Thanks Victor for your detailed reply. I'm still to fully understand the specifics.
However, one question:

> On all servers that don't require client certificates
> (can't ask for client certs when using an anonymous ciphersuite)
> enable anonymous ciphers,

Is it possible to do both - in the sense that you can check the peer's certificate IF they're using one? In my world - those who care about security will want to validate client certs (if possible). Though they still might want to communicate with those without certs.

Therefore, is it possible to do something like:

try and negotiate a secure connection:
  if client does not present a cert:
    drop back and use an anon cipher (but take note of this, and flag somewhere that this client isn't super secure)
(i.e. it can still communicate using the anon cypher, but it wants to know when this happens)

OK so for the clients/servers that 'don't care' - they can just use the anon cypher from the start.

Thanks again,
N
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
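The "validate the client cert if one is presented, otherwise let the connection through but flag it" half of the question can be expressed in a single handshake with an optional-client-auth verify mode. The following is an added example, not code from the thread or from OpenSSL: it uses Go's crypto/tls (ClientAuth: VerifyClientCertIfGiven, the analogue of SSL_VERIFY_PEER without FAIL_IF_NO_PEER_CERT) with constructed self-signed certificates over an in-memory pipe, and returns the flag a server would log for unauthenticated peers. The anon-cipher fallback itself is not shown, since crypto/tls offers no anonymous ciphersuites, and as Victor notes a server cannot request a client cert inside an anonymous handshake anyway.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed certificate (constructed for this example only).
func selfSigned(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs one TLS handshake over an in-memory pipe. The server requests a client
// certificate but tolerates its absence (VerifyClientCertIfGiven); a presented certificate
// must still verify. The returned flag is what a server would log for "no client cert" peers.
func Handshake(clientCert *tls.Certificate) (authenticated bool, err error) {
	serverCert := selfSigned("server.example")
	clientCAs := x509.NewCertPool()
	clientCfg := &tls.Config{ServerName: "server.example", RootCAs: x509.NewCertPool()}
	clientCfg.RootCAs.AddCert(serverCert.Leaf)
	if clientCert != nil { // client opts in to authenticating itself
		clientCAs.AddCert(clientCert.Leaf)
		clientCfg.Certificates = []tls.Certificate{*clientCert}
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: clientCAs,
		ClientAuth: tls.VerifyClientCertIfGiven, SessionTicketsDisabled: true}
	c, s := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // net.Pipe is synchronous: never hang on a bug
	c.SetDeadline(deadline)
	s.SetDeadline(deadline)
	go tls.Client(c, clientCfg).Handshake() // peer side runs concurrently
	srv := tls.Server(s, serverCfg)
	if err = srv.Handshake(); err != nil {
		return false, err
	}
	return len(srv.ConnectionState().VerifiedChains) > 0, nil
}
```

A client that presents a certificate that fails verification is rejected outright; only the complete absence of a certificate is tolerated and flagged.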