john easton <[EMAIL PROTECTED]> writes:

> I do not want to use certificates.  It is my understanding that in order
> to run an encrypted site without certificates, it is necessary to use
> Diffie-Hellman key exchange.  I have done this (make certificate,
> specifying 'D' at the first prompt), and I have changed my
> SSLCipherSuite directive to the following in order to allow
> Diffie-Hellman ciphers (I think!)
> 
> SSLCipherSuite ALL:!RSA:DH:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
> 
> Neither Netscape 4.7 nor IE5 can connect to the web server under these
> conditions, although both claim to support SSLv3 (which Diffie-Hellman
> is a part of, I believe).  I know it's possible to run a secure web
> server without certificates as I have been to numerous sites which do
> so.
> 
> Can anyone tell me what I'm doing wrong here?
Neither Netscape 4.7 nor IE 5 supports DH key exchange. It is not
required by SSLv3.

IE 5 under Win2K does support the TLS DSS/DH cipher suites
(as required by TLS) but it does not support anonymous DH 
like you're trying to do. 

It's actually not possible to run a secure web site without
certificates since it opens you to a man in the middle
attack. I don't know what you think you've seen. If you
don't care about man-in-the-middle, you can issue yourself
a self-signed RSA certificate. This would require the
client to click in some dialog to accept it, however.

Incidentally, your configuration isn't right for anonymous DH
either. You'd (at minimum) need to turn on the ADH cipher suites
using +ADH or somesuch.

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
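A small added illustration of the man-in-the-middle point above (example code, not from the thread or from mod_ssl): with anonymous DH an active relay ends up sharing a key with each side, while a DH value signed with a key the client already trusts, which is the role the certificate plays, fails verification once it is substituted. The DH group, the RSA key pair and the private exponents are constructed toy values.

```python
"""Toy model of anonymous DH versus signed (certificate-backed) DH.
All numbers are constructed textbook values, far too small for real use."""

P, G = 23, 5                   # constructed toy DH group (real groups are 2048+ bits)
N, E, D = 3233, 17, 2753       # constructed textbook RSA key standing in for the server cert key


def dh_public(priv):
    """Public value g^priv mod p."""
    return pow(G, priv, P)


def dh_shared(their_pub, priv):
    """Shared secret (their_pub)^priv mod p."""
    return pow(their_pub, priv, P)


def sign(value, d=D, n=N):
    """Textbook RSA signature; the value is signed directly because it is
    smaller than n. Real TLS signs a hash of the key-exchange parameters."""
    return pow(value, d, n)


def verify(value, sig, e=E, n=N):
    return pow(sig, e, n) == value


def anonymous_dh_with_mitm(client_priv, server_priv, mitm_priv):
    """Plain DH with an active relay substituting its own public value in both
    directions. Returns (relay shares client key, relay shares server key,
    client and server share a key)."""
    client_pub, server_pub = dh_public(client_priv), dh_public(server_priv)
    mitm_pub = dh_public(mitm_priv)
    k_client = dh_shared(mitm_pub, client_priv)   # client thinks mitm_pub is the server's
    k_server = dh_shared(mitm_pub, server_priv)   # server thinks mitm_pub is the client's
    k_mitm_client = dh_shared(client_pub, mitm_priv)
    k_mitm_server = dh_shared(server_pub, mitm_priv)
    return (k_client == k_mitm_client, k_server == k_mitm_server, k_client == k_server)


def signed_dh_with_mitm(server_priv, mitm_priv):
    """Server signs its DH value with the key the client already trusts. The
    relay can only replay that signature over its own substituted value, so the
    client's check fails. Returns (substituted value verifies, genuine verifies)."""
    server_pub = dh_public(server_priv)
    sig = sign(server_pub)
    mitm_pub = dh_public(mitm_priv)
    return (verify(mitm_pub, sig), verify(server_pub, sig))
```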
