This isn't really purely modssl related but I thought I'd give it a try here.

The SSL v.3 protocol has an optional client_verify where the client signs the handshake messages with its secret key, thus verifying it not only has a client certificate but knows the certificate's secret key.

There seems to be no corresponding handshake message where the server signs the handshake and thus proves it knows the server's secret key which matches the server certificate it presented.

Now either I'm missing something here or this seems to be an omission - surely the client would like to make sure it is talking to a server that knows its own secret key?

Thanks for any help,
Rory Chisholm
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]