Hi Damon,
Could you please put in the corrected part of your httpd.conf file - all
the directives that are relevant to SSL connections.
I am interested in looking at the corrected piece (and commented pieces as
well).
Rajaram.
Damon Maria <[EMAIL PROTECTED]>
05/22/01 08:42 PM
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: SSLCertificateChain file for Intermediate CA

I think I've solved my problem and would just like to post the answer
for someone else's reference.
The offending line is:
SSLProtocol -all +SSLv2
If I take that line out mod_ssl can load the certificate chain. I
presume there's a good reason for this (chains require SSLv3 at a
guess)?
SSLProtocol was originally added because we just couldn't get around
problems with MSIE 4.x connecting with SSL. Although it is a big hack,
the suggested SSL changes in the mod_ssl FAQ just didn't work for us.
I've since removed the SSLProtocol, added an SSL session cache and added
+eNULL to the end of the SSLCipherSuite. Now I'm just waiting to see if
MSIE 4.x users can still connect.
I've also recently seen talk of
SSLRequire %{SSL_CIPHER} >= 128
solving the MSIE SGC bug. Has someone confirmed this to be true?
Thanks for the help,
Damon.
> ---------- VirtualHost ------------
> ServerName www.motorweb.co.nz
>
> SSLEngine on
>
> # The following hopefully get around the MSIE 4.x and 5.0 SGC bug
> # SSLCipherSuite ALL:!ADH:!EXPORT56:!SSLv3+EXP:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> # The following definitely gets around the MSIE 4.x and 5.0 SGC bug but
> SSLProtocol -all +SSLv2
> SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
>
> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> # SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
>
> # SSLLog /var/log/httpd/ssl_engine_log
> # SSLLogLevel debug
>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> CustomLog /var/log/httpd/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
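
A small configuration check for the combination reported in this thread, added here as an example and not part of the original posts or of mod_ssl: it flags a configuration whose active SSLProtocol leaves only SSLv2 enabled while SSLCertificateChainFile is set. The function names, the sample text, and the evaluation rules (each SSLProtocol directive starts from an empty set; all protocols are on when the directive is absent) are assumptions.

```python
import re

KNOWN = {"sslv2", "sslv3", "tlsv1"}  # protocol names mod_ssl accepted at the time

# Constructed sample: directives from the quoted VirtualHost, chain file enabled.
SAMPLE = r'''
SSLProtocol -all +SSLv2
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate_ca.crt
# SSLLogLevel debug
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown
'''

def directives(text):
    """Yield (name, args) for active lines: join '\\' continuations, skip comments."""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name.lower(), args

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens left to right: +x adds, -x removes, bare x sets."""
    enabled = set()  # assumption: each directive is evaluated from an empty set
    for tok in args:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        chosen = set(KNOWN) if name == "all" else {name} & KNOWN
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled

def audit(text):
    """Report the SSLv2-only plus chain-file combination described in the thread."""
    protos, chain = set(KNOWN), None  # assumption: all protocols on by default
    for name, args in directives(text):
        if name == "sslprotocol":
            protos = enabled_protocols(args)  # a later directive overrides an earlier one
        elif name == "sslcertificatechainfile" and args:
            chain = args[0]
    findings = []
    if protos == {"sslv2"}:
        findings.append("SSLProtocol leaves only SSLv2 enabled")
        if chain:
            findings.append(f"chain file {chain} configured but only SSLv2 enabled")
    return findings
```

Calling `audit()` on the text of one VirtualHost block returns an empty list when neither condition applies; commented-out directives are ignored.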