Eric Murray wrote:
> 
> On Sat, Dec 02, 2000 at 01:28:02AM +0800, Ng Pheng Siong wrote:
> > On Thu, Nov 30, 2000 at 01:16:31PM -0800, Eric Murray wrote:
> > > Either don't connect from a non-SSL client, or connect and negotiate
> > > when to start SSL.  The former is preferred.
> >
> > Eh? I'd imagine "the latter is preferred"?
> 
> My reasoning is that an active attacker could change the bytes in
> the insecure protocol to silently prevent it from negotiating to SSL.
> If your protocol only works under SSL, then that's not possible.

The IETF doesn't agree.

Also, the way to address this is to configure the server to refuse to do
stuff that should be secured over an insecure connection.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
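
An added example, not part of the original message and not OpenSSL or Apache-SSL code: a toy line-protocol server that applies the rule discussed above and refuses sensitive commands until the connection has been upgraded. The command names, reply codes and transcripts are constructed for illustration.

```python
# Added illustration: a toy line protocol, not any real server's code.
# Command names and reply codes below are constructed for this sketch.

SENSITIVE = {"AUTH", "DATA"}   # assumption: commands that must only run over TLS


class Session:
    """Server-side state for one connection."""

    def __init__(self):
        self.tls_active = False

    def handle(self, line):
        parts = line.strip().split()
        cmd = parts[0].upper() if parts else ""
        if cmd == "STARTTLS":
            if self.tls_active:
                return "503 TLS already active"
            # A real server would complete the TLS handshake here, before
            # reading any further command from the socket.
            self.tls_active = True
            return "220 ready to start TLS"
        if cmd in SENSITIVE:
            if not self.tls_active:
                # Refuse outright instead of falling back to cleartext.
                return "530 must issue STARTTLS first"
            return "250 ok"
        if cmd == "NOOP":
            return "250 ok"
        return "500 unknown command"


def run(lines):
    """Feed a constructed client transcript to a fresh session."""
    session = Session()
    return [session.handle(line) for line in lines]


# Constructed transcripts: the upgrade happens, or it never reaches the server.
negotiated = ["NOOP", "STARTTLS", "AUTH alice secret"]
stripped = ["NOOP", "AUTH alice secret"]

if __name__ == "__main__":
    print(run(negotiated))
    print(run(stripped))
```

The refusal only governs what the server will do; a client that sends credentials before the upgrade has already exposed them, so the client needs the same rule.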
