David P. Mott wrote:
> Here are some shots in the dark for you:
> When I tried to tighten down the ciphers and SSL protocols on my server,
> some (but not all) users on both IE6 and IE7 started to get that "page
> not found" error (although my log error was something like "re-negotiate
> failed"). I found that IE7 will fail to renegotiate with an SSLv3-only
> server if IE7 is configured to use both TLSv1 and SSLv3 (I guess it
> tries really hard to use TLSv1). I plan to support SSLv3 and TLSv1 to
> address this problem.
> Specifically:
> Didn't work:
> SSLProtocol -all +SSLv3
> or
> SSLProtocol SSLv3
> Did work:
> SSLProtocol all -SSLv2
> or
> SSLProtocol -all +SSLv3 +TLSv1
> (I prefer the last incantation, which protects against the unexpected
> change in definition of 'all' after an Apache upgrade)
> I also had this, to tighten up the ciphers:
> Also, if your stock config files don't already do it, you may want to
> implement the "fixes" for broken versions of IE (prior to IE6, I believe):
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> although the first line is different for newer versions of Apache:
> BrowserMatch ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0

Thank you. I'll give this a shot. By newer versions of Apache, do you
mean in the 1.3.x build?

John C. Nichel IV
System Administrator
716.362.9212 x16
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
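
The SSLProtocol variants quoted in the message above, run through an added example that is not part of the original thread or of mod_ssl: a small Python model of left-to-right `+`/`-` token handling that reports which lines change meaning when `all` is redefined and which enable SSLv3 only. The two definitions of `all`, the sample config and the function names are assumptions made for illustration.

```python
import re

# Two definitions of 'all'; both sets are assumptions for illustration.
ALL_NOW = frozenset({"SSLv2", "SSLv3", "TLSv1"})
ALL_AFTER_UPGRADE = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
KNOWN = {p.lower(): p for p in ALL_NOW | ALL_AFTER_UPGRADE}

# Constructed sample: the four SSLProtocol variants quoted in the message.
SAMPLE = """\
SSLProtocol -all +SSLv3
SSLProtocol SSLv3
SSLProtocol all -SSLv2
SSLProtocol -all +SSLv3 +TLSv1
"""

def effective_protocols(args, all_set):
    """Resolve SSLProtocol arguments to the set of enabled protocols.
    Assumed model: tokens apply left to right, names are case-insensitive."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        # An unknown protocol name raises KeyError instead of being ignored.
        chosen = set(all_set) if name == "all" else {KNOWN[name]}
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen  # a bare token replaces what came before
    return enabled

def audit(config_text):
    """Return (line_no, protocols_now, notes) for each SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue
        now = effective_protocols(m.group(1), ALL_NOW)
        later = effective_protocols(m.group(1), ALL_AFTER_UPGRADE)
        notes = []
        if now != later:
            notes.append("result depends on the definition of 'all'")
        if now == {"SSLv3"}:
            notes.append("SSLv3 only: reported above to break IE7 renegotiation")
        findings.append((no, sorted(now), notes))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Only the `all -SSLv2` line is flagged as depending on the definition of `all`; the explicit `-all +SSLv3 +TLSv1` form resolves to the same two protocols under both definitions.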