[thelist] Win IE, modSSL, form refresh prob
Andrew Forsberg
andrew at thepander.co.nz
Sat Feb 9 18:06:00 CST 2002
Hullo Evolt
Seeing as no one has either come across this, or has a solution, I
thought I'd post the work-around for Win IE's faulty implementation
of SSL 3.0. It apparently affects most builds of IE that 'support'
SSL 3 (though perhaps not patched win 2k systems).
Either the user needs to deactivate SSL 3.0 in their internet
options, or the following directive must be used to force SSL 2.0.
SSLCipherSuite ALL:!ADH:!NULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
A better solution would be to turn of SSL 3 for IE users only, but I
have no idea how to do that. It looks like the bug is a variant of
the 56 bit export MSIE bug a while back:
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49
Hope this will prevent someone else's premature hair loss.
Cheers
Andrew
>A secure page with a form is sent to the browser. If the user clicks
>refresh, clicks 'ok' to resubmit the previous page's form info, then
>fills the form out and submits it, Win IE presents a 'Service
>Unavailable' error page. If refresh is hit again on this page the
>form is processed (although form data from the previous page is lost).
>
>The setup is a Sparc Apache (with modSSL amongs other mods), PHP,
>MySQL virtual host. My first step was to get the admins to add:
>
>SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>downgrade-1.0
>force-response-1.0
>
>to the httpd.conf file. But this hasn't fixed the problem at all.
>Does anyone have any other suggestions?
--
Andrew Forsberg
---
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/
More information about the thelist
mailing list