Here is what works for me with one of Verisign's Global Certs:

<VirtualHost 192.168.30.202:443>
    DocumentRoot /usr/local/apache/html
    SSLEngine on
    SSLCertificateFile conf/server.crt
    SSLCACertificateFile conf/gsid.crt
    SSLCertificateKeyFile conf/server.key
    SSLVerifyClient none
    SSLVerifyDepth 10
    SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL: \
    !ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2: \
    +EXP:+eNULL
</VirtualHost>

The way to debug the problem is to watch the ssl_engine log. When an IE
browser connects you might see that it is negotiating an
EXP1024-DES-CBC-SHA which does not work. Next it will negotiate
EXP1024-RC4-SHA which also will not work. Basically just find out what
does not work with IE and put a '!' in front of it. Next test with
other browsers to make sure that the IE fix does not break other
browsers.

Nate Carlson wrote:
>
> On Thu, 7 Sep 2000, Justin Funke wrote:
> > I may be making a presumptuous assumption but I am assuming there is a way
> > to make all versions work. I can't ask my customers to change browsers
> > before buying my product. I wonder if there is a downgrade option. I
> > remember seeing that somewhere. Right now I am willing to try anything....
> >
> > Thanks for the help Carlos,
> >
> > Justin
>
> I just had a problem with this when we deployed mod_ssl for a large
> e-commerce site.. still working on a workaround. IE 4.72(?), IE5.00, AOL 4
> and AOL5 had problems, while all other browsers seemed to work.
>
> Sometimes the problem manifested itself as broken images (this was typical
> of the AOL browsers); other times the generic "Server cannot be found"
> message would pop up in IE.
>
> The solution I implemented temporarily was disabling SSLv2 altogether with
> the following flag:
>
> SSLProtocol all -SSLv3
>
> ..which has resolved the issue until I can find a fix. Using the
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
> flags resolved problems we were having with IE5.5, but not any of the
> other browsers.
>
> It seems the problem may have something to do with the type of
> SSLSessionCache that is running, but I haven't been able to confirm this
> for sure. (Enabling 'SSLSessionCache dbm:logs/ssl_scache' on my
> development server resolved the issue there, and I am waiting for a
> maintenance window on the primary site to give it a shot and see if it
> resolves the issue altogether.) Anyone have further insight into this?
>
> --
> Nate Carlson <[EMAIL PROTECTED]> | Phone : (952)943-8700
> http://www.real-time.com | Fax : (952)943-8500
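
An added example, not part of the original posts: the "find what does not work and put a '!' in front of it" procedure from the reply above, as a small Python helper. The log line shape, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed log line shape ("... Cipher: NAME ..."); adjust to your ssl_engine log.
CIPHER_RE = re.compile(r"Cipher:\s*([A-Za-z0-9-]+)")
# OpenSSL separates cipher-list tokens with ':', ',' or spaces; the backslash
# and newline are accepted too so a continued httpd.conf value can be pasted in.
SEPARATORS = re.compile(r"[:,\s\\]+")
WEAK_CLASSES = ("EXP", "eNULL", "SSLv2", "LOW")  # export, null, SSLv2, low-strength

SAMPLE_LOG = [  # constructed lines, not captured from a real server
    "[07/Sep/2000 10:02:11] [info] Connection: Client IP: 192.0.2.10, Protocol: TLSv1, Cipher: EXP1024-DES-CBC-SHA",
    "[07/Sep/2000 10:02:12] [info] Connection: Client IP: 192.0.2.10, Protocol: TLSv1, Cipher: EXP1024-RC4-SHA",
    "[07/Sep/2000 10:03:40] [info] Connection: Client IP: 192.0.2.22, Protocol: SSLv3, Cipher: RC4-MD5",
    "[07/Sep/2000 10:03:41] [info] Connection: Client IP: 192.0.2.22, Protocol: SSLv3, Cipher: RC4-MD5",
]

def negotiated_ciphers(log_lines):
    """Count how often each cipher name was negotiated according to the log."""
    found = (CIPHER_RE.search(line) for line in log_lines)
    return Counter(m.group(1) for m in found if m)

def parse_suite(suite):
    """Split a cipher string into (operator, name); operator is '', '!', '+' or '-'."""
    tokens = [t for t in SEPARATORS.split(suite) if t]
    return [(t[0], t[1:]) if t[0] in "!+-" else ("", t) for t in tokens]

def exclude(suite, failing):
    """Return suite with '!name' in front for every failing cipher not yet excluded.

    '!' deletes a cipher permanently, so later tokens such as ALL cannot re-add it.
    """
    parsed = parse_suite(suite)
    killed = {name for op, name in parsed if op == "!"}
    extra = [("!", c) for c in dict.fromkeys(failing) if c not in killed]
    return ":".join(op + name for op, name in extra + parsed)

def unexcluded_weak_classes(suite):
    """Weak classes the string never removes with '!' (they may still be offered)."""
    killed = {name for op, name in parse_suite(suite) if op == "!"}
    return [c for c in WEAK_CLASSES if c not in killed]

if __name__ == "__main__":
    posted = "ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
    print(negotiated_ciphers(SAMPLE_LOG).most_common())
    fixed = exclude(posted, ["EXP1024-RC4-SHA", "EXP1024-DES-CBC-SHA"])
    print("SSLCipherSuite", fixed)
    print("still not excluded:", unexcluded_weak_classes(fixed))
```

Run against the two ciphers named in the reply, `exclude` yields the same SSLCipherSuite value as the VirtualHost block above, and `unexcluded_weak_classes` lists the export, null, SSLv2 and low-strength classes that string still leaves without a `!`.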