> Zaki Akhmad wrote:
> Hi Ralf, thank you for your reply. I've done this, and it works with the
> https protocol. Is it that what I've done didn't encrypt the message,
> because the keylength is set to zero?
No. The keylength isn't set to zero.

During the SSL handshake some tasks are done: RSA authentication, Diffie-Hellman key agreement, encryption/HMAC algorithm proposals and so on. When you set

    SSLCipherSuite RSA:!EXP:!NULL:+HIGH:-MEDIUM:-LOW

(for mod_ssl) or

    SSLRequireCipher AES-SHA 3DES-SHA

(or something similar for apache_ssl) in your apache ssl section, only strong encryption/authentication will be allowed by your apache.

Additionally, some information about the encryption will be exported to the applications via environment variables. This is done by using

    SSLOptions +StdEnvVars

Back to openca. Openca uses CGI scripts, and when initCGI is loaded, the variables exported earlier will be evaluated and checked. The keylength variable of mod_ssl is called SSL_CIPHER_USEKEYSIZE (initCGI requires this name), and if its value is less than 128 the session will fail.

In your case, using apache-ssl, this information resides in HTTPS_SECRETKEYSIZE. SSL_CIPHER_USEKEYSIZE is thus missing and returns zero or undef -> the session fails. But this only happens due to missing information, not because of bad encryption. So don't fear that your ssl session is not secure when you set <symmetric_keylength>0</symmetric_keylength>. When you harden your apache ssl config as mentioned above, you can see the strong encryption in your browser.

I hope this explanation was understandable... :-)

Regards
Ralf

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
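The failure mode Ralf describes (mod_ssl's SSL_CIPHER_USEKEYSIZE is the only name the check knows, so under Apache-SSL the value is missing, reads as 0 and the session fails although the cipher is strong) can be reproduced with a small model of the check. This is an added example, not OpenCA's initCGI code; the function names, the `strict` switch and the sample environments are constructed for illustration.

```python
# Minimum symmetric key size the post says initCGI expects (less than 128 fails).
MIN_KEY_BITS = 128

# Name exported by mod_ssl (with SSLOptions +StdEnvVars) and the name
# Apache-SSL uses for the same information, as given in the post.
MODSSL_VAR = "SSL_CIPHER_USEKEYSIZE"
APACHESSL_VAR = "HTTPS_SECRETKEYSIZE"


def key_size_from_env(env, strict=True):
    """Return the negotiated symmetric key size in bits, or 0 when unknown.

    strict=True mirrors the behaviour described for initCGI: only the mod_ssl
    name is consulted, so under Apache-SSL the value is absent and comes back
    as 0. strict=False also accepts the Apache-SSL name (a hypothetical
    fallback for comparison, not something the post says OpenCA does).
    """
    names = [MODSSL_VAR] if strict else [MODSSL_VAR, APACHESSL_VAR]
    for name in names:
        raw = env.get(name)
        if raw is None:
            continue
        try:
            return int(raw)
        except ValueError:
            return 0  # unparsable value is treated like a missing one
    return 0


def session_allowed(env, required_bits=MIN_KEY_BITS, strict=True):
    """True if the reported key size meets the floor; a missing value fails."""
    return key_size_from_env(env, strict) >= required_bits


# Constructed sample CGI environments, not captured from a real server.
MOD_SSL_ENV = {"HTTPS": "on", "SSL_CIPHER": "AES256-SHA", "SSL_CIPHER_USEKEYSIZE": "256"}
APACHE_SSL_ENV = {"HTTPS": "on", "HTTPS_SECRETKEYSIZE": "256"}
WEAK_ENV = {"HTTPS": "on", "SSL_CIPHER": "EXP-RC4-MD5", "SSL_CIPHER_USEKEYSIZE": "40"}

if __name__ == "__main__":
    for label, env in (("mod_ssl", MOD_SSL_ENV), ("apache-ssl", APACHE_SSL_ENV), ("weak", WEAK_ENV)):
        print(f"{label:10s} strict={session_allowed(env)!s:5s} "
              f"with_fallback={session_allowed(env, strict=False)}")
```

The apache-ssl environment is rejected only in strict mode, which is exactly the "missing information, not bad encryption" case from the reply; the 40-bit export cipher is rejected either way.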
