> The only time the client signs something is when the
> server requests client auth. In TLS, the client signs MD5 and/or SHA1
> hashes of the TLS handshake messages that have passed between
> the client and server at that point in the protocol.
>
> In SSLv3, it signs an MD5 and/or SHA1 HMAC-like (nested hash with pads)
> of the same handshake messages.

Thanks for the detailed reply. So the question now becomes to what extent can
the bad guy control the hash, by sending fixed nonce data, silly no-op packets,
etc... Hmm.
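
The two signing inputs described in the quoted reply, as an added example that is not part of the original thread; it follows the CertificateVerify definitions in RFC 2246 (TLS 1.0) and RFC 6101 (SSLv3). The handshake messages, nonces and master secret are constructed placeholder bytes, not real wire encodings, and the function names are hypothetical.

```python
import hashlib

# SSLv3 pads (RFC 6101): byte 0x36 / 0x5c repeated 48 times for MD5, 40 for SHA-1.
PAD1, PAD2 = b"\x36", b"\x5c"

def tls_verify_input(messages, rsa=True):
    """TLS 1.0/1.1: plain hashes of every handshake message so far."""
    data = b"".join(messages)
    sha = hashlib.sha1(data).digest()
    # RSA signs MD5 || SHA-1 (36 bytes); DSA signs the SHA-1 hash alone.
    return hashlib.md5(data).digest() + sha if rsa else sha

def _ssl3_nested(hash_fn, npad, data, master_secret):
    # hash(master_secret + pad2 + hash(handshake_messages + master_secret + pad1))
    inner = hash_fn(data + master_secret + PAD1 * npad).digest()
    return hash_fn(master_secret + PAD2 * npad + inner).digest()

def ssl3_verify_input(messages, master_secret, rsa=True):
    """SSLv3: the same messages, but through the nested, padded construction."""
    data = b"".join(messages)
    sha = _ssl3_nested(hashlib.sha1, 40, data, master_secret)
    return _ssl3_nested(hashlib.md5, 48, data, master_secret) + sha if rsa else sha

def constructed_transcript(client_random, server_random):
    # Constructed stand-ins for the messages exchanged before CertificateVerify.
    return [
        b"ClientHello|" + client_random,
        b"ServerHello|" + server_random,
        b"Certificate|server-chain",
        b"CertificateRequest|",
        b"ServerHelloDone|",
        b"Certificate|client-chain",
        b"ClientKeyExchange|",
    ]

if __name__ == "__main__":
    fixed_server_random = bytes(32)          # peer sends a fixed nonce
    master_secret = bytes(range(48))         # constructed 48-byte secret
    for client_random in (b"\x01" * 32, b"\x02" * 32):
        msgs = constructed_transcript(client_random, fixed_server_random)
        print("TLS  :", tls_verify_input(msgs).hex())
        print("SSLv3:", ssl3_verify_input(msgs, master_secret).hex())
```

Run directly, it prints the signing input for two different client nonces against the same fixed server nonce.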