work
> encryption) | |
> --------------------------------------------------
> Netscape (56 | |
> and 40 bits | work | work
> encryption) | |
>
> This is an extract of my config file :
>
> [...]
>
> <IfDefine SSL>
> Listen 1.12.123.1:443
> NameVirtualHost 1.12.123.1:443
> </IfDefine>
>
> [...]
>
> <IfDefine SSL>
> <VirtualHost 1.12.123.1:443>
> ServerName www.foo.com
> ServerAdmin [EMAIL PROTECTED]
>
> DocumentRoot "/path/to/htdocs"
> ErrorLog /path/to/error_log
> TransferLog /path/to/access_log
>
> <Directory />
> Options Indexes FollowSymLinks
> AllowOverride None
> </Directory>
>
> SSLEngine on
> SSLCertificateFile /path/to/server.crt
> SSLCertificateKeyFile /path/to/server.key
>
> SSLLogLevel info
> SSLLog /path/to/ssl_engine_log
>
> </VirtualHost>
> </IfDefine>
>
> If you have any idea, suggestion, solution, let me know.
>
> Thanx
>
> Guillaume
>
> ---
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> ___[_]___
> (. .)
> ...oOOo..(_)..oOOo...
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
