Stunnel.org  
   
Patch info for keylength_ktk

Creator: Kristofer T. Karas
Patch to Version: 3.8
Type: new feature
Patch: keylength_ktk.patch
Status: Problem fixed independently in 3.9.
Description


Patch to fix incompatible key-length problems. Stunnel wasn't honoring requested key-lengths correctly, causing some clients (such as IE 40-bit) to fail during the handshake phase.

Author Comments


In response to:

> I'm having problems with Internet Explorer version 5.00.2614.3500 40bit.
> I am able to connect just fine with Netscape, both 128-bit and 56-bit versions.
> However, connecting with the aforementioned IE produces an error (and
> this is supposedly the version shipped on the Win98 CD):

Kristofer T. Karas writes:

The problem is that each implementation of SSL (OpenSSL, Netscape,
Microsoft, ...) comes with a different assortment of supported ciphers
for each version of the SSL protocol (2 and 3).  As it so happens,
40-bit IE only supports ciphers that use a 1024 bit key.  Remember that
the "key length" number represents the encoded length of the prime
numbers used in the public key exchange, which bears little relation to
the key length of the cipher that actually encrypts the data itself.

You can emulate this bug in Netscape by turning off SSL3 and then only
enabling the bottom two ciphers of SSL2; it too will exhibit the same
problems as 40 bit IE.   (Umm, maybe I have that backwards; it's been
a while since I investigated.)

The bug: when OpenSSL calls back to STunnel asking for a key, stunnel
ignores the requested key length, only returning a 512 bit one.

The solution: this is patched against vanilla 3.8, but it patches
successfully against 3.8p4 too.
Have fun...
Kris
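As an added illustration of the bug described in the patch description and in Kris's comments above (example code written for this page, not stunnel's or OpenSSL's own), the following models the temporary-RSA-key callback: OpenSSL of that era asked the application for a temporary key through a callback receiving `(is_export, keylength)`, the pre-patch stunnel callback handed back a 512-bit key whatever was requested, and the patched one honours the request. The pure-Python RSA generator, the `TempKeyProvider` class and the `client_accepts` check are constructed stand-ins for OpenSSL and the client; the key sizes are for illustration only.

```python
"""Added example (not stunnel's or OpenSSL's code): a model of the
temporary-RSA-key callback the patch fixes.

OpenSSL asked the application for a temporary RSA key through a callback
receiving (is_export, keylength).  The pre-patch stunnel callback returned
a 512-bit key regardless of keylength; the fixed one honours the request.
A small pure-Python RSA key generator stands in for OpenSSL's so the
example runs offline.  Key sizes here are for illustration only.
"""
import secrets
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin test; error probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with its top two bits set, so that the product of
    two such primes has exactly 2*bits bits."""
    while True:
        candidate = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa(bits, e=65537):
    """Return an RSA key (n, e, d) whose modulus is exactly `bits` long."""
    if bits % 2 or bits < 16:
        raise ValueError("use an even key length of at least 16 bits")
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e, pow(e, -1, phi))


def key_bits(key):
    """Modulus size in bits, which is what 'key length' means here."""
    return key[0].bit_length()


class TempKeyProvider:
    """Answers the temporary-RSA-key callback, caching one key per size
    (key generation is far too slow to repeat on every handshake)."""

    def __init__(self):
        self._cache = {}

    def _key(self, bits):
        if bits not in self._cache:
            self._cache[bits] = generate_rsa(bits)
        return self._cache[bits]

    def buggy_callback(self, is_export, keylength):
        """Pre-patch behaviour: the requested length is ignored."""
        return self._key(512)

    def fixed_callback(self, is_export, keylength):
        """Patched behaviour: a key of the requested length is returned."""
        return self._key(keylength)


def client_accepts(callback, is_export, keylength):
    """Model of the client side: the handshake only proceeds when the
    temporary key is the size its cipher suite requires."""
    return key_bits(callback(is_export, keylength)) == keylength


if __name__ == "__main__":
    provider = TempKeyProvider()
    for name, cb in (("buggy", provider.buggy_callback),
                     ("fixed", provider.fixed_callback)):
        print(name, "512:", client_accepts(cb, 1, 512),
              "1024:", client_accepts(cb, 1, 1024))
```

Running the block shows the buggy callback satisfying a client that wants a 512-bit temporary key but failing one that requires 1024 bits, which is the IE behaviour the report above describes; the fixed callback satisfies both. The per-size cache mirrors why a server must keep more than one temporary key around once it honours the requested length.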
This website makes patches available for use by the Internet community. However, it does not endorse any of the patches contained herein. They could work perfectly, or totally foul up everything. We don't know. Contact the authors if you have any questions. Use at your own risk.

The Stunnel software package does not contain any cryptography itself, however please remember that import and/or export of cryptographic software, code providing hooks to cryptographic algorithms, and discussion about cryptography is illegal in some countries. It is imperative for you to know your local laws governing cryptography. We're not liable for anything you do that violates your local laws.