| Web Server Management: Securing Access to Web Servers | ||
|---|---|---|
| Prev | Chapter 4. Configuring Apache to support TLS | Next |
Some browsers (Internet Explorer again) have bugs which prevent them from working correctly with some aspects of the TLS protocols. The situation is better with current browsers, but many old browsers can be a problem. We can work around this by adding the following directives to the HTTPS virtual host.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
These directives do two things: they alter some aspects of the HTTP and TLS protocols for MSIE, and they restrict the cryptographic primitives that will be used to those with widespread browser support. This latter is an unfortunate necessity, since it will prevent all browsers (not just MSIE) from using some useful strong ciphers.