All I said was that it seems that Verisign Step-Up certs require the
following line in the Apache config file to work properly:

SSLRequire %{SSL_CIPHER} >= 128

I deduced this from various reports which I have seen from users on the
mod_ssl list like Ray Erdmann.  It seems that if you are using a Verisign
Step-Up cert and do not include the line above, you will get IO Errors when
connecting with MSIE.

However, I don't have a Verisign Step-Up cert to verify this myself,
so if you know this to be false, maybe you can post a known working
configuration or what you recommend to your customers.

-Dave

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ray Erdmann
> Sent: Monday, February 12, 2001 10:59 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: RE: RE: RE: SSL-induced loading errors
>
> But could you elaborate as to why you state "Verisign Requires?"....We're
> not requiring anything on the server side 'except' the certificate request
> file?
>
>
> -----Original Message-----
> From: David Rees [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 09, 2001 4:00 PM
> To: [EMAIL PROTECTED]
> Cc: Ralf S. Engelschall
> Subject: RE: RE: RE: RE: SSL-induced loading errors
>
>
> > >Curious, according to the docs, it shouldn't allow those browsers to
> > >connect.  Are you using one of the step-up certificates from Verisign?
> >
> > So I'm told by the guy who acquired our certificates from Verisign. How do
> > I tell?
>
> I'm not sure, does anyone else know?
>
> > >Do you also have the following lines installed?
> > >
> > >SSLCipherSuite
> > >ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > >
> > >SetEnvIf User-Agent ".*MSIE.*" \
> > >   nokeepalive ssl-unclean-shutdown \
> > >   downgrade-1.0 force-response-1.0
> > >
> > >If you do, could you try it without "SSLRequire %{SSL_CIPHER} >= 128", I'm
> > >not convinced that the SSLRequire makes a difference.
> >
> > I do have those lines installed, and it was giving me all the decryption
> > errors, which only went away once I added the SSLRequire.
>
> OK, Looks like another item for the FAQ.  Ralf, can you add something for
> Decryption errors when using Verisign Step Up certs?  It looks like when
> using Verisign step-up certs, they require the line:
> "SSLRequire %{SSL_CIPHER} >= 128" to work properly on all browsers.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
