>
> One thing I still don't understand is the following:
>
> If someone downgrades to Apache/1.3.9 (Unix) mod_ssl/2.4.9 OpenSSL/0.9.4
> it works fine with no workarounds required at all. One idea might be
> that the MD5 implementation in IE5 is faulty or they (server and client)
> simply negotiate the wrong MAC but how can a downgrade help under these
> circumstances? Openssl-MD5 certainly can't have the bug in it, because
> 0.9.5a and 0.9.4 both generate the same digest. Maybe somebody has an
> idea!

OpenSSL 0.9.4 works only because of the disabled experimental ciphers in
ssl/tls1.h (#define TLS1_ALLOW_EXPERIMENTAL_CYPHERSUITS 0). In 0.9.5 they
are enabled... That makes the difference. The same (disabling some ciphers)
can probably be done with apache.conf... And that is clearly an OpenSSL
issue, as I have verified it with s_server! And with s_server I see exactly
the same IE 5.01 behaviour as with mod_ssl.
Oleg
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]