>Both Verisign and Thawte supply certificates which enable 128-bit SSL
>for international (40-bit) clients for the duration of that session.
>These certificates are sold only to banks, etc.
>Does anyone know of a way of generating these "temporary upgrading"
>certificates using SSLeay? Or indeed any other freeware CA stuff? Or
>even have any technical details on what's involved in unlocking
>the 'strong' encryption?
There is a little bit of info about this in the mod_ssl documentation
(www.modssl.org). What you're asking basically can't be done. The
ability to sign SGC (server-gated cryptography or step-up)
certificates is controlled by an OID in the issuing certificate that's
pre-installed in the browsers. Verisign's public root cert has the
OID in Netscape and IE 4.0 and higher browsers, and Thawte's has it in
Netscape 4.7 and IE 5.01 and higher. It does not seem possible to
install new roots in the browsers in the usual way with the OID enabled.
There is a program floating around that modifies the Netscape
browser's certificate store by direct manipulation, to enable the
OID. That is useful for testing purposes since it lets you use
SGC certificates that you generated yourself, but of course they
only work in the specific browser instance whose cert store you
have modified. It's not too useful to do this if all you want
is to get 128-bit cryptography from a 40-bit browser. It's
easier and more general to simply upgrade the browser (www.fortify.net,
for example).
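As an added example (not from the thread), here is a minimal DER decoder for a certificate's ExtendedKeyUsage extension that reports whether the registered Netscape or Microsoft SGC OIDs are present; the OID values are the standard ones, and the extension bytes are constructed by hand for this example rather than taken from any real certificate.

```python
# Added example: decode an X.509 ExtendedKeyUsage value (SEQUENCE OF OID)
# and report whether it advertises server-gated cryptography (SGC).
# OIDs are the registered nsSGC / msSGC / serverAuth identifiers; the
# extension bytes at the bottom are constructed for this example.
NS_SGC = "2.16.840.1.113730.4.1"     # Netscape server-gated crypto
MS_SGC = "1.3.6.1.4.1.311.10.3.3"    # Microsoft server-gated crypto
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth (ordinary TLS server)
SGC_OIDS = {NS_SGC, MS_SGC}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content octets into dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(ext_value):
    """Return the list of dotted OIDs in an ExtendedKeyUsage extension value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids

def has_sgc(ext_value):
    """True if the extension carries either SGC (step-up) OID."""
    return bool(SGC_OIDS & set(parse_eku(ext_value)))

# Constructed samples: a step-up server cert (serverAuth + nsSGC + msSGC)
# and an ordinary one (serverAuth only).
SGC_EKU = bytes.fromhex("3021" "06082b06010505070301"
                        "06096086480186f8420401" "060a2b0601040182370a0303")
PLAIN_EKU = bytes.fromhex("300a" "06082b06010505070301")
```

Run `parse_eku()` on the EKU extension value pulled from any DER certificate to see which key-usage OIDs it carries; `has_sgc()` flags the two step-up identifiers.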