"Dmitry N. Sorokin" <[EMAIL PROTECTED]> writes:
> Can anyone tell me how can I use mod_ssl+Apache without certificates,
> 'cause I need only encryption and SSL_SESSION_ID CGI environment variable!

This is a bad idea.

Having adequate security with SSL depends on being able to
authenticate the server. Although SSL does provide anonymous
cipher suites, they're vulnerable to active attack [0]. Use
certificates.

-Ekr

[0] There are techniques for working around this but they're
not the obvious ones. Essentially you need to use a shared
secret to MAC the DH shares or the Finished message.

--
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
http://www.rtfm.com/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
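
The following is an added example, not part of the original message and not TLS or mod_ssl code. It simulates the reply's point and footnote [0]: an anonymous Diffie-Hellman exchange accepts a substituted share, while a MAC over the share under a shared secret makes the client abort. The toy group, the role label in the MAC, and all function names are assumptions made for illustration; only the client-side check is shown, the server-side check is symmetric.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): 2**127 - 1 is prime, but far
# too small for real use. Real deployments use a standardized large group.
P = 2**127 - 1
G = 3

def keypair():
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return x, pow(G, x, P)                    # (private, public share)

def tag(secret, role, share):
    # The role label keeps one side's tag from being reflected back to it.
    data = role + share.to_bytes(16, "big")
    return hmac.new(secret, data, hashlib.sha256).digest()

def exchange(secret, mitm, check_mac):
    """Run one handshake; return (client_accepts, attacker_has_client_key)."""
    cx, cy = keypair()                        # client
    _, sy = keypair()                         # server
    to_client = (sy, tag(secret, b"server", sy))
    ax = None
    if mitm:
        # The on-path party replaces the server share with its own. Without
        # the shared secret it cannot compute a matching tag, so the old tag
        # is all it can forward.
        ax, ay = keypair()
        to_client = (ay, to_client[1])
    share, mac = to_client
    if check_mac and not hmac.compare_digest(tag(secret, b"server", share), mac):
        return False, False                   # client aborts: share was altered
    client_key = pow(share, cx, P)
    attacker_key = pow(cy, ax, P) if mitm else None
    return True, attacker_key == client_key

def demo():
    secret = secrets.token_bytes(32)          # constructed shared secret
    return {
        "anonymous, passive": exchange(secret, mitm=False, check_mac=False),
        "anonymous, active": exchange(secret, mitm=True, check_mac=False),
        "MACed, passive": exchange(secret, mitm=False, check_mac=True),
        "MACed, active": exchange(secret, mitm=True, check_mac=True),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In the "anonymous, active" case the client completes the handshake and derives a key the on-path party also holds, which is the active attack the reply refers to; in the "MACed, active" case the client rejects the altered share before deriving any key.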