On Fri, Nov 06, 2009 at 02:00:47AM +0000, Dirk-Willem van Gulik wrote:
> What we really need is 1) a pub/priv key pair of such a cert* (or use
> attached CSR) of some random domain (ideally expired and with a totally
> bogus CN value so we can post the private key publicly) and 2) obviously
> a browser which supports this (but that we can handle).
Rick got me an SGC-enabled test cert (thanks a lot!) - I've installed it on a box which can be accessed e.g. here:

  https://dougal.manyfish.co.uk/cgi-bin/printenv

with SSLCipherSuite tweaked to enable EXPORT ciphers; it now reads:

  SSLCipherSuite ALL:!ADH:EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

The box is running the RHEL 2.2.3 with the CVE-2009-3555 patch applied, so should reject any client-initiated renegotiations. Note that the cert has expired already (intentionally), but is otherwise valid.

I've been trying to find a real browser to do SGC against this but have failed - help welcome here! I've tried old releases of Netscape 4.0x but they predate the Verisign root from which the cert was issued, so the prerequisite "enable SGC" trust bit in the root CA bundle isn't there.

It seems like the best bet to get a working SGC-enabled browser might be Windows 2K or similar vintage with an old "export" (non-US) version of MSIE (4/5?). Can anybody dig out such a beast and try loading the above page? You'd need to verify it was an export version by loading some other SSL site and checking the cipher used, and/or verifying that SGC works against one of the sites mentioned earlier:

> https://www.chase.com
> https://www.wellsfargo.com

Regards, Joe
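The SSLCipherSuite string quoted in the mail is worth reading operator by operator, because the place the EXPORT suites end up in the server's preference list is decided entirely by the ':'-separated rule semantics ('!' deletes permanently, '-' deletes but allows re-adding, a leading '+' moves already-selected suites to the end, and '+' inside an item is a logical AND). The script below is an added example, not code from the mail or from mod_ssl/OpenSSL: it is a small model of that rule grammar run over a hand-constructed cipher table whose attributes are approximations of the real suites, so the exact "ALL" order differs from any real OpenSSL build. It evaluates the mail's string next to a second string (assumed here to be the one the mod_ssl 2.2 documentation gives as its default; check your own build's docs) to show that the mail's string leaves EXPORT suites at the front while the second pushes SSLv2 and EXPORT suites to the back. It does not exercise the renegotiation behaviour the mail is actually testing.

```python
"""Toy model of the OpenSSL cipher-list syntax used by SSLCipherSuite.

Added example, not from the original mail.  TABLE is a constructed subset
with approximate attributes, not OpenSSL's real cipher table, and only the
operators the mail's string needs are modelled (':' separators, '!', '-'
and '+' prefixes, '+' as AND inside an item; '@STRENGTH' is ignored).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    name: str      # OpenSSL-style suite name
    version: str   # SSLv2 / SSLv3 / TLSv1
    kx: str        # key exchange: kRSA or kEDH
    auth: str      # authentication: aRSA or aNULL (anonymous)
    enc: str       # bulk cipher: RC4, RC2, DES, 3DES, AES128, AES256, eNULL
    strength: str  # EXPORT40, EXPORT56, LOW, MEDIUM, HIGH, eNULL


# Constructed table, listed in the order this model uses for "ALL" (strong first).
TABLE = (
    Cipher("AES256-SHA",         "TLSv1", "kRSA", "aRSA",  "AES256", "HIGH"),
    Cipher("DHE-RSA-AES128-SHA", "TLSv1", "kEDH", "aRSA",  "AES128", "HIGH"),
    Cipher("AES128-SHA",         "TLSv1", "kRSA", "aRSA",  "AES128", "HIGH"),
    Cipher("ADH-AES128-SHA",     "TLSv1", "kEDH", "aNULL", "AES128", "HIGH"),
    Cipher("DES-CBC3-SHA",       "SSLv3", "kRSA", "aRSA",  "3DES",   "HIGH"),
    Cipher("RC4-SHA",            "SSLv3", "kRSA", "aRSA",  "RC4",    "MEDIUM"),
    Cipher("RC4-MD5",            "SSLv3", "kRSA", "aRSA",  "RC4",    "MEDIUM"),
    Cipher("ADH-RC4-MD5",        "SSLv3", "kEDH", "aNULL", "RC4",    "MEDIUM"),
    Cipher("DES-CBC-SHA",        "SSLv3", "kRSA", "aRSA",  "DES",    "LOW"),
    Cipher("EXP-DES-CBC-SHA",    "SSLv3", "kRSA", "aRSA",  "DES",    "EXPORT40"),
    Cipher("EXP-RC2-CBC-MD5",    "SSLv3", "kRSA", "aRSA",  "RC2",    "EXPORT40"),
    Cipher("EXP-RC4-MD5",        "SSLv3", "kRSA", "aRSA",  "RC4",    "EXPORT40"),
    Cipher("DES-CBC3-MD5",       "SSLv2", "kRSA", "aRSA",  "3DES",   "HIGH"),
    Cipher("RC2-CBC-MD5",        "SSLv2", "kRSA", "aRSA",  "RC2",    "MEDIUM"),
    Cipher("NULL-SHA",           "SSLv3", "kRSA", "aRSA",  "eNULL",  "eNULL"),
)


def matches(c: Cipher, word: str) -> bool:
    """Does a single cipher-string keyword select this suite?"""
    if word == "ALL":
        return c.enc != "eNULL"                 # ALL excludes eNULL suites
    if word in ("EXPORT", "EXP"):
        return c.strength in ("EXPORT40", "EXPORT56")
    if word == "ADH":
        return c.kx == "kEDH" and c.auth == "aNULL"
    if word == "RSA":                           # RSA key exchange or RSA auth
        return c.kx == "kRSA" or c.auth == "aRSA"
    if word == "AES":
        return c.enc.startswith("AES")
    return word in (c.version, c.kx, c.auth, c.enc, c.strength)


def cipher_list(rulestr: str, table=TABLE) -> list:
    """Return suite names in the preference order the rule string produces."""
    active = []        # current ordered selection
    killed = set()     # names deleted with '!' can never be re-added
    for item in rulestr.split(":"):
        if not item or item.startswith("@"):    # '@STRENGTH' etc. not modelled
            continue
        op = item[0] if item[0] in "+-!" else ""
        words = item[len(op):].split("+")       # 'RC4+RSA' means RC4 AND RSA
        hit = [c for c in table if all(matches(c, w) for w in words)]
        if op == "!":                           # delete permanently
            killed.update(c.name for c in hit)
            active = [c for c in active if c not in hit]
        elif op == "-":                         # delete, may be re-added later
            active = [c for c in active if c not in hit]
        elif op == "+":                         # move matches to the end, keeping their order
            active = [c for c in active if c not in hit] + [c for c in active if c in hit]
        else:                                   # append new matches in table order
            for c in hit:
                if c.name not in killed and c not in active:
                    active.append(c)
    return [c.name for c in active]


# The string from the mail: '+HIGH:+MEDIUM:+LOW' pushes everything except the
# EXPORT suites to the back, so EXPORT ends up first.
MAIL_SUITE = "ALL:!ADH:EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW"
# Assumed mod_ssl 2.2 documented default: SSLv2 and EXP are moved to the very end.
DEFAULT_SUITE = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"

if __name__ == "__main__":
    for s in (MAIL_SUITE, DEFAULT_SUITE):
        print(s)
        for i, name in enumerate(cipher_list(s), 1):
            print(f"  {i:2d}. {name}")
```

Two practical caveats when reading the output against a real httpd 2.2 server: the server's order only decides anything when `SSLHonorCipherOrder on` is set (the default honours the client's preference), and a real OpenSSL build's "ALL" order and cipher attributes differ from the constructed table above, so run `openssl ciphers -v '<string>'` against the actual library to see the real list.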