On Fri, May 30, 2003, Charles B Cranston wrote: > I'm using 2048 bit certs with IE 5 and 6 and NS 4.72, 6.0, > and 7.2 -- there is a sort of compatability problem with > export-quality browsers, which can sometimes be addressed > at the SERVER (apache, give it more randomness). This > confused me also. >
The reason for that is that none-export ciphersuites on the server side only generate the server random value which is sent in the clear and the PRNG doesn't need to be seeded. The client side needs to generate the pre-master secret so this does need a seeded PRNG. For export cipher suites the server needs to generate a temporary RSA key if the server key is above a certain size. This limit is 512 bits for some and 1024 bits for other export cipher suites. This also needs a seeded PRNG. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]