On Tue, Jul 04, 2000 at 09:12:51AM +0200, Ralf S. Engelschall wrote:
> On Mon, Jul 03, 2000, David Rees wrote:
> > I found a good workaround to this problem. Instead of changing SSLProtocol
> > to "all -SSLv2", you can make your SSLCipherSuite line read:
> >
> > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> >
> > Which is the default with the addition of !EXPORT56. I tested on all the
> > various browsers we had around here, and it seems to work for all browsers.
> >
> > Ralf, maybe we can get this in the FAQ or somewhere else easy to find until
> > the proper software fix is released? This is quite a showstopper for a
> > large number of people.
>
> Hmmm.... the "SSLProtocol all -SSLv2" is certainly not optimal, yes. But OTOH
> your !EXPORT56 completely _removes_ a few of the newer ciphers. Actually:
>
> EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export
> EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
> EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export
> EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
> EXP1024-RC2-CBC-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export
> EXP1024-RC4-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export
>
> Hmmm... this again might be not optimal, too. Although I still do
> not know whether browsers already support those ciphers at all and
> correctly. So, what do others think on this? I at least will add -SSLv2
> and !EXPORT56 to a new FAQ entry about MSIE....
At least Netscape in its later (international) incarnations supports
EXP1024-RC4-MD5.
In a certain sense I think this discusssion did not lead to the desired
result. The client (IE 5.01) sends a list of supported ciphers to the
server, which (in the case of OpenSSL) selects the first one it supports
itself. If the list of ciphers in the server is changed it works, so that
probably one of the ciphers listed above is the culprit. We should find
out what is wrong in a more detailed way.
It would be most helpful, if one of the IE5.01 users (don't ask me, I have
banned IE for security reasons and my HP-UX box actuall is not a friend
of M$ anyway...) would use an openssl s_server with the same certificate
settings as with mod_ssl and then send the s_server output to see what is
going on.
(I use apache/mod_ssl to run the address list of our sports group. I don't
know in detail who is using which browser, but I did not hear of any
connection problems lately. And I run the EXP1024 cyphers since long before
0.9.5 was released...)
>From my logfiles it seems, that IE5.01 _might_ use EXP1024-RC4-SHA instead
of Netscape's EXP1024-RC4-MD5, but this is just a single entry (please excuse
the long line, but I never linebreak logfiles :-):
40ecc40e.ipt.aol.com - klspiel [09/Apr/2000:15:46:47 +0200] "GET
/freizeit/kleine_spiele/adress_liste/gemischt.php3 HTTP/1.1" 200 14856 ||
https://www.aet.tu-cottbus.de/freizeit/kleine_spiele/adress_liste/ ->
/freizeit/kleine_spiele/adress_liste/gemischt.php3 || Mozilla/4.0 (compatible; MSIE
5.01; Windows 98; A037) || SSL: SSLv3 EXP1024-RC4-SHA -
I must however admit, that I had severe problems with Postfix/TLS, when both
a DSA _and_ a RSA certificate were present (no problem for OpenSSL clients
and Netscape), but IE just didn't work.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
