How can I configure SSL to use 128 bit encryption or better using mod_SSL on Apache web server?
This facility is called Server Gated Cryptography (SGC) and details you can find in the README.GlobalID document in the mod_ssl distribution. In short: The server has a Global ID server certificate, signed by a special CA certificate from Verisign which enables strong encryption in export browsers. This works as following: the browser connects with an export cipher, the server sends its Global ID certificate, the browser verifies it and subsequently upgrades the cipher suite before any HTTP communication takes place. The question now is: How can we allow this upgrade, but enforce strong encryption. Or in other words: Browsers either have to initially connect with strong encryption or have to upgrade to strong encryption, but are not allowed to keep the export ciphers. Although VTCA does not issue certificates with (SGC) but the following does the trick: httpd.conf # allow all ciphers for the initial handshake, # so export browsers can upgrade via SGC facility SSLCipherSuite ALL:!
