
RE: OPENSSL



On 11 Jun 2003 at 6:59, Reckhard, Tobias wrote:

> On Tue, Jun 10, Stefan Neufeind wrote:
> > I'm using a 128-bit-cert.
> 
> You're using an X.509 certificate. The grade of symmetric encryption
> negotiated between browser and web server is (at least in theory)
> independent of the certificate.
> 
> > But browsers that support less encryption 
> > (e.g. IE that comes with WinNT4) can't access my SSL-pages because
> > the encryption doesn't allow degradation.
> 
> The original NT shipped with IE2. Are you sure you want people to
> still use that?

Well, some people here still use it. Mainly for reading emails via 
webmail ... Users with original NT4 or some version of Mac OS are 
currently having problems accessing the webmail-interface. But I 
don't want to drop to http-without-SSL for webmail. And I can't 
install new browser versions on those machines since I don't 
administrate them. So for now these users can't view their emails 
from those machines.

> > Is there any way to solve 
> > this prob? Using Apache with an official SSL-cert.
> > 
> > PS: This just came to my mind when you said "step-up" - cause in my
> > case it would be a "step-down", right?
> 
> I could imagine that IE2 has numerous problems with SSL. It could well
> be one of the browsers that need to see step-up certificates before
> they perform 128-bit symmetric cryptography. But I don't know.
> 
> Make sure you've allowed your Apache to use small key sizes first. I
> wouldn't use them, but you should be sure that it's not your server
> that's refusing to do e.g. 40-bit RC4. Then I'd urge the NT users to
> apply the latest service pack and preferably install IE6SP1 plus the
> Hotfixes that have been released since.

Will have a look at that. Funny thing: Users can view the first page 
(login-page) but afterwards can't login. Maybe it has got something 
to do with keepalives or anything?!?

> And then they should install a better browser and use that instead.
> ;->

Read statement above. Would REALLY like to do that if I could.
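
The point made in the quoted reply, that the symmetric key size belongs to the negotiated cipher suite and not to the certificate, and that the server's allowed cipher list should be checked first, can be inspected locally. This is an added example, not part of the thread: it uses Python's `ssl` module to expand an OpenSSL cipher-list string (the format mod_ssl's `SSLCipherSuite` takes) and report the key size of each suite; the sample strings are constructed, and the output reflects the local OpenSSL build rather than any particular server.

```python
import ssl


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher-list string into (name, protocol, key bits).

    No certificate is loaded anywhere: key size is a property of the suite.
    TLS 1.3 suites are dropped because OpenSSL configures them separately
    and the cipher-list string does not control them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL refuses a string that selects no suite in this build,
        # which is what happens for suites the library no longer ships.
        return []
    return [
        (c["name"], c["protocol"], c["strength_bits"])
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def below(cipher_string, min_bits=128):
    """Suites enabled by cipher_string whose key is shorter than min_bits."""
    return [s for s in enabled_suites(cipher_string) if s[2] < min_bits]


if __name__ == "__main__":
    # Constructed sample strings, not taken from the poster's configuration.
    for spec in ("ECDHE+AESGCM", "HIGH:!aNULL", "ALL:!aNULL"):
        suites = enabled_suites(spec)
        weak = below(spec)
        print(f"{spec}: {len(suites)} suites, {len(weak)} under 128 bits")
        for name, proto, bits in weak:
            print(f"    {name} ({proto}, {bits}-bit)")
```

An empty result for a string means the local OpenSSL build cannot select any suite from it, so a client limited to those suites would fail the handshake regardless of which certificate is installed.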


