Addressed to: [EMAIL PROTECTED]
              [EMAIL PROTECTED]

** Reply to note from Dominik Seitz <[EMAIL PROTECTED]> Tue, 4 Apr 2000 11:59:42 +0200
>   
> It seems that during the normal SSL handshake the client certificate
> will be sent to the server unencrypted. 
>   
> My question: is there some way to make the browsers send the client
> certificates encrypted? 
>   
> It seems that this happens if there is already an SSL session in place
> not requiring a client certificate and the browser enters a directory
> where authentication with a client certificate is needed. During the
> renegotiation the client certificate is sent over an already encrypted
> channel.
>   


I believe that is the correct way for it to work.  The certificate is
the public key, the one you can give to anyone.  There is no reason to
keep it secret.  All it does is give someone the ability to communicate
with your server.  Your server has the final authority who it will talk
to.  

The data you must keep secret is the private key. (the .key file)  With
that information someone can impersonate you.

As far as sending the certificate encrypted, it might be possible once a
secure channel has been setup, but there is no way you could start to
communicate with someone without giving them your certificate in the
clear before you start.  The certificate and the public key it contains
are required for the key negotiation that must happen before you close
the lock.

Rick Widmer
http://www.developersdesk.com

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
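The two arrangements discussed in this exchange, written out as a mod_ssl configuration. This is an added illustration, not configuration from the original thread or from the mod_ssl project's documentation; the host name, file paths and the `/secure` location are placeholders I chose for the example.

```apache
# Added illustration (not from the original thread). Paths, host name and
# the /secure location are placeholders.
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt    # public; always sent in the clear
    SSLCertificateKeyFile /etc/ssl/private/server.key  # the secret that must never leave the host
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt # CA that issued the client certificates

    # Arrangement 1: demand a client certificate for the whole host.
    # The server asks for it in the initial handshake, before ChangeCipherSpec,
    # so with TLS 1.0-1.2 the client's Certificate message crosses the wire
    # unencrypted. (Commented out here; enable instead of arrangement 2.)
    # SSLVerifyClient require
    # SSLVerifyDepth  2

    # Arrangement 2: no client certificate for the host as a whole ...
    SSLVerifyClient none

    # ... but require one below a protected location. mod_ssl finishes the
    # ordinary handshake first, then renegotiates inside the already
    # encrypted session, so the client certificate travels encrypted.
    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>
```

Two caveats for anyone applying this today. The per-location form depends on TLS renegotiation, which many current client and server stacks restrict or disable, so it should be verified against the versions actually in use rather than assumed to work. And the underlying concern has been overtaken by TLS 1.3, which encrypts every handshake message after ServerHello, the client's Certificate included, even in the initial handshake; the private key file remains the only thing that must stay secret in either case.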