Dr Stephen Henson wrote:
>
> Dr Stephen Henson wrote:
> >
> > Adrian Peck wrote:
> > >
> > > The basic problem is that IE4 or 5 will issue a client hello message
> > > immediately after receiving the server hello and server certificate if it
> > > finds that this certificate was a Server Gated Crypto ( SGC ) certificate.
> > > The 'point' of this is to change the cipher suites that are offered to the
> > > server without starting a new SSL session. My code peeks at the client
> > > message to check for a client hello and resets the SSL state to
> > > SSL_ST_ACCEPT if it spots one. The code is only visited if the SSL mode
> > > SSL_MODE_NCIPHER_SGC_HACK is set.
> > >
> >
> >
> > I'm not sure what the MSIE logic of not starting a new session is
> > though. At this point no cryptographic operations have been performed so
> > there isn't much overhead.
> >
>
> Ah I see the point now. The server doesn't have to generate the RSA
> temporary key and more importantly sign it with the certified key: this
> is likely to be an expensive operation.
>
> The next problem is how can the server in general determine whether to
> expect the second client hello?
Eh? Surely it should just do the appropriate thing if it gets it, rather
than "expecting" it?
Cheers,
Ben.
--
SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
