Addressed to: [EMAIL PROTECTED]
Tim Niemueller <[EMAIL PROTECTED]>
** Reply to note from Tim Niemueller <[EMAIL PROTECTED]> Mon, 22 May 2000 23:36:42
+0200
>
> Hi mod_ssl users,
>
> I have a question about the behavior of mod_ssl:
>
> Someone connects to a secured website. Let's give it the name
> secured.com. The browsers have no certificate they can provide so
> they must authenticate through basic auth. Now my question: You have
> to enter the auth data if you call the server. Will the first
> authentication be secured by SSL or will there be first the
> authenticaten and then the SSL encryption or will the server first
> establish the SSL connection and then authenticate?
Yes the first authentication is encrypted. The SSL handshake is the
first thing that happens when you make a https:// connection. Most
browsers don't reflect that in the indicator, but it is true. You
don't have to worry about the password being sniffed in transit, even
on the first transaction.
Rick Widmer
http://www.developersdesk.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
