
Re: tlsverifyclient security implications



Michael Ströder wrote:
Howard Chu wrote:
Josh.Mullis@cox.com wrote:

..."If the client does not send a certificate, it can still connect."


Does that mean that traffic is still encrypted if a certificate is not
used?

Yes. Certificates are only for authentication, not encrypting the
traffic.

Howard, I'm sure that you already know this but let's be more precise with the
wording to avoid confusing people:

Strictly speaking the *client cert* is only for authentication of the client.
The public key in the server cert is also used for the secure key exchange for
the symmetric cipher used and thus is indirectly used for encrypting the
traffic (besides authenticating the server).

But certificates are not a required element for encryption of a connection - after all, TLS also supports anonymous Diffie-Hellman key exchange.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
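A slapd.conf fragment, added here as an illustration and not taken from the thread or from the OpenLDAP project's own examples, showing the separation the thread draws: TLSVerifyClient governs only client authentication, while encryption strength and anonymous key exchange are controlled by separate directives. The file paths are placeholders.

```conf
# slapd.conf TLS fragment (illustrative; paths are placeholders).
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/server.pem
TLSCertificateKeyFile  /etc/openldap/certs/server-key.pem

# TLSVerifyClient only decides whether the *client* must prove its identity:
#   never  - no client certificate is requested
#   allow  - requested; missing or bad certificate still lets the session proceed
#   try    - requested; a missing certificate is accepted, a bad one terminates the session
#   demand - requested; a missing or bad certificate terminates the session
# With never/allow/try the session is still TLS-encrypted, because the key
# exchange is driven by the server certificate, not the client's.
TLSVerifyClient demand

# Encryption and client authentication are separate controls. To require that
# all traffic is encrypted regardless of client certificates, demand a minimum
# TLS security strength factor (here roughly a 128-bit symmetric cipher).
security tls=128

# Anonymous Diffie-Hellman (OpenSSL keyword aNULL) encrypts without authenticating
# either side, so anyone on the path could stand in for the server. Exclude it.
# This cipher string is OpenSSL syntax; a GnuTLS build uses a different form.
TLSCipherSuite HIGH:!aNULL:!eNULL:!MD5
```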