Pound Mailing List Archive (Apsis), 2004-08: IE 5.0 + SSL problem


IE 5.0 + SSL problem
Chris Gamache <cgg007(at)yahoo.com>
2004-08-04 18:14:50
Pound -current is running ... Openssl 0.9.7d-r1 (Gentoo) installed

I've placed 

ListenHTTPS 192.168.0.2,443 /etc/pound/cert.pem
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

into pound.conf. We're still having problems with IE 5.0 users not being able
to browse the SSL encrypted website. We've put tcpwatch on the job tracking the
traffic into pound and out of pound. We see the traffic hit tcpwatch coming
into pound, and then we get nothing coming out on the other end. If we're not
using ssl we can see traffic, request and response, on both sides of pound. If
we're using IE5.5 and IE6 we can see traffic on both sides of pound.

We tried disabling ssl3 on the IE 5.0 client and we were able to browse! That
makes me think that the ListenHTTPS line needs some more work. Can anyone
propose a better workaround? Ideally, I'd like to use ssl3 for everyone. That
may be impossible.

Please advise.

[...]

REPOST: IE 5.0 + SSL problem
Chris Gamache <cgg007(at)yahoo.com>
2004-08-06 14:51:01
Everyone must be on holiday! I'll ask again in case I wasn't loud enough the
first time... :)

Pound -current is running ... Openssl 0.9.7d-r1 (Gentoo) installed

I've placed 

ListenHTTPS 192.168.0.2,443 /etc/pound/cert.pem
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

into pound.conf. We're still having problems with IE 5.0 users not being able
to browse the SSL encrypted website. We've put tcpwatch on the job tracking the
traffic into pound and out of pound. We see the traffic hit tcpwatch coming
into pound, and then we get nothing coming out on the other end. If we're not
using ssl we can see traffic, request and response, on both sides of pound. If
we're using IE5.5 and IE6 we can see traffic on both sides of pound.

We tried disabling ssl3 on the IE 5.0 client and we were able to browse! That
makes me think that the ListenHTTPS line needs some more work. Can anyone
propose a better workaround? Ideally, I'd like to use ssl3 for everyone. That
may be impossible.

Please advise.

[...]

Re: REPOST: IE 5.0 + SSL problem
Robert Segall <roseg(at)apsis.ch>
2004-08-06 15:07:15
On Friday 06 August 2004 14.51, Chris Gamache wrote:[...]

ALL CAPS IS THE SOLUTION!!!!
[...]

Try removing the ! from EXPORT56 as I suggested in an earlier message.
[...]

I'd like to see the log messages for the connection attempts, or, even better, 
perhaps extra debugging from the handshake - try removing the comment around 
line 593 in http.c after the call to BIO_do_handshake().[...]

Re: REPOST: IE 5.0 + SSL problem
Chris Gamache <cgg007(at)yahoo.com>
2004-08-06 16:29:49
I THOUGHT THAT ALL CAPS WAS RUDE!!!!!!!! :)

Thank you for the quick reply.

Made the changes you suggested:

ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

and modified the source code; recompiled:

Aug  6 09:40:38 balance1 pound: starting...
Aug  6 09:40:49 balance1 pound: BIO_do_handshake with 192.168.168.21 failed:
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Interesting, eh? I don't know enough about OpenSSL to /intelligently/ rewrite
that cipher line. "man ciphers" describes this line as:

* all ciphers suites except the eNULL ciphers which must be explicitly enabled.
* NO anonymous DH cipher suites.
* 56 bit export encryption algorithms.
* cipher suites using RC4. 
* cipher suites using RSA key exchange.
* "high" encryption cipher suites. This currently means those with key lengths
larger than 128 bits.
* "medium" encryption cipher suites, currently those using 128 bit encryption.
* "low" encryption cipher suites, currently those using 64 or 56 bit encryption
algorithms but excluding export cipher suites.
* SSL v2.0 cipher suites
* export encryption algorithms. Including 40 and 56 bits algorithms.
* ENABLED "NULL" ciphers (offering no encryption). 

IE5.0 insists on using SSLv3 (which would be fine if OpenSSL would be able to
converse with its botched implementation, yes?) ... On a whim I tried half a
dozen different cipher strings, which yielded the same effect. It seems like
the cipher string is being ignored.

I'm stumped!

--- Robert Segall <roseg(at)apsis.ch> wrote:
[...]

[...]
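The cipher-string semantics Chris quotes from ciphers(1) are easier to reason about with a small model. The following is an added example, not code from this thread, from Pound or from OpenSSL: it re-implements the `!`, `-`, `+` and `A+B` rules over a constructed subset of 0.9.7-era suite names (attributes approximate), and checks which suites a server cipher string shares with a hypothetical client that offers only 56-bit export suites (an assumption for illustration, not a statement about what IE 5.0 actually sent). Two things become visible: `!EXPORT56` removes the 56-bit export suites for good, so such a client gets exactly the "no shared cipher" failure seen in the log above, whereas `EXPORT56` without the `!` keeps them; and `+eNULL`, like every `+` element, only reorders suites that are already selected, so it adds no NULL suite. The model does not cover the server-side temporary RSA key that export suites need, which Robert identifies as the actual cause later in the thread.

```python
"""Simplified model of OpenSSL cipher-string evaluation (ALL, !, -, +, A+B).

Added example: a re-implementation of the rules described in ciphers(1),
not Pound's or OpenSSL's code. SUITES is a constructed subset of real suite
names with approximate attributes, used only to show how a pound.conf cipher
string is interpreted and how "no shared cipher" arises.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str       # key exchange: "RSA" or "ADH" (anonymous DH)
    enc: str      # bulk cipher: "RC4", "DES", "3DES", "AES", "NULL"
    bits: int     # effective key length
    export: bool  # export-grade (40/56-bit) suite
    proto: str    # "SSLv2", "SSLv3" or "TLSv1"


# Constructed subset of suites, in the order the model adds them.
SUITES = [
    Suite("RC4-MD5",             "RSA", "RC4",  128, False, "SSLv3"),
    Suite("RC4-SHA",             "RSA", "RC4",  128, False, "SSLv3"),
    Suite("AES128-SHA",          "RSA", "AES",  128, False, "TLSv1"),
    Suite("DES-CBC3-SHA",        "RSA", "3DES", 168, False, "SSLv3"),
    Suite("DES-CBC-SHA",         "RSA", "DES",   56, False, "SSLv3"),
    Suite("EXP-RC4-MD5",         "RSA", "RC4",   40, True,  "SSLv3"),
    Suite("EXP1024-RC4-SHA",     "RSA", "RC4",   56, True,  "TLSv1"),
    Suite("EXP1024-DES-CBC-SHA", "RSA", "DES",   56, True,  "TLSv1"),
    Suite("ADH-RC4-MD5",         "ADH", "RC4",  128, False, "SSLv3"),
    Suite("DES-CBC3-MD5",        "RSA", "3DES", 168, False, "SSLv2"),
    Suite("NULL-SHA",            "RSA", "NULL",   0, False, "SSLv3"),
]

# Alias -> predicate, following the descriptions in ciphers(1).
ALIASES = {
    "ALL":      lambda s: s.enc != "NULL",
    "ADH":      lambda s: s.kx == "ADH",
    "RSA":      lambda s: s.kx == "RSA",
    "RC4":      lambda s: s.enc == "RC4",
    "HIGH":     lambda s: s.bits > 128,
    "MEDIUM":   lambda s: s.bits == 128,
    "LOW":      lambda s: s.bits in (56, 64) and not s.export,
    "EXP":      lambda s: s.export,
    "EXPORT":   lambda s: s.export,
    "EXPORT40": lambda s: s.export and s.bits == 40,
    "EXPORT56": lambda s: s.export and s.bits == 56,
    "eNULL":    lambda s: s.enc == "NULL",
    "SSLv2":    lambda s: s.proto == "SSLv2",
    "SSLv3":    lambda s: s.proto == "SSLv3",
    "TLSv1":    lambda s: s.proto == "TLSv1",
}


def _matching(word):
    """Suite names matching a word; 'A+B' means the suite must match both A and B."""
    preds = [ALIASES.get(a, lambda s, a=a: s.name == a) for a in word.split("+")]
    return [s.name for s in SUITES if all(p(s) for p in preds)]


def evaluate(spec):
    """Return the ordered list of suites that a cipher string selects."""
    active, killed = [], set()
    for word in spec.split(":"):
        if not word or word.startswith("@"):
            continue  # empty element, or @STRENGTH (not modelled here)
        op = ""
        if word[0] in "!-+":
            op, word = word[0], word[1:]
        names = _matching(word)
        if op == "!":        # delete permanently: no later element can re-add
            killed.update(names)
            active = [n for n in active if n not in killed]
        elif op == "-":      # delete, but a later element may add it again
            active = [n for n in active if n not in names]
        elif op == "+":      # reorder only: move matches to the end of the list
            active = ([n for n in active if n not in names]
                      + [n for n in active if n in names])
        else:                # add in table order, skipping present/killed ones
            active += [n for n in names if n not in active and n not in killed]
    return active


def shared_ciphers(server_spec, client_offer):
    """Suites both sides accept (server order); empty means 'no shared cipher'."""
    offered = set(client_offer)
    return [n for n in evaluate(server_spec) if n in offered]


# The two pound.conf strings from the thread: with and without the '!' on EXPORT56.
ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
RELAXED = "ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Hypothetical client limited to 56-bit export suites (an assumption, not a
# statement about what IE 5.0 actually offered).
EXPORT_ONLY_CLIENT = ["EXP1024-RC4-SHA", "EXP1024-DES-CBC-SHA"]

if __name__ == "__main__":
    for label, spec in (("original", ORIGINAL), ("relaxed", RELAXED)):
        print(label, "->", evaluate(spec))
        print("  shared with export-only client:",
              shared_ciphers(spec, EXPORT_ONLY_CLIENT) or "none (no shared cipher)")
```

Running it prints the selected list for each string; the original string yields no common suite with the export-only client, the relaxed one yields the two EXP1024 suites, and NULL-SHA appears in neither list despite the trailing `+eNULL`.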

Re: REPOST: IE 5.0 + SSL problem
Robert Segall <roseg(at)apsis.ch>
2004-08-06 17:14:51
On Friday 06 August 2004 16.29, Chris Gamache wrote:[...]

OK - I got it: this is an artifact of the great memory leak hunt. As part of 
that we had temporarily eliminated the temporary RSA key generation, thus 
probably breaking IE. I'll put it back in by Monday and put up a new 
-current.

Thanks for the heads-up.[...]

Re: REPOST: IE 5.0 + SSL problem
Robert Segall <roseg(at)apsis.ch>
2004-08-07 18:13:46
As promised, a new -current is available. It has (again) support for RSA 
ephemeral keys, and should solve the IE problem.

As always - please tell us all how it works.[...]

Re: REPOST: IE 5.0 + SSL problem
"Simon Matter" <simon.matter(at)ch.sauter-bc.com>
2004-08-08 02:02:34
> As promised, a new -current is available. It has (again) support for RSA[...]

My feedback is positive. I just tested the new current on IE 5.0 + SSL on
Win95 and it seems to work well. This has not worked with the version
before.

Thanks,
Simon
