The only way that the server would not send the certificate is if the client requests a negotiation of an Anonymous cipher. In that case no certificate would be used.
Or if the virtual host the client is connecting to does not support SSL.

> Well it might not be such a good design,
> but what I asked initially was only if it is possible to restrict apache from giving
> the cert out, and if that somehow can stop people from connecting to the server
> without having the certificate.
> This is necessary since I am using a stripped SSL implementation on the client side
> that does not support client authentication (The clients will be Digital-TV
> set-top-boxes with OpenTV OS).
>
> Thanks for all your responses,
> /Tobbe
>
> >>> [EMAIL PROTECTED] 04/18/02 04:10PM >>>
> On 18 Apr 2002, Eric Rescorla wrote:
>
> > Erwann ABALEA <[EMAIL PROTECTED]> writes:
> > > No. The client normally performs the verification of the challenge signed
> > > by the server. But it can eventually skip this verification, and go on
> > > talking SSL with the server...
> > No, this is incorrect most of the time (whenever you're doing static
> > RSA key exchange). The client ENCRYPTS the PreMasterSecret under
> > the server's public key. This necessitates knowing the public key.
>
> Yes, that's right.
> But to me it seems that enhancing access restriction using the server cert
> is not a good idea. That means the server cert is a secret known only by
> the trusted users. By definition, a certificate is public, so it cannot be
> a secret.
> And again, that's using symmetric cryptosystems techniques with asymmetric
> algorithms. It's a bad design (tm).
>
> --
> Erwann ABALEA <[EMAIL PROTECTED]> - RSA PGP Key ID: 0x2D0EABD5
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

 Jeffrey Altman * Sr.Software Designer      Kermit 95 1.1.21 available now!!!
 The Kermit Project @ Columbia University   SSH plus Telnet, FTP and HTTP
 http://www.kermit-project.org/             secured with Kerberos, SRP, and
 [EMAIL PROTECTED]                          OpenSSL.
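The handshake ordering discussed in this thread, as an added example that is not part of any poster's message: a parser run over two constructed TLS 1.0 server flights, showing that with a static RSA suite the Certificate message travels in cleartext before the client has proven anything, while a DH_anon suite sends no certificate at all. The byte strings, helper names and placeholder certificate are constructed for illustration.

```python
import struct

# Handshake message types and two cipher suite IDs from the SSL/TLS specifications.
HS_NAMES = {2: "server_hello", 11: "certificate", 12: "server_key_exchange", 14: "server_hello_done"}
SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
          0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"}

def hs(msg_type, body=b""):  # handshake framing: type (1 byte), length (3 bytes), body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def record(fragment):  # one cleartext TLS 1.0 handshake record (content type 22)
    return b"\x16\x03\x01" + struct.pack("!H", len(fragment)) + fragment

def server_hello(suite):
    # version, 32-byte random (zeros here), empty session id, suite, null compression
    return hs(2, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00")

# Constructed samples: placeholder bytes stand in for a real DER certificate / DH params.
FAKE_CERT = b"CONSTRUCTED-PLACEHOLDER-CERTIFICATE"
CERT_LIST = (len(FAKE_CERT) + 3).to_bytes(3, "big") + len(FAKE_CERT).to_bytes(3, "big") + FAKE_CERT
RSA_FLIGHT = record(server_hello(0x000A) + hs(11, CERT_LIST) + hs(14))
ANON_FLIGHT = record(server_hello(0x001B) + hs(12, b"CONSTRUCTED-DH-PARAMS") + hs(14))

def parse_server_flight(data):
    """Return (cipher suite name, [handshake message names]) for a server's first flight."""
    stream, pos = b"", 0
    while pos < len(data):                      # pass 1: strip record headers
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        fragment = data[pos + 5:pos + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record")
        if ctype == 22:
            stream += fragment
        pos += 5 + length
    suite, names, pos = None, [], 0
    while pos < len(stream):                    # pass 2: walk handshake messages
        mtype, mlen = stream[pos], int.from_bytes(stream[pos + 1:pos + 4], "big")
        body = stream[pos + 4:pos + 4 + mlen]
        if len(body) != mlen:
            raise ValueError("truncated handshake message")
        if mtype == 2:                          # ServerHello carries the chosen suite
            sid_len = body[34]
            suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        names.append(HS_NAMES.get(mtype, f"type_{mtype}"))
        pos += 4 + mlen
    return SUITES.get(suite, suite), names

def sends_certificate(data):
    return "certificate" in parse_server_flight(data)[1]
```

Because the Certificate message arrives unencrypted in the server's first flight, any party that can open a connection can read it, which is why the certificate cannot serve as a shared secret for access control.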