Hi Steve,

Thank you for your replies and help.

I installed the MSIE 128 bit security patch. I connect to my SSL server and
get a "page can not be displayed error", and if I press "enter" on the
browser again I can connect successfully.
So the patch doesn't fully cure the problem.
I have some questions related to your last reply: Could you explain
SGC in more detail? This is the first time I have heard about this feature.
Also, could you explain how I disable the 56 bit ciphers and what the
consequences of this action are?

Thanks in advance,
Itai Levy.

Itai Levy,
Software Developer R&D
Algorithmic Research Ltd. ( Data Security Across the Enterprise )
10 Nevatim st., Kiryat Matalon
Petah Tikva 49561
Israel

Tel: +972-3-9279514
e-mail:[EMAIL PROTECTED]
http://www.arx.com

 




Levy itai wrote:
> 
> Hi Guys,
> 
> I send this mail to the dev mailing list also because it seems that there is
> a bug in the OpenSSL key exchange mechanism.
> Anyway, I've been debugging this problem for the past 2 weeks without any
> success and need urgent help.
> 

It is not a bug in OpenSSL. It is a bug in MSIE related to its use of
SGC and 56 bit ciphers. Your behaviour is expected: if the server name
doesn't match that in the certificate MSIE won't use SGC so you won't see
the problem. You can install the MSIE 128 bit security patch (then it
won't use SGC), fix MSIE or disable 56 bit ciphers in the server by
setting the cipherlist to something like

DEFAULT:!EXPORT56

or by putting !EXPORT56 on the end of an already existing cipher
list. The bug is mentioned at:

http://www.microsoft.com/windows/ie/security/schannel.asp

For more details check the archives: a similar discussion has arisen
recently.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
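
Added example (not part of the original thread and not OpenSSL code): a simplified Python model of cipher-string rule processing, showing why `!EXPORT56` can simply be appended to an existing list and why `!` rather than `-` is the operator to use. The suite table and its keyword tags are constructed sample data, and the model handles only colon-separated plain, `!`, `-` and `+` rules.

```python
# Constructed sample suite table: name -> keyword tags (assumed for this model).
SUITES = {
    "DES-CBC3-SHA":        {"DEFAULT", "HIGH", "RSA"},
    "RC4-SHA":             {"DEFAULT", "MEDIUM", "RSA"},
    "EXP1024-RC4-SHA":     {"DEFAULT", "EXPORT", "EXPORT56", "RSA"},
    "EXP1024-DES-CBC-SHA": {"DEFAULT", "EXPORT", "EXPORT56", "RSA"},
    "EXP-RC4-MD5":         {"DEFAULT", "EXPORT", "EXPORT40", "RSA"},
}


def expand(cipher_string, suites=SUITES):
    """Return the ordered suite names a rule string selects in this model."""
    active, killed = [], set()
    for rule in cipher_string.split(":"):
        if not rule:                      # tolerate empty segments ("A::B")
            continue
        op = rule[0] if rule[0] in "!-+" else ""
        key = rule[len(op):]
        matched = [n for n, tags in suites.items() if key == n or key in tags]
        if op == "!":                     # permanent delete: never re-added
            killed.update(matched)
            active = [n for n in active if n not in killed]
        elif op == "-":                   # delete, but later rules may re-add
            active = [n for n in active if n not in matched]
        elif op == "+":                   # move active matches to the end
            moved = [n for n in active if n in matched]
            active = [n for n in active if n not in matched] + moved
        else:                             # plain keyword: append new matches
            active += [n for n in matched
                       if n not in active and n not in killed]
    return active


def export56_enabled(cipher_string):
    """List the 56 bit export suites still enabled by a rule string."""
    return [n for n in expand(cipher_string) if "EXPORT56" in SUITES[n]]


if __name__ == "__main__":
    for s in ("DEFAULT", "DEFAULT:!EXPORT56", "RSA:EXPORT:!EXPORT56",
              "DEFAULT:-EXPORT56:EXPORT", "DEFAULT:!EXPORT56:EXPORT"):
        print(f"{s:28} -> {expand(s)}")
```

In this model `!EXPORT56` leaves the 40 bit export suite enabled, since it is tagged `EXPORT40` rather than `EXPORT56`.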

