On Thu, 11 Jan 2001, Brian Densmore wrote:

> I sent an e-mail this morning, but it looks like it didn't get posted.
>
> I have DNS, Sendmail, and Apache+SSL+PHP working on my server now. Apache is
> listening and answering on ports 80 and 443. HTTP and HTTPS are both working
> (with one minor config problem for one domain). I have created a certificate
> and signed it myself (I don' need no stinking CA, I am the CA!). Netscape
> reports that the certificate is either invalid or unknown (yeah, yeah), that
> I am using MD5 RSA v3 with 40 of 128 bits encrypted and SSL version
> TLSv1/SSLv3.
>
> Questions:
> Does this mean I have an encrypted channel open between the client and the
> server? Is it safe to now transmit usernames and passwords over this https
> connection? Or do I have to turn on more strict verification?

If selecting View->Page Info and/or clicking on shows that the page was encrypted, then the page was encrypted. I'm concerned that Netscape reports the cert as invalid or unknown - when you opened the page the first time, were you able to use Netscape's wizard to accept the certificate? When you click on the padlock icon and select Certificates->Web Sites, is your certificate listed?

If you're really paranoid, you can use tools like ssldump (http://www.rtfm.com/ssldump/), tcpdump, or Ethereal to verify that your data payload isn't being sent in the clear.

>
> I am going to turn up the encryption to 128bit and maybe a different cipher
> later, I just wanted to get it working.
>
> Thanks,
> Brian Densmore
> Associate
> Computech Business Solutions
> voice: (816) 880-0988
> fax: (816) 880-0998
> :-{)>
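The check suggested in the reply (confirming from a capture that the payload is not sent in the clear), as an added example that is not part of either message in this thread. It walks the TLS record headers of one server-to-client byte stream and reports whether the ServerHello picked a 40-bit export suite, which is what "40 of 128 bits" points to. Assumptions: the stream has already been reassembled from a capture, the ServerHello is the first message in its record, and the function names and sample bytes are constructed for illustration.

```python
import struct

# TLS/SSLv3 record content types and the 40-bit RSA export suites (IANA code points).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
EXPORT_40 = {0x0003: "RSA_EXPORT_WITH_RC4_40_MD5", 0x0006: "RSA_EXPORT_WITH_RC2_CBC_40_MD5",
             0x0008: "RSA_EXPORT_WITH_DES40_CBC_SHA"}

def walk_records(stream):
    """Yield (type_name, body) per record; raise ValueError if the bytes are not TLS-framed."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        if ctype not in CONTENT_TYPES or not 0x0300 <= version <= 0x0303:
            raise ValueError("offset %d is not a TLS record header" % off)
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        yield CONTENT_TYPES[ctype], body
        off += 5 + length

def server_hello_suite(body):
    """Return the cipher suite chosen in a ServerHello, or None for any other message."""
    # msg_type(1) length(3) version(2) random(32) session_id_len(1) session_id cipher_suite(2)
    if len(body) < 39 or body[0] != 2:
        return None
    pos = 39 + body[38]
    return struct.unpack_from("!H", body, pos)[0] if len(body) >= pos + 2 else None

def assess(stream):
    """Summarise one server-to-client byte stream taken from a capture."""
    out = {"tls_framed": False, "app_data_records": 0, "suite": None, "export_40bit": False}
    encrypted = False  # handshake records after ChangeCipherSpec are ciphertext
    try:
        for name, body in walk_records(stream):
            if name == "change_cipher_spec":
                encrypted = True
            elif name == "handshake" and not encrypted and out["suite"] is None:
                out["suite"] = server_hello_suite(body)
            elif name == "application_data":
                out["app_data_records"] += 1
        out["tls_framed"] = True
    except ValueError:
        pass  # not TLS framing: treat the payload as sent in the clear
    out["export_40bit"] = out["suite"] in EXPORT_40
    return out

# Constructed samples: a ServerHello picking suite 0x0003, then CCS and one data record.
HELLO = b"\x02\x00\x00\x26\x03\x01" + bytes(32) + b"\x00" + b"\x00\x03" + b"\x00"
TLS_STREAM = (b"\x16\x03\x01" + struct.pack("!H", len(HELLO)) + HELLO
              + b"\x14\x03\x01\x00\x01\x01" + b"\x17\x03\x01\x00\x04\x8f\x11\xa2\x5c")
CLEAR_STREAM = b"HTTP/1.0 200 OK\r\n\r\nWelcome back, brian"
```

A stream that is TLS-framed but reports `export_40bit` is encrypted on the wire yet weakly so, which is the case for raising the cipher strength as planned in the original message.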