OK, now we're getting somewhere. It's a misunderstanding of what the values
mean (I'm going to oversimplify some to make the points clearer).
When an SSL connection is 40-bit, it means that the negotiated key size is
40 bits.
When you ask to generate an X-bit certificate, that refers to the length of
the RSA modulus; anything less than 768 bits is considered insecure.

The bit-ness of the certificate has no official bearing on the SSL keys.
What does have a very significant effect is the browser (which you said was
128-bit), and the web server (which you only mentioned as being Apache, I
assume with an SSL add-on). Either the browser or the server is limiting the
choices to 40-bit symmetric keys.
                        Joe
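
An added example, not part of the original message: Python's ssl module expands two constructed cipher strings (standing in for the browser and the server) and picks the suite a handshake would settle on. No certificate is loaded anywhere, so the RSA modulus size plays no part in the result. Server-preference ordering and the modern suite names (in place of the old 40-bit export suites) are assumptions.

```python
import ssl

def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string into [(name, symmetric_bits)], in preference order.

    TLS 1.3 suites are skipped because set_ciphers() does not control them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # used only to expand the string
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def negotiate(client_string, server_string):
    """Return the (suite, symmetric_bits) a server-preference handshake would
    select, or None when the two sides share no suite (handshake failure)."""
    offered = {name for name, _ in enabled_suites(client_string)}
    for name, bits in enabled_suites(server_string):
        if name in offered:
            return name, bits
    return None

# Constructed configurations: a client that supports 256-bit and 128-bit
# suites, and a server restricted to a single 128-bit suite.
STRONG_CLIENT = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
LIMITED_SERVER = "ECDHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    # The weaker side caps the session key size, whatever the certificate is.
    print("client vs limited server:", negotiate(STRONG_CLIENT, LIMITED_SERVER))
    print("client vs equally strong server:", negotiate(STRONG_CLIENT, STRONG_CLIENT))
```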
