Hi,

we had to reduce the ciphers on our servers to the really limited set of
KRB5-RC4-MD5
KRB5-RC4-SHA
ADH-RC4-MD5
RC4-SHA
to work around this really annoying Windows update.

Gerfried

On Fri, Feb 24, 2012, Tammany, Curtis wrote:

> Hello-
> 
> We have an Apache 2.2.22/ OpenSSL 1.0.0g/ PHP 5.3.10 CAC-enabled website on a 
> government location. We have a few users with Windows 7/IE8 who used to be 
> able to access the site but were unable to after a Microsoft patch (KB2585542 
> http://support.microsoft.com/kb/2643584 ) was pushed.
> 
> The server has the following configuration:
> SSLProtocol -all +SSLv3 +TLSv1
> SSLCipherSuite HIGH:MEDIUM
> SSLHonorCipherOrder on
> 
> My understanding is that the server should listen for either SSLv3 or TLSv1 
> protocols.
> 
> I've been working with a Windows7/ IE8 box to troubleshoot the situation. It 
> seems I can access the Apache site if SSL 3.0 only is enabled in the browser. 
> If TLS 1.0 is enabled, the browser will prompt for a client certificate but 
> will error out "Internet explorer cannot display the webpage" before 
> prompting the user for their PIN. TLS 1.0 needs to be enabled in the browser 
> as other (IIS) sites are TLS only.
> 
> Can you offer any insight as to why our Apache site is accessible with only 
> SSL 3.0 enabled in the browser????
> 
> If you need more information on the issue, please let me know.
> 
> 

Check to see if there is a corresponding error message in the server log.

If possible try to reproduce with the s_server utility.

I've an idea what this might be. Try disabling RSA key exchange ciphersuites on 
the server too (adding :!kRSA to SSLCipherSuite) and see if that resolves the 
problem.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
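
An added example, not part of the original messages: before changing SSLCipherSuite as suggested above, it helps to see which suites the string expands to and which ones `:!kRSA` drops. Python's ssl module passes the string to OpenSSL's own cipher-list parser, so the syntax matches SSLCipherSuite; the function names are illustrative, and the result reflects the OpenSSL build Python is linked against, which is assumed here to stand in for the server's.

```python
import ssl
from collections import defaultdict


def expand(cipher_string):
    """Suites OpenSSL selects for cipher_string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string selects no suite at all.
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def by_key_exchange(cipher_string):
    """Group suite names by key-exchange label ('kx-rsa', 'kx-ecdhe', ...)."""
    groups = defaultdict(list)
    for suite in expand(cipher_string):
        groups[suite["kea"]].append(suite["name"])
    return dict(groups)


def removed_by(base, restricted):
    """(name, key exchange) of suites in base that restricted no longer offers."""
    kept = {s["name"] for s in expand(restricted)}
    return [(s["name"], s["kea"]) for s in expand(base) if s["name"] not in kept]


if __name__ == "__main__":
    base = "HIGH:MEDIUM"            # cipher string from the thread
    restricted = base + ":!kRSA"    # with the suggested exclusion appended
    print("Linked against:", ssl.OPENSSL_VERSION)
    for kea, names in sorted(by_key_exchange(restricted).items()):
        print(f"{kea:12} {len(names):3} suites remain")
    for name, kea in removed_by(base, restricted):
        print("dropped:", name, f"({kea})")
```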