Thomas, this is exactly what I thought originally. The disabling and enabling weak ciphers I thought were done on the server itself.
Then someone informed me that the cert generation was involved, I could have been misinformed.
Thanks for your input. I'm looking into the IIS config, I'll let you know if I find anything.
-----Original Message-----
From: Thomas Reinke
To: '[EMAIL PROTECTED]'
Sent: 4/11/02 6:41 PM
Subject: Re: Generating a Key Pair and CSR with weak ciphers disabled
I hope I'm not completely out to lunch, but I was under the
impression that cipher strength and certificate keys are
two different beasts. To put it more exactly, one can disable
weak ciphers, because it is a function of the SSL software on
the server side of things, NOT a function of the signed public
key.
For example (where my expertise lies) - openssl used within
Apache specifically allows one to specify the ciphers to be
allowed within a connection.
For reference (again with openssl),
# openssl s_server -? (and check the '-ciphers' arg)
# openssl ciphers (to see the ciphers list).
What I can't tell you is whether or not the various servers
allow you to explicitly disable weak ciphers.
For Apache servers with mod_ssl (the most popular), a config
file directive called "SSLCipherSuite" allows one to explicitly
specify which ciphers the client is allowed to negotiate, again,
independent of the certificate presented.
I seem to recall (from 3-4 years ago) that Netscape Enterprise
server allowed one to specify whether or not to enable/disable
export/domestic grade security (cipher strength). I'd be amazed
if IIS doesn't have the exact same capability.
Thomas
> Troy Perkins wrote:
>
> I have spoken with VeriSign in regards to generating a CSR without weak
> ciphers enabled (resolution: disable weak ciphers in Nessus reports).
>
> All they could tell me was:
> http://www.verisign.com/support/csr/index.html
>
> choosing 40/128 ???
>
> To be more specific, what I'm trying to figure out how to do is
> disable these weak ciphers that are supposedly enabled by IIS 4.0 CSR
> generation before they are sent to an authority for signing.
>
> I know that the weak ciphers are a low security risk, but governments
> and financial institutions don't see it that way.
>
> Feedback is very welcome - Thanks
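A worked check for the point Thomas makes above (cipher strength is a server-side setting, independent of the certificate or CSR). This is an added example, not code from the thread: it parses constructed lines shaped like `openssl ciphers -v` output, reports which suites a weak-cipher scan would flag, and emits an Apache mod_ssl `SSLCipherSuite` line in OpenSSL's cipher-string syntax. The sample lines are constructed, and the "weak" thresholds (export grade, null encryption, below 128 bits) and the exact directive string are this example's assumptions, not the thread's.

```python
import re

# Constructed sample shaped like `openssl ciphers -v` output (not a real capture).
SAMPLE_CIPHERS_V = """\
EXP-RC4-MD5             SSLv3 Kx=RSA(512)  Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
DES-CBC-SHA             SSLv3 Kx=RSA       Au=RSA  Enc=DES(56)   Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA       Au=RSA  Enc=None      Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA       Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA       Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA       Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# One `openssl ciphers -v` line: NAME PROTO Kx=.. Au=.. Enc=ALG(bits) Mac=.. [export]
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


def parse_ciphers(text):
    """Parse verbose cipher lines into dicts; lines that don't match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        enc = m.group("enc")
        bits = re.search(r"\((\d+)\)", enc)  # e.g. RC4(40) -> 40; "None" -> no bits
        suites.append({
            "name": m.group("name"),
            "proto": m.group("proto"),
            "kx": m.group("kx"),
            "enc": enc,
            "bits": int(bits.group(1)) if bits else 0,
            "export": bool(m.group("export")),
        })
    return suites


def weak_reasons(suite, min_bits=128):
    """Reasons a scanner would flag this suite; empty list means it passes.
    The 128-bit threshold is this example's assumption."""
    reasons = []
    if suite["export"]:
        reasons.append("export grade")
    if suite["enc"] == "None":
        reasons.append("no encryption")
    elif suite["bits"] < min_bits:
        reasons.append(f"{suite['bits']}-bit key")
    return reasons


def audit(text, min_bits=128):
    """Map cipher name -> reasons for every suite that would be flagged as weak."""
    flagged = {}
    for suite in parse_ciphers(text):
        reasons = weak_reasons(suite, min_bits)
        if reasons:
            flagged[suite["name"]] = reasons
    return flagged


def mod_ssl_directive():
    """An Apache mod_ssl SSLCipherSuite line that removes export, null-encryption,
    low-strength and unauthenticated suites. The cipher-string keywords (ALL, EXP,
    NULL, LOW, aNULL) are OpenSSL's; choosing this particular string is an assumption."""
    return "SSLCipherSuite ALL:!EXP:!NULL:!LOW:!aNULL"


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_CIPHERS_V).items():
        print(f"{name:<20} weak: {', '.join(reasons)}")
    print("\nSuggested Apache directive:\n  " + mod_ssl_directive())
```

Pointing `audit()` at real `openssl ciphers -v` output shows which suites the server build can still negotiate; the certificate never enters into it, which is why the CSR step cannot be where weak ciphers get turned off.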
