sfs8 pt1

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Sat, 04 Oct 2008 14:03:57 +0100


Dave Howe wrote:
> Peter Fairbrother wrote:
>> Dave Howe wrote:
>>> Charles Lindsey wrote:
>>>> On Thu, 02 Oct 2008 08:19:18 +0100, Dave Howe
>>>> <DaveHowe@gmx.co.uk> wrote:
>>>>
>>>>>> Either way, if you remove all entries from the browser's list
>>>>>> and then reload them in an order of your choosing, you should
>>>>>> be able to achieve what you want.
>>>>> Fair advice - now, how do I do that in Internet Exploiter?
>>>> Use Firefox :-)
>>> Firefox doesn't have this problem - just IE.
>> Eh?
>>
>> Seems to me Firefox offers non-DHE options.
> 
> Yes, it does - but the list that came from Firefox had the DHE options
> listed first, so Apache chose the first of those it could support. This
> was not true of IE, so it got the non-DHE flavour of SSL, which is
> recoverable in Wireshark.
> 
> 

That's if the server chooses a DHE option. For real security all non-DHE 
options should be eliminated from both servers and browsers.

-- Peter Fairbrother
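
The selection behaviour discussed in this thread, as an added example that is not part of the original message: a server that takes the first suite in the client's order which it supports, compared before and after all non-DHE suites are removed from the server. The suite names follow OpenSSL naming; the three client lists, the server list and the function names are constructed for illustration and were not captured from any browser or server.

```python
# Constructed model of the cipher-suite choice discussed in the thread.
# Suite names follow OpenSSL naming; the client lists are illustrative
# and were not captured from any real browser.

EPHEMERAL_PREFIXES = ("DHE-", "ECDHE-")  # ephemeral Diffie-Hellman key exchange

SERVER_SUITES = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA",
                 "AES256-SHA", "AES128-SHA", "RC4-SHA"]

CLIENTS = {
    "dhe_first": ["DHE-RSA-AES256-SHA", "AES256-SHA", "RC4-SHA"],
    "rsa_first": ["RC4-SHA", "AES128-SHA", "DHE-RSA-AES128-SHA"],
    "no_dhe":    ["RC4-SHA", "AES128-SHA"],
}

def is_ephemeral(suite):
    """True if the suite name indicates an ephemeral DH key exchange."""
    return suite.startswith(EPHEMERAL_PREFIXES)

def negotiate(client_prefs, server_suites):
    """First suite in the client's order that the server supports, else None."""
    supported = set(server_suites)
    for suite in client_prefs:
        if suite in supported:
            return suite
    return None

def harden(server_suites):
    """Server list with every non-ephemeral suite eliminated."""
    return [s for s in server_suites if is_ephemeral(s)]

def report(clients, server_suites):
    """Map each client to (chosen suite, what that means for a captured session)."""
    result = {}
    for name, prefs in clients.items():
        chosen = negotiate(prefs, server_suites)
        if chosen is None:
            status = "handshake fails"
        elif is_ephemeral(chosen):
            status = "ephemeral key exchange"
        else:
            status = "recoverable with server private key"
        result[name] = (chosen, status)
    return result

if __name__ == "__main__":
    for label, suites in (("mixed", SERVER_SUITES), ("DHE only", harden(SERVER_SUITES))):
        print(label)
        for name, (chosen, status) in report(CLIENTS, suites).items():
            print(f"  {name:10} {chosen} -> {status}")
```

With the DHE-only server list, the constructed `no_dhe` client can no longer connect at all, which is the compatibility cost of eliminating non-DHE options on the server side alone.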