On Wed, Aug 11, 2004, [EMAIL PROTECTED] wrote:

> > The anonymous DH ciphersuites (disabled by default) can perform SSL/TLS
> > without using certificates. To use these you need to set appropriate DH
> > parameters on the server side and enable the ciphersuites using an appropriate
> > cipher string.
> >
> > However without some form of authentication the connection is vulnerable to
> > man in the middle attacks.
> >
> > Steve.
>
> Well, currently I am using certificates that have not been signed by anyone,
> so they could be generated by anybody. Wouldn't that make them senseless?
> The certificates I am using for client and server side are generated by openssl(1)
> and simply exchanged when the client and server handshake.
> Because neither of the two is signed by a CA, it would enable everybody
> to create a certificate and masquerade as my server (or client), no?
Yes, if you are trusting any certificate then you might as well use anon DH.

Normally, for certificates, this is resolved by using a mutually acceptable
certificate or CA certificate which has been exchanged by some secure means.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                        [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
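Steve's point, as an added example that is not part of the thread and not OpenSSL project code: two self-signed certificates are made with openssl(1) exactly as the questioner describes, one for the real server and one for an impostor claiming the same name. Nothing in the certificates themselves tells them apart; what makes the first one meaningful is that the client received it over a secure channel (compared its fingerprint out of band) and now verifies presented certificates against that single pinned file with -CAfile. The script assumes openssl(1) is on the PATH; the file names, the subject name myserver.example and the temporary working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: self-signed certificates with and without a pinned trust anchor.
# Assumes openssl(1) is installed. All names and paths below are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

have_openssl() { command -v openssl >/dev/null 2>&1; }

# Self-signed certificate + private key: $1 = file base name, $2 = CN.
# Anyone with openssl(1) can run this with any CN, which is the questioner's worry.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate: the value you compare over the secure
# channel (in person, by phone) before deciding to trust the file at all.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$WORK/$1.pem" | sed 's/.*=//'
}

# Verify a presented certificate ($2) against the single pinned one ($1).
# Exit status 0 = accepted, non-zero = rejected. Trusting "any" certificate
# instead of one specific file is what Steve equates with anonymous DH.
verify_against_pinned() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

demo() {
    have_openssl || { echo "openssl(1) not found, skipping demo"; return 0; }
    # The real server's certificate, exchanged securely and pinned by the client.
    make_selfsigned server   myserver.example
    # An impostor's certificate claiming the very same name.
    make_selfsigned impostor myserver.example

    echo "pinned fingerprint:   $(fingerprint server)"
    echo "impostor fingerprint: $(fingerprint impostor)"

    for presented in server impostor; do
        if verify_against_pinned server "$presented"; then
            echo "$presented: accepted"
        else
            echo "$presented: rejected (not the certificate we exchanged)"
        fi
    done
}

demo
```

Running it prints two different fingerprints, "server: accepted" and "impostor: rejected": the impostor's certificate is just as well-formed and just as self-signed as the real one, and it is only the out-of-band exchange plus the restriction to that one -CAfile that defeats the masquerade.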