Re: GSID, mod_ssl and Apache...

[Patrik Carlsson]

Ralf S. Engelschall wrote:

 Then this is a client problem! The server cannot do anything here. At least
 Netscape is very smart and remembers that he is reconnecting to a server with
 a GlobalID cert and then _immediately_ starts with a strong cipher and never
 does the stepup again (at least not until it's restarted or the server cert
 changes). But I've not tried this with IE. But its Microsoft, what have you
 expected...

Yes I know, it's a client problem.
...and Microsoft... nothing more to say about them...

Thanks for your replies, it's always good to hear someone else explain what
you already suspects.

--Patrik



__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: GSID, mod_ssl and Apache...

[Ralf S. Engelschall]

On Tue, Mar 23, 1999, Patrik Carlsson wrote:

 How does this stepup really works?

I'm surprised that the README.GlobalID document isn't detailed enough...
 
 The server has this special GSID certificate, but is he otherwise "modified"
 (he must be able to use strong ciphers) in some way to be able to handle the
 stepup?

The server is not modified except that he has to accept the stepup, i.e.
renegotiations forced by the client. The strong ciphers are always supported,
of course.  mod_ssl and OpenSSL are not export-crippled. 

 Isn't it actually just a client issue, i.e. the client sees the GSID and, in
 the Netscape case, finishes the 40 bit negotiation and then starts a new 128
 bit SSL negotiation, and in the IE case, it drops the current negotiation
 and starts a new with a stronger cipher.

Correct, it's a client issue and works exactly as you said.

 The following is from the README-GSID.GlobalID file: "First you should
 recognize that Apache+mod_ssl+SSLeay allow such renegotiations since version
 2.1.3" What does these renegotiations look like and what changes were made
 and where?

They are just SSL renegotiations forced by the client which start a new
handshake phase where the cipher suite is changed to use stronger ciphers. The
actual changes are adjusted I/O routines, see ssl_engine_io.c for more
details.

 Is there something called session renegotiations in the SSL spec?  Looking
 at http://microsoft.com/security/tech/sgc/TechnicalDetails.asp it seems like
 the client justs starts a new handshake...

Don't look at Microsoft papers when you want to understand anything, please.
Instead look inside the SSLv3 spec or the TLSv1 RFC.  Yes, the stuff is called
renegotation of parameters and is nothing more than a new SSL handshake, of
course. The interesting point is just that an SSL handshake can occur at any
time and not only at startup of a new connection ;-)

 I would be really happy if someone could shed some light in the fog on this
 (interesting) topic!

I doesn't look that there is such a lot of fog around you.  The whole SGC
stuff isn't complicated in general on the server-side, it's just a matter of
client forced renegotiations which the server has to accept at any stage to
support SGC.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: GSID, mod_ssl and Apache...

[Patrik Carlsson]

Ralf S. Engelschall wrote:

 Don't look at Microsoft papers when you want to understand anything, please.
 Instead look inside the SSLv3 spec or the TLSv1 RFC.  Yes, the stuff is called
 renegotation of parameters and is nothing more than a new SSL handshake, of
 course. The interesting point is just that an SSL handshake can occur at any
 time and not only at startup of a new connection ;-)


I've some experience with another web server and IE clients. IE seems to
renegotiate
very often which is, maybe good when looking at security, but performance suffers
and if you plan to use the SSL session id for logging or just tracking sessions,
you can
just forget it... ;-(

A couple of weeks ago I managed to tag my CA certificate according to your
instructions in the README.GlobalID document - which is really a very good
and well written document! But it didn't work when I put the pieces together using

Apache/1.3.4 and mod_ssl/2.1.8. It went quite fast and I should try it again this
easter, but do you (or any one else) have any other tips/experiences which isn't
mentioned in the documents?

--Patrik


__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]