Mr. Rees,
This URL only outlines current issues that have been documented by that
particular 'server vendor'.
(Therefore, since we have only had a few calls, I believe less then 6 is
about accurate, then it will not be posted until more calls have been logged
and it becomes apparent that we need to look into this matter more
thoroughly)
I believe our stand is this: ( I could be wrong about this so I wouldn't
quote me..:) )
If the 'vendor' can confirm this to be an issue and/or bug, then we will
attempt to post this information on our knowledgebase and make it public.
(Upon our own testing and findings)
If it needs to be posted as a "FYI" for Apache users, then we would need to
know if it will resolve every issue and this might be difficult to ascertain
at this time.
As for testing the function of Apache stepping up international browsers,
I'll see what our web master would like to do before we move forward.
Of course, any and all outside comments and/or fixes would be extremely
helpful.
Sincerely,
Ray Erdmann
Technical Support
Verisign, Inc.
-----Original Message-----
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 12, 2001 3:10 PM
To: [EMAIL PROTECTED]
Subject: RE: RE: RE: RE: SSL-induced loading errors
> While posting information about known issues is currently done on our web
> site,
> http://www.verisign.com/support/vendors/issues.html
>
> the issues posted are ones that have been documented by the vendor in
> question.
There is no reference to mod_ssl on this page.
> If you can find someway of having APACHE users list what works and want
> doesn't work with our Global Certificates, then I'm willing to take this
> issue up with our web master and have the information posted for
> all to see.
> I'm guessing here that it doesn't matter if the end-users is
> using a Thawte
> "Super Cert" or a Verisign "Global Certificate"...the issue still
> lies with
> the initial SSL handshake not being completed by the browser for
> one reason
> or another. (Browser being of the 'exported' version 40/56 bit variety)
I have no way to verify this myself. Does anyone else on the list?
> Also, regarding MOD_SSL, Mr. Engelschall has stated that MOD does support
> the SGC/Step Up function.
> (He states: "...Yes, mod_ssl since version 2.1 supports the SGC facility.
> You don't have to configure anything special for this, just use a
> Global ID
> as your server certificate. The step up of the clients are then
> automatically handled by mod_ssl under run-time. For details
> please read the
> README.GlobalID document in the mod_ssl distribution...")
> http://www.modssl.org/docs/2.6/ssl_faq.html#ToC38
>
> But apparently you do have to configure something special...the
> information
> below, in order for export clients to step up to the stronger ciphers.
No, in MOST cases, you do NOT have to configure something special, it just
works. For what I know, all Netscape browsers do work as expected.
However, in some cases with some broken MSIE browsers, it seems that at
least on user on the mod_ssl list needed the extra line I posted earlier for
these browsers to work. It is not the first time we've had to include
various hacks to the configuration to work with broken MSIE browsers. (For
example removing all 56-bit ciphers from the list of valid ciphers)
> Therefore, in your opinion, what would seem like the most appropriate step
> to take? Have the Apache websites post the correct information or have
> Verisign take that responsibility.
www.modssl.org isn't Apache's website, it is the mod_ssl web site. If the
line I posted earlier is verified to be needed to work around these broken
MSIE broswers, I would like to see it on the mod_ssl web site under the FAQ,
but so far we have only one case to go by. It seems to me that if you
(Verisign) would like to post something on your website, you should attempt
to reproduce the problem/solution on your own hardware first.
-Dave
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
