
libapache-mod-ssl doesn't work with OR without SSLv3...



I'm trying to get libapache-mod-ssl working.

When I try to connect via https to the server, Netscape tells me that
there's some strange network error or that the server is misconfigured....
basically, that the response came back garbled. So, I found this on
DejaNews:

    6.1.3) I downloaded a version of Netscape's browser
    that is newer than version 4.05. Now, when I go to certain
    https web sites that used to work for me (like my bank) I
    get an error message telling me that "Netscape has received
    bad data from the server." I've been told the problem is with
    SSL v3 in my new browser, and that I should disable SSL v3
    in my browser. What's wrong with SSL v3 in these new
    browsers? Should I disable it?

    Newer versions of Netscape's browsers enforce the legal export
    control requirements of the SSL v3 specification and will not work
    with servers that violate the export control provisions of the SSL v3
    specification.

   blah, blah, blah....

 So, I told Netscape to not use SSLv3 and, pow, everything worked. Problem
is, I can't ask end users to all turn off SSLv3 in their browsers. So, I
tried to turn it off in Apache with the SSLCipherSuite directive:

   SSLCipherSuite ALL:!ADH:!SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Where I specifically turn OFF SSLv3. Then, when I try to connect with
Netscape, Netscape tells me that it and the server cannot arrive at a
protocol that is suitable to both of them. However, I know that OpenSSL has
SSLv2 ciphers because:

   openssl ciphers -v 'ALL:!ADH:!SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'

returns:

DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-64-MD5              SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5 export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export

So... what gives? What the hell am I doing wrong here?

- Joe
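
An added example, not part of the original post: a small parser for the `openssl ciphers -v` listing quoted above, useful for auditing what a cipher string actually leaves enabled (protocol tag, key size, export flag per suite). The function names `parse_ciphers` and `summarize` are this example's own; the sample is the listing from the post, with one `export` flag left wrapped onto its own line the way a mail client delivers it.

```python
import re

# Listing from the post; the last entry keeps the mail-wrapped "export" line.
SAMPLE = """\
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-64-MD5              SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5 export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5
export
"""

ENC_RE = re.compile(r"^([^()]+)\((\d+)\)$")  # e.g. "3DES(168)" -> ("3DES", "168")

def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into one dict per cipher suite."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if fields == ["export"] and suites:  # flag wrapped onto its own line
            suites[-1]["export"] = True
        if len(fields) < 2:                  # blank line or lone continuation
            continue
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        m = ENC_RE.match(attrs.get("Enc", ""))
        suites.append({
            "name": fields[0],
            "protocol": fields[1],
            "kx": attrs.get("Kx"),
            "enc": m.group(1) if m else attrs.get("Enc"),
            "bits": int(m.group(2)) if m else None,
            "mac": attrs.get("Mac"),
            "export": "export" in fields[2:],
        })
    return suites

def summarize(suites):
    """Protocol tags present, export-grade suites, and suites under 128 bits."""
    return {
        "protocols": sorted({s["protocol"] for s in suites}),
        "export": [s["name"] for s in suites if s["export"]],
        "under_128_bits": [s["name"] for s in suites
                           if s["bits"] is not None and s["bits"] < 128],
    }
```

Running `summarize(parse_ciphers(SAMPLE))` on this listing reports `SSLv2` as the only protocol tag left, two export-grade suites, and four suites below 128 bits.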


