Re: [Pi3web-users] openssl 0.9.7c path: IE5.0 fails to negotiate on https with pi3web on SSLv3
From: <zi...@t-...> - 2004-02-08 21:02:39
Meanwhile I found two more references about your problem:

1.) In the archive of the openssl-users list:

http://marc.theaimsgroup.com/?l=openssl-users&m=96286815525666&w=2
http://marc.theaimsgroup.com/?l=openssl-users&m=96288263812243&w=2

According to this mail thread it seems to be a problem with the export version of IE5 and SGC (Server Gated Cryptography, an extension to SSL allowing 128 bit in export versions, e.g. for financial transactions). According to this source of information you should try this cipher string:

    DEFAULT:!EXPORT56

2.) The following has been copied from http://www.modssl.org/docs/2.6/ssl_faq.html#io-ie:

The next problem is that 56bit export versions of MSIE 5.x browsers have a broken SSLv3 implementation which badly interacts with OpenSSL versions greater than 0.9.4. You can either accept this and force your clients to upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you can decide to workaround it by accepting the drawback that your workaround will horribly affect also other browsers:

    SSLProtocol all -SSLv3

This completely disables the SSLv3 protocol and lets those browsers work. But usually this is an even less acceptable workaround. A more reasonable workaround is to address the problem more closely and disable only the ciphers which cause trouble.

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

This also lets the broken MSIE versions work, but only removes the newer 56bit TLS ciphers. Another problem with MSIE 5.x clients is that they refuse to connect to URLs of the form https://12.34.56.78/ (IP-addresses are used instead of the hostname), if the server is using the Server Gated Cryptography (SGC) facility. This can only be avoided by using the fully qualified domain name (FQDN) of the website in hyperlinks instead, because MSIE 5.x has an error in the way it handles the SGC negotiation.

Please try out the following cipher string:

    ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Hope this helps
--
regards,
Holger

Dharmesh Shah wrote:
> Using the latest patch for openssl - 0.9.7c for Win32 - I.E. 5.0
> (default browser with Windows 2000) fails to negotiate the https
> connection with pi3web on SSLv3. pi3 reports unknown cipher error:
>
> SSL[SSL.c, 1635]: SSL: Unknown cipher, 'EXP1024-RC4-SHA'
>
> help!!
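
A simplified model of how the cipher-string operators in the string suggested above (`!` delete permanently, `-` remove, `+` move to the end, `A+B` logical AND) decide whether `EXP1024-RC4-SHA` is offered. This is an added example, not part of the original message and not Pi3Web or OpenSSL code; the cipher table and its tags are constructed for illustration, and `evaluate` and `matches` are hypothetical names.

```python
# Constructed sample table: cipher name -> simplified OpenSSL-style tags.
CIPHERS = {
    "DES-CBC3-SHA":        {"RSA", "3DES", "HIGH", "SSLv3"},
    "RC4-SHA":             {"RSA", "RC4", "MEDIUM", "SSLv3"},
    "RC4-MD5":             {"RSA", "RC4", "MEDIUM", "SSLv3"},
    "DES-CBC-SHA":         {"RSA", "DES", "LOW", "SSLv3"},
    "EXP1024-RC4-SHA":     {"RSA", "RC4", "EXP", "EXPORT56", "SSLv3"},
    "EXP1024-DES-CBC-SHA": {"RSA", "DES", "EXP", "EXPORT56", "SSLv3"},
    "EXP-RC4-MD5":         {"RSA", "RC4", "EXP", "EXPORT40", "SSLv3"},
    "ADH-RC4-MD5":         {"ADH", "RC4", "MEDIUM", "SSLv3"},
    "DES-CBC3-MD5":        {"RSA", "3DES", "HIGH", "SSLv2"},
}

# The cipher string from the message above.
PAGE_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"


def matches(tags, name, selector):
    """A selector 'A+B' matches ciphers carrying every listed tag."""
    return all(p == "ALL" or p == name or p in tags
               for p in selector.split("+"))


def evaluate(cipher_string, table=CIPHERS):
    """Return the ordered list of ciphers left enabled by cipher_string."""
    active, killed = [], set()
    for item in filter(None, cipher_string.split(":")):
        op = item[0] if item[0] in "!-+" else ""
        selector = item[len(op):]
        hit = [n for n, t in table.items() if matches(t, n, selector)]
        if op == "!":      # delete permanently; later items cannot re-add
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif op == "-":    # remove, but a later item may add it back
            active = [n for n in active if n not in hit]
        elif op == "+":    # move already-enabled matches to the end
            moved = [n for n in active if n in hit]
            active = [n for n in active if n not in hit] + moved
        else:              # enable matches that are not yet enabled
            active += [n for n in hit
                       if n not in active and n not in killed]
    return active


if __name__ == "__main__":
    for name in evaluate(PAGE_STRING):
        print(name)
```
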