Firewall Wizards mailing list archives
RE: SSL and negotiated key strength
From: Graeme Rider <Graeme.Rider () colesmyer com au>
Date: Fri, 11 May 2001 08:31:41 +1000
The global certificates use Server Gated Cryptography (which I think was developed by Microsoft, so there is part of the problem). This allows the customer's browser to be upgraded to 128-bit. The problem with your configuration is, as with mine, that you use Apache. Apparently because it is open source there are many versions of it, and Verisign (I use eSign certs, which is the Australian subsidiary of Verisign) do not guarantee that these certs will work. You can get them to work, but this requires determining which part of the Apache configuration is not understanding SGC. I have an added problem as we use Stronghold as well. I had to drop down to standard certs to get it to work, as it wouldn't work at all with 56-bit.

regards
graeme rider
technical security analyst
ColesMyer

-----Original Message-----
From: Scott, Richard [mailto:Richard.Scott () BestBuy com]
Sent: Thursday, 10 May 2001 2:39
To: firewall-wizards () nfr com
Subject: [fw-wiz] SSL and negotiated key strength

Greetings all,

I've been playing around with SSL and certificates and have come across a problem. I'm using Apache and IIS as the web servers, and for an example IE5 with 56-bit capable encryption. This is what I am seeing:

(1) With a global certificate, 128-bit should be enforced, and for all browsers that do not support 128-bit, the browser is "stepped up" somehow.
- With my 56-bit capable browser, only 40-bit encryption is negotiated, not 128-bit.
- With a 128-bit browser, 128-bit is supported.

Shouldn't it be the case that 128-bit is used for all browsers with Verisign's Global Certificates? I shouldn't have to define in Apache or IIS to force 128-bit, or should I? I am wondering whether the option in IIS, for example, to enforce 128-bit only permits browsers with the high crypto pack installed on the client?

(2) Connecting to Fortify.com, the SSL test for a 56-bit capable browser only negotiates to 40-bit; why does it not use 56-bit?

I believe that 128-bit crypto can be exported now, please correct me if I am wrong, and hence outside connections using SSL with 128-bit encryption are legal?

Cheers
r.

Richard Scott
Information Security
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344
USA

The views expressed in this email do not represent Best Buy or any of its subsidiaries.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
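The two observations in the thread (a 56-bit browser ending up on 40-bit, and the question of whether the server must be told to insist on 128-bit) both come down to how a cipher suite is negotiated: the result is the strongest suite in the intersection of what the client offers and what the server enables, picked in server order if the server enforces its own preference and in client order otherwise. The script below is an added example, not code from either poster or from Verisign, Apache or IIS. The browser and server cipher lists are constructed to mimic the 2001-era situation (real OpenSSL suite names, but assumed offerings, not captured handshakes), so the 40-bit outcome it produces is an illustration of the mechanism, not a diagnosis of the Fortify test server. The last function runs the same "weakest enabled suite" check against a live Python `ssl` context, which is the check a practitioner would run today before trusting a configuration to enforce a minimum strength.

```python
import ssl

# Constructed cipher offerings (assumption, not captured data). Names are real
# OpenSSL cipher suite names; "strength_bits" mirrors the key returned by
# ssl.SSLContext.get_ciphers() so the same helpers work on real contexts.
EXPORT_BROWSER = [          # export-grade client: offers 40-bit and single DES
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
]
DOMESTIC_BROWSER = [        # 128-bit capable client
    {"name": "RC4-MD5", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 168},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
]
SERVER_STRONG_FIRST = [     # server list ordered strongest first
    {"name": "DES-CBC3-SHA", "strength_bits": 168},
    {"name": "RC4-MD5", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
]
SERVER_WEAK_FIRST = [       # same suites, export ciphers listed first
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "EXP-DES-CBC-SHA", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "RC4-MD5", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "strength_bits": 168},
]


def negotiate(server, client, server_preference=True):
    """Return the suite a handshake would settle on, or None if there is no overlap.

    With server preference the server walks its own list and takes the first
    suite the client also offered; otherwise the client's order decides.
    """
    first, second = (server, client) if server_preference else (client, server)
    offered = {c["name"] for c in second}
    for suite in first:
        if suite["name"] in offered:
            return suite
    return None


def enforce_minimum(suites, min_bits):
    """Server-side policy: drop every suite below min_bits before negotiating.

    This is what an 'enforce 128-bit' option amounts to; a client that only
    offers weaker suites then gets no overlap and the handshake fails instead
    of silently downgrading.
    """
    return [s for s in suites if s["strength_bits"] >= min_bits]


def weakest_enabled(ctx):
    """Weakest symmetric key size (in bits) a real ssl.SSLContext would accept."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def hardened_context():
    """Client-side example of the same policy against the live OpenSSL build.

    'HIGH' in OpenSSL's cipher-string syntax selects suites with 128-bit keys
    or larger; the exclusions remove anonymous and MD5-based suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    for label, server in (("strong-first", SERVER_STRONG_FIRST),
                          ("weak-first", SERVER_WEAK_FIRST)):
        for cname, client in (("export", EXPORT_BROWSER),
                              ("domestic", DOMESTIC_BROWSER)):
            got = negotiate(server, client)
            print(f"{label:12s} server, {cname:8s} browser -> {got['name']} ({got['strength_bits']} bits)")
    strict = enforce_minimum(SERVER_STRONG_FIRST, 128)
    print("export browser against 128-bit-only server ->", negotiate(strict, EXPORT_BROWSER))
    print("weakest suite the local OpenSSL would accept:", weakest_enabled(hardened_context()), "bits")
```

Two points the run makes concrete: the export browser never reaches 128-bit on its own because it does not offer any 128-bit suite at all, which is why step-up needs something beyond ordinary negotiation; and whether that browser lands on 56-bit or 40-bit depends purely on which of its suites the server prefers, not on the certificate. A server that drops suites below 128 bits refuses the export client rather than downgrading it.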
Current thread:
- SSL and negotiated key strength Scott, Richard (May 10)
- Re: SSL and negotiated key strength Rich Wilson (May 11)
- <Possible follow-ups>
- RE: SSL and negotiated key strength Graeme Rider (May 11)
- RE: SSL and negotiated key strength Scott, Richard (May 21)
- RE: SSL and negotiated key strength Graeme Rider (May 22)