On Tue, Mar 23, 1999, Patrik Carlsson wrote:
> How does this stepup really works?
I'm surprised that the README.GlobalID document isn't detailed enough...
> The server has this special GSID certificate, but is he otherwise "modified"
> (he must be able to use strong ciphers) in some way to be able to handle the
> stepup?
The server is not modified except that he has to accept the stepup, i.e.
renegotiations forced by the client. The strong ciphers are always supported,
of course. mod_ssl and OpenSSL are not export-crippled.
> Isn't it actually just a client issue, i.e. the client sees the GSID and, in
> the Netscape case, finishes the 40 bit negotiation and then starts a new 128
> bit SSL negotiation, and in the IE case, it drops the current negotiation
> and starts a new with a stronger cipher.
Correct, it's a client issue and works exactly as you said.
> The following is from the README-GSID.GlobalID file: "First you should
> recognize that Apache+mod_ssl+SSLeay allow such renegotiations since version
> 2.1.3" What does these renegotiations look like and what changes were made
> and where?
They are just SSL renegotiations forced by the client which start a new
handshake phase where the cipher suite is changed to use stronger ciphers. The
actual changes are adjusted I/O routines, see ssl_engine_io.c for more
details.
> Is there something called session renegotiations in the SSL spec? Looking
> at http://microsoft.com/security/tech/sgc/TechnicalDetails.asp it seems like
> the client justs starts a new handshake...
Don't look at Microsoft papers when you want to understand anything, please.
Instead look inside the SSLv3 spec or the TLSv1 RFC. Yes, the stuff is called
renegotation of parameters and is nothing more than a new SSL handshake, of
course. The interesting point is just that an SSL handshake can occur at any
time and not only at startup of a new connection ;-)
> I would be really happy if someone could shed some light in the fog on this
> (interesting) topic!
I doesn't look that there is such a lot of fog around you. The whole SGC
stuff isn't complicated in general on the server-side, it's just a matter of
client forced renegotiations which the server has to accept at any stage to
support SGC.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
