Darío Mariani wrote:
>
> Hello:
> I'm still learning SSL. I still do no understand how does or if
> SSL/TSL prevents from a "man in the middle" attack. If the certificates
> are good, no problem. But, how does a client, or what must I do for a
> client to check the validity of a certificate, even a signed one from a
> trusted CA?
1) verify the signature on the cert to be sure it's a valid
binding of the public key to the entity;
2) (optionally) check the latest CRL from the issuer to see
if the cert has been revoked -- alternatively, use OCSP or
Valicert for this; otherwise, assume (as browsers do) that
the cert is valid if it is within the validity period.
3) a man in the middle can't provide POP (proof of possession
of the private key), nor can he produce a valid MAC/signature
for any message.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]