libapache-mod-ssl doesn't work with OR without SSLv3...
I'm trying to get libapache-mod-ssl working.
When I try to connect via https to the server, Netscape tells me that
there's some strange network error or that the server is misconfigured....
basically, that the response came back garbled. So, I found this on
DejaNews:
6.1.3) I downloaded a version of Netscape's browser
that is newer than version 4.05. Now, when I go to certain
https web sites that used to work for me (like my bank) I
get an error message telling me that "Netscape has received
bad data from the server." I've been told the problem is with
SSL v3 in my new browser, and that I should disable SSL v3
in my browser. What's wrong with SSL v3 in these new
browsers? Should I disable it?
Newer versions of Netscape's browsers enforce the legal export
control requirements of the SSL v3 specification and will not work
with servers that violate the export control provisions of the SSL v3
specification.
blah, blah, blah....
So, I told Netscape to not use SSLv3 and, pow, everything worked. Problem
is, I can't ask end users to all turn off SSLv3 in their browsers. So, I
tried to turn it off in Apache with the SSLCipherSuite directive:
SSLCipherSuite ALL:!ADH:!SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
Where I specifically turn OFF SSLv3. Then, when I try to connect with
Netscape, Netscape tells me that it and the server cannot arrive at a
protocol that is suitable to both of them. However, I know that OpenSSL has
SSLv2 ciphers because:
openssl ciphers -v 'ALL:!ADH:!SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
returns:
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-64-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
So... what gives? What the hell am I doing wrong here?
- Joe
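An added example, not part of the original post: a small audit script that parses `openssl ciphers -v` output in the format shown in the message and reports which protocol versions a cipher string leaves enabled and which entries are export-grade or below a key-size floor. The sample is constructed from the post's output; the function names and the 128-bit floor are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the output from the post, one "export" flag mail-wrapped.
SAMPLE = """\
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-64-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""

# name, protocol, key exchange, authentication, cipher(bits), MAC, optional flag
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^(\s]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<rest>.*)$")

def parse_ciphers(text):
    """Parse the listing; a bare 'export' line belongs to the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "export" and entries:
            entries[-1]["export"] = True
        elif line:
            m = LINE.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {line!r}")
            e = m.groupdict()
            e["bits"] = int(e["bits"])
            e["export"] = e.pop("rest").strip() == "export"
            entries.append(e)
    return entries

def summarize(entries, min_bits=128):
    """Return ({protocol: [cipher names]}, [export or sub-min_bits cipher names])."""
    by_proto = defaultdict(list)
    for e in entries:
        by_proto[e["proto"]].append(e["name"])
    weak = [e["name"] for e in entries if e["export"] or e["bits"] < min_bits]
    return dict(by_proto), weak

if __name__ == "__main__":
    protos, weak = summarize(parse_ciphers(SAMPLE))
    print("protocols offered:", sorted(protos))
    print("export or under 128 bits:", weak)
```

Piping the output of `openssl ciphers -v '<string>'` into `parse_ciphers` before deploying an `SSLCipherSuite` value shows at a glance whether the string still leaves any suite for the protocol versions the clients are expected to negotiate.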