[imp] IE "page cannot be displayed"

Lord Apollyon implist at paypc.com
Mon Sep 22 16:33:56 PDT 2003


> To make it work with all versions, I've had to also add:
> 
>    SSLProtocol all -SSLv3

NO NO NO NO NO NO.  I don't know who originated this (terrible) advice, but
you're basically throwing out the best crypto for EVERYONE and needlessly at
that.

You just need to disable the broken ciphers for TLS/SSLv3 which are lame
anyway.  I've been using the following for years without incident - the few
times I've encountered "issues" they've been memory/cpu-time exhaustions in
scripts.

Assuming mod_ssl syntax:

# Disable the export TLS/SSLv3 ciphers (56-bit SGC's)
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# and then disable keepalives and http/1.1 responses for MSIE
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Activate an SSL session cache
SSLSessionCache shm:/your/pathname/to/somewhere/writeable(512000)

(or whichever method of SSL session caching you wish to use - some platforms
have lots of intestinal gas with shared memory and interprocess locking -
DBM seems to work flawlessly on all, and you can put that onto your
"tmpfs"/backing-store RAM-disk filesystem)

Apache-SSL seems dead now - there's no Apache-SSL for the latest release of
Apache 1.3.  If you're using Apache-SSL, you need to use the following
directive instead of the cleaner mod_ssl SSLCipherSuite:

SSLRequiredCiphers DH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:\
DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA:\
IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:\
RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EDH-RSA-DES-CBC-SHA:\
EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:\
EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:\
EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:\
EXP-RC2-CBC-MD5:EXP-RC4-MD5

*NOTE* The directive "SSLRequiredCipher" (note the lack of -s at the end)
refers to something entirely different.  Make sure you're using the correct
directive.

=Apollyon=
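
Added example, not part of the original message: a small audit of the SSLRequiredCiphers value quoted above, listing repeated entries and the suites whose OpenSSL-style names mark them as export-grade, single-DES or RC2. The helper names (parse_ciphers, classify, audit) are hypothetical, and the labels are a name-based heuristic, not a query against any SSL library.

```python
import re
from collections import Counter

# Input: the SSLRequiredCiphers value from the message above, copied verbatim.
DIRECTIVE = r"""SSLRequiredCiphers DH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:\
DES-CBC3-SHA:DES-CBC3-MD5:DHE-DSS-RC4-SHA:\
IDEA-CBC-SHA:RC4-SHA:RC4-MD5:IDEA-CBC-MD5:\
RC2-CBC-MD5:RC4-MD5:RC4-64-MD5:EDH-RSA-DES-CBC-SHA:\
EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:\
EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:\
EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:\
EXP-RC2-CBC-MD5:EXP-RC4-MD5"""


def parse_ciphers(directive):
    """Join backslash-continued lines, drop the directive name, split on ':'."""
    joined = re.sub(r"\\\s*\n\s*", "", directive.strip())
    _, _, value = joined.partition(" ")
    return [name for name in value.strip().split(":") if name]


def classify(name):
    """Heuristic labels derived only from tokens in the suite name."""
    labels = []
    if name.startswith("EXP-"):
        labels.append("export-grade")
    # "DES-CBC-" is single DES; "DES-CBC3-" (3DES) does not match.
    if re.search(r"(^|-)DES-CBC-", name):
        labels.append("single-DES")
    if "RC2" in name:
        labels.append("RC2")
    return labels


def audit(directive):
    """Return (all names in order, duplicated names, {name: labels})."""
    names = parse_ciphers(directive)
    dupes = sorted(n for n, c in Counter(names).items() if c > 1)
    flagged = {n: classify(n) for n in dict.fromkeys(names) if classify(n)}
    return names, dupes, flagged


if __name__ == "__main__":
    names, dupes, flagged = audit(DIRECTIVE)
    print(f"{len(names)} entries, {len(dupes)} repeated: {', '.join(dupes)}")
    for name, labels in flagged.items():
        print(f"  {name:28s} {', '.join(labels)}")
```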


