hello,
i have a somewhat unusual question about ssl that i hope someone
here will be able to answer.
i'm working on an embedded device with an imap client in it. we'd
like to be able to authenticate to the imap server without revealing
the password to eavesdroppers. the only form of security for imap
supported by the server we use is ssl. we think that our device
doesn't have the horsepower to do full ssl at the data rates we need.
by poking around in the ssl rfc, i found that ssl has commands to
change the encryption algorithm dynamically.
so my idea was this: establish a connection, turn on full-strength
encryption, and then send the login command. once i'm logged in, i
can then negotiate back down to no encryption. that way, the
user's password, at least, is hidden, even if nothing else is.
is this possible? will the server allow it? what openssl function
would i use to turn off encryption after i've logged in?
thanks in advance.
--caleb
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List