David P. Mott wrote:
>
> Here are some shots in the dark for you:
>
> When I tried to tighten down the ciphers and SSL protocols on my server,
> some (but not all) users on both IE6 and IE7 started to get that "page
> not found" error (although my log error was something like "re-negotiate
> failed"). I found that IE7 will fail to renegotiate with an SSLv3-only
> server if IE7 is configured to use both TLSv1 and SSLv3 (I guess it
> tries really hard to use TLSv1). I plan to support SSLv3 and TLSv1 to
> address this problem.
>
> Specifically:
> Didn't work:
> SSLProtocol -all +SSLv3
> or
> SSLProtocol SSLv3
> Did work:
> SSLProtocol all -SSLv2
> or
> SSLProtocol -all +SSLv3 +TLSv1
>
> (I prefer the last incantation, which protects against the unexpected
> change in definition of 'all' after an Apache upgrade)
>
> I also had this, to tighten up the ciphers:
> SSLCipherSuite HIGH:MEDIUM
>
>
> Also, if your stock config files don't already do it, you may want to
> implement the "fixes" for broken versions of IE (prior to IE6, I believe):
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
> although the first line is different for newer versions of Apache:
> BrowserMatch ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>


Thank you. I'll give this a shot. By newer versions of Apache, do you
mean in the 1.3.x build?

--
John C. Nichel IV
System Administrator
KegWorks
http://www.kegworks.com
716.362.9212 x16
john@kegworks.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
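
Added example, not part of the original message or of mod_ssl: a small Python model of how the four SSLProtocol lines quoted above resolve, showing why the explicit "-all +SSLv3 +TLSv1" form does not change if the meaning of 'all' changes after an upgrade. The left-to-right handling of "+", "-" and bare tokens is modelled on mod_ssl's behaviour; the two definitions of 'all' (ALL_OLD, ALL_NEWER) and the function names are assumptions made for the illustration.

```python
# Added example: models how an SSLProtocol line folds into a set of protocols.
# ALL_OLD / ALL_NEWER are assumed definitions of 'all' for two Apache builds.
ALL_OLD = frozenset({"SSLv2", "SSLv3", "TLSv1"})
ALL_NEWER = ALL_OLD | {"TLSv1.1", "TLSv1.2"}  # assumption: a later build widens 'all'

def resolve(directive, all_set):
    """Return the set of protocols enabled by one SSLProtocol line."""
    parts = directive.split()
    if not parts or parts[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    known = {p.lower(): p for p in ALL_NEWER}
    enabled = set()
    for tok in parts[1:]:
        action = tok[0] if tok[0] in "+-" else ""
        name = (tok[1:] if action else tok).lower()
        if name == "all":
            chosen = set(all_set)
        elif name in known:
            chosen = {known[name]}
        else:
            raise ValueError("unknown protocol %r" % tok)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen  # a bare token replaces whatever was set so far
    return enabled

def audit(directive):
    """Compare the result under both assumed meanings of 'all'."""
    old, new = resolve(directive, ALL_OLD), resolve(directive, ALL_NEWER)
    return {
        "enabled": sorted(old),
        "drifts_on_upgrade": old != new,   # result depends on what 'all' means
        "sslv3_only": old == {"SSLv3"},    # the case reported as failing with IE7
        "sslv2_enabled": "SSLv2" in old,
    }

# The four directives quoted in the message above.
DIRECTIVES = [
    "SSLProtocol -all +SSLv3",
    "SSLProtocol SSLv3",
    "SSLProtocol all -SSLv2",
    "SSLProtocol -all +SSLv3 +TLSv1",
]

if __name__ == "__main__":
    for d in DIRECTIVES:
        print(d, "->", audit(d))
```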