The Apache - OpenSSL - Internet Explorer 5 problem

I am using mod_ssl with openssl 0.9.7c and I am using the workaround in
my ssl.conf that permits the buggy Internet Explorer 5.x browsers to
access my https pages. The problem has been around for a while and is
detailed here:

http://www.modssl.org/docs/2.6/ssl_faq.html#io-ie

The workaround is now part of the default configuration of Apache 2 and
uses this line in ssl.conf:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:
+EXP:+eNULL

I am finding this workaround is not 100% successful. Any visitor who
uses MSIE 5.00 cannot use my https pages as the workaround disables
56bit ciphers. This browser version only supports 56bit and these
visitors get the "This page cannot be displayed" error message. This
includes all visitors in my logs using:

Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

Which is the sixth most popular browser version in my log files. ok, it
only accounts for 0.02% of all my visitors, but this is still a chunk of
visitors who can't shop on my site. Is there something I can do to make
my https pages accessible to these MSIE 5.0 users without making
something else worse?

R Tunnel <no_mail_please RemoveThis @this_address.net> wrote:
 > Is there something I can do to make
 > my https pages accessible to these MSIE 5.0 users without making
 > something else worse?

Yes, put a clear sign on your website: If you are using the bugged
IE 5, please update your SSL support to 128 bit or get an upgrade
to IE 6.

Besides, they get the upgrade anyway if they use Microsoft Update.

_DO_NOT_ struggle to fix someone else bugs. It's a lost war.

Davide

--
| Windows NT source code now available... download WIN2000.BAS now!
| -- From a Slashdot.org post<!-- ~MESSAGE_AFTER~ -->