Solved

Requiring 128 Bit Encryption when users access web site

Posted on 2005-03-11
Last Modified: 2008-02-26
We have discovered an issue with our web server in which we are trying to validate that users who do not have 128 bit encrypted browsers are prompted to update their browser to one that is 128 bit compliant. We are doing this via the Netscape iPlanet 4.1 server. From what we are seeing, clients who access via https://www.domainname.com/ are properly redirected as they should if they are less than 128 bit, while users who access https://www.domainname.com/uri/servlet are allowed through without being checked/redirected as they should.

Is anyone aware of any issues that could cause this? I have looked at all possible options on my end and am either missing the glaringly obvious, or there is something else that is going on...

Any feedback would be greatly appreciated.
Question by:RevelationCS
14 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13533618
can you please post the relevant part from your obj.conf which handles the 128bit check
0
 
LVL 8

Author Comment

by:RevelationCS
ID: 13536559
PathCheck fn="ssl-check" secret-keysize="128" bong-file="/opt/netscape/server4/non128/non128-redir.html"
0
 
LVL 8

Author Comment

by:RevelationCS
ID: 13545133
bumping points up as this is becoming an urgent issue...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13545540
do you have this in the <Object name="default"> scope?
not sure but if it is in that scope, you probably have to define it in each <Object > scope
0
 
LVL 29

Expert Comment

by:rdivilbiss
ID: 13545596
0
 
LVL 8

Author Comment

by:RevelationCS
ID: 13546451
ahoffman,

based on what I am seeing, we have the PathCheck defined under the default object. We also have objects for servlet and jsp along with a few others listed in there. Based on what you are saying, I take it this line (PathCheck fn="ssl-check" secret-keysize="128" bong-file="/opt/netscape/server4/non128/non128-redir.html") needs to be added to EACH of the objects defined? Is this correct?

0
 
LVL 8

Author Comment

by:RevelationCS
ID: 13546701
I tried adding the PathCheck to each of the Object Names defined and was still allowed to access the site using less than 128 bit encryption... I did end up removing the ciphers from the server leaving only the following ciphers enabled:

SSL 2.0 ciphers:
    RC4 with 128 bit encryption and MD5 message authentication
    RC2 with 128 bit encryption and MD5 message authentication
    Triple DES with 168 bit encryption and MD5 message authentication

SSL 3.0 ciphers:
    RC4 with 128 bit encryption and Fortezza/SHA message authentication
    RC4 with 128 bit encryption and MD5 message authentication
    Triple DES with 168 bit encryption and SHA message authentication
    (FIPS) Triple DES with 168 bit encryption and SHA message authentication


With doing this, the site now returns an error to the user when using netscape communicator 4.6 - "Netscape and this server cannot communicate securely because they have no common encryption algorithm(s)."  Optimally, this is not the way that I would like to do it, however, if I am unable to get the PathCheck/bong-file line to work, then we will have to stick with this.

Ahoffman, can you expound on your response in a little more detail please?
0
 
LVL 8

Author Comment

by:RevelationCS
ID: 13546776
also, if this helps, these are the other object defs outside of the default that are in the obj.conf:

<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi"
</Object>

<Object name="servlet">
ObjectType fn="force-type" type="text/html"
Service fn="NSServletService"
</Object>

<Object name="jsp">
Service fn="NSServletService"
</Object>

<Object name="ServletByExt">
ObjectType fn="force-type" type="magnus-internal/servlet"
Service type="magnus-internal/servlet" fn="NSServletService"
</Object>

<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
0
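
An added example, not part of the thread and not code from any poster: a small Python audit that parses obj.conf text and reports which <Object> blocks carry a PathCheck fn="ssl-check" directive and with what secret-keysize, which is the per-object check discussed in the posts above. The sample configuration is constructed; the contents of the default object and the function name audit_ssl_check are assumptions.

```python
import re

# Constructed sample: the default object is assumed; the other objects are
# taken from the fragments posted in the thread.
SAMPLE_OBJ_CONF = '''
<Object name="default">
PathCheck fn="ssl-check" secret-keysize="128" bong-file="/opt/netscape/server4/non128/non128-redir.html"
</Object>

<Object name="servlet">
ObjectType fn="force-type" type="text/html"
Service fn="NSServletService"
</Object>

<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
'''

OBJECT_RE = re.compile(r'<Object\s+([^>]*)>(.*?)</Object>', re.S | re.I)
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def audit_ssl_check(conf_text, required_bits=128):
    """Return {object label: status} for every <Object> block in conf_text."""
    report = {}
    for attrs, body in OBJECT_RE.findall(conf_text):
        obj = dict(PARAM_RE.findall(attrs))
        label = obj.get("name") or obj.get("ppath") or "(unnamed)"
        status = "no ssl-check"
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) != 2 or parts[0] != "PathCheck":
                continue  # blank line, comment, or another directive
            params = dict(PARAM_RE.findall(parts[1]))
            if params.get("fn") != "ssl-check":
                continue  # a different PathCheck function, e.g. check-acl
            size = params.get("secret-keysize", "")
            if size.isdigit() and int(size) >= required_bits:
                status = "ssl-check >= %d bits" % required_bits
            else:
                status = "ssl-check present, keysize %r too low or missing" % size
        report[label] = status
    return report


if __name__ == "__main__":
    for name, status in audit_ssl_check(SAMPLE_OBJ_CONF).items():
        print("%-12s %s" % (name, status))
```

The report only shows where the directive is written in the file; it does not model which objects the server applies to a given request.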
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13546805
puuuh, need to guess 'cause I don't have experience with such a problem.
Checked my Netscape/iPlanet docs, but they are not helpful about ssl-check, unfortunately :-(
I'll try again, please give me a ping here if I don't respond next few days ..
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13546950
no, these objects do not matter, they serve your cgi, jsp, etc.
only those for specifying directories and (virtual) locations are of interest
0
 
LVL 8

Author Comment

by:RevelationCS
ID: 13646554
ahoffmann,

any updates that you can provide to this?

thanks
0
 

Accepted Solution

by:
OzzMod earned 0 total points
ID: 13742306
Closed, 500 points refunded.
OzzMod
Community Support Moderator (Graveyard shift)
0
 
LVL 8

Author Comment

by:RevelationCS
ID: 13819700
ozz....

post was not closed out as of yet, but the points were refunded....

thanks
0
