Appendix G SSL Strength Tool

SSL Strength Tool is a command-line tool that connects to an SSL server and reports back the encryption cipher and strength used for the connection.

This appendix has the following sections:

Availability
Syntax
Usage
Examples

Availability
SSL Strength Tool is available on the following platforms:


Syntax
sslstrength hostname[:port] 
[ciphers=ciphercode(s)]
[verbose]
[policy=export|domestic]

This form of the command returns a list of enabled ciphers on the client, then attempts to connect to the named SSL host, on the specified port. If the connection is successful, it returns information about the negotiated encryption strength.

sslstrength ciphers 

This form of the command returns a list of the possible ciphers. A letter in the first column of the output is the code used by the ciphers= option. Pass any number of cipher codes to the ciphers= argument to identify the cipher preferences.

Options and Arguments

The SSL Strength Tool command options and their arguments are defined as follows:

Table 25.3 Options and Arguments

hostname
    Required. Identifies the SSL server to which to connect.

port
    Optional. Identifies a specific port on the specified SSL server to which to connect. If not specified, defaults to the standard HTTPS port, 443.

ciphers=
    Optional. Turns on the cipher preferences corresponding to the specified cipher codes, and turns off all other cipher preferences. To obtain the list of cipher character codes, execute the special form of the command, sslstrength ciphers.

verbose
    Optional. Turns on the verbose form of command output, which provides additional information about the progress of the connection.

policy=
    Optional. Sets your policy regarding which ciphers can be permitted. Restricts the available ciphers to the same set used by Netscape Communicator for domestic or export versions (to comply with federal export restrictions). The value can be export or domestic. If not specified, defaults to domestic.



Usage
During an SSL handshake, the client sends the server a list of the ciphers it can use. The server chooses one of the ciphers based on its cipher policies, and notifies the client of which one to use.

When you issue the sslstrength command, the tool first prints the list of ciphers enabled on the client. It then connects to an SSL server and reports back the following information (see the Examples section for the exact output):

The negotiated cipher
The key size and the secret key size, in bits
The issuer and subject of the server certificate
The validity period of the server certificate

Restricting Ciphers

You can selectively enable or disable specific ciphers on the client, to determine what strength of connection is used for those ciphers. Use the policy= or ciphers= option to restrict which ciphers are available.
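The interaction above, as an added example that is not part of this appendix or of the tool: a small Python model of the offer the client builds from the policy= and ciphers= options and of the cipher the server then settles on. The cipher codes, names and Export column are copied from the tool's own listing in Example 1; the per-cipher secret key sizes, the server's preference order, and the rule that an export client can use a "Step-up only" cipher only against a server holding a step-up certificate (the certificate described in the next section) are assumptions made for this model, not behaviour documented here.

```python
"""Model of how sslstrength's policy= and ciphers= options shape the client's
cipher offer, and which cipher a server then settles on.

Added example, not code from the Netscape documentation or from the tool.
Cipher codes, names and the Export column follow the `sslstrength ciphers`
listing in Example 1; secret key sizes, the server preference order and the
step-up rule are assumptions made for this model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cipher:
    code: str          # letter used with ciphers=
    name: str
    version: str       # ssl2 or ssl3
    export: str        # Export column: "Yes", "No" or "Step-up only"
    secret_bits: int   # assumed effective secret key size in bits


# Table order matches the tool's listing; the Domestic column is Yes for every row.
_TABLE = [
    ("a", "SSL_EN_RC4_128_WITH_MD5", "ssl2", "No", 128),
    ("b", "SSL_EN_RC2_128_CBC_WITH_MD5", "ssl2", "No", 128),
    ("c", "SSL_EN_DES_192_EDE3_CBC_WITH_MD5", "ssl2", "No", 168),
    ("d", "SSL_EN_DES_64_CBC_WITH_MD5", "ssl2", "No", 56),
    ("e", "SSL_EN_RC4_128_EXPORT40_WITH_MD5", "ssl2", "Yes", 40),
    ("f", "SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5", "ssl2", "Yes", 40),
    ("i", "SSL_RSA_WITH_RC4_128_MD5", "ssl3", "Step-up only", 128),
    ("j", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "ssl3", "Step-up only", 168),
    ("k", "SSL_RSA_WITH_DES_CBC_SHA", "ssl3", "No", 56),
    ("l", "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "ssl3", "Yes", 40),
    ("m", "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "ssl3", "Yes", 40),
    ("o", "SSL_RSA_WITH_NULL_MD5", "ssl3", "Yes", 0),
    ("p", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", "ssl3", "No", 168),
    ("q", "SSL_RSA_FIPS_WITH_DES_CBC_SHA", "ssl3", "No", 56),
]
CIPHERS: Dict[str, Cipher] = {row[0]: Cipher(*row) for row in _TABLE}

# Assumed server preference: strong SSL3 ciphers first, the NULL cipher last.
SERVER_PREFERENCE = list("ijkpqlmabcdefo")


def client_preferences(policy: str = "domestic", ciphers: Optional[str] = None) -> List[Cipher]:
    """Return the ciphers the client offers, in the tool's listing order.

    ciphers= turns on exactly the listed codes and turns every other cipher off;
    policy=export then drops any cipher whose Export column reads "No".
    """
    if policy not in ("domestic", "export"):
        raise ValueError(f"policy must be export or domestic, not {policy!r}")
    selected = set(CIPHERS) if ciphers is None else set(ciphers)
    unknown = selected - set(CIPHERS)
    if unknown:
        raise ValueError(f"unknown cipher code(s): {''.join(sorted(unknown))}")
    offer = [c for c in CIPHERS.values() if c.code in selected]
    if policy == "export":
        offer = [c for c in offer if c.export != "No"]
    return offer


def negotiate(offer: List[Cipher], policy: str, server_has_stepup: bool = False) -> Optional[Cipher]:
    """Pick the cipher a server would settle on from the client's offer.

    Assumption: the server walks its own preference list and takes the first
    cipher the client offered. A "Step-up only" cipher counts for an export
    client only when the server presents a step-up certificate.
    """
    offered = {c.code for c in offer}
    for code in SERVER_PREFERENCE:
        if code not in offered:
            continue
        cipher = CIPHERS[code]
        if policy == "export" and cipher.export == "Step-up only" and not server_has_stepup:
            continue
        return cipher
    return None  # no cipher in common: the handshake fails


def connection_status(policy: str = "domestic", ciphers: Optional[str] = None,
                      server_has_stepup: bool = False) -> dict:
    """Summarise one run the way the tool's report does."""
    offer = client_preferences(policy, ciphers)
    chosen = negotiate(offer, policy, server_has_stepup)
    return {
        "policy": policy,
        "offered": "".join(c.code for c in offer),
        "cipher": chosen.name if chosen else None,
        "secret_key_size": chosen.secret_bits if chosen else None,
    }


if __name__ == "__main__":
    # Examples 1, 2 and 3 of this appendix, then Example 3 against a step-up server.
    print(connection_status("domestic"))
    print(connection_status("domestic", ciphers="jkl"))
    print(connection_status("export"))
    print(connection_status("export", server_has_stepup=True))
```

Run as a script, the three examples reproduce the appendix's outcomes (RC4 128-bit, 3DES 168-bit, RC4 with a 40-bit secret), and the fourth call shows the 128-bit cipher an export client only reaches when the server can step up.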

Export Policy and Step-up

Some institutions, such as banks, may be qualified to obtain a special "step-up" certificate (also known as a "global server ID") that allows the server to override export policy. When this certificate is installed in the server, it allows an export client that has step-up capability to renegotiate the SSL cipher and use domestic-strength encryption.

A connection that steps up starts out with 40-bit encryption, then, upon encountering a change-cipher-spec handshake, changes to 128-bit encryption. To check whether a client has stepped up correctly upon encountering a step-up certificate, check that it is using export policy, and that the secret key size is 128 bits.
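The step-up check described above, as an added example that is neither part of this appendix nor code from the tool: a Python parser for the report sslstrength prints, followed by the checks a reviewer would apply to it. EXPORT_RUN is the output of Example 3 below copied verbatim; STEPPED_UP_RUN is a constructed variant of that output showing what a connection that stepped up to 128 bits would report. Field names in the returned dict are this example's own.

```python
"""Parse the report that sslstrength prints and judge the negotiated strength.

Added example, not part of the Netscape documentation or of the tool.
EXPORT_RUN is the output shown in Example 3 of this appendix; STEPPED_UP_RUN
is a constructed variant of it for a connection that stepped up.
"""
import re
from typing import Any, Dict, List

EXPORT_RUN = """\
Using export policy
Connecting to myhost.netscape.com:443
Using all ciphersuites usually found in client
Your Cipher preference:
id CipherName Domestic Export
e SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2) Yes Yes
f SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2) Yes Yes
i SSL_RSA_WITH_RC4_128_MD5 (ssl3) Yes Step-up only
j SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3) Yes Step-up only
l SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3) Yes Yes
m SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3) Yes Yes
o SSL_RSA_WITH_NULL_MD5 (ssl3) Yes Yes
SSL Connection Status
Cipher: RC4-40
Key Size: 128
Secret Key Size: 40
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999
"""

# Constructed: the same run against a server that holds a step-up certificate.
STEPPED_UP_RUN = (EXPORT_RUN.replace("Cipher: RC4-40", "Cipher: RC4")
                  .replace("Secret Key Size: 40", "Secret Key Size: 128"))

# One row of the "Your Cipher preference" table: code, name, version, Domestic, Export.
CIPHER_ROW = re.compile(r"^([a-z]) (\S+) \((ssl[23])\) (Yes|No) (Yes|No|Step-up only)$")


def parse_sslstrength(text: str) -> Dict[str, Any]:
    """Turn one run of the tool into a dict of the fields it reports."""
    report: Dict[str, Any] = {
        "policy": None, "host": None, "port": None, "offered": [],
        "cipher": None, "key_size": None, "secret_key_size": None,
        "issuer": None, "subject": None, "valid_from": None, "valid_to": None,
    }
    in_status = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_status:  # "Name: value" lines after the status marker
            key, sep, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key in ("Key Size", "Secret Key Size"):
                report[key.lower().replace(" ", "_")] = int(value)
            elif key == "Valid":
                m = re.match(r"from (.+?) to (.+)$", value)
                if m:
                    report["valid_from"], report["valid_to"] = m.group(1), m.group(2)
            elif sep and key in ("Cipher", "Issuer", "Subject"):
                report[key.lower()] = value
            continue
        m = re.match(r"Using (domestic|export) policy$", line)
        if m:
            report["policy"] = m.group(1)
            continue
        m = re.match(r"Connecting to (\S+):(\d+)$", line)
        if m:
            report["host"], report["port"] = m.group(1), int(m.group(2))
            continue
        if line == "SSL Connection Status":
            in_status = True
            continue
        m = CIPHER_ROW.match(line)
        if m:
            report["offered"].append(m.group(1))
    return report


def assess(report: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the checks from the Usage section to a parsed report."""
    secret = report["secret_key_size"]
    cipher = report["cipher"] or ""
    result: Dict[str, Any] = {"handshake": secret is not None,
                              "weak": False, "stepped_up": False, "findings": []}
    findings: List[str] = result["findings"]
    if secret is None:
        findings.append("no SSL Connection Status block: the handshake did not complete")
        return result
    if "NULL" in cipher.upper() or secret == 0:
        result["weak"] = True
        findings.append("NULL cipher: the session is authenticated but not encrypted")
    elif secret < 128:
        result["weak"] = True
        findings.append(f"{cipher} carries only {secret} secret bits (export strength)")
    if report["key_size"] is not None and report["key_size"] != secret:
        findings.append(f"key size {report['key_size']} but only {secret} secret bits: "
                        "the remaining key bits are not secret")
    # The step-up check from the text: export policy, yet a 128-bit secret.
    if report["policy"] == "export" and secret >= 128:
        result["stepped_up"] = True
        findings.append(f"export policy with a {secret}-bit secret: the connection stepped up")
    return result


if __name__ == "__main__":
    for label, run in (("export run", EXPORT_RUN), ("stepped-up run", STEPPED_UP_RUN)):
        print(label, assess(parse_sslstrength(run))["findings"])
```

The distinction the parser preserves between Key Size and Secret Key Size is the one that matters: Example 3 reports a 128-bit RC4 key, but only 40 of those bits are secret, so the connection is export strength despite the key size.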


Examples
The following examples show the output from various sslstrength commands.

Example 1

This example shows output from a command that allows all options to default.

sslstrength myhost.netscape.com

Using domestic policy
Connecting to myhost.netscape.com:443
Using all ciphersuites usually found in client
Your Cipher preference:
id CipherName Domestic Export
a SSL_EN_RC4_128_WITH_MD5 (ssl2) Yes No
b SSL_EN_RC2_128_CBC_WITH_MD5 (ssl2) Yes No
c SSL_EN_DES_192_EDE3_CBC_WITH_MD5 (ssl2) Yes No
d SSL_EN_DES_64_CBC_WITH_MD5 (ssl2) Yes No
e SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2) Yes Yes
f SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2) Yes Yes
i SSL_RSA_WITH_RC4_128_MD5 (ssl3) Yes Step-up only
j SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3) Yes Step-up only
k SSL_RSA_WITH_DES_CBC_SHA (ssl3) Yes No
l SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3) Yes Yes
m SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3) Yes Yes
o SSL_RSA_WITH_NULL_MD5 (ssl3) Yes Yes
p SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (ssl3) Yes No
q SSL_RSA_FIPS_WITH_DES_CBC_SHA (ssl3) Yes No
SSL Connection Status
Cipher: RC4
Key Size: 128
Secret Key Size: 128
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999

Example 2

This example shows output from a command that limits the client to three ciphers.

sslstrength myhost.netscape.com ciphers=jkl

Using domestic policy
Connecting to myhost.netscape.com:443
Your Cipher preference:
id CipherName Domestic Export
j SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3) Yes Step-up only
k SSL_RSA_WITH_DES_CBC_SHA (ssl3) Yes No
l SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3) Yes Yes
SSL Connection Status
Cipher: 3DES-EDE-CBC
Key Size: 168
Secret Key Size: 168
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999

Example 3

This example shows output from a command that sets the client's policy to enable standard export ciphers.

sslstrength myhost.netscape.com policy=export

Using export policy
Connecting to myhost.netscape.com:443
Using all ciphersuites usually found in client
Your Cipher preference:
id CipherName Domestic Export
e SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2) Yes Yes
f SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2) Yes Yes
i SSL_RSA_WITH_RC4_128_MD5 (ssl3) Yes Step-up only
j SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3) Yes Step-up only
l SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3) Yes Yes
m SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3) Yes Yes
o SSL_RSA_WITH_NULL_MD5 (ssl3) Yes Yes
SSL Connection Status
Cipher: RC4-40
Key Size: 128
Secret Key Size: 40
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Subject: CN=myhost.netscape.com, OU=E-Store Merchant Server, O=Netscape Communications Corp., L=Mountain View, ST=California, C=US
Valid: from Fri Oct 02, 1998 to Sat Oct 02, 1999

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.