Geoffrey Young [mailto:[EMAIL PROTECTED]] wrote:
> Hi all...
>
>   sorry for the OT, but has anyone figured out how to tell whether a browser
> supports 56 or 128 bit encryption?  Apparently, users of IE with 56 bit,
> when entering a 128 bit page, get the standard Cannot Find Server error page
> with little in the way of directions to help the EU know to upgrade.
>
>   has anyone battled this and come up with an elegant solution?
>
> thanks
>
> --Geoff

If you are getting a "Cannot Find Server" error in 56-bit browsers it is
because the server and browser are not able to negotiate a cipher to use.
Normally, the SSL server will simply downgrade the key size and talk
appropriately with 56 bit browsers. However, in configuring your SSL server
you can limit what ciphers and key sizes will be considered acceptable.
Consider allowing your server to use non 128-bit ciphers. Under mod_ssl
configure the SSLCipherSuite configuration directive appropriately. (Also
look at the SSLRequire directive if this does not solve things.)

Docs here:
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9

To determine the cipher currently being used, look at the environment under
mod_ssl. My server shows me this for a sample connection:

SSL_CIPHER=RC4-MD5
SSL_CIPHER_ALGKEYSIZE=128
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=128

Docs here:
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

I'm sure you can build whatever system you need on top of this.

David
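
Added example (not part of the original message, and not mod_ssl code): one way to build the check described above on top of the mod_ssl environment variables, written as a Python function over a CGI/WSGI-style environment. The 128-bit threshold, the /upgrade-browser.html location and the second sample environment are assumptions constructed for illustration; the first sample is the one shown in the message.

```python
"""Classify a connection from mod_ssl's per-request environment variables."""

MIN_BITS = 128                          # assumed site policy
UPGRADE_PAGE = "/upgrade-browser.html"  # hypothetical help page

# Sample connection shown in the message above.
PAGE_SAMPLE = {"SSL_CIPHER": "RC4-MD5", "SSL_CIPHER_ALGKEYSIZE": "128",
               "SSL_CIPHER_EXPORT": "false", "SSL_CIPHER_USEKEYSIZE": "128"}
# Constructed sample: an export cipher. The algorithm allows 128 bits but only
# 40 are actually used, which is why the check reads USEKEYSIZE, not ALGKEYSIZE.
EXPORT_SAMPLE = {"SSL_CIPHER": "EXP-RC4-MD5", "SSL_CIPHER_ALGKEYSIZE": "128",
                 "SSL_CIPHER_EXPORT": "true", "SSL_CIPHER_USEKEYSIZE": "40"}


def classify(environ, min_bits=MIN_BITS):
    """Return (verdict, detail); verdict is no-ssl, unknown, weak or ok."""
    cipher = environ.get("SSL_CIPHER")
    if not cipher:
        # Plain HTTP, or the SSL_* variables are not exported to this handler
        # (for CGI/SSI that needs "SSLOptions +StdEnvVars").
        return "no-ssl", "no SSL_CIPHER in environment"
    try:
        used = int(environ.get("SSL_CIPHER_USEKEYSIZE", ""))
    except ValueError:
        return "unknown", f"{cipher}: effective key size not available"
    export = environ.get("SSL_CIPHER_EXPORT", "false").lower() == "true"
    if export or used < min_bits:
        return "weak", f"{cipher}: {used}-bit effective key (export={export})"
    return "ok", f"{cipher}: {used}-bit effective key"


def response_for(environ):
    """Send weak-cipher clients to the upgrade page; serve everyone else."""
    verdict, _detail = classify(environ)
    if verdict == "weak":
        return "302 Found", [("Location", UPGRADE_PAGE)]
    return "200 OK", []


if __name__ == "__main__":
    for env in (PAGE_SAMPLE, EXPORT_SAMPLE, {}):
        print(classify(env), response_for(env)[0])
```

This only helps once the handshake succeeds, so the weaker ciphers have to be permitted by SSLCipherSuite for the pages that perform the check.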

