Re: HELP! Diffie-Hellman Key Exchange

Sun, 23 Jan 2000 18:23:42 -0800 

----- Original Message -----
From: "EKR" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, January 22, 2000 1:06 AM
Subject: Re: HELP! Diffie-Hellman Key Exchange


> john easton <[EMAIL PROTECTED]> writes:
>
> > I do not want to use certificates.  It is my understanding that in order
> > to run an encrypted site without certificates, it is necessary to use
> > Diffie-Hellman key exchange.  I have done this (make certificate,
> > specifying 'D' at the first prompt), and I have changed my
> > SSLCipherSuite directive to the following in order to allow
> > Diffie-Hellman ciphers (I think!)
> >
> > SSLCipherSuite ALL:!RSA:DH:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
> >
> > Neither Netscape 4.7 nor IE5 can connect to the web server under these
> > conditions, although both claim to support SSLv3 (which Diffie-Hellman
> > is a part of, I believe).  I know it's possible to run a secure web
> > server without certificates as I have been to numerous sites which do
> > so.
> >
> > Can anyone tell me what I'm doing wrong here?
> Neither Netcape 4.7 nor IE 5 supports DH key exchange. It is not
> required by SSLv3.
>
> IE 5 under Win2K does support the TLS DSS/DH cipher suites
> (as required by TLS) but it does not support anonymous DH
> like you're trying to do.
>
> It's actually not possible to run a secure web site without
> certificates since it opens you to a man in the middle
> attack. I don't know what you think you've seen. If you
> don't care about man-in-the-middle, you can issue yourself
> a self-signed RSA certificate. This would require the
> client to click in some dialog to accept it, however.
>
> Incidentally, your configuration isn't right for anonymous DH
> either. You'd (at minimum) need to turn on the ADH cipher suites
> using +ADH or somesuch.
>
> -Ekr
>
> --
> [Eric Rescorla                                   [EMAIL PROTECTED]]
>           PureTLS - free SSLv3/TLS software for Java
>                 http://www.rtfm.com/puretls/
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
>


Thats not enough.  You need to rebuild OPENSSL with the correct defines (in
SSL.H).

Cheers

Lin Geng



______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Reply via email to