Thread: [Pi3web-users] openssl 0.9.7c path: IE5.0 fails to negotiate on https with pi3web on SSLv3
From: Dharmesh S. <for...@ho...> - 2004-02-08 12:46:19

Using the latest patch for openssl - 0.9.7c for Win32 - I.E. 5.0 (default browser with Windows 2000) fails to negotiate the https connection with pi3web on SSLv3. pi3 reports unknown cipher error:

SSL[SSL.c, 1635]: SSL: Unknown cipher, 'EXP1024-RC4-SHA'

help!!

From: <zi...@t-...> - 2004-02-08 20:33:01

Hi,

'EXP1024-RC4-SHA' shows that the browser is an export version (limited 40/56bit encryption).

The problem itself or similar problems seem to be known already, as the following thread from an archive of the mod_ssl users forum shows:

http://www.mail-archive.com/mod...@mo.../msg09453.html

Unfortunately they do not clearly point to a solution, but you can try the following:

- check whether the (virtual?) hostname of the server is the same as the name in the CN field of the server certificate
- try to modify the openssl cipher string; after installation of Pi3Web it is 'DEFAULT'. Try, e.g.,
  ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  (read the openssl documentation for details)
- update the browser to a 128 bit version

--
regards,
Holger

Dharmesh Shah wrote:
> Using the latest patch for openssl - 0.9.7c for Win32 - I.E. 5.0
> (default browser with Windows 2000) fails to negotiate the https
> connection with pi3web on SSLv3. pi3 reports unknown cipher error:
>
> SSL[SSL.c, 1635]: SSL: Unknown cipher, 'EXP1024-RC4-SHA'
>
> help!!

From: <zi...@t-...> - 2004-02-08 21:02:39

Meanwhile I found two more references about your problem:

1.) In the archive of the openssl-users list:

http://marc.theaimsgroup.com/?l=openssl-users&m=96286815525666&w=2
http://marc.theaimsgroup.com/?l=openssl-users&m=96288263812243&w=2

According to this mail thread it seems to be a problem with the export version of IE5 and SGC (Server Gated Cryptography, an extension to SSL allowing 128 bit in export versions, e.g. for financial transactions). According to this source of information you should try this cipher string:

  DEFAULT:!EXPORT56

2.) The following has been copied from http://www.modssl.org/docs/2.6/ssl_faq.html#io-ie:

The next problem is that 56bit export versions of MSIE 5.x browsers have a broken SSLv3 implementation which badly interacts with OpenSSL versions greater than 0.9.4. You can either accept this and force your clients to upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you can decide to workaround it by accepting the drawback that your workaround will horribly affect also other browsers:

  SSLProtocol all -SSLv3

This completely disables the SSLv3 protocol and lets those browsers work. But usually this is an even less acceptable workaround. A more reasonable workaround is to address the problem more closely and disable only the ciphers which cause trouble.

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

This also lets the broken MSIE versions work, but only removes the newer 56bit TLS ciphers.

Another problem with MSIE 5.x clients is that they refuse to connect to URLs of the form https://12.34.56.78/ (IP-addresses are used instead of the hostname), if the server is using the Server Gated Cryptography (SGC) facility. This can only be avoided by using the fully qualified domain name (FQDN) of the website in hyperlinks instead, because MSIE 5.x has an error in the way it handles the SGC negotiation.

Please try out the following cipher string:

  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Hope this helps

--
regards,
Holger

Dharmesh Shah wrote:
> Using the latest patch for openssl - 0.9.7c for Win32 - I.E. 5.0
> (default browser with Windows 2000) fails to negotiate the https
> connection with pi3web on SSLv3. pi3 reports unknown cipher error:
>
> SSL[SSL.c, 1635]: SSL: Unknown cipher, 'EXP1024-RC4-SHA'
>
> help!!
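
Added example, not part of the thread and not Pi3Web or OpenSSL code: a simplified Python model of how the cipher string quoted from the mod_ssl FAQ is evaluated, showing that `!EXPORT56` takes 'EXP1024-RC4-SHA' out of the server's list so an export-grade client lands on a different cipher. Assumptions: the cipher table and the client offer are constructed subsets, selection follows client preference, and the MSIE SSLv3 bug itself is not modelled.

```python
# Simplified model of OpenSSL cipher-string rules (see ciphers(1)).
# The cipher table is a constructed subset, not OpenSSL's real list.
CIPHERS = {
    "DES-CBC3-SHA":        {"RSA", "3DES", "HIGH", "SSLv3"},
    "RC4-SHA":             {"RSA", "RC4", "MEDIUM", "SSLv3"},
    "RC4-MD5":             {"RSA", "RC4", "MEDIUM", "SSLv3"},
    "ADH-RC4-MD5":         {"ADH", "RC4", "MEDIUM", "SSLv3"},
    "DES-CBC-SHA":         {"RSA", "DES", "LOW", "SSLv3"},
    "EXP1024-RC4-SHA":     {"RSA", "RC4", "EXP", "EXPORT56", "SSLv3"},
    "EXP1024-DES-CBC-SHA": {"RSA", "DES", "EXP", "EXPORT56", "SSLv3"},
    "EXP-RC4-MD5":         {"RSA", "RC4", "EXP", "EXPORT40", "SSLv3"},
    "DES-CBC3-MD5":        {"RSA", "3DES", "HIGH", "SSLv2"},
}

def matches(selector):
    """Ciphers matching 'A+B' (logical AND of tags); 'ALL' matches everything."""
    wanted = set(selector.split("+"))
    return [name for name, tags in CIPHERS.items()
            if wanted <= tags | {name, "ALL"}]

def expand(cipher_string):
    """Return the ordered list of enabled ciphers for a cipher string."""
    enabled, killed = [], set()
    for rule in cipher_string.split(":"):
        op = rule[:1] if rule[:1] in "!-+" else ""
        hits = matches(rule[len(op):])
        if op == "!":            # permanent delete, cannot be re-added
            killed.update(hits)
            enabled = [c for c in enabled if c not in killed]
        elif op == "-":          # delete, may be re-added by a later rule
            enabled = [c for c in enabled if c not in hits]
        elif op == "+":          # move already-enabled matches to the end
            moved = [c for c in enabled if c in hits]
            enabled = [c for c in enabled if c not in hits] + moved
        else:                    # append new matches, keep existing order
            enabled += [c for c in hits if c not in enabled and c not in killed]
    return enabled

def negotiate(cipher_string, client_offer):
    """First client-offered cipher the server has enabled, else None."""
    enabled = expand(cipher_string)
    return next((c for c in client_offer if c in enabled), None)

# Constructed offer from an export-grade client, most preferred first.
EXPORT_CLIENT = ["EXP1024-RC4-SHA", "EXP1024-DES-CBC-SHA", "EXP-RC4-MD5"]
FAQ_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
```

In this model `negotiate("ALL:!ADH", EXPORT_CLIENT)` selects 'EXP1024-RC4-SHA', while `negotiate(FAQ_STRING, EXPORT_CLIENT)` selects 'EXP-RC4-MD5'; a later rule naming a `!`-removed cipher does not bring it back.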