[lug] apache config, TLSv1 versus SSLv2?

D. Stimits stimits at comcast.net
Sun Sep 4 15:35:47 MDT 2005


...
> The problem is that even if a site offers both SSLv2 and TLSv1/SSLv3, it 
> will default to SSLv2.  Eep.

From what I can tell, this is a server side config. It seems that by 
default Apache ships with SSLv2 enabled, along with the lower strength 
cyphers...possibly for some sort of compatibility with all the browser 
versions out in the wild. It does seem to default to trying higher 
quality cyphers first, and only lists SSLv2 late in the list:
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Now if this really is the default, and a browser uses SSLv2, I'd think 
it means that the browser simply does not support the stronger 
cyphers/protocols...it seems that the browser is sending its list of 
abilities and the server is the one choosing among those abilities which 
to use.

I see RC4+RSA, I'm wondering how this compares to TLSv1 or SSLv3? Apache 
is setting these in front by default on Fedora, so I'm guessing this 
means stronger than SSLv2. I don't see TLS listed at all though, and I 
can see in logs during my testing that Mozilla uses TLS unless it is 
manually disabled, via this excerpt of a log:
127.0.0.1 TLSv1 DHE-RSA-AES256-SHA

...I got this log with my configuration as:
SSLCipherSuite !ADH:HIGH

There is apparently a separate directive SSLProtocol, which allows 
addition or removal of TLSv1, SSLv2, so on, and does not appear to be 
related to the actual cypher strength. For example:
SSLProtocol -all +SSLv2

I'm wondering if something like removing all with "-all" then addition 
of "+SSLv3 +TLSv1" would be a good idea? In part I'm wondering what 
setting will allow an updated IE to work properly?

D. Stimits, stimits AT comcast DOT net
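Added example (not part of the original post): a small Python model of how the SSLProtocol values discussed above are evaluated, and of the point that the client advertises its protocols while the server picks among them. It assumes only the three protocol names the post mentions and expands "all" the way the Apache 2.0-era documentation described it; the negotiation is a simplified "strongest common version" model.

```python
# Assumed model of Apache's SSLProtocol directive, limited to the three
# protocols named in the post. "all" expands to all three here, as the
# Apache 2.0-era docs stated (later releases dropped SSLv2 from "all").
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1"]  # ordered weakest to strongest
_CANONICAL = {p.lower(): p for p in PROTOCOLS}


def parse_ssl_protocol(value):
    """Evaluate an SSLProtocol value such as "-all +SSLv3 +TLSv1".

    Mirrors mod_ssl's rules: "+tok" adds, "-tok" removes, and a bare
    token replaces the whole set (so "SSLProtocol TLSv1" means TLSv1
    only). Tokens are applied left to right; names are case-insensitive.
    """
    enabled = set()
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        if name.lower() == "all":
            names = set(PROTOCOLS)
        elif name.lower() in _CANONICAL:
            names = {_CANONICAL[name.lower()]}
        else:
            raise ValueError("unknown SSLProtocol token: %s" % token)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def negotiate(server_enabled, client_offered):
    """Return the strongest protocol both sides support, or None.

    The client sends the list of what it can do; the server chooses from
    that list, restricted to what its own SSLProtocol leaves enabled.
    None models the case where an SSLv2-only client is turned away.
    """
    common = set(server_enabled) & set(client_offered)
    for proto in reversed(PROTOCOLS):
        if proto in common:
            return proto
    return None


if __name__ == "__main__":
    # constructed client: a browser that offers TLSv1 but still lists SSLv2
    for directive in ("all", "-all +SSLv2", "-all +SSLv3 +TLSv1"):
        enabled = parse_ssl_protocol(directive)
        print("%-20s enabled=%-26s negotiated=%s"
              % (directive, sorted(enabled), negotiate(enabled, ["SSLv2", "TLSv1"])))
```

The last directive is the "-all" then "+SSLv3 +TLSv1" combination the post asks about; with it a client that only speaks SSLv2 gets no common protocol at all, which is the compatibility trade-off to weigh.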
