Nagaraj Bagepalli wrote:
> 
> >
> > Matt Walsh wrote:
> > >
> > > Hi All (esp SSL protocol experts).  Please help me to understand
> > > something!
> > >
> > > In short
> > > --------
> > > What triggers the key exchange during an SSL transaction?
> > >
> > [SKE example deleted]
> >
> > Well your example is probably related to US export versions of browsers.
> > The old export regs restricted the size of RSA keys that could be used
> > for key exchange to 512 bits. So if the certified server key (i.e. the
> > one in the certificate) is larger than 512 bits and the client only
> > supports export ciphers then a temporary RSA key is used which is signed
> > by the server private key (the regs had no restrictions on signing with
> > larger keys).
> >
> > Later versions of the regulations allowed use of 1024 bit keys in 56 bit
> > ciphersuites. Now of course there's no restriction.
> >
> > So the clients in question are probably old export versions, newer
> > versions shouldn't have this problem.
> 
> Does this mean newer clients won't even send the SSL_RSA_EXPORT_*
> in the ClientHello handshake message?
> 

They will still send them but the strong ciphersuites will be included
and have a higher preference so if the server supports the strong
ciphersuite (as in the case of an OpenSSL based server) it should never
use the older export ciphersuite.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
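The negotiation the reply describes, as an added example that is not code from the thread or from OpenSSL: a small model of SSLv3/TLS 1.0 ciphersuite selection in client-preference order, plus the export rule that a temporary RSA key is only sent when an export suite is chosen and the certified key exceeds 512 bits. The suite names are real SSLv3 names; the client lists, server sets and key sizes are constructed for the demonstration.

```python
# Added example, not OpenSSL code: models why a modern client that still
# offers SSL_RSA_EXPORT_* suites never ends up using them against a server
# that supports the strong suites it lists first.

EXPORT_RSA_MAX_BITS = 512  # old US export cap on RSA key-exchange keys


def is_export_suite(suite):
    """Export suites carry '_EXPORT_' in their SSLv3 name (40-bit ciphers)."""
    return "_EXPORT_" in suite


def select_suite(client_suites, server_suites):
    """Walk the ClientHello list in the client's preference order and return
    the first suite the server also supports; strong suites listed first win."""
    for suite in client_suites:
        if suite in server_suites:
            return suite
    raise ValueError("handshake failure: no shared ciphersuite")


def needs_temporary_rsa_key(suite, cert_key_bits):
    """A ServerKeyExchange with a temporary export-grade RSA key (signed by the
    certified key) is triggered only by an export suite when the certified
    key is larger than the 512-bit export limit."""
    return is_export_suite(suite) and cert_key_bits > EXPORT_RSA_MAX_BITS


def negotiate(client_suites, server_suites, cert_key_bits):
    """Return (chosen suite, whether a temporary RSA key exchange is needed)."""
    suite = select_suite(client_suites, server_suites)
    return suite, needs_temporary_rsa_key(suite, cert_key_bits)


# Constructed inputs: a modern client lists strong suites first and export
# suites last; an old export client offers only export suites.
MODERN_CLIENT = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
]
OLD_EXPORT_CLIENT = [
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
# A server that still allows export suites, and one hardened to refuse them.
PERMISSIVE_SERVER = set(MODERN_CLIENT) | set(OLD_EXPORT_CLIENT)
STRONG_ONLY_SERVER = {s for s in PERMISSIVE_SERVER if not is_export_suite(s)}

if __name__ == "__main__":
    print(negotiate(MODERN_CLIENT, PERMISSIVE_SERVER, 1024))
    print(negotiate(OLD_EXPORT_CLIENT, PERMISSIVE_SERVER, 1024))
```

Against STRONG_ONLY_SERVER the old export client gets a handshake failure, which is the server-side way to make sure the 512-bit temporary key path is never exercised.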