Thanks again.  
Another question:
Why wouldn't a browser complain about a certificate with "*" as CN?
Aren't they supposed to compare the CN with the server's name?

Eric Rescorla wrote:
>There are two main approaches:
>1. Use the CONNECT method, as you suggest. You tell the browser that
>it is to do its SSL through a proxy. Netscape calls this a "security
>proxy".  Basically, it will do a CONNECT as described in RFC 2817. At
>this point it expects to make an SSL connection to the remote machine.
>You man-in-the-middle attack the connection and then form whatever
>kind of connection you like to the remote machine. In order for this to
>work properly, you'll need a certificate with "*" in the CN. Obviously,
>no CA will issue you such a cert so you'll need to make your own CA
>that does this and then add it to the CA list. C2 Net's SafePassage
>SSL proxy used to do this.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
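The two technical points in this exchange are the CONNECT request a browser sends to a "security proxy" (RFC 2817) and the question of how a client compares a certificate's name against the server name. The block below is an added example for this thread, not code from Eric Rescorla, C2 Net's SafePassage or any browser; it contrasts a naive glob comparison, under which a CN of "*" matches every host, with label-wise matching in the style of RFC 6125 / RFC 2818, under which a bare "*" does not match a multi-label name. The rule that at least two labels must follow the wildcard (so that "*.com" is rejected) is an extra restriction adopted here; the RFC text itself only pins the wildcard to the left-most label. Which rule any particular browser of the period applied is not settled by this example. The CONNECT request line is constructed sample input.

```python
"""Added example (not from the original thread): certificate-name matching
and CONNECT request parsing for an RFC 2817-style security proxy."""
import fnmatch
from typing import Optional, Tuple


def naive_match(pattern: str, hostname: str) -> bool:
    """Shell-style glob comparison: '*' matches anything, dots included.
    Under this over-permissive rule a CN of '*' matches every server name."""
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def dnsname_match(pattern: str, hostname: str) -> bool:
    """Label-wise matching in the style of RFC 6125 section 6.4.3 / RFC 2818:
    - comparison is case-insensitive and per DNS label;
    - at most one wildcard, and it must be the entire left-most label;
    - a wildcard matches exactly one label, never a dot;
    - (stricter, assumed here) at least two labels must follow the wildcard,
      so '*' and '*.com' are rejected outright."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if not pattern or not hostname:
        return False
    plabels = pattern.split('.')
    hlabels = hostname.split('.')
    if '*' not in pattern:
        return plabels == hlabels
    # Wildcard present: it must be the whole left-most label and the only one.
    if pattern.count('*') != 1 or plabels[0] != '*':
        return False
    # Require two labels after the wildcard (rejects '*' and '*.com').
    if len(plabels) < 3:
        return False
    # '*' consumes exactly one label, so label counts must agree.
    if len(hlabels) != len(plabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_matches_host(cn: Optional[str], san_dns: Tuple[str, ...],
                      hostname: str, matcher=dnsname_match) -> bool:
    """If the certificate carries any dNSName SANs, only those are consulted
    (RFC 6125 section 6.4.4); the CN is a fallback for certificates without
    SANs, which is what a CN='*' proxy certificate of that era would be."""
    names = san_dns if san_dns else ((cn,) if cn else ())
    return any(matcher(name, hostname) for name in names)


def parse_connect_request(request_line: bytes) -> Tuple[str, int]:
    """Parse the first line a browser sends to a security proxy, e.g.
    b'CONNECT www.example.com:443 HTTP/1.1'.  RFC 2817 section 5.2 puts
    host:port in the request-URI; anything else is rejected so the proxy
    never opens a tunnel to a target it did not parse explicitly."""
    try:
        method, target, version = request_line.decode('ascii').strip().split(' ')
    except (UnicodeDecodeError, ValueError):
        raise ValueError('malformed request line') from None
    if method != 'CONNECT' or not version.startswith('HTTP/1.'):
        raise ValueError('not a CONNECT request')
    host, sep, port = target.rpartition(':')
    if not sep or not host or not port.isdigit():
        raise ValueError('CONNECT target must be host:port')
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError('port out of range')
    return host.lower(), port_num


if __name__ == '__main__':
    # Constructed sample: the request a browser configured with a security
    # proxy would send before starting its SSL handshake through the tunnel.
    host, port = parse_connect_request(b'CONNECT www.example.com:443 HTTP/1.1')
    print(f'tunnel requested to {host}:{port}')
    for pattern in ('*', '*.example.com', 'www.example.com', '*.com'):
        print(f'{pattern:18} naive={naive_match(pattern, host)!s:5} '
              f'labelwise={dnsname_match(pattern, host)}')
```

The proxy side of the scheme in the quoted message depends on the browser accepting whatever name the MITM certificate carries; the matcher a client actually uses is what decides that, which is why the two functions are shown side by side.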