Apache and MSIE on Macs
on 19.08.2002 16:19:19 by Robert Lagana
Hi,
I have an issue where all web browser clients can connect to my Apache web
server securely using https:// EXCEPT for MAC MSIE (5.0 or 5.1 etc..)
clients.
The ssl certificate that I have installed also uses an intermediate
certificate for chaining.
When the MAC MSIE browser connects .. users get a pop up saying .. "The
issuer of the certificate is unknown" however, if you look in the prefs of
MAC MSIE under security, you can clearly see the issuer.
Netscape on the MAC works fine.
Does anyone know the cause? I know this is Apache and Microsoft related.
There is something on the server that I probably need to change to adapt to
MAC MSIE users but I don't know what it is...
Since I cannot find any articles in the MS KB.. and cannot find any in
Apache newsgroups.. I am lost.
I am Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.0.4pl1
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
How to work-around Apache, mod_ssl and MSIE problems
on 23.08.2002 06:22:27 by list-modssl-users
I have yet to see a definitive fix for all of the MSIE problems there
are, prior to version 6.0 on both the Mac and PC. So I'd like to share
my experiences with you since this is the hot topic this week.
I don't know if this is really the thing to do, but I've tried a few
things to workaround the problems with SSL handshaking (which I think
this is the problem most people have). Basically, if you can detect the
browser type by reading the server variable USER_AGENT, then you can set
up another SSL port (ex. https://:4433) to handle these "broken"
browsers using a regular expression (ex. /MSIE 5/).
Your web app will have to handle the browser detection and re-direction
from port 80 (or whatever non-SSL port) to the custom SSL port. Then, in
httpd.conf, add something like this:
------------------>8 Cut Here 8<------------------
DocumentRoot /path/to/website
ServerName www.website.com
# Add logging config here
SSLEngine On
# Only enable SSLv2 here, because the rest is broken.
SSLProtocol -ALL +SSLv2
SSLOptions +CompatEnvVars +OptRenegotiate
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# Change the two paths below as necessary
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
------------------>8 Cut Here 8<------------------
I know SSLv2 is not ideal, but SSLv3 doesn't work in some of these
browsers.
There may be a more elegant way of doing this with mod_rewrite, but I
haven't invested the time into it at this point.
I've had success with MSIE 5.14 on a Mac with OS X and MSIE 5.0 on
Win98, and a few other ones which are broken on a default OS
installation. Basically, it allows you to handle SSL modes per browser
by using the USER_AGENT server var, without requiring your site visitors
to upgrade to the latest version of IE, or reconfiguring their security
settings. Experiment with it. If you can get other encryption modes to
work, let us all know. Remember this: "Use at your own risk". Try it out
on a non-production server first of course.
I think this may help those who've come across broken Internet Explorer
browsers. Just from my own experience, the version which comes with
Windows 98 (Mozilla/4.0 compatible; MSIE 5.0; Windows 98; DigExt) is
still very popular, in wide circulation and very broken.
Hope this helps you all!
- Robert
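The workaround above steers clients to an SSLv2-only port purely on the User-Agent header, so the access log of that port is the place to check who actually ends up there. The following is an added example, not part of the original post: it assumes the port-4433 virtual host logs in Apache's combined log format, and the sample log lines, addresses and the function name `audit_legacy_port` are constructed for illustration.

```python
import re
from collections import Counter

# Same pattern the post suggests for spotting the "broken" browsers.
LEGACY_UA = re.compile(r"MSIE 5")

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines, as if taken from the log of the port-4433 vhost.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Aug/2002:06:30:01 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
192.0.2.11 - - [23/Aug/2002:06:31:12 +0000] "GET /login HTTP/1.0" 200 734 "-" "Mozilla/4.0 (compatible; MSIE 5.14; Mac_PowerPC)"
192.0.2.12 - - [23/Aug/2002:06:32:40 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [23/Aug/2002:06:33:05 +0000] "GET /login HTTP/1.0" 200 734 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623"
not a log line
"""

def audit_legacy_port(log_text):
    """Split requests seen on the legacy port into expected (MSIE 5.x)
    and unexpected (any other client); keep lines that do not parse."""
    expected, unexpected, unparsed = Counter(), [], []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            unparsed.append(line)          # keep for manual review
        elif LEGACY_UA.search(m.group("agent")):
            expected[m.group("agent")] += 1
        else:
            # A client that supports better protocols is using the weak port.
            unexpected.append((m.group("host"), m.group("request"), m.group("agent")))
    return expected, unexpected, unparsed

if __name__ == "__main__":
    expected, unexpected, unparsed = audit_legacy_port(SAMPLE_LOG)
    print("expected legacy clients:", dict(expected))
    print("unexpected clients:", unexpected)
    print("unparsed lines:", unparsed)
```

The per-agent counts in `expected` also show how much traffic still depends on the SSLv2 port, which is the number to watch when deciding whether it can be switched off.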