[imp] IE "page cannot be displayed"

Eric Rostetter eric.rostetter at physics.utexas.edu
Tue Sep 23 08:00:19 PDT 2003


Quoting Lord Apollyon <implist at paypc.com>:

> > To make it work with all versions, I've had to also add:
> >
> >    SSLProtocol all -SSLv3
>
> NO NO NO NO NO NO.

I guess you feel strongly about that?

> I don't know who originated this (terrible) advice, but

In my case, it was me.  I was having trouble with a critical system (about
3 years ago) getting it to work with all clients (e.g. Mac running IE,
AOL, etc).  And this fixed the remaining problems I was seeing.  Nothing
else fixed it.  No one gave me this advice, I found it via trial and error.

> you're basically throwing out the best crypto for EVERYONE and needlessly at
> that.

Yes, we are throwing out the best crypto, but it wasn't needlessly, or at
least we could not find another workaround or solution.  So for us it
was needed to throw it out.

Please note I don't do this on my Horde/IMP install, I do it on another
system that is more critical.

I realize that this is drastic.  But, the person said they tried the other
stuff, and was still having problems.  I'm simply saying: yes, I had the
same experience, and this fixed it.

> You just need to disable the broken ciphers for TLS/SSLv3 which are lame
> anyway.

Have not found which ones that might be.  And apparently you have not either,
based on this posting, as your settings are the same as mine and do not work.

> I've been using the following for years without incident - the few

Great for you.  But that doesn't mean it works for everyone.  I've got
28,000 students from all over the world using a system.  They use just about
every OS, language, browser, firewall, proxy, filter, etc.  I have to try
to support them all, even the sites that block my e-mail without an attachment
as containing an attachment! (Now how annoying is that?)  I can't take the
liberty of saying "too bad it doesn't work for your student, just fail him
for the course."  The students take a dim view of that.

> # Disable the export TLS/SSLv3 ciphers (56-bit SGC's)
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Already have that (read my post).

> # and then disable keepalives and http/1.1 responses for MSIE
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0

Been there, done that.  Sometimes I make two rules (for old IE and newer
IE), sometimes just use one, but always have the above for at least the old
ones.

> # Activate an SSL session cache
> SSLSessionCache shm:/your/pathname/to/somewhere/writeable(512000)

Done that (and set a SSLSessionCacheTimeout).

> =Apollyon=

Okay, so you've said: Use the settings which are causing us problems, and
you'll have no problems.  Does that really make sense?

--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
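
Added example, not part of the original message or of Apache itself: a small Python audit that evaluates which protocols the quoted SSLProtocol line leaves enabled and classifies each SSLCipherSuite token by its OpenSSL operator ("!" removes permanently, "-" removes, "+" only moves matching ciphers to the end of the list, a bare token adds). It assumes 2003-era mod_ssl, where "all" expands to SSLv2, SSLv3 and TLSv1; the function names and the sample fragment are constructed for illustration.

```python
import re

# Assumption: 2003-era mod_ssl, where "all" expands to SSLv2 + SSLv3 + TLSv1.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

def directives(conf_text):
    """Yield (name, args) per directive, joining backslash continuations."""
    joined = re.sub(r"\\\s*\n", " ", conf_text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, args = line.partition(" ")
            yield name, args.split()

def effective_protocols(tokens):
    """Apply SSLProtocol tokens in order: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in tokens:
        op = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        wanted = {p for p in ALL_PROTOCOLS if name in ("all", p.lower())}
        if not wanted:
            raise ValueError(f"unknown protocol token: {tok}")
        if op == "-":
            enabled -= wanted
        else:
            enabled = enabled | wanted if op == "+" else wanted
    return sorted(enabled)

def cipher_ops(spec):
    """Classify OpenSSL cipher-string tokens by their leading operator."""
    kinds = {"!": "kill", "-": "remove", "+": "move-to-end"}
    return [(kinds.get(t[0], "add"), t.lstrip("!+-")) for t in spec.split(":") if t]

# Constructed fragment assembled from the directives quoted in this thread.
SAMPLE = """\
SSLProtocol all -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SetEnvIf User-Agent ".*MSIE.*" \\
  nokeepalive ssl-unclean-shutdown \\
  downgrade-1.0 force-response-1.0
"""

def audit(conf_text):
    conf = dict(directives(conf_text))
    return effective_protocols(conf["SSLProtocol"]), cipher_ops(conf["SSLCipherSuite"][0])

if __name__ == "__main__":
    print(audit(SAMPLE))
```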