Configuring the Server’s Security Preferences
464 Netscape Certificate Management System Installation and Setup Guide • May 2002

Previous US law prohibited the export of software with strong encryption, so most browsers still in use outside of the US and Canada do not support 128-bit encryption. Disabling all 40-bit ciphers will ensure that all connections use higher-grade security, but will prevent access to your service to many users outside of the US and Canada.

Note that Netscape Communicator has received retail status from the United States Department of Commerce Bureau of Export Administration; under new regulations, retail status makes it possible to export Communicator with the same encryption and cryptographic features available in the US and Canada.

Prior to the retail status, international users of Netscape Communicator (with encryption capability restricted to 40-bit encryption) could use Netscape’s International Step-Up program to step up to stronger encryption, 56-bit, 128-bit, or 168-bit. Step-up refers to the ability of export browsers to establish strong SSL sessions with domestic SSL servers, if they have the appropriate step-up certificates.

Because many of the features, such as issuance of dual certificates for dual key pairs and real-time verification of certificates using the OCSP protocol, supported in Certificate Management System require Communicator versions 4.7x or Netscape 6x, it’s recommended that you upgrade your browser. For information on downloading the latest browser, check this site: http://home.netscape.com/browsers

Configuring the Server to Use Specific Ciphers

You can set a number of systemwide preferences for SSL by specifying the ciphers that Certificate Management System should recognize and use during SSL communication; the server applies the cipher settings you choose to all the SSL (HTTPS) ports it uses.

To change the cipher settings for a CMS instance:

1. Log in to the CMS window (see “Logging In to the CMS Window” on page 333).

CAUTION You might not want to check the options that say “No Encryption, only MD5 message authentication” and “No Encryption, only Fortezza and SHA message authentication.” The reason for this is, if no other ciphers are available on the client side, the server will use these and no encryption will occur.
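
The following added example (not part of the original guide or of Certificate Management System) models the two trade-offs described above: a server with the "No Encryption" suites enabled accepts an unencrypted session from a client that offers nothing else, and a server with 40-bit suites disabled turns away export-grade browsers. The suite names are standard SSL 3.0 identifiers; the server and client lists are constructed sample data, and selecting in server-preference order is an assumption.

```python
# Added example: a constructed model of SSL cipher selection, not CMS code.

def strength(suite):
    """Effective encryption key size in bits for a suite name (0 = no encryption)."""
    if "_WITH_NULL_" in suite:
        return 0            # message authentication only, traffic is in the clear
    if "_40_" in suite:
        return 40           # export-grade
    if "3DES" in suite:
        return 168
    if "_WITH_DES_" in suite:
        return 56
    return 128              # the RC4_128 suite in this sample set


def restrict(server_enabled, min_bits):
    """Server cipher list with every suite weaker than min_bits unchecked."""
    return [s for s in server_enabled if strength(s) >= min_bits]


def negotiate(server_enabled, client_offered):
    """Return (suite, bits) for the first enabled suite the client also offers.

    Assumption: the server walks its own list in preference order.
    Returns (None, None) when there is no common suite (handshake fails).
    """
    for suite in server_enabled:
        if suite in client_offered:
            return suite, strength(suite)
    return None, None


# Constructed sample data: a server with every option checked, strongest first.
SERVER_ALL = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "SSL_RSA_WITH_NULL_MD5",
    "SSL_FORTEZZA_DMS_WITH_NULL_SHA",
]
# Constructed clients: an export browser, and one with no encrypting suite at all.
EXPORT_CLIENT = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5"]
NULL_ONLY_CLIENT = ["SSL_RSA_WITH_NULL_MD5"]

if __name__ == "__main__":
    for label, server in [("all checked", SERVER_ALL),
                          ("no NULL suites", restrict(SERVER_ALL, 1)),
                          ("no NULL, no 40-bit", restrict(SERVER_ALL, 56))]:
        for name, client in [("export", EXPORT_CLIENT), ("null-only", NULL_ONLY_CLIENT)]:
            print(f"{label:20} {name:10} -> {negotiate(server, client)}")
```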