[PYTHON-CRYPTO] M2Cypto SSL and IE5's 56bit bug
Richard Jones
richard at bizarsoftware.com.au
Wed Jul 4 12:07:59 CEST 2001
On Wed, 4 Jul 2001 19:52, Michael Ströder wrote:
> Richard Jones wrote:
> > On Wed, 4 Jul 2001 17:08, Richard Jones wrote:
> > > Here's a workaround for ZServerSSL for the 56bit SSL cipher bug in IE
> > > 5. The bug is described in the following pages:
> >
> > A clarification - this only occurs with the Thawte SuperCerts or
> > Verisign's "Global Site Services". Specifically, we have a Thawte
> > SuperCert.
>
> Note that some versions of MS IE have a buggy step-up (switch from
> export grade cipher to strong cipher) procedure. If I remember
> correctly this was discussed several times on the mod_ssl mailing
> list. There were proposed solutions like this setting (taken from my
> httpd.conf shipped with SuSE Linux):
>
> SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> It's up to you to compare that in detail to the cipher list you
> suggested.
I can get m2crypto to have the SSL Connection have the cipher list as above,
that's not a problem. That removes all the 56-bit ciphers. Well, that's what
ssl_conn.get_ciphers() tells me... Problem is, unlike Apache, something must
still need configuring in m2crypto because it still doesn't work...

I've talked to Thawte about it, and am going with the $50 re-issue of the
cert. No SGC extension. Guaranteed to work - just like the test cert that
comes with m2crypto.

Richard

ps. "some versions" ... read: all the browsers installed on windows 2000
without service pack 1!!!
--
Richard Jones
richard at bizarsoftware.com.au
Senior Software Developer, Bizar Software (www.bizarsoftware.com.au)