On Tue, 20 Jun 2000 15:54:50 +0100 (BST), Luke Ross wrote:

>low-grade encryption and/or fortify'd browsers work fine here.
>
That's right, but how can you know beforehand which kind of browser
is connecting to your server? What I mean is that when a low
encryption enabled browser tries to connect to your server, it is
kicked off with a "Network error" dialog box and nothing more.

>I've seen a few moans on openssl-users list about this - basically IIS &
>IE do a quick step-up that's actually not permitted by the SSL protocol.
>It's a hack by Microsoft to make step-up easier, and I think support can
>be added to OpenSSL, but AFAIK it's not in the main source on principle.
>Netscape does a proper step-up and so should work properly.  I don't know
>the details, but even under U*ix step-up with IE tends to fail.
>
Even Netscape International browsers (40/56 bit) do not step up.
On the other hand, it's not an OpenSSL problem, because I tried to start
this on a Win NT box:

openssl s_server -accept 443 -cert server.crt -key server.key -CAfile Gsid.crt -debug -state -cipher ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP -www

and all browsers connecting to that machine including IE & Netscape versions
greater than 4.0 stepped up correctly.

Of course I tried with openssl versions from 0.91 to the last, 0.95a.
 
>Is it crucial that you have step-up?  Whilst crackable, 40/56 bit
>encryption is usually fine for everyday use.
>
If you deal with credit cards, using high encryption is a must, and first
of all the use of a "Verisign signed certificate". Visa, MasterCard, Amex, Diners
state that if you don't want to get into trouble you have to equip your Web
server with a "Verisign high encryption signed certificate".

Regards.


-------------------------------------------------------------------
"On a day not different than the one now dawning, Leonardo drew the
first strokes of the Mona Lisa, Shakespeare wrote the first words
of Hamlet, and Beethoven began work on his Ninth Symphony."
And Windows98 Crashed!
-------------------------------------------------------------------
 Francesco D'Inzeo
 WinTech S.r.l.
 Via Lisbona 7
 35127 PADOVA (Italy)
 Tel. (+39)-(0)49-8703033
 Fax. (+39)-(0)49-8703045
 e-mail [EMAIL PROTECTED]


