Bill Stewart <[EMAIL PROTECTED]> writes:

> At 04:35 PM 10/6/99 , Phillip Hallam-Baker wrote:
> >>This is a problem with SSL 2.0 first discovered by Simon Spero then at EIT.
> >>It was fixed in SSL 3.0, that must be almost three years ago.
> >>The server certificate now binds the public key to a specific Web server
> >>address.
> 
> That means that you can only succeed against web-users whose browsers
> still accept SSL2.0, which is most Netscape users by default;

Actually, this really isn't an SSL version issue. Rather it's
an issue about how the browser checks the cert chain. I don't
know for certain, but I believe that Netscape and IE both check
the chain correctly both for SSLv2 and v3.

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/
