Browser issues

Good morning,

Our company has been noticing quite a few ssl errors in our http logs, we have had
SSL3 disabled due to a bug in internet explorer 5.x I'm sure you're all aware of, but
lately it seems more and more browsers are disabling SSL2, probably due to some
vulnerabilities, and IE6 has TLS1 disabled by default, so the only thing these newer
browsers are accepting is SSL3. The only way I can think of to allow all browsers is
by running two different https servers, on different ports, same domain, one with
SSL3 enabled where the IE6 clients (with SSL2 disabled) will be sent, the other with
SSL3 disabled where IE5.x clients will be sent. My first question is, will this work?
I see some discussion about problems with multiple https ports on the same server,
they would all be on the same certificate/domain. Second question: is there a better
way of overcoming this problem? Can I put something in the httpd.conf that says "if
IE6, allow SSL3, otherwise don't"? My google searches have yielded nothing. I'd
appreciate any input from anybody dealing with this issue.

Regards,

Jeffrey Moss
jeff@americom.com






____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Browser issues

> May not be the answer you're looking for, but have you read/tried the
> advice in this section of the manual?
>
> http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie

Yes, we have had it configured this way for a couple years or so. The problem now is
that people are starting to disable SSL2, if you're wondering how many of these
you're getting, look for this in your logs:

[Thu Feb 13 12:04:23 2003] [error] mod_ssl: SSL handshake failed (server
*****.*******.com:443, client 66.20.223.3) (OpenSSL library error follows)
[Thu Feb 13 12:04:23 2003] [error] OpenSSL: error:1408A10B:SSL
routines:SSL3_GET_CLIENT_HELLO:wrong version number

I am pretty sure this is internet explorer saying "I want to use SSL3 and only SSL3"
and my server has SSL3 disabled. I spoke with a customer who had the IE error page,
and sure enough he had SSL2 and TLS1 disabled, only SSL3 was enabled, so what is
there to do about this, other than running two separate apaches?

> > Good morning,
> >
> > Our company has been noticing quite a few ssl errors in our http logs,
> > we have had SSL3 disabled due to a bug in internet explorer 5.x I'm sure
> > you're all aware of, but lately it seems more and more browsers are
> > disabling SSL2, probably due to some vulnerabilities, and IE6 has TLS1
> > disabled by default, so the only thing these newer browsers are
> > accepting is SSL3. The only way I can think of to allow all browsers is
> > by running two different https servers, on different ports, same domain,
> > one with SSL3 enabled where the IE6 clients (with SSL2 disabled) will be
> > sent, the other with SSL3 disabled where IE5.x clients will be sent. My
> > first question is, will this work? I see some discussion about problems
> > with multiple https ports on the same server, they would all be on the
> > same certificate/domain. Second question: is there a better way of
> > overcoming this problem? Can I put something in the httpd.conf that says
> > "if IE6, allow SSL3, otherwise don't"? My google searches have yielded
> > nothing. I'd appreciate any input from anybody dealing with this issue.
> >
> > Regards,
> >
> > Jeffrey Moss
> > jeff@americom.com
> >
> >
> >
> >
> >
> >
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
>
>
> ===========
> Alan Sparks, UNIX/Linux Systems Administrator
>
>
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org