We've been testing mod_ssl to verify client certificates.

Some users were having difficulty getting into the site
with their Netscape browsers.  The reason for this appears
to be the "SSLRequire" expression which includes (in part)

 SSLRequire  %{SSL_CIPHER} !~ m/^(EXP|NULL)-/

I had actually copied this blindly from the mod_ssl examples
(and am now paying the appropriate price for copying blindly :-))

The users who were having access problems have these values:

 SSL_CIPHER = EXP-RC4-MD5

Whereas, most of the (IE) users had these values

 SSL_CIPHER = EXP1024-RC4-SHA

The SSLRequire regex blocks the first cipher, but allows the
second one to go through.

Can anyone expound a bit on the logic of this expression?
Is it a coarse filter to keep out certificates with "export quality"
encryption or none at all?
Is "EXP1024" an export quality encryption?

Any rules of thumb, general impressions, or references in
this area would be appreciated.

Thanks!

Dave Benjamin
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
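
The name-prefix behaviour described in the message, as an added example that is not part of the original post or the mod_ssl project's code. The tightened pattern, the sample sessions and the strength check built on mod_ssl's SSL_CIPHER_EXPORT and SSL_CIPHER_USEKEYSIZE variables are assumptions introduced here for comparison.

```python
import re

# Pattern from the SSLRequire line in the post: literal "EXP-" or "NULL-" prefix.
ORIGINAL = re.compile(r"^(EXP|NULL)-")
# Assumed tightening (not from the post): also match a suffix such as "EXP1024".
TIGHTENED = re.compile(r"^(EXP[0-9]*|NULL)-")

# Constructed sample sessions:
# (SSL_CIPHER, SSL_CIPHER_EXPORT, SSL_CIPHER_USEKEYSIZE in bits)
SESSIONS = [
    ("EXP-RC4-MD5", True, 40),       # 40-bit export cipher
    ("EXP1024-RC4-SHA", True, 56),   # 56-bit "export 1024" cipher
    ("NULL-MD5", False, 0),          # no encryption at all
    ("RC4-MD5", False, 128),
    ("DES-CBC3-SHA", False, 168),
]


def allowed_by_name(pattern, cipher):
    """Mimic `SSLRequire %{SSL_CIPHER} !~ m/.../`: allow when the name does not match."""
    return pattern.search(cipher) is None


def allowed_by_strength(export, bits, min_bits=128):
    """Decide on cipher properties instead of on how the cipher is named."""
    return (not export) and bits >= min_bits


def compare():
    """Return {cipher: (original regex, tightened regex, strength check)}."""
    return {
        cipher: (
            allowed_by_name(ORIGINAL, cipher),
            allowed_by_name(TIGHTENED, cipher),
            allowed_by_strength(export, bits),
        )
        for cipher, export, bits in SESSIONS
    }


if __name__ == "__main__":
    print(f"{'cipher':<18}{'original':<10}{'tightened':<11}strength")
    for name, (orig, tight, strong) in compare().items():
        print(f"{name:<18}{str(orig):<10}{str(tight):<11}{strong}")
```

The original pattern requires a hyphen directly after "EXP", so "EXP1024-RC4-SHA" is not matched and is allowed through. In mod_ssl terms the strength column corresponds to a requirement such as `%{SSL_CIPHER_USEKEYSIZE} >= 128`.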
