
List:       apache-ssl
Subject:    RE: [apache-ssl] Apache 1.3.12 + ssl_1.39, Verisign 128 bit, Prob
From:       Kevin Trilli <KTrilli () verisign ! com>
Date:       2000-12-21 21:57:40

Marek

I did some looking around for you in our support group and was able to find
the following information for you.  Please be forewarned that this is
*unofficial* information we have learned by working with a customer.

Let me know if this helps,
Kevin



I think we got around the problem (without having to 'redirect' users...) 
> 
> In our Apache webserver config ("httpd.conf")  we changed the line which 
> 'rejects' certain browser types  (Oddly enough, someone had written into the 
> "mod_ssl" message board, and used the 'keyword' "EXPORT56" instead of 
> "EXP56" which is provided with the initial "httpd.conf" file with Apache, 
> and by using that variation, it seems to work). 
> 
> ##SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
> 
> And added a line (within the 'systemwide LOCATION' section) which would make 
> sure that all browsers 'jump up' to the 128bit encryption level: 
> 
> SSLRequire  %{SSL_CIPHER} >= 128 
> 
> 
> The result (from reading thru the Apache SSL logs),  is that instead of 
> seeing the browser coming in as an 
> "EXP1024-RC4-SHA (56/128)" version (which Apache/Mod_SSL had a problem 
> negotiating the 128bit encryption 
> level with),  it sees it as a "EXP-RC4-MD5 (40/128)" , which though 
> apparently  a 'crappier' version,  is one that 
> Apache/Mod_SSL could deal with.... 
> 
> The secure web transactions that followed for that client appear as: 
> Protocol: SSLv3, Cipher: RC4-MD5 
> (128/128 bits)  which means that the webserver was able to force the browser 
> to 'jump up' to its level of encryption... 
> 
> We're still watching to see what the overall results of the change (as users 
> move thru our site) is....
http://marc.theaimsgroup.com/?l=apache-modssl&m=97430424603650&w=2 

-----Original Message-----
From: Stiefenhofer, Marek ECOFIS [mailto:m.stiefenhofer@ecofis.de]
Sent: Friday, December 15, 2000 8:54 AM
To: 'apache-ssl@lists.aldigital.co.uk'
Subject: [apache-ssl] Apache 1.3.12 + ssl_1.39, Verisign 128 bit, Problems with 56bit Browsers


After installing a Verisign Server Certificate (128bit) on one of our virtual
servers everything seems to work well, except that browsers which are not
capable of 128bit encryption produce secure channel errors and can't view
the pages.
Self generated and signed 128bit certificates seem to work well even with
56bit browser versions. 

Any suggestion?


Kind Regards,

Marek Stiefenhofer
(IT Security)
ECOFIS GmbH
Tel.:   +49-(0)2 31-75 45-1 17
FAX :   +49-(0)2 31-75 45-2 22
e-mail: m.stiefenhofer@ecofis.de

-----------------------------------------------------------------------------------
to unsubscribe, send a blank email to:
apache-ssl-unsubscribe@lists.aldigital.co.uk
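
Added example, not part of the original messages or of Apache/mod_ssl: a small Python audit of SSL log lines that reports which cipher each connection negotiated and flags any below 128 effective bits, the condition the `SSLRequire` line in the reply is meant to enforce. Only the `Protocol: ..., Cipher: ... (used/alg bits)` fragment is taken from the reply; the rest of each log line (timestamp, `Connection: Client IP:` prefix, 192.0.2.x addresses) is a constructed assumption.

```python
import re
from collections import Counter

# Constructed sample log; only the "Protocol: ..., Cipher: ... (used/alg bits)"
# part follows the message, the prefix and 192.0.2.x addresses are assumptions.
SAMPLE_LOG = """\
[21/Dec/2000 10:02:11] Connection: Client IP: 192.0.2.10, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[21/Dec/2000 10:02:40] Connection: Client IP: 192.0.2.11, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[21/Dec/2000 10:03:05] Connection: Client IP: 192.0.2.12, Protocol: TLSv1, Cipher: EXP1024-RC4-SHA (56/128 bits)
[21/Dec/2000 10:03:09] Seeding PRNG with 512 bytes of entropy
[21/Dec/2000 10:04:17] Connection: Client IP: 192.0.2.10, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
"""

# "(used/alg)" is effective key bits / algorithm key bits; "bits" is optional
# because the message also quotes the short form, e.g. "(56/128)".
CIPHER_RE = re.compile(
    r"(?:Protocol:\s*(?P<proto>[^,\s]+),\s*)?"
    r"Cipher:\s*(?P<cipher>[A-Za-z0-9-]+)\s*"
    r"\((?P<used>\d+)/(?P<alg>\d+)(?:\s*bits)?\)"
)

def parse_line(line):
    """Return the negotiated cipher fields of one log line, or None."""
    m = CIPHER_RE.search(line)
    if m is None:
        return None
    return {"proto": m.group("proto"), "cipher": m.group("cipher"),
            "used": int(m.group("used")), "alg": int(m.group("alg"))}

def audit(log_text, min_bits=128):
    """Count connections per (cipher, effective bits); collect those below min_bits."""
    counts, weak = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a connection line
        counts[(rec["cipher"], rec["used"])] += 1
        if rec["used"] < min_bits:
            weak.append(rec)
    return counts, weak

if __name__ == "__main__":
    counts, weak = audit(SAMPLE_LOG)
    for (cipher, bits), n in counts.most_common():
        flag = "  <-- below 128" if bits < 128 else ""
        print(f"{n:3d}  {cipher:<18} {bits} bits{flag}")
```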
