[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AW: AW: [iaik-ssl] iSaSiLk w/o RSA talking to SSL web server



You are right in that you can only use a particular ciphersuite if you
have the appropriate certificate, but the algorithm is first negotiated
and NOT chosen automatically based on the certificate. If you look at the
ciphersuite definitions (e.g. in our CipherSuite class) you see names
like SSL_asym_WITH_sym_hash, e.g. SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
which uses DHE_DSS for key agreement/ authentication, TripleDES in CBC
for encryption and SHA for the MAC. In the handshake client and server
first agree on a ciphersuite and then continue as defined for that
ciphersuite.

Anyway, you really asked about your Netscape SSL server and I am sorry to
tell you that it does not support and non RSA ciphersuites. The same is
true for Netscape browsers and Microsoft software, although the reason is
somewhat beyond me. Your best shot would be some OpenSSL/SSLeay based
software, for example Apache with mod_ssl.

BTW, you can test the server supported ciphersuites using a servlet
available at http://jcewww.iaik.at/Browser/server-t.htm . Note that all
no-RSA suites also need an additional certificate that is not installed
on most servers that you might test.

Regards,

 Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.tu-graz.ac.at


-----Ursprüngliche Nachricht-----
Von: Spencer W. Thomas <spencer@umich.edu>
An: Peter Lipp <Peter.Lipp@iaik.at>
Cc: Thomas Dorris <twd@ismd.ups.com>; <iaik-ssl@iaik.tu-graz.ac.at>
Gesendet: Donnerstag, 11. November 1999 06:24
Betreff: Re: AW: AW: [iaik-ssl] iSaSiLk w/o RSA talking to SSL web server


> Peter Lipp wrote:
>
> >
> > > CipherSuite.SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
> > Now here we have DH_anon as the asymmetric one and I doubt that
Netscape
> > supports that.
>
> Unless I'm missing something (not unlikely!) doesn't the asymmetric
cipher that
> you use depend on how your server certificate(s) is signed?  I.e., if
you have
> only an RSA-signed certificate, you have to use the RSA asymmetric
cipher?
>
> =Spencer Thomas, University of Michigan
>
>
> --
> Mailinglist-archive at
http://jcewww.iaik.tu-graz.ac.at/mailarchive/iaik-ssl/maillist.html
>
> To unsubscribe send an email to listserv@iaik.tu-graz.ac.at with the
folowing content: UNSUBSCRIBE iaik-ssl
>
>
>


smime.p7s