vijay karthik <[EMAIL PROTECTED]> writes:
> Hi !
>
> I am facing a problem while configuring Global server
> certificate - SGC support !
>
> 1> I got a verisign Global Serv ID(for SGC) : gsid.crt
> 2> specified the gsid.crt under SSLCertificateFile
> 3> specified the key file
> 4> Got the intermediate verisign CA root(gsid_ca.crt)
> and specified the same under
> SSLCertificateChainFile.
> 5> started apache: apachectl startssl
>
> I installed 4.08 Netscape browser with SGC support.
> Selected the cipher - "RC4 encryption with a 128-bit
> key and an MD5 MAC (When permitted)" ! I unselected
> every other cipher from the browser. I expected a
> step-up. The browser gave an error when connecting to
> apache server.
>
> "You cannot connect to an encrypted website because
> SSL has been disabled. you can enable SSL from
> security->navigator option...etc"
>
> Whereas if I select a cipher "RC4 encryption with a
> 40-bit key and an MD5 MAC" then the connection goes
> thru fine. This means still the stepup doesn't work!

Actually, this is what's supposed to happen. To understand
why, you need to understand Step-Up.

The way that Step-Up works is that the client and server
first negotiate an SSL connection with an export cipher.
If the server has a Step-Up capable certificate,
the client then initiates a rehandshake with a strong cipher.

Thus, since you've removed all the export ciphers from the
cipher list, the first handshake fails and the whole
process doesn't work.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
PureTLS - free SSLv3/TLS software for Java
http://www.rtfm.com/puretls/
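
The two-handshake sequence described in the reply above, as a simplified Python model. This is an added example, not code from the original thread, OpenSSL or mod_ssl. The cipher names, the step_up_connect function and the fallback to the export suite in the second offer are assumptions of the model.

```python
# Simplified model of Step-Up: export handshake first, then a rehandshake
# with a strong cipher if the server certificate is Step-Up capable.
# Cipher names and sample values are constructed for illustration.

EXPORT = {"EXP-RC4-MD5"}   # RC4, 40-bit key, MD5 MAC
STRONG = {"RC4-MD5"}       # RC4, 128-bit key, MD5 MAC ("when permitted")


class HandshakeFailure(Exception):
    """Raised when a handshake cannot agree on a cipher suite."""


def negotiate(offered, server_supported):
    """Return the first client-offered suite the server also supports."""
    for suite in offered:
        if suite in server_supported:
            return suite
    raise HandshakeFailure("no shared cipher")


def step_up_connect(client_enabled, server_supported, cert_is_step_up):
    """Return the suites negotiated, one list entry per handshake."""
    # Handshake 1: only export suites can be offered, because the client
    # has not yet seen the server certificate.
    first_offer = [s for s in client_enabled if s in EXPORT]
    if not first_offer:
        raise HandshakeFailure("no export cipher enabled for first handshake")
    history = [negotiate(first_offer, server_supported)]

    # Handshake 2: only with a Step-Up capable certificate does the client
    # rehandshake, now offering its strong suites first.
    strong_offer = [s for s in client_enabled if s in STRONG]
    if cert_is_step_up and strong_offer:
        history.append(negotiate(strong_offer + first_offer, server_supported))
    return history


if __name__ == "__main__":
    server = {"EXP-RC4-MD5", "RC4-MD5"}
    # Both suites enabled in the browser: export first, then step up.
    print(step_up_connect(["RC4-MD5", "EXP-RC4-MD5"], server, True))
    # Only the 128-bit suite enabled, as in the question: first handshake fails.
    try:
        step_up_connect(["RC4-MD5"], server, True)
    except HandshakeFailure as exc:
        print("failed:", exc)
```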