I'm not sure if you're looking into Diffie-Hellman for the same reason I was,
but here's my story anyway!  Initially I received a bunch of prompts from
Netscape in regards to the certificate when I went to my Apache+mod_ssl secured
test site.  I did not want end users to have to go through this process of
accepting the certificates all the time.

Eventually, I figured out that the reason these pop-ups were appearing is
because the signer of the cert is not recognized by Netscape (or IE as the case
may be).  I found that I could post the CA certificate of my CA on a web site
and users can install the CA into the trusted list in the browser.  To avoid the
problem altogether, have the cert signed by Verisign or some other known/trusted
CA which appears in the browsers' lists by default.

I'm sure this is widely understood, but being new to this SSL stuff it took me a
while to figure it out so I thought I would offer it....

John

Kenneth Mutka wrote:

> > Neither Netscape 4.7 nor IE 5 supports DH key exchange. It is not
> > required by SSLv3.
>
> If they don't support it, what browsers do?
> I would like to run Anonymous Diffie-Hellman as well.
>
> > Incidentally, your configuration isn't right for anonymous DH
> > either. You'd (at minimum) need to turn on the ADH cipher suites
> > using +ADH or somesuch.
>
> And exactly how would such a configuration look?
> I've tried a couple of variations of this, but none have succeeded.
> Has anybody on this list set up a server for Anonymous DH? Could that person
> please assist with a snippet of the configuration needed?
> And of course we would all have to configure OpenSSL with support for ADH, no
> need to point that out yet another time.
>
> Regards,
>
> Kenneth
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
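
An added example, not part of either poster's message: a short Python audit that reads a cipher listing in the format printed by `openssl ciphers -v` and separates the anonymous DH suites asked about above (`Au=None`, so no server certificate is presented or checked) from DH suites that are still authenticated by a certificate. The sample listing is constructed, and the function names `parse_suites` and `classify` are hypothetical.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v`
# (not output captured from the posters' servers).
SAMPLE = """\
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
"""

# Matches the key=value columns: Kx (key exchange), Au (authentication),
# Enc (cipher) and Mac.
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_suites(text):
    """Return one dict per suite line: name, protocol and the key=value columns."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        entry = {"name": parts[0], "protocol": parts[1]}
        entry.update(FIELD.findall(line))
        suites.append(entry)
    return suites


def classify(suites):
    """Split suites into anonymous ones and certificate-authenticated DH ones."""
    anonymous = [s["name"] for s in suites if s.get("Au") == "None"]
    authenticated_dh = [
        s["name"]
        for s in suites
        if s.get("Au") not in (None, "None") and s.get("Kx", "").startswith("DH")
    ]
    return anonymous, authenticated_dh


if __name__ == "__main__":
    anon, auth_dh = classify(parse_suites(SAMPLE))
    print("anonymous (no certificate check):", anon)
    print("DH with certificate authentication:", auth_dh)
```
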
