Why should one include the DNS/IP of oneself in a certificate? Consider A connecting to B.
B exposes a certificate from a trusted CA to A. Now C tries to impersonate B. It easily finds B's certificate, and somehow manages to redirect or intercept the connection request from A. It responds with B's certificate, and so the connection is established.

HOWEVER: Since C does not have B's private key, it is unable to sign data or decrypt data. Thus it cannot inflict damage? What am I missing?

Also, does OpenSSL automatically renegotiate symmetric keys every X minutes (or Y bytes)?

Regards,
Jan