vijay karthik <[EMAIL PROTECTED]> writes:

> Hi !
> 
> I am facing a problem while configuring Global server
> certificate - SGC support !
> 
> 1> I got a verisign Global Serv ID(for SGC) : gsid.crt
> 2> specified the gsid.crt under SSLCertificateFile
> 3> specified the key file
> 4> Got the intermediate verisign CA root(gsid_ca.crt) 
>   and specified the same under
> SSLCertificateChainFile.
> 5> started apache: apachectl startssl
> 
> I installed 4.08 Netscape browser with SGC support.
> Selected the cipher - "RC4 encryption with a 128-bit
> key and an MD5 MAC (When permitted)" ! I unselected
> every other cipher from the browser. I expected a
> step-up. The browser gave an error when connecting to
> apache server.
> 
> "You cannot connect to an encrypted website because
> SSL has  been disabled. you can enable SSL from
> security->navigator option...etc"
> 
> Whereas if I select a cipher "RC4 encryption with a
> 40-bit key and an MD5 MAC" then the connection goes
> through fine. This means still the step-up doesn't work!

Actually, this is what's supposed to happen. To understand
why, you need to understand Step-Up.

The way that Step-Up works is that the client and server
first negotiate an SSL connection with an export cipher.
If the server has a Step-Up capable certificate, 
the client then initiates a rehandshake with a strong cipher.

Thus, since you've removed all the export ciphers from the
cipher list, the first handshake fails and the whole
process doesn't work.

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
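
The two-phase negotiation described in the reply above, as an added toy model (not code from the original thread, mod_ssl or OpenSSL). The cipher names are OpenSSL's; the server list and the rule that an export-grade client offers only export ciphers in its first hello are assumptions of this model.

```python
# Added illustration: toy model of the Step-Up (SGC) two-phase negotiation.
EXPORT = {"EXP-RC4-MD5", "EXP-RC2-CBC-MD5"}   # 40-bit export suites
STRONG = {"RC4-MD5", "DES-CBC3-SHA"}          # "when permitted" suites

# Constructed server preference list (strong first, export last).
SERVER = ["RC4-MD5", "DES-CBC3-SHA", "EXP-RC4-MD5"]


def negotiate(offered, server_prefs):
    """Return the first server-preferred cipher the client offered, else None."""
    return next((c for c in server_prefs if c in offered), None)


def step_up_connect(client_enabled, server_prefs, cert_is_step_up):
    """Model one connection attempt; returns (outcome, cipher_in_use)."""
    # Phase 1: the initial handshake uses an export cipher (model assumption:
    # the client offers only its enabled export suites here).
    first_offer = [c for c in client_enabled if c in EXPORT]
    if not first_offer:
        # Nothing left to offer: the case reported in the thread.
        return ("fail: no export cipher for first handshake", None)
    cipher = negotiate(first_offer, server_prefs)
    if cipher is None:
        return ("fail: no shared export cipher", None)

    # Phase 2: only if the server certificate is Step-Up capable does the
    # client start a rehandshake that offers its strong suites.
    strong_offer = [c for c in client_enabled if c in STRONG]
    if cert_is_step_up and strong_offer:
        stepped = negotiate(strong_offer, server_prefs)
        if stepped is not None:
            return ("ok: stepped up", stepped)
    return ("ok: export only", cipher)


def demo():
    """Run the configurations discussed in the thread plus two contrasts."""
    both = ["RC4-MD5", "EXP-RC4-MD5"]
    return {
        "128-bit only, SGC cert": step_up_connect(["RC4-MD5"], SERVER, True),
        "40-bit only, SGC cert": step_up_connect(["EXP-RC4-MD5"], SERVER, True),
        "both, SGC cert": step_up_connect(both, SERVER, True),
        "both, ordinary cert": step_up_connect(both, SERVER, False),
    }


if __name__ == "__main__":
    for name, (outcome, cipher) in demo().items():
        print(f"{name:24s} {outcome:45s} {cipher}")
```

In this model, a strong cipher is only reached when an export cipher is also enabled for the first handshake and the server certificate is Step-Up capable.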
