Apache SSL v2 and v3

Hi,

I've configured apache to use SSL, i tested it using IE5, and 5.5

The browsers that support 40bit and 128bit work ok if i enable only SSLv2. When SSLv3 is enabled the 40bit browser will not work correctly.

This isnt too much of a problem however it means i can only use sslv2. Which means the 56bit browsers will downgrade themselves to 40bit on connection.

Is there a way to get 40, 56 and 128 bits working?

Here is the conf setting i needed to use to get the 40 bit browsers working.

SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

SSLLog logs/SSL.log
SSLLogLevel info

<VirtualHost emeraldwebsite.freeserve.co.uk:443>
SSLEngine On
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLProtocol all -SSLv3

SSLVerifyClient none
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>


If i change SSLProtocol to just all, and add +SSLv3 into SSLCipherSuite the 56bit will connect and work at 56, and so will the 128bit, but the 40bit browser wont connect and throws up loads of errors in the ssl.log.

I can post detailed ones if ppl want, but basically they say

[24/Apr/2001 11:10:35 -353879] [info] Connection to child 48 established (server emeraldwebsite.freeserve.co.uk:443, client 62.137.132.41)

[24/Apr/2001 11:10:35 -353879] [info] Seeding PRNG with 0 bytes of entropy

[24/Apr/2001 11:10:35 -353879] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]


Anyone help me out?? I will use the SSLv2 for now and force 56bit to handshake down to 40bit, and recommend that people upgrade their browsers to 128bit.

However what does the SSLv3 protocol include since I cannot use this and still support the 40bit IE browsers. Am i missing out on anything ? Or causing any security holes by using the older SSLv2??

Thanks in advance to those that help

bb.