Firewall Wizards mailing list archives

RE: SSL (Apache) <-> Browser


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Thu, 8 Feb 2001 09:02:09 -0600

Inline:

Richard Scott   
* Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA
The views expressed in this email do not represent Best Buy
or any of its subsidiaries.

Hi,

Check the mod_ssl FAQ and mail list archives (I assume that you're using
some apache/openssl/mod_ssl combination). Your problem is extensively
discussed there. Resolution is in the hands of your server admin.

This is what I am trying to help.... ;-)

As a starting point:

1. Is a Global Server ID in use (a certificate that uses an intermediate CA
certificate to "Step-up" the session key for old "export" servers and
browsers)? If so you need to exclude EXPORT56 from the cipher suite in the
server config.

Yes it is, as far as I know, we have the 128bit certificate from Verisign.
I have seen the forums speak of problems with this, but I can't seem to get
a config description of the server, so I have a few holes in my knowledge.
This is what the admin will try, and I will see if that helps.

2. Is the apache server configured to support an SSL session cache? It
probably needs to be.

Why is this? Surely this just speeds up the negotiating?

Oh, and don't bother chasing this through MS support unless you are a
masochist. 


Laughs,

I have another question I want to throw out. Using the 40bit or 128bit
certificate, what determines the key that is used for the symmetric
encryption?
That is, does the server resolve to the lowest common denominator, hence if
the client can only use 56bit, the server will only use a 56bit key?
I can't seem to find the answer in the RFC. What I would like to see is that
the server can use the 128bit key always, and the client can use whatever
they can cope with.

Cheers ..... Jonathan.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
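Jonathan's closing question (does the server drop to the lowest common denominator?) is answered by how the handshake actually selects a cipher suite: the client offers a list, and the server picks from the overlap with its own configured list. The following is an added illustration, not code from the thread or from mod_ssl; the suite table is constructed with OpenSSL-style names, and `honor_server_order` models server-preference selection (the behaviour mod_ssl later exposed as SSLHonorCipherOrder), which is an assumption about the server's configuration.

```python
# Added example: a simplified model of SSL/TLS cipher suite selection.
# The server is not forced to the weakest suite; it chooses from the
# intersection of what the client offers and what it is configured to allow.

# Constructed table (OpenSSL-style suite names -> symmetric key bits).
# "EXP-" marks export-grade suites of the kind the thread says to exclude.
SUITES = {
    "DES-CBC3-SHA": 168,
    "RC4-MD5": 128,
    "DES-CBC-SHA": 56,
    "EXP-RC4-MD5": 40,
    "EXP-DES-CBC-SHA": 40,
}

# Server preference order as it would appear in a cipher suite config string.
SERVER_ORDER = ["DES-CBC3-SHA", "RC4-MD5", "DES-CBC-SHA",
                "EXP-RC4-MD5", "EXP-DES-CBC-SHA"]


def negotiate(client_offer, server_allow, honor_server_order=True):
    """Return the selected suite, or None when there is no common suite.

    client_offer: suites in the client's preference order (ClientHello).
    server_allow: suites the server accepts, in its preference order.
    With honor_server_order the server's list decides; otherwise the first
    client preference the server accepts wins (the default in older stacks).
    """
    first, second = ((server_allow, client_offer) if honor_server_order
                     else (client_offer, server_allow))
    for suite in first:
        if suite in second:
            return suite
    return None


def key_bits(suite):
    """Symmetric key length of the negotiated suite (0 if handshake failed)."""
    return SUITES[suite] if suite else 0


def exclude_export(server_allow):
    """Model the thread's advice: remove export suites from the server config."""
    return [s for s in server_allow if not s.startswith("EXP-")]


if __name__ == "__main__":
    # A 128-bit capable client that happens to list an export suite first.
    client = ["EXP-RC4-MD5", "RC4-MD5"]
    print(negotiate(client, SERVER_ORDER))                        # RC4-MD5
    print(negotiate(client, SERVER_ORDER, honor_server_order=False))  # EXP-RC4-MD5
    # An export-only client against a server that has excluded export suites
    # gets no suite at all: the handshake fails rather than downgrading.
    print(negotiate(["EXP-RC4-MD5"], exclude_export(SERVER_ORDER)))  # None
```

The model shows that with server preference the strongest mutually supported suite is chosen per client, so a 56-bit client does not pull other clients down to 56 bits, and that removing export suites turns a downgrade into a refused handshake.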

