Firewall Wizards mailing list archives
RE: SSL and negotiated key strength
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 11 Jul 2001 12:44:26 -0400 (EDT)
For your apache/mod-ssl issue, join the modssl users list, modssl-users () modssl org, http over to modssl.org to sign up!

Thanks,

Ron DuFresne

On Tue, 10 Jul 2001, Scott, Richard wrote:

Greetings all,

Well getting apache to work is one thing... and I've still got to get it working, but the problems we are having with IIS are unreal. What I have been hearing inside of Verisign is that there is a fundamental problem with the Server Gated cryptography preventing it working on IIS.

Has anyone got the step up feature to work in IIS 4 or 5?

Cheers
r.

Hi,

We recently had similar problems and fixed the encryption step up issue by ensuring that the "SSLCipherSpec" line was included and that it defined all of the required ciphers as shown in the sample virt host definition below.

<VirtualHost HostIPAddressHere:443>
    ServerName www.hostname.com
    ServerAlias HostName www
    SSLEnable
    SSLClientAuth none
    ErrorLog /var/log/loggingplace
    SSLServerCert HostName
    SSLCipherSpec 34353A333639323130
</VirtualHost>

Each of the numbers represents a different cipher that can be used when negotiating a connection, I am not sure what they all are currently but can find out if required.

-----

Greetings all,

I've been playing around with SSL and Certificates and have come across a problem. I'm using apache and IIS as the web servers, and for an example IE5 with 56bit capable encryption. This is what I am seeing:

(1) With a global certificate, 128 bit should be enforced, and for all browsers that do not support 128 bit, the browser is "stepped up" somehow.

- With my 56bit capable browser, only 40bit encryption is negotiated, not 128bit.
- With a 128bit browser, 128bit is supported.

Shouldn't it be the case that 128bit be used for all browsers with Verisign's Global Certificates... ? I shouldn't have to define in apache or IIS to force 128bit, or should I? I am wondering whether the option in IIS, for example, to enforce 128bit, only permits browsers with the high crypto pack installed on the client?

(2) Connecting to Fortify.com, the SSL test for a 56bit capable browser only negotiates to 40bit, why does it not use 56bit?

I believe that 128bit crypto can be exported now, please correct me if I am wrong, and hence outside connections using SSL with 128bit encryption are legal?

Cheers
r.

Richard Scott
Information Security - Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy or any of its subsidiaries.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
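
The quoted reply says each number in the SSLCipherSpec value stands for a cipher. The following is an added example, not part of the original thread: it splits that value into two-character codes and reports which ones fall below 128 bits. The code table is an assumption: the thread does not name the server product, and the mapping used here is the SSLv3 short-name table of IBM HTTP Server, whose directives match the sample.

```python
# Added example: audit a concatenated cipher-spec string from the thread.
# ASSUMPTION: codes are IBM HTTP Server SSLv3 short names (product not named
# on the page). Each entry: code -> (cipher suite name, effective key bits).
IHS_SSLV3_CODES = {
    "30": ("SSL_NULL_WITH_NULL_NULL", 0),
    "31": ("SSL_RSA_WITH_NULL_MD5", 0),
    "32": ("SSL_RSA_WITH_NULL_SHA", 0),
    "33": ("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    "34": ("SSL_RSA_WITH_RC4_128_MD5", 128),
    "35": ("SSL_RSA_WITH_RC4_128_SHA", 128),
    "36": ("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40),
    "39": ("SSL_RSA_WITH_DES_CBC_SHA", 56),
    "3A": ("SSL_RSA_WITH_3DES_EDE_CBC_SHA", 168),
}


def decode_cipher_spec(spec):
    """Return [(code, name, bits)] in the order the codes appear in spec."""
    spec = spec.strip().upper()
    if not spec or len(spec) % 2:
        raise ValueError("cipher spec must be a non-empty run of 2-char codes")
    decoded = []
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        # Unknown codes are kept and marked, never silently dropped.
        name, bits = IHS_SSLV3_CODES.get(code, ("UNKNOWN", None))
        decoded.append((code, name, bits))
    return decoded


def below_strength(spec, min_bits=128):
    """Codes that are unknown or offer fewer than min_bits of encryption."""
    return [code for code, _, bits in decode_cipher_spec(spec)
            if bits is None or bits < min_bits]


if __name__ == "__main__":
    sample = "34353A333639323130"  # value from the virtual host sample above
    for code, name, bits in decode_cipher_spec(sample):
        label = "unknown" if bits is None else f"{bits:>3} bit"
        print(f"{code}  {label}  {name}")
    print("below 128 bit:", ", ".join(below_strength(sample)))
```

Under that assumed table, the sample value lists the 128-bit and 168-bit suites first, followed by export-grade, single-DES and NULL (no encryption) suites.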
Current thread:
- RE: SSL and negotiated key strength Scott, Richard (Jul 11)
- RE: SSL and negotiated key strength Kevin Steves (Jul 12)
- RE: SSL and negotiated key strength R. DuFresne (Jul 12)
- <Possible follow-ups>
- RE: SSL and negotiated key strength Scott, Richard (Jul 12)