At 05:33 PM 4/1/2005 +0200, Richard Levitte - VMS Whacker writeth:
>In message <[EMAIL PROTECTED]> on Fri, 01 Apr 2005 10:10:58 -0500, Joe Flowers <[EMAIL PROTECTED]> said:
>
>flowers> Please help me understand what's going on.
>
>I think the first thing you should do is take a look at the TLS (TLS
>is basically the newer version of SSL) specification, RFC 2246. It
>explains the mechanisms used while communicating using SSL or TLS.

Er, Richard...I hate to say it, but not even *I* have read RFC 2246. I would wager 90-95% of the people here haven't and yet they use OpenSSL every day. I DID glance at it once and decided whatever reason I was looking at it for wasn't worth my time. RFCs are great for implementors, but hardly the stuff I'd consider as casual reading.

Joe: The way I like to view it is that the OpenSSL team knows best on how to make the package secure (I know, terrible approach, but that's the 80/20 rule of thumb - 80% of the people won't care how it works as long as it works). If what you were doing were insecure in some way, I'm sure some warning/error would have been added eons ago to display a message letting you know.

That said, what you described sounded like a perfectly secure anonymous connection to a server. Richard was quite right in saying you can have the server require a client certificate to connect (making it a non-anonymous client).

Thomas J. Hruska
[EMAIL PROTECTED]

Shining Light Productions
Home of the Nuclear Vision scripting language and ProtoNova web server.
http://www.slproweb.com/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]