Firewall Wizards mailing list archives

RE: SSL and negotiated key strength


From: Tristan Geering <Tristan.Geering () asx com au>
Date: Sat, 9 Jun 2001 12:32:25 +1000

Hi,

We recently had similar problems and fixed the encryption step up issue by
ensuring that the "SSLCipherSpec" line was included and that it defined all
of the required ciphers as shown in the sample virt host definition below.

<VirtualHost HostIPAddressHere:443>
ServerName www.hostname.com
ServerAlias HostName www
SSLEnable
SSLClientAuth none
ErrorLog /var/log/loggingplace
SSLServerCert HostName
SSLCipherSpec 34353A333639323130
</VirtualHost>

Each of the numbers represents a different cipher that can be used when
negotiating a connection. I am not sure what they all are currently but can
find out if required.

Thanks for the great list Marcus.

Cheers,

Tristan Geering


-----Original Message-----
From: Scott, Richard [mailto:Richard.Scott () BestBuy com]
Sent: Thursday, 10 May 2001 2:39 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] SSL and negotiated key strength


Greetings all,

I've been playing around with SSL and Certificates and have come across a
problem.  I'm using apache and IIS as the web servers, and for an example
IE5 with 56bit capable encryption.

This is what I am seeing:

(1) With a global certificate, 128 bit should be enforced, and for all
browsers that do not support 128 bit, the browser is "stepped up" somehow.

- With my 56bit capable browser, only 40bit encryption is negotiated, not
128bit.
- With a 128bit browser, 128bit is supported.

Shouldn't it be the case that 128bit is used for all browsers with
Verisign's Global Certificates... ?  I shouldn't have to define in apache or
IIS to force 128bit, or should I? I am wondering whether the option in IIS,
for example, to enforce 128bit, only permits browsers with the high crypto
pack installed on the client?


(2) Connecting to Fortify.com, the SSL test for a 56bit capable browser only
negotiates to 40bit, why does it not use 56bit?


I believe that 128bit crypto can be exported now, please correct me if I am
wrong, and hence outside connections using SSL with 128bit encryption are
legal?

Cheers
r.


Richard Scott   
Information Security
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA
The views expressed in this email do not represent Best Buy
or any of its subsidiaries.
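The two posts above turn on one mechanism: the server can only settle on a cipher that both it and the browser list, so a 56-bit-capable browser drops to 40-bit whenever the server's enabled cipher list has no 56-bit suite, and Tristan's fix of spelling out every required cipher in SSLCipherSpec is what closes that gap. The following simulator is an added example, not code from either poster or from any web server; the cipher table, the browser offer lists and the three server configurations are constructed for illustration (the suite names and key sizes are the standard SSL 3.0 RSA suites, but no real browser profile is being reproduced). It models plain cipher negotiation only, not the certificate-driven "step-up" rehandshake Richard asks about.

```python
"""Simulate SSL cipher negotiation to show why a 56-bit browser lands on 40-bit.

Constructed example: the cipher table, browser offer lists and server
configurations below are illustrative, not copied from any real server or
browser. Only the plain "pick a shared suite" step is modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str
    key_bits: int   # symmetric key length actually protecting the session
    export: bool    # True for the old 40-bit "export grade" suites


# Constructed table of SSL 3.0-era RSA cipher suites and their key sizes.
CIPHERS = {
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5": Cipher("SSL_RSA_EXPORT_WITH_RC4_40_MD5", 40, True),
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5": Cipher("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", 40, True),
    "SSL_RSA_WITH_DES_CBC_SHA": Cipher("SSL_RSA_WITH_DES_CBC_SHA", 56, False),
    "SSL_RSA_WITH_RC4_128_MD5": Cipher("SSL_RSA_WITH_RC4_128_MD5", 128, False),
    "SSL_RSA_WITH_RC4_128_SHA": Cipher("SSL_RSA_WITH_RC4_128_SHA", 128, False),
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": Cipher("SSL_RSA_WITH_3DES_EDE_CBC_SHA", 168, False),
}

RC4_40 = "SSL_RSA_EXPORT_WITH_RC4_40_MD5"
RC2_40 = "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"
DES_56 = "SSL_RSA_WITH_DES_CBC_SHA"
RC4_128_MD5 = "SSL_RSA_WITH_RC4_128_MD5"
RC4_128_SHA = "SSL_RSA_WITH_RC4_128_SHA"
TRIPLE_DES = "SSL_RSA_WITH_3DES_EDE_CBC_SHA"

# Constructed client offers, strongest first, as a browser would send them.
BROWSER_40 = [RC4_40, RC2_40]
BROWSER_56 = [DES_56, RC4_40, RC2_40]
BROWSER_128 = [TRIPLE_DES, RC4_128_MD5, RC4_128_SHA, DES_56, RC4_40, RC2_40]

# Constructed server cipher lists, in server preference order.
SERVER_MISSING_56 = [TRIPLE_DES, RC4_128_MD5, RC4_40]                 # no 56-bit suite at all
SERVER_FULL = [TRIPLE_DES, RC4_128_MD5, RC4_128_SHA, DES_56, RC4_40]   # every strength spelled out
SERVER_STRONG_ONLY = [TRIPLE_DES, RC4_128_MD5, RC4_128_SHA]            # 128-bit and up only


def negotiate(server_enabled, client_offered):
    """Return the Cipher the handshake settles on, or None if nothing is shared.

    The server walks its own preference list and takes the first suite the
    client also offered; the client's ordering does not matter here.
    """
    offered = set(client_offered)
    for name in server_enabled:
        if name in offered:
            return CIPHERS[name]
    return None


def negotiated_bits(server_enabled, client_offered):
    """Key length of the negotiated suite, or 0 when the handshake would fail."""
    chosen = negotiate(server_enabled, client_offered)
    return chosen.key_bits if chosen else 0


def audit(server_enabled):
    """Names of enabled suites a defender would flag: export grade or under 128 bits."""
    return [n for n in server_enabled
            if CIPHERS[n].export or CIPHERS[n].key_bits < 128]


if __name__ == "__main__":
    for label, server in [("missing 56-bit", SERVER_MISSING_56),
                          ("all strengths", SERVER_FULL),
                          ("128-bit only", SERVER_STRONG_ONLY)]:
        print(f"server {label}:")
        for browser_label, browser in [("40-bit browser", BROWSER_40),
                                       ("56-bit browser", BROWSER_56),
                                       ("128-bit browser", BROWSER_128)]:
            print(f"  {browser_label:16} -> {negotiated_bits(server, browser)} bits")
        print(f"  weak suites still enabled: {audit(server)}")
```

With the server list that omits the 56-bit DES suite, the 56-bit browser negotiates 40 bits even though it offered 56, which is the behaviour Richard saw; once the DES suite is added, the same browser gets 56 bits, and a 128-bit-only list refuses the weaker browsers outright instead of silently falling back. The `audit` helper is the check worth running against any cipher list you deploy: it reports every export-grade or sub-128-bit suite that remains enabled.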


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

