I hope I'm not completely out to lunch, but I was under the impression that cipher strength and certificate keys are two different beasts. To put it more exactly, one can disable weak ciphers, because it is a function of the SSL software on the server side of things, NOT a function of the signed public key.
For example (where my expertise lies) - openssl used within Apache specifically allows one to specify the ciphers to be allowed within a connection. For reference (again with openssl):

  # openssl s_server -?    (and check the '-ciphers' arg)
  # openssl ciphers        (to see the ciphers list)

What I can't tell you is whether or not the various servers allow you to explicitly disable weak ciphers. For Apache servers with mod_ssl (the most popular), a config file directive called "SSLCipherSuite" allows one to explicitly specify which ciphers the client is allowed to negotiate, again, independent of the certificate presented. I seem to recall (from 3-4 years ago) that Netscape Enterprise server allowed one to specify whether or not to enable/disable export/domestic grade security (cipher strength). I'd be amazed if IIS doesn't have the exact same capability.

Thomas

> Troy Perkins wrote:
>
> I have spoken with verisign in regards to generating CSR without weak
> ciphers enabled ( resolution: disable weak ciphers in nessus reports ).
>
> All they could tell me was:
> http://www.verisign.com/support/csr/index.html
>
> choosing 40/128 ???
>
> To be more specific, what I'm trying to figure out how to do is
> disable these weak ciphers that are supposedly enabled by IIS 4.0 CSR
> generation before they are sent to an authority for signing.
>
> I know that the weak ciphers are a low security risk, but governments
> and financial institutions don't see it that way.
>
> Feedback is very welcome - Thanks
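The point of the reply above, that the permitted ciphers are decided by the server's cipher string and not by the certificate, can be checked directly with the `openssl ciphers` command Thomas mentions. The script below is an added example, not code from the original thread: it resolves a cipher-string spec the way an mod_ssl SSLCipherSuite directive would, counts the suites it permits, and flags export-grade, NULL, RC4, DES/3DES and MD5 entries. It assumes an `openssl` binary on PATH; the two cipher strings PERMISSIVE and HARDENED are illustrative choices, not settings taken from the thread. On modern OpenSSL builds the export and RC4 suites are compiled out, so the "weak" list for the permissive spec may be shorter than it would have been on the servers the thread discusses.

```shell
#!/bin/sh
# Added example (not from the original thread): resolve OpenSSL cipher
# strings as mod_ssl's SSLCipherSuite would and flag weak suites.
# Assumes `openssl` is installed; cipher strings below are illustrative.

# Print the cipher names OpenSSL resolves for a cipher-string spec, one
# per line. `openssl ciphers -v` prints name, protocol, Kx, Au, Enc, Mac.
list_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null | awk '{ print $1 }'
}

# Number of suites the spec permits (0 if the spec matches nothing or
# openssl is unavailable).
count_ciphers() {
    list_ciphers "$1" | grep -c .
}

# Print the permitted suites that use export-grade, NULL, RC4, DES/3DES
# or MD5 components. TLS 1.3 suites are always listed by openssl
# regardless of the spec and match none of these patterns.
weak_ciphers() {
    list_ciphers "$1" | grep -E 'EXP|NULL|RC4|DES|MD5'
}

# Return 0 (true) if the spec permits at least one weak suite, 1 otherwise.
has_weak() {
    weak_ciphers "$1" | grep -q .
}

# A permissive spec of the kind an old default configuration carried:
# everything, including NULL-encryption suites.
PERMISSIVE='ALL:eNULL'

# A spec that excludes anonymous key exchange, NULL encryption, MD5,
# RC4 and 3DES. This is the value you would put in SSLCipherSuite.
HARDENED='HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES'

main() {
    echo "Permissive ($PERMISSIVE): $(count_ciphers "$PERMISSIVE") suites"
    weak_ciphers "$PERMISSIVE" | sed 's/^/  weak: /'

    echo "Hardened ($HARDENED): $(count_ciphers "$HARDENED") suites"
    if has_weak "$HARDENED"; then
        echo "  still permits weak suites:" >&2
        weak_ciphers "$HARDENED" | sed 's/^/    /' >&2
        return 1
    fi
    echo "  no weak suites permitted"
    echo "  Apache directive: SSLCipherSuite $HARDENED"
}

main
```

Run it as `sh ciphers_check.sh`; a non-zero exit means the hardened spec still resolves to at least one weak suite on this OpenSSL build, which is the same check a scanner such as the one mentioned in the thread performs from the outside against a live server.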
