-----Original Message-----
From: Alex Howansky <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, December 02, 1999 3:19 AM
Subject: confused about RSAref
>
>Hi all,
>
>I've searched the docs and mailing list archives and can't find a definitive
>answer to my question. I hope someone can shed some light on the subject.
>
>I'm very confused about RSAref. The modssl docs say that RSAref is mandatory
>here in the US. The openssl docs say only that "it is possible" to use RSAref.
>Clearly though, both openssl and modssl can work fine without it. The modssl
>docs even say that using RSAref will result in some loss of functionality. So,
>my question is, do I really need it? Is the "mandatory" issue a legal one or a
>technical one? What are the implications of running a commercial server in the
>US with a modssl module that isn't linked with RSAref?
>
My understanding is that it is a legal issue, not a technical one. I
removed all RSA-related stuff and it still works.
>Another possibly related question -- so far, I've built modssl without RSAref.
>I've generated a self-signed server certificate according to the modssl docs.
>When I connect, I'm only getting 40 bit encryption. How do I get 128? Is the
>encryption strength dependent on the certificate or the modssl settings in
>httpd.conf? Or maybe to my lack of RSAref?
>
The key length of the symmetrical encryption has nothing to do with
RSA (almost). You need to look under cipher suites, what to enable and what
to disable. It seems that you are using export grade cipher suites. It
will depend on the certificate if you are doing things using globaleID
certificates. Otherwise, it does not. But if you are using a certificate with
512 bit public key algorithms and a 128 bit symmetrical encryption, it does
not make too much sense. Generally, stronger symmetrical key length goes
with longer public key length. For instance, 1024 DH with 128 triple DES.
Cheers
Lin
>Please respond via email -- I'm not a subscriber. Thanks.
>
>--
>Alex Howansky
>[EMAIL PROTECTED]
>http://www.wankwood.com/
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>