Re: OPENSSL

To: debian-security@lists.debian.org
Subject: Re: OPENSSL
From: "Stefan Neufeind" <stefan@neufeind.net>
Date: Tue, 10 Jun 2003 17:40:17 +0200
Message-id: <[🔎] 3EE61801.32640.600BA7A@localhost>
In-reply-to: <[🔎] 3EE5C5E5.7090304@ozemail.com.au>
References: <[🔎] 96C102324EF9D411A49500306E06C8D102B13E56@eketsv02.cubis.de>

I'm using a 128-bit-cert. But browsers that support less encryption 
(e.g. IE that comes with WinNT4) can't access my SSL-pages because 
the encryption doesn't allow degration. Is there any way to solve 
this prob? Using Apache with an official SSL-cert.

PS: This just came to my mind when you said "step-up" - cause in my 
case it would be a "step-down", right?

On 10 Jun 2003 at 21:49, Berin Lautenbach wrote:

> Reckhard, Tobias wrote:
> > There are web browsers that will negotiate 128 bits only if the
> > certificate presented by the web server is a "step-up certificate".
> > I'm not sure what makes a certificate a step-up certificate,
> > however, nor if this restriction still applies to current browsers.
> 
> The step up involved the browser checking the signer was a legitimate
> CA to sign a step-up cert and then performing the re-negotiation. The
> restriction disapeared when the crypto export laws were all relaxed.
> You have to go a fair way back (few years) to get a browser that still
> only supports 128bit symmetric in SGC mode.

Reply to:

References:
- RE: OPENSSL
  - From: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
- Re: OPENSSL
  - From: Berin Lautenbach <berin@ozemail.com.au>

Prev by Date: Re: Default Apache install not fit for multiple domains/users
Next by Date: re: strange broadcast packets
Previous by thread: Re: OPENSSL
Next by thread: RE: OPENSSL
Index(es):
- Date
- Thread