56-bit/128-bit IE problems


on 21.06.2002 16:31:41 by Louis Sabet

Hi all,

Encryption isn't a strong point for me unfortunately...

We have a website at http://www.mobiles.co.uk, which as part of the
ordering process connects to our Apache 1.3.22/mod_ssl RedHat machine,
and speaks SSL (the point at which it changes to
https://secure.mobiles.co.uk ).

We have had a few complaints from customers that they have been unable
to connect to the secure parts of our sites. Having ruled out
connectivity issues, and done some VMWare testing at home, I concluded
that the affected versions were (I think) all versions of IE with cypher
strengths of 56-bits. As soon as I patched the virtual machines with the
high-encryption pack, they sprung into life.

So my question really is this: Do I need to look for a problem in the
httpd.conf of our server, do I look for a problem with the
certificate/intermediate certificate, or do I just give up, and just
live with the fact that half our customers can't connect to our site?

I had originally assumed this was to do with a bug in early
implementations of IE5, but since then we have had reports of the same
behaviour in IE6 (which initially comes in 56-bit flavour under win2k
unless patched).

I have had no help from verisign, other than the usual confused
gibberings I have come to expect from them, so I hoped someone out there
might have a clue I can carry on with?

Thanks,

L

--
Louis Sabet
http://www.webtedium.com/


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: 56-bit/128-bit IE problems

on 21.06.2002 17:20:01 by mike.innes

Hi Louis,
It may be the troublesome 56bit cypher itself, try adding !EXPORT56
to your SSLCipherSuite, have a look at the faq
http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie
Although that does not explain the IE6 problem, unless that's a red
herring.
Mikey






Re: 56-bit/128-bit IE problems

on 21.06.2002 17:39:04 by David Wall

> I had originally assumed this was to do with a bug in early
> implementations of IE5, but since then we have had reports of the same
> behaviour in IE6 (which initially comes in 56-bit flavour under win2k
> unless patched).

You should read the mod ssl documentation as it describes things like the
'CipherSuite' configuration parameter to use in your Apache httpd.conf file
as it defines what ciphers the client is permitted to negotiate when connecting
to your site. Specifically, there's two I see a lot !EXP56:!EXPORT56 that
perhaps would be turning off such support.

You could also consider getting a Thawte "super cert" which has a capability
to allow the 56-bit export version of IE to not be so stupid and connect at
the higher 128-bit when accessing your site.

Good luck...

David


Re: 56-bit/128-bit IE problems

on 21.06.2002 18:41:22 by Thomas Binder

Hi!

On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
> You could also consider getting a Thawte "super cert" which has
> a capability to allow the 56-bit export version of IE to not be
> so stupid and connect at the higher 128-bit when accessing your
> site.

Just for the record, Thawte's "Super Certs" are what VeriSign
calls "Secure Site Server Pro (Global) ID". But they are quite a
lot cheaper.


Ciao

Thomas

Re: 56-bit/128-bit IE problems

on 21.06.2002 21:29:53 by dufresne

Are there still export restrictions on the 128bit browsers? I was under
the impression those export restrictions had been lifted a few years back.

Thanks,

Ron DuFresne

On Fri, 21 Jun 2002, Thomas Binder wrote:

> Hi!
>
> On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
> > You could also consider getting a Thawte "super cert" which has
> > a capability to allow the 56-bit export version of IE to not be
> > so stupid and connect at the higher 128-bit when accessing your
> > site.
>
> Just for the record, Thawte's "Super Certs" are what VeriSign
> calls "Secure Site Server Pro (Global) ID". But they are quite a
> lot cheaper.
>
>
> Ciao
>
> Thomas

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!


Re: 56-bit/128-bit IE problems

on 21.06.2002 21:33:05 by Peter Viertel

The problem here as usual is that he HAS got a SGC certificate - and
some ie's barf unless you drop EXPORT56 from your offering when you have
one of those certs.

not worth the money as far as I'm concerned, not even when getting
thawte's one. I feel it's a scam the way they sell SGC's as some sort of
premium security product when all they're doing is enabling functionality
the browser already has. These were designed for another purpose
altogether before the USA relaxed its crypto export rules a few years ago.

Thomas Binder wrote:

>Hi!
>
>On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
>
>
>>You could also consider getting a Thawte "super cert" which has
>>a capability to allow the 56-bit export version of IE to not be
>>so stupid and connect at the higher 128-bit when accessing your
>>site.
>>
>>
>
>Just for the record, Thawte's "Super Certs" are what VeriSign
>calls "Secure Site Server Pro (Global) ID". But they are quite a
>lot cheaper.
>
>
>Ciao
>
>Thomas

Re: 56-bit/128-bit IE problems

on 22.06.2002 00:48:05 by Thomas Binder

Hi!

On Fri, Jun 21, 2002 at 03:29:53PM -0400, R. DuFresne wrote:
> Are there still export restriction on the 128bit browsers? I
> was under the impression those export restrictions had been
> lifted a few years back.

Of course most do, but at least here in Germany a lot of banks
still use Netscape 4.0x with OS/2. For their users, you still need
such special certs, as the banks are also unwilling to use a patch
like Fortify which comes from an "untrusted source".


Ciao

Thomas

Re: 56-bit/128-bit IE problems

on 22.06.2002 11:11:50 by Louis Sabet

Right,

Problem solved. I took the suggestion, and read the FAQ. Adding:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

To my VirtualHosts appears to fix the problem (now I can delete about
10Gig's worth of VMWare VM's)

As it happens, yes, we do have Secure Site Pro from Verisign, although
as every day passes, I wish we had stuck with Thawte. For some reason we
never had problems like this until now (which is why I never really
bothered investigating mod_ssl too much). Of course Verisign couldn't
care less.

I really should publish a book containing a full account of my dealings
with verisign. It would be a comedy hit.

Anyway, in conclusion, thanks everyone who replied - I got this sorted
out faster than I thought I would thanks to you guys.

Regards,

L

On Fri, 21 Jun 2002 20:33:05 +0100
"Peter Viertel" wrote:

> The problem here as usual is that he HAS got a SGC certificate - and
> some ie's barf unless you drop EXPORT56 from your offering when you have
> one of those certs.
>
> not worth the money as far as I'm concerned, not even when getting
> thawte's one. I feel it's a scam the way they sell SGC's as some sort of
> premium security product when all they're doing is enabling functionality
> the browser already has. These were designed for another purpose
> altogether before the USA relaxed its crypto export rules a few years ago.
>
> Thomas Binder wrote:
>
> >Hi!
> >
> >On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
> >
> >
> >>You could also consider getting a Thawte "super cert" which has
> >>a capability to allow the 56-bit export version of IE to not be
> >>so stupid and connect at the higher 128-bit when accessing your
> >>site.
> >>
> >>
> >
> >Just for the record, Thawte's "Super Certs" are what VeriSign
> >calls "Secure Site Server Pro (Global) ID". But they are quite a
> >lot cheaper.
> >
> >
> >Ciao
> >
> >Thomas

--
Louis Sabet
http://www.webtedium.com/
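
Added example, not part of the original thread and not mod_ssl or OpenSSL code: a simplified Python model of the cipher-string operators (plain token, `!`, `-`, `+`, and `A+B` as a logical AND) applied to the SSLCipherSuite value quoted above, showing which suites `!EXPORT56` withdraws and which weak classes the string still offers. The suite table is a small constructed subset with alias tags assigned by hand, and `BEFORE` is an assumed earlier setting (the same string without `!EXPORT56`), since the thread does not show the original configuration.

```python
# Constructed subset of era-typical suite names; tags are the aliases each one answers to.
SUITES = {name: set(tags.split()) | {"ALL"} for name, tags in [
    ("DES-CBC3-SHA",        "RSA 3DES HIGH"),
    ("RC4-SHA",             "RSA RC4 MEDIUM"),
    ("RC4-MD5",             "RSA RC4 MEDIUM"),
    ("DES-CBC-SHA",         "RSA DES LOW"),
    ("EXP1024-RC4-SHA",     "RSA RC4 EXP EXPORT EXPORT56"),
    ("EXP1024-DES-CBC-SHA", "RSA DES EXP EXPORT EXPORT56"),
    ("EXP-RC4-MD5",         "RSA RC4 EXP EXPORT EXPORT40"),
    ("EXP-DES-CBC-SHA",     "RSA DES EXP EXPORT EXPORT40"),
    ("ADH-RC4-MD5",         "ADH RC4 MEDIUM"),
    ("DES-CBC3-MD5",        "RSA 3DES HIGH SSLv2"),
    ("RC2-CBC-MD5",         "RSA RC2 MEDIUM SSLv2"),
]}

FIXED = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
BEFORE = FIXED.replace("!EXPORT56:", "")   # assumption: not shown in the thread

def evaluate(rule_string, suites=SUITES):
    """Return the ordered list of suites the server would offer."""
    active, killed = [], set()
    for rule in rule_string.split(":"):
        op = rule[0] if rule[0] in "!+-" else ""
        wanted = set(rule[len(op):].split("+"))      # "RC4+RSA" = RC4 AND RSA
        match = [n for n, tags in suites.items() if wanted <= tags]
        if op == "!":                                # remove permanently
            killed.update(match)
            active = [n for n in active if n not in match]
        elif op == "-":                              # remove, may be re-added later
            active = [n for n in active if n not in match]
        elif op == "+":                              # move already-enabled suites to the end
            moved = [n for n in active if n in match]
            active = [n for n in active if n not in match] + moved
        else:                                        # append suites not yet enabled
            active += [n for n in match if n not in active and n not in killed]
    return active

def removed_by_fix():
    """Suites that disappear once !EXPORT56 is added."""
    return set(evaluate(BEFORE)) - set(evaluate(FIXED))

def weak_still_offered(rule_string):
    """Enabled suites that are low-strength, export-grade or SSLv2-only."""
    weak = {"LOW", "EXP", "SSLv2"}
    return [n for n in evaluate(rule_string) if SUITES[n] & weak]

if __name__ == "__main__":
    print("offered:", evaluate(FIXED))
    print("removed by !EXPORT56:", sorted(removed_by_fix()))
    print("weak but still offered:", weak_still_offered(FIXED))
```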



Re: 56-bit/128-bit IE problems

on 27.06.2002 20:14:11 by Alex

In article <00c301c21939$c5e8e500$5a2b7ad8@expertrade.com> David Wall wrote:
> You could also consider getting a Thawte "super cert" which has a capability
> to allow the 56-bit export version of IE to not be so stupid and connect at
> the higher 128-bit when accessing your site.

Could somebody please explain (or point me to URL) how this Thawte "super cert"
works? With quick search I found only general info with no technical details..

Thanks..

Alex