In article <[EMAIL PROTECTED]> you wrote:
> Has anyone done any work on adding support for SGC/StepUp to SSLeay/OpenSSL?
> We would like to add this facility to the browser we use - as otherwise there
> is no way we can export strong crypto out of the UK. So notwithstanding the
> aesthetic/ethical complaints people might have about it I'd like to see it
> included.
> Or is it the case that it is not something that belongs in the SSL library
> but needs to be handled outside it in the driving code?
Yes, that's something which doesn't belong to the SSL library itself. It's
just a matter of using special server and CA certificates and browsers which
do the step-up when they recognize such certificates. The only thing the SSL
library on the server side has to do is to support a way for the server to
accept the SSL renegotiation. And this is already done inside OpenSSL in the
background when you for instance call SSL_read(). On the client side all you
have to do is to reconfigure the SSL parameters and force a renegotiation.
I've written down the stuff for mod_ssl as a little document.
You can find it under the URL:
http://www.engelschall.com/sw/mod_ssl/distrib/mod_ssl-SNAP/README.GlobalID
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]