Neff Robert A <[EMAIL PROTECTED]> writes:
> Rick,
> Actually, the retardedness is due to the netscape browser
> not terminating the network connection while waiting for
> the user's input. Micro$oft IE implements that behaviour
> properly by terminating the connection, waiting for the
> user to accept the cert, then will reconnect once accepted.
> Chalk one up for Microsoft for server friendliness...

Actually, MS's behavior is widely believed to be inferior because the server has no way of knowing what went wrong: the client just shut down the connection. By contrast, if you reject the certificate Netscape will send a bad_certificate alert.

Worse yet, the client fails to send a close_notify before sending a TCP FIN. A truly compliant SSL server (which most are not) would discard the session, thus forcing a complete rehandshake when the client connects. This doubles the compute cost to the server. Whether sockets or CPU time is more precious to the server depends on the server.

-Ekr

[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
http://www.rtfm.com/

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
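The three client behaviours discussed in this thread (a fatal bad_certificate alert, a warning-level close_notify, and a bare TCP FIN with no alert at all) have different consequences for a server's session cache under the TLS 1.0 close rules (RFC 2246 sections 7.2.1 and 7.2.2). The following Python model is an added example, not code from the thread or from OpenSSL: it encodes and parses TLS Alert records and applies those rules to a toy server-side cache. The `simulate` scenarios and the session ID are constructed for illustration; the alert numbering (close_notify = 0, bad_certificate = 42, record content type 21) is the real TLS encoding.

```python
"""Model of how an RFC 2246 server should treat a cached session depending on
how the client ended the connection. Added example; not from the thread."""
import struct

CONTENT_TYPE_ALERT = 21
LEVEL_WARNING, LEVEL_FATAL = 1, 2
# AlertDescription values from RFC 2246 section 7.2 (subset)
ALERT_NAMES = {
    0: "close_notify",
    10: "unexpected_message",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}


def build_alert(level, description):
    """Encode one TLS Alert record: type 21, version 3.1, length 2, then level and description."""
    return struct.pack("!BBBH", CONTENT_TYPE_ALERT, 3, 1, 2) + bytes([level, description])


def parse_alert(record):
    """Decode a TLS Alert record into (level_name, description_name)."""
    if len(record) < 7:
        raise ValueError("truncated record")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError("not an Alert record (content type %d)" % ctype)
    if length != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = record[5], record[6]
    level_name = {LEVEL_WARNING: "warning", LEVEL_FATAL: "fatal"}.get(level)
    if level_name is None:
        raise ValueError("unknown alert level %d" % level)
    return level_name, ALERT_NAMES.get(desc, "unknown(%d)" % desc)


class SessionCache:
    """Server-side cache of resumable sessions, keyed by session ID."""

    def __init__(self):
        self._sessions = set()

    def add(self, session_id):
        self._sessions.add(session_id)

    def can_resume(self, session_id):
        return session_id in self._sessions

    def connection_closed(self, session_id, alerts_received):
        """Apply the RFC 2246 close rules once the TCP connection has ended.

        Returns a verdict string describing why the session was kept or dropped.
        """
        alerts = [parse_alert(a) for a in alerts_received]
        fatal = [desc for level, desc in alerts if level == "fatal"]
        if fatal:
            # 7.2.2: after a fatal alert both sides must forget the session.
            self._sessions.discard(session_id)
            return "dropped: fatal %s" % fatal[0]
        if any(desc == "close_notify" for _, desc in alerts):
            # 7.2.1: a proper close_notify exchange keeps the session resumable.
            return "retained: clean close_notify"
        # 7.2.1: a connection terminated without close_notify makes the
        # session unresumable, and the server never learns why it ended.
        self._sessions.discard(session_id)
        return "dropped: FIN without close_notify (reason unknown)"


def simulate(client_style):
    """Constructed scenarios mirroring the behaviours described in the thread.

    Returns (verdict, still_resumable).
    """
    cache = SessionCache()
    session_id = b"\x01\x02\x03\x04"  # constructed session ID
    cache.add(session_id)
    if client_style == "alert_then_close":        # Netscape-style rejection
        alerts = [build_alert(LEVEL_FATAL, 42)]
    elif client_style == "silent_fin":            # IE-style: no alert, just FIN
        alerts = []
    elif client_style == "clean_close":           # well-behaved client
        alerts = [build_alert(LEVEL_WARNING, 0)]
    else:
        raise ValueError("unknown scenario %r" % client_style)
    verdict = cache.connection_closed(session_id, alerts)
    return verdict, cache.can_resume(session_id)


if __name__ == "__main__":
    for style in ("alert_then_close", "silent_fin", "clean_close"):
        print(style, "->", simulate(style))
```

The point the model makes concrete is that only the silent close leaves the server with neither a resumable session nor a diagnosis; the fatal alert also costs the session, but the server at least knows it was a certificate rejection rather than a network fault.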