On Mon, Jul 28, 2008 at 12:16:29PM -0400, Joe Guan wrote:
> Thanks Viktor for the prompt reply!
>
> Our clients are not certified if they don't verify the server cert.
The server can't verify this during the handshake. If you control the
client software, then perhaps you can be confident that the software in
question always verifies the server cert.
> Though
> impersonation is an issue, our security folks are also concerned about the
> privacy of existing sessions and newly created sessions -- which I don't
> think is valid in our case.
Server cert verification is sufficient for this, the client does not need
a client cert for this, so disclosure of any such cert does not break MITM
resistance.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
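The point of the reply above is that server-certificate verification is enforced on the client side, so the client's TLS configuration is what decides whether a MITM is possible, and no client certificate is involved in that decision. As an added illustration (not code from the thread or from the OpenSSL project), the following Python stdlib snippet builds a client context that verifies the server certificate and hostname, and audits any client context for the settings that would silently disable that verification. The `cafile` path is a hypothetical argument; `None` falls back to the system trust store.

```python
import ssl


def verifying_client_context(cafile=None):
    """Client-side SSLContext that validates the server certificate chain
    and checks the hostname. Only the server is authenticated here; no
    client certificate is loaded, because none is needed for MITM
    resistance. `cafile` (hypothetical) is an optional PEM bundle path.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    ctx.check_hostname = True            # cert must match the name we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable chain aborts handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_client_context(ctx):
    """Return a list of findings describing why `ctx` would let a client
    talk to an impersonated server. An empty list means server-cert
    verification is enforced.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: "
                        "the server certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate "
                        "for any name would be accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    return findings


def weakened_client_context():
    """Constructed example of the misconfiguration the audit should flag:
    a client that skips verification entirely. check_hostname must be
    cleared before verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for name, ctx in (("verifying", verifying_client_context()),
                      ("weakened", weakened_client_context())):
        print(name, "->", audit_client_context(ctx) or "OK")
```

Run the audit against whatever context your client code actually hands to `wrap_socket`; a context that passes it authenticates the server regardless of whether a client certificate is ever configured, which is exactly why disclosure of a client certificate does not weaken MITM resistance.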