I would like to use the code if people have tested it. Our cert has Netscape
SGC extension, not MS SGC extension. So, we are not able to test it. Please
publish the testing result if anyone has.
Just for clarification, IE4/5 behaves differently when it receives a cert
with Netscape SGC extension and MS SGC extension.
Thanks.
--Yunhong
-----Original Message-----
From: Adrian Peck [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 21, 1999 9:24 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: SGC support in OpenSSL
Having found that the Microsoft SGC extensions to SSL were not implemented
in openssl-0.9.4, I made some changes myself. However, as you can see, the
changes are very hacky due to my wish to keep the changes as simple as
possible.
The basic problem is that IE4 or 5 will issue a client hello message
immediately after receiving the server hello and server certificate if it
finds that this certificate was a Server Gated Crypto (SGC) certificate.
The 'point' of this is to change the cipher suites that are offered to the
server without starting a new SSL session. My code peeks at the client
message to check for a client hello and resets the SSL state to
SSL_ST_ACCEPT if it spots one. The code is only visited if the SSL mode
SSL_MODE_NCIPHER_SGC_HACK is set.
I have supplied the 2 files which I have modified for your attention.
In order to test any solution you will need to obtain an SGC certificate
from Verisign with the CORRECT common name for the server it is running on.
You will need an export version of IE version >= 4.
I hope this is of interest
Bertie
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
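
The peek described in the original message, sketched as an added example; this is not Adrian Peck's patch or OpenSSL code. The names `struct conn`, `sgc_peek` and the `PEEK_*` codes are hypothetical, `sgc_mode` stands in for the mode flag, and the one-restart limit is an added hardening assumption that the message does not mention.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire constants from the SSL 3.0 / TLS record and handshake layers. */
#define REC_HANDSHAKE   22
#define HS_CLIENT_HELLO  1
#define MAX_PLAINTEXT   16384
#define MIN_HELLO_BODY  41 /* version 2 + random 32 + sid len 1 + suites 2+2 + comp 1+1 */

enum peek { PEEK_INVALID = -1, PEEK_NEED_MORE, PEEK_CONTINUE, PEEK_RESTART };

/* Hypothetical per-connection state; sgc_mode stands in for the mode flag. */
struct conn { int sgc_mode; int restarted; };

/* Look at, but do not consume, the first record received after the server's
 * hello and certificate. RESTART means: go back to the accept state. */
enum peek sgc_peek(struct conn *c, const uint8_t *buf, size_t len)
{
    size_t rec_len, hs_len;

    if (!c->sgc_mode) return PEEK_CONTINUE;            /* feature off: never peek */
    if (len < 5) return PEEK_NEED_MORE;                /* record header incomplete */
    if (buf[0] != REC_HANDSHAKE) return PEEK_CONTINUE; /* e.g. an alert */
    if (buf[1] != 3) return PEEK_INVALID;              /* not SSLv3/TLS framing */
    rec_len = ((size_t)buf[3] << 8) | buf[4];
    /* Assumption: the 4-byte handshake header is not split across records. */
    if (rec_len < 4 || rec_len > MAX_PLAINTEXT) return PEEK_INVALID;
    if (len < 9) return PEEK_NEED_MORE;                /* handshake header incomplete */
    if (buf[5] != HS_CLIENT_HELLO) return PEEK_CONTINUE; /* normal handshake */
    hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (hs_len < MIN_HELLO_BODY) return PEEK_INVALID;  /* too short for a hello */
    if (c->restarted) return PEEK_INVALID;             /* allow one restart only */
    c->restarted = 1;
    return PEEK_RESTART;
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t second_hello[] = {0x16,0x03,0x00,0x00,0x2d,0x01,0x00,0x00,0x29};
static const uint8_t key_exchange[] = {0x16,0x03,0x00,0x00,0x84,0x10,0x00,0x00,0x80};

int main(void)
{
    struct conn c = {1, 0};
    printf("hello: %d\n", sgc_peek(&c, second_hello, sizeof second_hello));
    printf("again: %d\n", sgc_peek(&c, second_hello, sizeof second_hello));
    printf("cke:   %d\n", sgc_peek(&c, key_exchange, sizeof key_exchange));
    return 0;
}
```

Refusing a second restart keeps a peer from looping the server through repeated handshake restarts on one connection.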