On Fri, Dec 30, 2005, Kyle Hamilton wrote: > > Now, I am aware that a "man-in-the-middle" attack exists, whereby a > malicious third party (Mallory) could accept a connection and > negotiate an unauthenticated-but-encrypted channel, and receive the > certificate information that I don't want to be eavesdroppable. > However, accepting a connection and negotiating a UbE channel require > action on Mallory's part, and that means an active attempt to > fraudulently obtain information that the protocol is attempting to > protect. >
If you don't want the server's certificate to be eavesdroppable that's tricky because an attacker could simply connect to the server using (in this example) anon-DH and drop the connection after it has received the server's certificate during the renegotiation. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
