Suggestion: DHE cipher suites

1999-03-20 Thread Bodo Moeller
I'd like to suggest that future versions of mod_ssl and Apache-SSL support the ephemeral Diffie-Hellman cipher suites, i.e. the ones that SSLeay/OpenSSL calls EDH-..., such as DH-RSA-DES-CBC3-SHA, which is officially known as follows: CipherSuite TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = {

Random number generator initialisation

1999-01-11 Thread Bodo Moeller
from ssleay.cnf (e.g. ~/.rnd) is used by SSLeay's "req" application. In any case, the documentation of the software packages should state where randomness is collected and, possibly, how much entropy we could hope to gain that way.

Re: Mod SSL Rewriting

1999-04-15 Thread Bodo Moeller
On Wed, Apr 14, 1999 at 09:41:34AM +0200, Ralf S. Engelschall wrote: On Tue, Apr 13, 1999, Gary Carroll wrote: I think you may find that you can only use SSL with IP-based vhosts. For name-based vhosts you need to have established the connection to read the Host: header, which for SSL means

Re: ModSSL and IE5.0 and Keepalive

1999-05-18 Thread Bodo Moeller
You can try just: SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown Why does it affect https but not http? Don't ask me: It's a problem in MSIE AFAIK. What does the shutdown sequence in Apache with mod_ssl look like? With a different SSL application, I have observed strange behaviour

Re: ModSSL Breaks Apache

1999-05-21 Thread Bodo Moeller
On Thu, May 20, 1999 at 03:57:21PM -0400, Adam D. McKenna wrote: From what I've heard even RSAREF is not legal to use inside the US for commercial purposes. However, verisign (a division of RSA) does not have a problem issuing certificates for servers running OpenSSL (SSLeay is actually

Re: ModSSL Breaks Apache

1999-05-21 Thread Bodo Moeller
On Fri, May 21, 1999 at 11:05:38AM -0400, Adam D. McKenna wrote: From: Bodo Moeller [EMAIL PROTECTED] From what I've heard even RSAREF is not legal to use inside the US for commercial purposes. However, verisign (a division of RSA) does not have a problem issuing certificates for servers

Re: SSL3_ACCEPT:bad ... weirdness

1999-05-22 Thread Bodo Moeller
On Fri, May 21, 1999 at 11:27:55PM -0700, Brian D. Kohl wrote: First of all: I created a temp certificate with my private key and the HTTPS site works (unknown CA, but works). Scenario: I got my server.crt back from Verisign. No worky. Error: My ssl_engine log gives me:

Re: MSIE clients with broken SSL close notify

1999-05-31 Thread Bodo Moeller
a link in a certain time-frame after the server closed the connection), provided that the server OS allows Apache to do a shutdown(..., SHUT_WR). Here's what I managed to find out about the MSIE behaviour: Date: Fri, 21 May 1999 19:47:00 +0200 From: Bodo Moeller [EMAIL PROTECTED] To: [EMAIL

Re: GlobalID problem

1999-12-20 Thread Bodo Moeller
On Mon, Dec 20, 1999 at 10:19:54AM +0100, Matthias Loepfe wrote: [MS-StepUp] Is there a spec for it? http://www.microsoft.com/security/tech/sgc/TechnicalDetails.asp or http://www.microsoft.com/security/tech/sgc Is there more than internal server errors (VBScript runtime errors:

Re: server configuration problem

2000-02-25 Thread Bodo Moeller
Osvaldo Brito [EMAIL PROTECTED]: $ openssl s_client -host localhost -port 443 14228:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 14228:error:04067071:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:394: