I'm using 2048 bit certs with IE 5 and 6 and NS 4.72, 6.0, and 7.2 -- there is a sort of compatibility problem with export-quality browsers, which can sometimes be addressed at the SERVER (apache, give it more randomness). This confused me also.
Dr. Stephen Henson wrote:
> The reason for that is that non-export ciphersuites on the server side only generate the server random value which is sent in the clear and the PRNG doesn't need to be seeded.
> The client side needs to generate the pre-master secret so this does need a seeded PRNG.
> For export cipher suites the server needs to generate a temporary RSA key if the server key is above a certain size. This limit is 512 bits for some and 1024 bits for other export cipher suites. This also needs a seeded PRNG.
Yes, this was our experience -- first we arranged for the PRNG on the server to be adequately seeded, and the problem went away. Later we upgraded the server OS to Solaris 2.8 with the /dev/urandom patch so the PRNG can get a good seeding without any extra effort.
The important observation is that this potentially uncontrolled variable can easily confound experimentation to find out if 2048 bit certificates "work" or not.
-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]