I must admit I know *little* about SSL and all those cryptographic issues.
But what I know is that with a server set up by nearly following all the
defaults and just correctly updating the certificates, I get a server which
accepts low and high encryption browsers.
Visa, MasterCard and all we take do *not* impose any 128-bit technology on us.
If the browser is 128-bit capable, it connects that way.
If not, it connects with what it can.
My server certificate is issued by BelSign/GlobalSign.

When you know that MasterCard/Visa and all accept transactions done over
the phone by customers who give their credit card number (over phone or fax)
and then the merchant copies it on the slip for processing (with *no*
customer signature anywhere) and that those transactions are accepted (for a
commission fee slightly higher, yes), then I'm sure they do not, today,
*require* us to only accept 128-bit connections from customers.

VeriSign also has a policy of raising the prices of certificates.
My BelSign/GlobalSign certificate only cost the price of a 56-bit
certificate with VeriSign.

[Sorry about this slightly off-topic discussion.]

I understand and agree on what your requirements can be, Francesco.
I simply said those requirements are not necessarily those of everybody.
The regulations imposed by the card companies may even be higher in Italy
than in Belgium, after all.

Yours,

---------------------------------------------------------------------
Olivier Mascia                                        T.I.P. Group SA
[EMAIL PROTECTED]                                      www.tipgroup.com
Director, Chief Software Architect                      +32 65 401111

----- Original Message -----
From: "Francesco D'Inzeo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 20, 2000 5:33 PM
Subject: Re: 1.0.0 woohoo


> On Tue, 20 Jun 2000 15:54:50 +0100 (BST), Luke Ross wrote:
>
> >low-grade encryption and/or fortify'd browsers work fine here.
> >
> That's right, but how can You know beforehand which kind of browser
> is connecting to Your server? What I mean is that when a low
> encryption enabled browser tries to connect to Your server, it is
> kicked off with a "Network error" dialog box and nothing more.
>
> >I've seen a few moans on openssl-users list about this - basically IIS &
> >IE do a quick step-up that's actually not permitted by the SSL protocol.
> >It's a hack by Microsoft to make step-up easier, and I think support can
> >be added to OpenSSL, but AFAIK it's not in the main source on principle.
> >Netscape does a proper step-up and so should work properly.  I don't know
> >the details, but even under U*ix step-up with IE tends to fail.
> >
> Even Netscape International browsers (40/56 bit) do not step up.
> On the counterpart it's not an OpenSSL problem because I tried to start
> on a Win NT box:
>
> openssl s_server -accept 443 -cert server.crt -key server.key -CAfile Gsid.crt /
> -debug -state -cipher ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP -www
>
> and all browsers connecting to that machine including IE & Netscape versions
> greater than 4.0 stepped up correctly.
>
> Of course I tried with openssl versions from the 0.91 to the last 0.95a.
>
> >Is it crucial that you have step-up?  Whilst crackable, 40/56 bit
> >encryption is usually fine for everyday use.
> >
> If you deal with credit cards, using high encryption is a must, and first
> of all the use of a "Verisign signed certificate". Visa, MasterCard, Amex, Diners
> state that if You don't want to get into trouble You have to equip Your Web
> server with a "Verisign high encryption signed certificate".
>
> Regards.
>
>
> -------------------------------------------------------------------
> "On a day not different than the one now dawning, Leonardo drew the
> first strokes of the Mona Lisa, Shakespeare wrote the first words
> of Hamlet, and Beethoven began work on his Ninth Symphony."
> And Windows98 Crashed!
> -------------------------------------------------------------------
>  Francesco D'Inzeo
>  WinTech S.r.l.
>  Via Lisbona 7
>  35127 PADOVA (Italy)
>  Tel. (+39)-(0)49-8703033
>  Fax. (+39)-(0)49-8703045
>  e-mail [EMAIL PROTECTED]
>
>
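
Added example, not part of the original messages: a small audit that groups the suites a cipher string expands to (as listed by `openssl ciphers -v`) by key strength, so it is visible which ones a 40/56-bit browser would negotiate. The sample listing is constructed, and the "high"/"low"/"none" labels are this example's own grouping, not OpenSSL's HIGH/MEDIUM/LOW classes.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout printed by `openssl ciphers -v`:
# name, protocol, Kx, Au, Enc(bits), Mac, optional "export" flag.
SAMPLE = """\
DES-CBC3-SHA     SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5          SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
DES-CBC-SHA      SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5      SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5 export
EXP-RC2-CBC-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5 export
NULL-MD5         SSLv3 Kx=RSA      Au=RSA Enc=None      Mac=MD5
"""

ENC_RE = re.compile(r"Enc=([A-Za-z0-9]+)(?:\((\d+)\))?")


def parse_line(line):
    """Return name, symmetric key bits and export flag, or None if unparseable."""
    fields = line.split()
    match = ENC_RE.search(line)
    if len(fields) < 6 or not match:
        return None
    bits = int(match.group(2)) if match.group(2) else 0  # Enc=None -> 0 bits
    return {"name": fields[0], "bits": bits, "export": fields[-1] == "export"}


def grade(cipher):
    """Grouping used here: no encryption, 40/56-bit (or export), or stronger."""
    if cipher["bits"] == 0:
        return "none"
    if cipher["export"] or cipher["bits"] <= 56:
        return "low"
    return "high"


def audit(listing):
    """Group suite names by grade, keeping the server's preference order."""
    groups = defaultdict(list)
    for line in listing.splitlines():
        cipher = parse_line(line)
        if cipher:
            groups[grade(cipher)].append(cipher["name"])
    return dict(groups)


if __name__ == "__main__":
    for level, names in audit(SAMPLE).items():
        print(f"{level:5} {', '.join(names)}")
```

To audit a real configuration, pass the output of `openssl ciphers -v` for the server's cipher string to `audit()` in place of `SAMPLE`.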

