thanks - that's insightful... I'm using Raven but I imagine that they have
something similar...
unfortunately, the client has a requirement that _only_ 128 bit be allowed.
I think, though, that I may be able to use your suggestion to at least show
a page saying that an upgrade to 128 is required.
thanks to all who replied...
--Geoff
-----Original Message-----
From: David Harris
To: Geoffrey Young; [EMAIL PROTECTED]
Sent: 5/7/01 8:13 PM
Subject: RE: [OT] 128 bit encryption and IE
Geoffrey Young [mailto:[EMAIL PROTECTED]] wrote:
> Hi all...
>
> sorry for the OT, but has anyone figured out how to tell whether a browser
> supports 56 or 128 bit encryption? Apparently, users of IE with 56 bit,
> when entering a 128 bit page, get the standard Cannot Find Server error page
> with little in the way of directions to help the EU know to upgrade.
>
> has anyone battled this and come up with an elegant solution?
>
> thanks
>
> --Geoff
If you are getting a "Cannot Find Server" error in 56-bit browsers it is
because the server and browser are not able to negotiate a cipher to use.
Normally, the SSL server will simply downgrade the key size and talk
appropriately with 56 bit browsers. However, in configuring your SSL server
you can limit what ciphers and key sizes will be considered acceptable.
Consider allowing your server to use non 128-bit ciphers. Under mod_ssl
configure the SSLCipherSuite configuration directive appropriately. (Also
look at the SSLRequire directive if this does not solve things.)
Docs here:
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9
To determine the cipher currently being used, look at the environment under
mod_ssl. My server shows me this for a sample connection:
SSL_CIPHER=RC4-MD5
SSL_CIPHER_ALGKEYSIZE=128
SSL_CIPHER_EXPORT=false
SSL_CIPHER_USEKEYSIZE=128
Docs here:
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25
I'm sure you can build whatever system you need on top of this.
David
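
Added example, not part of the original thread: a sketch of the "show an upgrade page" idea built on the mod_ssl variables listed above. It assumes the handler runs as a WSGI application behind Apache, that mod_ssl exports its SSL_* variables to the request environment, and that the server accepts weaker ciphers at handshake time so the request reaches the application at all; function names and the sample environments are hypothetical.

```python
# Added example: gate content on the key size mod_ssl reports for the request.
# Only the SSL_* variable names come from the thread; everything else is
# hypothetical illustration.

REQUIRED_BITS = 128  # the "only 128 bit" requirement from the thread

UPGRADE_PAGE = (b"<html><body><h1>128-bit encryption required</h1>"
                b"<p>Your browser negotiated a weaker cipher. "
                b"Please upgrade it and try again.</p></body></html>")


def effective_key_bits(environ):
    """Bits actually in use, or None when the request did not arrive over SSL."""
    raw = environ.get("SSL_CIPHER_USEKEYSIZE")
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        return 0  # unparseable value is treated as too weak


def meets_requirement(environ):
    """True only for SSL requests using a non-export cipher at full strength."""
    bits = effective_key_bits(environ)
    if bits is None:
        return False
    # An export cipher can report ALGKEYSIZE=128 while using far fewer bits,
    # so test USEKEYSIZE and the export flag, never ALGKEYSIZE alone.
    if environ.get("SSL_CIPHER_EXPORT", "false").lower() == "true":
        return False
    return bits >= REQUIRED_BITS


def application(environ, start_response):
    """WSGI entry point: real content for strong sessions, notice otherwise."""
    if meets_requirement(environ):
        status, body = "200 OK", b"<html><body>protected content</body></html>"
    else:
        status, body = "403 Forbidden", UPGRADE_PAGE
    start_response(status, [("Content-Type", "text/html"),
                            ("Content-Length", str(len(body)))])
    return [body]


# Constructed sample environments (the first mirrors the values quoted above).
STRONG = {"SSL_CIPHER": "RC4-MD5", "SSL_CIPHER_ALGKEYSIZE": "128",
          "SSL_CIPHER_EXPORT": "false", "SSL_CIPHER_USEKEYSIZE": "128"}
EXPORT = {"SSL_CIPHER": "EXP-RC4-MD5", "SSL_CIPHER_ALGKEYSIZE": "128",
          "SSL_CIPHER_EXPORT": "true", "SSL_CIPHER_USEKEYSIZE": "40"}
```

The check fails closed: a request with no SSL variables at all gets the upgrade notice rather than the protected content.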