Re: [OT] 128 bit encryption and IE
Geoffrey Young wrote:

> unfortunately, the client has a requirement that _only_ 128 bit be allowed.
> I think, though, that I may be able to use your suggestion to at least show
> a page saying that an upgrade to 128 is required.

Another approach lies here:
http://www.thawte.com/getinfo/products/supercert/contents.html
- although it won't work with all browsers.

-Christoph
Re: [OT] 128 bit encryption and IE
On Mon, May 07, 2001 at 11:39:59AM -0400, Geoffrey Young wrote:

> Hi all...
>
> sorry for the OT, but has anyone figured out how to tell whether a browser
> supports 56 or 128 bit encryption? Apparently, users of IE with 56 bit,
> when entering a 128 bit page, get the standard Cannot Find Server error page
> with little in the way directions to help the EU know to upgrade.

If you set your site to accept only 128 bit ciphers, this is what will happen because the browsers that are capable of upgrading from 56 to 128 bit encryption do this by first connecting at 56 and then renegotiating at 128.

See also http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/README.GlobalID

> has anyone battled this and come up with an elegant solution?

It would of course help a bit if you told us which server you're trying to do this on ;-)

With Apache+mod_ssl it is quite simple - just configure it to allow the weak ciphers, and then limit actual access by using SSLRequire to allow only = 128 bits encryption.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: [OT] 128 bit encryption and IE
thanks - that's insightful... I'm using Raven but I imagine that they have something similar...

unfortunately, the client has a requirement that _only_ 128 bit be allowed. I think, though, that I may be able to use your suggestion to at least show a page saying that an upgrade to 128 is required.

thanks to all who replied...

--Geoff

-----Original Message-----
From: David Harris
To: Geoffrey Young; [EMAIL PROTECTED]
Sent: 5/7/01 8:13 PM
Subject: RE: [OT] 128 bit encryption and IE

Geoffrey Young [mailto:[EMAIL PROTECTED]] wrote:
> Hi all...
>
> sorry for the OT, but has anyone figured out how to tell whether a browser
> supports 56 or 128 bit encryption? Apparently, users of IE with 56 bit,
> when entering a 128 bit page, get the standard Cannot Find Server error page
> with little in the way directions to help the EU know to upgrade.
>
> has anyone battled this and come up with an elegant solution?
>
> thanks
>
> --Geoff

If you are getting a Cannot Find Server error in 56-bit browsers it is because the server and browser are not able to negotiate a cipher to use. Normally, the SSL server will simply downgrade the key size and talk appropriately with 56 bit browsers. However, in configuring your SSL server you can limit what ciphers and key sizes will be considered acceptable.

Consider allowing your server to use non 128-bit ciphers. Under mod_ssl configure the SSLCipherSuite configuration directive appropriately. (Also look at the SSLRequire directive if this does not solve things.) Docs here:

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9

To determine the cipher currently being used, look at the environment under mod_ssl. My server shows me this for a sample connection:

    SSL_CIPHER=RC4-MD5
    SSL_CIPHER_ALGKEYSIZE=128
    SSL_CIPHER_EXPORT=false
    SSL_CIPHER_USEKEYSIZE=128

Docs here:

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

I'm sure you can build whatever system you need on top of this.

David
[OT] 128 bit encryption and IE
Hi all...

sorry for the OT, but has anyone figured out how to tell whether a browser supports 56 or 128 bit encryption? Apparently, users of IE with 56 bit, when entering a 128 bit page, get the standard Cannot Find Server error page with little in the way directions to help the EU know to upgrade.

has anyone battled this and come up with an elegant solution?

thanks

--Geoff
Re: [OT] 128 bit encryption and IE
Hello,

GY>sorry for the OT, but has anyone figured out how to tell whether a browser
GY>supports 56 or 128 bit encryption? Apparently, users of IE with 56 bit,
GY>when entering a 128 bit page, get the standard Cannot Find Server error page
GY>with little in the way directions to help the EU know to upgrade.
GY>
GY>has anyone battled this and come up with an elegant solution?

Mainly, this just sucks. One possibility is that on any page the user is supposed to hit BEFORE going SSL, to have a warning if the browser sniffs to be a recent IE. I would just add the warning for any IE browser. It's harder if your entire site is SSL.

I'm hoping someone will answer with a better solution than dumbing down encryption altogether.

Humbly,

Andrew

--
Andrew Ho               http://www.tellme.com/       [EMAIL PROTECTED]
Engineer                [EMAIL PROTECTED]            Voice 650-930-9062
Tellme Networks, Inc.   1-800-555-TELL               Fax 650-930-9101
--
Re: [OT] 128 bit encryption and IE
Another thing you might consider if Verisign will sell them is to get a Global Server certificate. They are designed for banks.

It used to be that if you were a financial institution you could get this special server certificate for SSL which would trigger a 'step up' in crippled netscape and IE to 128 bit encryption.

Now, with strong encryption walls having been broken down in the US, maybe global certs no longer qualify you to have to be a bank?

At 10:36 AM 5/7/01 -0700, Andrew Ho wrote:
>Hello,
>
>GY>sorry for the OT, but has anyone figured out how to tell whether a browser
>GY>supports 56 or 128 bit encryption? Apparently, users of IE with 56 bit,
>GY>when entering a 128 bit page, get the standard Cannot Find Server error page
>GY>with little in the way directions to help the EU know to upgrade.
>GY>
>GY>has anyone battled this and come up with an elegant solution?
>
>Mainly, this just sucks. One possibility is that on any page the user is
>supposed to hit BEFORE going SSL, to have a warning if the browser sniffs
>to be a recent IE. I would just add the warning for any IE browser. It's
>harder if your entire site is SSL.
>
>I'm hoping someone will answer with a better solution than dumbing down
>encryption altogether.
>
>Humbly,
>
>Andrew
>
>--
>Andrew Ho               http://www.tellme.com/       [EMAIL PROTECTED]
>Engineer                [EMAIL PROTECTED]            Voice 650-930-9062
>Tellme Networks, Inc.   1-800-555-TELL               Fax 650-930-9101
>--

__
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
RE: [OT] 128 bit encryption and IE
Gunther Birznieks [mailto:[EMAIL PROTECTED]] wrote:
> Now, with strong encryption walls having been broken down in the US, maybe
> global certs no longer qualify you to have to be a bank?

Thawte calls these SuperCerts and you don't have to be a bank:

}} Who can get a SuperCert?
}}
}} The new US encryption export regulations took effect on
}} 14 January 2000. In terms of the new regulations, Thawte
}} may now export SuperCerts to any non-government entity
}} and to any commercial government-owned entity (except
}} those that produce munitions), in any country except
}} Afghanistan (Taliban-controlled areas), Cuba, Iran, Iraq,
}} Libya, North Korea, Serbia (except Kosovo), Sudan and
}} Syria.

See: http://www.thawte.com/certs/server/128bit/contents.html

David
RE: [OT] 128 bit encryption and IE
Geoffrey Young [mailto:[EMAIL PROTECTED]] wrote:
> Hi all...
>
> sorry for the OT, but has anyone figured out how to tell whether a browser
> supports 56 or 128 bit encryption? Apparently, users of IE with 56 bit,
> when entering a 128 bit page, get the standard Cannot Find Server error page
> with little in the way directions to help the EU know to upgrade.
>
> has anyone battled this and come up with an elegant solution?
>
> thanks
>
> --Geoff

If you are getting a Cannot Find Server error in 56-bit browsers it is because the server and browser are not able to negotiate a cipher to use. Normally, the SSL server will simply downgrade the key size and talk appropriately with 56 bit browsers. However, in configuring your SSL server you can limit what ciphers and key sizes will be considered acceptable.

Consider allowing your server to use non 128-bit ciphers. Under mod_ssl configure the SSLCipherSuite configuration directive appropriately. (Also look at the SSLRequire directive if this does not solve things.) Docs here:

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9

To determine the cipher currently being used, look at the environment under mod_ssl. My server shows me this for a sample connection:

    SSL_CIPHER=RC4-MD5
    SSL_CIPHER_ALGKEYSIZE=128
    SSL_CIPHER_EXPORT=false
    SSL_CIPHER_USEKEYSIZE=128

Docs here:

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

I'm sure you can build whatever system you need on top of this.

David
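
The approach described in Mads Toftum's and David Harris's replies, written out as an Apache + mod_ssl 2.8 configuration. This is an added example, not taken from any message in the thread; the host name, file paths, cipher string, log format and the /secure and /upgrade.html locations are assumptions. The handshake accepts weak suites so that the connection completes, and SSLRequire then refuses any request negotiated at under 128 bits, answering with an upgrade notice instead of a failed connection.

```apache
# Added example (assumed names and paths), mod_ssl 2.8-era directives.
<VirtualHost _default_:443>
    ServerName   www.example.com
    DocumentRoot /usr/local/apache/htdocs

    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    # Handshake level: also offer LOW and export-grade suites, so a 56-bit
    # browser gets a connection (and a step-up capable browser can
    # renegotiate to 128 bits) instead of "Cannot Find Server".
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:+LOW:+EXP

    # Record what each client actually negotiated, to measure how many
    # visitors still arrive below 128 bits.
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%r\" %>s"

    # Access level: protected content is served only when the key size in
    # use is 128 bits or more. A weaker session gets 403, which is mapped
    # to a page explaining the required browser upgrade.
    <Location /secure>
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        ErrorDocument 403 /upgrade.html
    </Location>

    # /upgrade.html sits outside /secure, so the SSLRequire check does not
    # apply to it and weak clients can read it. Keep it free of any
    # sensitive content, since it is delivered over the weak session.
</VirtualHost>
```

With this layout no protected content is sent over a session below 128 bits; only the static notice is.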