RE: IE 56k errors

David Walgamotte Tue, 14 Nov 2000 07:45:53 -0800

I tried 0.9.6 and it didn't work either.


-----Original Message-----
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 14, 2000 9:42 AM
To: [EMAIL PROTECTED]
Subject: Re: IE 56k errors


"Dave Stafford" <[EMAIL PROTECTED]> writes:

> > IE. 56k browsers can not read our ssl (Global 128) websites (I wish we
> > could
> > get rid of these buggy IE browsers). Searching the web I found that
> > versions
> > of openssl 0.9.5a and higher have this problem. Has anyone ran into
> > this or
> > heard of an opeenssl fix for this ?
> 
> Although I am no great fan of Msoft, this is hardly a bug. 
> 
> Openssl cannot fix this (unless you issue certs using 56 bit keys). 
> Easiest is to download the 128bit upgrade for ie 4 & 5 from Microsoft.
I wouldn't be so sure. The issue is that there are two variants of
"Global 128". The Netscape version (Step-Up) is slower but is
SSL-compliant.  The Microsoft version (SGC) is faster and cleverer but
actually violates the SSL spec. Different certificate extensions are
used to mark which variant your server supports. For obvious reasons,
there are only two classes of such certificates Step-Up only and
Step-Up + SGC.

Anyway, you've probably got a Step-Up + SGC certificate, in which case
IE will attempt SGC. Since this is a violation of the SSL spec,
OpenSSL naturally rejects this and had to be taught to understand
it. From the changelog, it looks to me like change was made in OpenSSL
0.9.6, so if you install 0.9.6 you should be OK. You could also maybe
get a Step-Up only certificate in which case IE will do Step-Up. This
seems like more work and lamer anyway :)

There's more on this in Chapter 4 of my book.

-Ekr

[Eric Rescorla                                   [EMAIL PROTECTED]]
                http://www.rtfm.com/




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
RE: IE 56k errors

Reply via email to
