Configuring The Server To Use Specific Ciphers - Netscape MANAGEMENT SYSTEM 6.0 Installation And Setup Manual

Configuring the Server's Security Preferences
CAUTION
Previous US law prohibited the export of software with strong encryption, so most
browsers still in use outside of the US and Canada do not support 128-bit
encryption. Disabling all 40-bit ciphers will ensure that all connections use
higher-grade security, but will also prevent many users outside of the US and
Canada from accessing your service.
Note that Netscape Communicator has received retail status from the United States
Department of Commerce Bureau of Export Administration; under new
regulations, retail status makes it possible to export Communicator with the same
encryption and cryptographic features available in the US and Canada.
Prior to the retail status, international users of Netscape Communicator (with
encryption capability restricted to 40-bit encryption) could use Netscape's
International Step-Up program to step up to stronger encryption (56-bit, 128-bit, or
168-bit). Step-up refers to the ability of export browsers to establish strong SSL
sessions with domestic SSL servers, if they have the appropriate step-up
certificates.
Because many of the features supported in Certificate Management System, such as
issuance of dual certificates for dual key pairs and real-time verification of
certificates using the OCSP protocol, require Communicator versions 4.7x or
Netscape 6x, it's recommended that you upgrade your browser. For information on
downloading the latest browser, check this site:
http://home.netscape.com/browsers

Configuring the Server to Use Specific Ciphers

You can set a number of systemwide preferences for SSL by specifying the ciphers
that Certificate Management System should recognize and use during SSL
communication; the server applies the cipher settings you choose to all the SSL
(HTTPS) ports it uses.
To change the cipher settings for a CMS instance:
1. Log in to the CMS window (see "Logging In to the CMS Window" on
page 333).
Netscape Certificate Management System Installation and Setup Guide • March 2002
You might not want to check the options that say "No Encryption,
only MD5 message authentication" and "No Encryption, only
Fortezza and SHA message authentication." If these options are enabled
and no other ciphers are available on the client side, the server will
use them and no encryption will occur.
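
The effect of both the 40-bit caution and the "No Encryption" note can be checked with a small model of cipher selection. This is an added example, not code from the manual or from Certificate Management System. Assumptions: suite names are taken from the SSL 3.0 specification (RFC 6101), their mapping to the console's check boxes is assumed, the client lists are constructed, and the server is modeled as picking the strongest suite both sides support.

```python
# Added example: effective encryption strength in bits; 0 means no encryption.
# Names follow the SSL 3.0 specification (RFC 6101), not the CMS console labels.
SUITE_BITS = {
    "SSL_RSA_WITH_NULL_MD5": 0,
    "SSL_FORTEZZA_KEA_WITH_NULL_SHA": 0,
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5": 40,
    "SSL_RSA_WITH_DES_CBC_SHA": 56,
    "SSL_RSA_WITH_RC4_128_MD5": 128,
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA": 168,
}

# Server cipher settings to compare (hypothetical profiles).
ALL = list(SUITE_BITS)
NO_NULL = [s for s in ALL if SUITE_BITS[s] > 0]
STRONG_ONLY = [s for s in ALL if SUITE_BITS[s] > 40]

# Constructed client offers.
EXPORT_CLIENT = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5",
                 "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
                 "SSL_RSA_WITH_NULL_MD5"]
NULL_ONLY_CLIENT = ["SSL_RSA_WITH_NULL_MD5"]


def negotiate(server_enabled, client_offered):
    """Return the suite the modeled server selects, or None if the handshake fails."""
    common = [s for s in server_enabled if s in client_offered]
    if not common:
        return None  # no shared suite: the connection is refused
    # Assumption: strongest shared suite wins; ties keep the server's order.
    return max(common, key=lambda s: SUITE_BITS[s])


def audit(server_enabled):
    """List enabled suites that give no encryption or only export-grade encryption."""
    findings = []
    for suite in server_enabled:
        bits = SUITE_BITS[suite]
        if bits == 0:
            findings.append((suite, "no encryption, message authentication only"))
        elif bits <= 40:
            findings.append((suite, "export-grade 40-bit encryption"))
    return findings


if __name__ == "__main__":
    for label, server in (("all", ALL), ("no NULL", NO_NULL), ("strong only", STRONG_ONLY)):
        for client_name, client in (("export", EXPORT_CLIENT), ("NULL-only", NULL_ONLY_CLIENT)):
            print(f"server={label:11} client={client_name:9} -> {negotiate(server, client)}")
        print(f"  audit findings: {len(audit(server))}")
```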


This manual is also suitable for:

Certificate management system 6.0
