webengr has asked for the wisdom of the Perl Monks concerning the following question:

Either my search skills have really gotten bad or this is one of the best kept secrets of the internet. Anyway, I need to find a server-side means of determining a web visitor's SSL/TLS key size.

Plenty of sites do this (some way better than others), but so far I have found no description of how it is done. I believe that the https request header does not contain the key size. Since the SSL negotiation happens at a fairly low level, I'm stumped at how to get to this piece of information.

Any clues for how to do this with a Perl-CGI app? Is the availability of this sort of info server dependent? (Meaning that Apache might give access to SSL key size, but iPlanet might not.)

Thanks Monks!

PCS
  • Comment on How to detect web browser SSL cipher strength?

Replies are listed 'Best First'.
Re: How to detect web browser SSL cipher strength?
by sauoq (Abbot) on Aug 28, 2002 at 01:02 UTC

    It could be (is) server dependent. Stronghold provides it through the SSL_CLIENT_KEY_SIZE environment variable.

    Followup: You might want to look for the HTTPS_KEYSIZE and/or HTTPS_SECRETKEYSIZE variables. Which I found at this link by googling for iplanet SSL environment variable client "key size".

    -sauoq
"My two cents aren't worth a dime.";
[reply]
[d/l]
[select]
Re: How to detect web browser SSL cipher strength?
by kschwab (Vicar) on Aug 28, 2002 at 01:18 UTC
    You're right, it's server dependant. Here's a pointer to the iPlanet way. (HTTPS_SECRETKEYSIZE)
[reply]

Back to Seekers of Perl Wisdom