I'm running SuSE6.0 on intel with an apache 1.3.6 server. I
        built openssl-0.92, and when I do "make certificate", it
        builds one of only 40-bit strength. Is there a makefile tweak
        that I need to enable 128-bit certificate generation? I was
        wondering where I might get the RSA include ... I understand
        the import/export and licensing issues involved but can I even
        find it for ftp anywhere?

Certificates don't have any inherent cipher strength.  The strength
of your SSL connection is determined by the configuration of your
server and the user's browser, not by the certificate.  If you have an
"international" browser (go to help->about), it will normally provide
only 40 bits (Netscape 4.6 will offer 56 bits).

If you're running a Netscape browser, you can upgrade it by visiting
www.fortify.net and following the instructions.

If you want to provide 128-bit SSL connections to users with
international browsers, you need a special certificate called an SGC
(server gated cryptography) certificate, also known as a Global ID.
These are available from www.verisign.com for US companies, or for
non-US companies under certain conditions.  They cost 895 USD/year.  :(((

You cannot generate your own SGC certs and have them work in normal
international browsers.  SGC certs have to be signed by a special
certifying authority whose certificate is pre-installed in the
browser.  Only Verisign can sign widely recognized SGC certs, for now.

You can modify your browser's certificate store to accept your own SGC
certs, but if you can do that, you may as well "fortify" your browser
instead, so it gives you 128 bits without *needing* special certs.

Some more info on how SGC certificates work can be found in the
README.GlobalID file in the mod_ssl distribution (www.modssl.org).
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
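
The negotiation described in the reply above, as an added example that is not part of the original message: a simplified model in which the browser build and the server's cipher configuration decide the bulk-cipher strength, and the certificate matters only through the SGC step-up. The suite lists, the "Trusted SGC CA" issuer name and the dictionary fields are constructed for illustration, and only the 40-bit international case is modelled.

```python
# Simplified model (constructed for illustration; not mod_ssl or OpenSSL code).
STRENGTH = {"RC4-MD5": 128, "RC4-SHA": 128,
            "EXP-RC4-MD5": 40, "EXP-RC2-CBC-MD5": 40}

# Server configuration: suites in order of preference.
SERVER_PREFS = ["RC4-MD5", "RC4-SHA", "EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]
EXPORT_SUITES = ["EXP-RC4-MD5", "EXP-RC2-CBC-MD5"]
STRONG_SUITES = ["RC4-MD5", "RC4-SHA"]


def pick(server_prefs, client_offer):
    """Server picks its first preferred suite that the client also offered."""
    for suite in server_prefs:
        if suite in client_offer:
            return suite
    raise ValueError("no shared cipher suite")


def negotiate(browser, cert, trusted_sgc_issuers=("Trusted SGC CA",)):
    """Return (suite, bits) for one connection.

    browser: "domestic", "fortified" or "international"
    cert:    dict with "key_bits", "sgc" (bool) and "issuer"
    """
    if browser in ("domestic", "fortified"):
        offer = STRONG_SUITES + EXPORT_SUITES
    else:
        offer = list(EXPORT_SUITES)
        # SGC step-up: an international browser unlocks its strong suites only
        # for an SGC cert issued by a CA it already trusts for that purpose.
        if cert["sgc"] and cert["issuer"] in trusted_sgc_issuers:
            offer = STRONG_SUITES + EXPORT_SUITES
    # cert["key_bits"] is never consulted: the certificate's key size plays
    # no part in choosing the bulk cipher.
    suite = pick(SERVER_PREFS, offer)
    return suite, STRENGTH[suite]


if __name__ == "__main__":
    ordinary = {"key_bits": 1024, "sgc": False, "issuer": "Any CA"}
    global_id = {"key_bits": 1024, "sgc": True, "issuer": "Trusted SGC CA"}
    home_made = {"key_bits": 1024, "sgc": True, "issuer": "My Own CA"}
    for browser in ("international", "fortified", "domestic"):
        for name, cert in (("ordinary", ordinary), ("global_id", global_id),
                           ("home_made", home_made)):
            print(browser, name, negotiate(browser, cert))
```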