
RE: OPENSSL



On Tue, Jun 10, Stefan Neufeind wrote:
> I'm using a 128-bit-cert.

You're using an X.509 certificate. The grade of symmetric encryption
negotiated between browser and web server is (at least in theory)
independent of the certificate.

> But browsers that support less encryption 
> (e.g. IE that comes with WinNT4) can't access my SSL-pages because 
> the encryption doesn't allow degradation.

The original NT shipped with IE2. Are you sure you want people to still use
that?

> Is there any way to solve 
> this prob? Using Apache with an official SSL-cert.
> 
> PS: This just came to my mind when you said "step-up" - cause in my 
> case it would be a "step-down", right?

I could imagine that IE2 has numerous problems with SSL. It could well be
one of the browsers that need to see step-up certificates before they
perform 128-bit symmetric cryptography. But I don't know.

Make sure you've allowed your Apache to use small key sizes first. I
wouldn't use them, but you should be sure that it's not your server that's
refusing to do e.g. 40-bit RC4. Then I'd urge the NT users to apply the
latest service pack and preferably install IE6SP1 plus the Hotfixes that
have been released since.

And then they should install a better browser and use that instead. ;->

Cheers,
Tobias


