On Fri, Aug 11, 2000 at 10:19:05AM -0600, dreamwvr wrote:
> hi,
>    have a https server that is doing RSA as well as ok encryption but wanted
> to change it so it could offer the strongest encryption available using
> openssl on the pervasive browsers or at least support that if the browser
> does.. then drop down to a lower grade when that is all that the browser
> supports.

That's what's supposed to happen automatically--
the server is supposed to choose the strongest ciphersuite that's
common with the list of ciphersuites sent by the client.

If your server supports say (in decreasing order of strength)
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_Export1024_WITH_DES_CBC_SHA 
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA

and the client sends

TLS_RSA_Export1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

the server should choose TLS_RSA_Export1024_WITH_DES_CBC_SHA.
If the client sent TLS_RSA_WITH_3DES_EDE_CBC_SHA, that
should be chosen.


So you need to configure your server to support the strong
ciphersuites.  You can test it using the server strength checker
I have at http://www.lne.com/ericm/papers/check_server.html

> can't remember how one does that  using the 'openssl enc *' IIRC
> anyone recall?                                        

"Openssl enc" just does bulk symmetric encryption, not SSL.
Thus there's no ciphersuite negotiation.


-- 
  Eric Murray http://www.lne.com/ericm  ericm at lne.com  PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards. 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
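
The selection rule described in the message, as an added example that is not part of the original post or of OpenSSL's code: it decodes the cipher_suites field of a ClientHello and returns the first suite in the server's strength-ordered list that the client also offered. The 16-bit code points are the registered values for the named suites and do not appear in the message; the function names and the sample ClientHello fields are constructed for illustration.

```python
import struct

# Server's enabled suites in decreasing order of strength (the three named in
# the message), paired with their registered 16-bit code points.
SERVER_PREFERENCE = [
    (0x000A, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    (0x0062, "TLS_RSA_Export1024_WITH_DES_CBC_SHA"),
    (0x0008, "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"),
]

def parse_cipher_suites(field: bytes) -> list:
    """Decode a ClientHello cipher_suites vector: 2-byte length, then 2-byte ids."""
    if len(field) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", field[:2])
    body = field[2:]
    if length == 0 or length % 2 or length != len(body):
        raise ValueError("malformed cipher_suites vector")
    return [code for (code,) in struct.iter_unpack("!H", body)]

def choose_suite(client_field: bytes):
    """Return the strongest server suite the client offered, or None."""
    offered = set(parse_cipher_suites(client_field))
    for code, name in SERVER_PREFERENCE:   # walk in the server's order,
        if code in offered:                # not the client's
            return name
    return None  # no suite in common: the handshake fails

def encode(codes) -> bytes:
    """Build a cipher_suites vector from code points (for the samples below)."""
    body = b"".join(struct.pack("!H", c) for c in codes)
    return struct.pack("!H", len(body)) + body

# Constructed samples. 0x0006 is TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5.
EXPORT_ONLY_CLIENT = encode([0x0062, 0x0008, 0x0006])      # the client list in the message
STRONG_CLIENT = encode([0x0006, 0x0008, 0x0062, 0x000A])   # also offers 3DES, listed last
NO_OVERLAP = encode([0x0006])                              # nothing the server enables

if __name__ == "__main__":
    for field in (EXPORT_ONLY_CLIENT, STRONG_CLIENT, NO_OVERLAP):
        print(field.hex(), "->", choose_suite(field))
```

STRONG_CLIENT lists 3DES last, yet it is still selected because the server walks its own ordering; a server that has the strong suite disabled can never select it, which is why the configuration step in the message matters.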
