> I was looking through the openssl-users archive and found that
> someone succeeded in something I'm trying to do - create a secure
> channel with no certs or authentication. Only thing is, I can't get
> it to work. I see that it works between s_server (with nocert
> option) and s_client. I'm using openssl v0.9.4.
ADH cipher suites cannot provide you a secure channel. If you use
ADH then you must perform some kind of authentication after the
connection is established that verifies that there is no man in the
middle attack. This can be done using the client and server finished
messages, but those messages are not available to applications in
0.9.4.
Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
