Re: SSL: how to tell client what certificate to expect?

Thor Simon tls@coyotepoint.com
Tue, 2 Nov 2010 15:12:40 GMT


On Tue, Nov 02, 2010 at 02:41:40AM +0000, Bryan Stansell wrote:
> On Mon, Nov 01, 2010 at 09:25:41PM -0400, Thor Simon wrote:
> > On Mon, Nov 01, 2010 at 11:41:26PM +0000, Bryan Stansell wrote:
> > > 
> > > Well, if you provide the certificate, it needs to succeed its
> > > authenticity check.  If you don't provide one at all, it falls back to
> > > an anonymous cipher (so, it's encrypted, but not authenticated and
> > > subject to man-in-the-middle).
> > 
> > But anyone can man-in-the-middle the client by pretending to be a server
> > with no certificate, no?
> 
> Isn't that what I said?  ;-)

Well, not exactly.  I can provide a certificate on the server side and
still be subject to a man-in-the-middle attack by an adversary who has
no certificate at all!  That's not how I read what you wrote before, at
least.

Thor
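As an added illustration (not part of this thread, and not code from either poster), the following Python audit shows the client-side point Thor is making: a server certificate is no protection if the client itself still offers anonymous (aNULL) cipher suites or skips verification, because an adversary with no certificate can negotiate one of those suites. It uses only the standard library's `ssl` module; the function names are mine.

```python
import ssl


def anonymous_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled (TLS <= 1.2) suites with no authentication.

    OpenSSL's cipher description prints 'Au=None' for ADH/AECDH suites,
    which is exactly what a certificate-less man-in-the-middle needs.
    """
    return [c["name"] for c in ctx.get_ciphers() if "Au=None" in c["description"]]


def weak_client_context() -> ssl.SSLContext:
    """The situation discussed in the thread: nothing is verified and
    anonymous suites are allowed, so whether the real server has a
    certificate or not makes no difference to the attacker."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # 'ALL' includes the aNULL suites where the OpenSSL build has them.
        ctx.set_ciphers("ALL:!eNULL")
    except ssl.SSLError:
        pass                            # build without aNULL: nothing to enable
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Require a verified certificate AND refuse unauthenticated suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL")  # explicit, in case defaults change
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise whether a client context can be fooled by a cert-less peer."""
    anon = anonymous_suites(ctx)
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "anonymous_suites": anon,
        "mitm_without_cert_possible": bool(anon) or ctx.verify_mode != ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit(ctx))
```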