Ssl – What does “128 / 256 bit SSL and 2048 bit CSR encryption” mean in practical terms

sslssl-certificate

One of the SSL certificates mentioned here says "128 / 256 bit SSL and 2048 bit CSR encryption". Does that mean that the generating the certificate is very secure but the communications handled by the certificate are not?

Or is "CSR encryption"?!? used to enhance the standard SSL?

Are all 2048 bit certificates as above or are there others which are 2048 bit CSR and 2048 bit SSL?

In short, if I want a very secure certificate, what exactly am I looking for?

Best Answer

SSL uses several encrypt algorithmic at different points.

Typically it will use a asymmetric cryptography authenticate the hosts and establish trust between the client and server. Then a random key will be generated and shared between the hosts and a symmetric cryptography algorthim will be used for the actual payload.

Typically the asymmetric key will be RSA with key sizes of 1024, 2048, or 4096. The key size doesn't really affect the symmetric that is used for the payload. These days most certificate vendors will sign a 2048 or 4096 certificate request, key sizes of 1024 are pretty weak. While most CA keys are 2048 bits, many will sign larger keys, so you don't have to limit your private key to 2048 bits.

The symmetric algorithim that is used will depend on the client and server. The client and server will select the most secure option available. If you are using apache then you use the SSLCipherSuite to select which symmetric ciphers you will permit.

Asymmetric cryptography is has the large sizes of the keys(2048,4096), and it is very slow. That is why it is only used during the initial phase. Once the connection is established, communication happens over the relatively fast symmetric cryptography which uses the smaller key sizes (128,256).

Related Solutions

Ssl – Multiple SSL domains on the same IP address and same port

For the most up-to-date information on Apache and SNI, including additional HTTP-Specific RFCs, please refer to the Apache Wiki

FYsI: "Multiple (different) SSL certificates on one IP" is brought to you by the magic of TLS Upgrading. It works with newer Apache servers (2.2.x) and reasonably recent browsers (don't know versions off the top of my head).

RFC 2817 (upgrading to TLS within HTTP/1.1) has the gory details, but basically it works for a lot of people (if not the majority).
You can reproduce the old funky behavior with openssl's s_client command (or any "old enough" browser) though.

Edit to add: apparently curl can show you what's happening here better than openssl:

SSLv3

mikeg@flexo% curl -v -v -v -3 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: serialNumber=wq8O9mhOSp9fY9JcmaJUrFNWWrANURzJ; C=CA; 
              O=staging.bossystem.org; OU=GT07932874;
              OU=See www.rapidssl.com/resources/cps (c)10;
              OU=Domain Control Validated - RapidSSL(R);
              CN=staging.bossystem.org
*    start date: 2010-02-03 18:53:53 GMT
*    expire date: 2011-02-06 13:21:08 GMT
* SSL: certificate subject name 'staging.bossystem.org'
       does not match target host name 'www.yummyskin.com'
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'staging.bossystem.org'
does not match target host name 'www.yummyskin.com'

TLSv1

mikeg@flexo% curl -v -v -v -1 https://www.yummyskin.com
* About to connect() to www.yummyskin.com port 443 (#0)
*   Trying 69.164.214.79... connected
* Connected to www.yummyskin.com (69.164.214.79) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: C=CA; O=www.yummyskin.com; OU=GT13670640;
              OU=See www.rapidssl.com/resources/cps (c)09;
              OU=Domain Control Validated - RapidSSL(R);
              CN=www.yummyskin.com
*    start date: 2009-04-24 15:48:15 GMT
*    expire date: 2010-04-25 15:48:15 GMT
*    common name: www.yummyskin.com (matched)
*    issuer: C=US; O=Equifax Secure Inc.; CN=Equifax Secure Global eBusiness CA-1
*    SSL certificate verify ok.

Ssl – IIS requesting certificates even though set to ignore

It is possible your port was configured using netsh and configured to accept client certificates. use "netsh http show sslcert" in cmd prompt to see if that is the case.

See here for more info: How to configure a port with an ssl certificate

I know this is a super old post, but leaving this answer here since it took us a long time and a Microsoft engineer to figure out why our server was doing the same thing.

Best Answer

Related Solutions

Ssl – Multiple SSL domains on the same IP address and same port

Ssl – IIS requesting certificates even though set to ignore

Related Topic