see my post "international IE5: info for FAQ?", 30 June + florin's posts
in short:
1) ignore the MS error, that's just their stupid generic oops page
2) you *CAN* blame MS in part: there are tons of errors in their
implementation of SSL.
3) i've been researching this for days and still haven't found a solution
40-bit browsers should be able to negotiate 40-bit sessions even though you
have a 128-bit cert.
the really bad browser is MSIE5.01 40 or 56-bit editions. the absolutely
amazing thing is that MS have acknowledged one bug, & released a patch, but
have not merged it into the latest distribution.
i'm surprised you can't get it to work with the 128-bit upgrade. does your
cert come in two bits? have you installed the chain file?
there are ways round this problem. i know this because, for example,
https://ssl128.co.uk uses the exact same cert type as me (verisign 128-bit
'global id') with more or less the same server (stronghold which AFAIK is
apache + mod_ssl) and it works with them. i hope i don't have to use
apache_ssl instead as florin suggests. florin - does this solve all the
problems with IE?
the "good" news is that these problems don't occur with 40-bit certs. while
i try to sort this out, i'm settling for weak encryption.
i'm a bit confused about who else is having the same problems - could anyone
with my symptoms or similar please say aye, and then we could continue all
this in the same thread :
- apache 1.3.12 + mod_ssl + mod_ssl-2.6.4, openssl-0.9.5a
- IE5.01 clients don't connect
- NS4.04 doesn't either, sometimes
- already tried SetEnvIf... fix, SSLProtocol All -SSLv3, forcing lower grade
ciphers
forcing SSLv2 seems to break other browsers !@":##!
i have a sneaky suspicion that all this is something to do with the cert
chaining.
grrr,
seb ;)
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Evan Cooch
> Sent: 03 July 2000 14:02
> To: [EMAIL PROTECTED]
> Subject: mod_ssl | Netscape 4.7 works, but not IE 5.xx!?
>
>
> I created a secure site using mod_ssl, and while I can connect no
> problem using Netscape 4.7x using 128-bit encryption, IE 5.xx
> absolutely refuses to show the secure page - at first I thought it was
> because I was using the original IE with 40-bit encryption, but even
> after upgrading to the 128-bit flavour, IE still refuses to show the
> page.
>
> I've turned on (and off) all of the basic IE security options, but it
> seems to make no difference.
>
> For grins, when I get the ubiquitous page unavailable screen IE brings
> up when it has 'problems', I tried checking the network settings using
> the 'Detect Network Settings' link. At the bottom of the page, it
> tells me
>
> Cannot find server or DNS error.
>
> Well, DNS error seems extremely unlikely (since everything works
> perfectly in unsecure mode), but the 'can't find the server' bit is
> more intriguing - I'm pointing to the secure site (on port 443) using the
> following Apache virtualhost directive:
>
> <VirtualHost canuck.dnr.cornell.edu:443>
> DocumentRoot /directory/with/pages/I/want/secure
> ServerName name.of.server.edu
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /usr/local/apache/logs/error_log
> TransferLog /usr/local/apache/logs/access_log
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
> SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
>
> # Server Private Key:
> SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
>
> # Server Certificate Chain:
> #SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
>
> # Certificate Authority (CA):
> #SSLCACertificatePath /usr/local/pkg/apache/conf/ssl.crt
> #SSLCACertificateFile /usr/local/pkg/apache/conf/ssl.crt/ca-bundle.crt
>
> # Certificate Revocation Lists (CRL):
> #SSLCARevocationPath /usr/local/pkg/apache/conf/ssl.crl
> #SSLCARevocationFile /usr/local/pkg/apache/conf/ssl.crl/ca-bundle.crl
>
> # Client Authentication (Type):
> #SSLVerifyClient require
> #SSLVerifyDepth 10
>
>
> # Per-Server Logging:
> # The home of a custom SSL log file. Use this when you want a
> # compact non-error SSL logfile on a virtual host basis.
> CustomLog /usr/local/apache/logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
>
>
> Any suggestions? While I'd like to blame everything on yet another
> insidious plot by Micro$oft, I'm guessing the problem lies more in
> something I haven't set up properly. ;-)
>
>
> Thanks in advance!
>
> Evan Cooch
> Cornell University
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>