Here's my little tale about Mac OS X/MSIE versus Apache/mod_ssl.
Some gripes about a self-signed certificate and compatibility with MSIE on Mac OS X for SSL access jumped to the foreground again recently. At first the assertion was that the name mismatch between the certificate's hostname and the actual hostname was flummoxing MSIE. So I generated a new certificate with a matching name. Still would bomb out with a "protocol error." Then I tried adding the site to MSIE's "trusted zone." bzzzzt! "protocol error" again!
Then it hit me: this code has languished at Microsoft for years. Its low-level protocol stuff could just be waaaay behind the times. So I changed the Apache configuration to include this directive:
SSLProtocol all -SSLv3
ding ding ding ding!
So now I can accept the self-signed certificate and move along. Does this mean that sites with CA-signed certificates can't use SSLv3, or does MSIE only require dumbing down the protocol when the certificate is self-signed? Maybe this is a long-standing FAQ but I'm kinda new to Mac OS X and haven't had to chase this down before.
( Sep 03 2004, 12:05:32 PM PDT )
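
As an added example (not from the original post and not mod_ssl's own code), this sketch resolves an SSLProtocol line to the set of protocols it leaves enabled, so the effect of the directive above can be checked. It assumes the 2004-era mod_ssl protocol set (SSLv2, SSLv3, TLSv1) with "all" meaning all three; the function names are hypothetical.

```python
# Added illustration, not mod_ssl source code.
# Assumption: 2004-era mod_ssl knows SSLv2, SSLv3 and TLSv1, and "all"
# is shorthand for all three.
KNOWN = ("SSLv2", "SSLv3", "TLSv1")
LEGACY = {"SSLv2"}  # oldest protocol in the set; worth flagging if still on


def resolve_sslprotocol(directive):
    """Return the set of protocols an SSLProtocol line leaves enabled."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    by_name = {p.lower(): {p} for p in KNOWN}
    by_name["all"] = set(KNOWN)
    enabled = set()
    for tok in tokens[1:]:
        action = tok[0] if tok[0] in "+-" else ""
        name = tok[len(action):].lower()
        if name not in by_name:
            raise ValueError("unknown protocol token: " + tok)
        if action == "-":
            enabled -= by_name[name]      # "-X" removes X
        elif action == "+":
            enabled |= by_name[name]      # "+X" adds X
        else:
            enabled = set(by_name[name])  # bare token replaces the set
    return enabled


def audit(directive):
    """Return (enabled protocols, legacy protocols still enabled), sorted."""
    enabled = resolve_sslprotocol(directive)
    return sorted(enabled), sorted(enabled & LEGACY)


if __name__ == "__main__":
    for line in ("SSLProtocol all -SSLv3", "SSLProtocol all -SSLv2 -SSLv3"):
        enabled, legacy = audit(line)
        print(line, "->", enabled, "| legacy still on:", legacy)
```

Under these assumptions the directive from the post resolves to SSLv2 and TLSv1, so SSLv2 stays enabled unless it is subtracted as well.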