Re: SSL: how to tell client what certificate to expect?

Thor Simon tls@coyotepoint.com
Tue, 2 Nov 2010 01:25:48 GMT

On Mon, Nov 01, 2010 at 11:41:26PM +0000, Bryan Stansell wrote:
> Well, if you provide the certificate, it needs to succeed its
> authenticity check.  If you don't provide one at all, it falls back to
> an anonymous cipher (so, it's encrypted, but not authenticated and
> subject to man-in-the-middle).

But anyone can man-in-the-middle the client by pretending to be a server
with no certificate, no?