Erwann ABALEA <[EMAIL PROTECTED]> writes:
> No. The client normally performs the verification of the challenge signed
> by the server. But it can eventually skip this verification, and go on
> talking SSL with the server...

No, this is incorrect most of the time (whenever you're doing static RSA
key exchange). The client ENCRYPTS the PreMasterSecret under the server's
public key. This necessitates knowing the public key.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
http://www.rtfm.com/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
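
Added example (not part of the original message and not OpenSSL code): a sketch of the static RSA step described in the reply above, where the client pads and encrypts the PreMasterSecret under the server's public key and only the private-key holder recovers it. The key is a constructed toy built from two Mersenne primes, and the function names are hypothetical.

```python
import secrets

# Constructed toy key for illustration only: two Mersenne primes, NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key, as carried in the server certificate
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the server
K = (N.bit_length() + 7) // 8        # modulus length in bytes


def new_premaster_secret(version=(3, 1)):
    """48 bytes: client_version (2 bytes) followed by 46 random bytes."""
    return bytes(version) + secrets.token_bytes(46)


def client_encrypt_pms(pms, n, e):
    """PKCS#1 v1.5 type-2 pad the PreMasterSecret and encrypt it under (n, e)."""
    k = (n.bit_length() + 7) // 8
    pad_len = k - 3 - len(pms)
    if pad_len < 8:
        raise ValueError("modulus too small for a 48-byte PreMasterSecret")
    # Padding bytes must be non-zero so the 0x00 separator is unambiguous.
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(pad_len))
    em = b"\x00\x02" + ps + b"\x00" + pms
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def server_decrypt_pms(ciphertext, n, d):
    """Recover the PreMasterSecret with the private exponent; None if malformed.

    A real TLS server does not signal this failure: it continues with a
    random PreMasterSecret so the padding check cannot be used as an oracle.
    """
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10 or len(em) - sep - 1 != 48:
        return None
    return em[sep + 1:]
```

The client cannot produce the ClientKeyExchange ciphertext without `(n, e)`, which is why the server's public key is needed even if no other check is performed on the certificate.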