Hello, if we do SSL/TSL client authentication, the current OpenSSL 1.0.0d verifies the client certificate upon reception of the Client Certificate message.
Let's consider I want to find out whether the server trusts a certain CA I as an attacker am planning to compromise. I would send some certificate signed by that CA and then, it is possible to find out if the server trusts that certificate by interpreting the alert being returned. If the CA is trusted, the server will complain about the Certificate Verify message being wrong, otherwise it will inform me that the CA is untrusted. 1. Couldn't this be considered as a weakness? 2. Wouldn't it be better to send a less revealing alert in this case? 3. Or is this no risk at all and I am overlooking something important? Thanks in advance, Martin Bosslet ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
