> This will probably look like a dumb question, but anyway.  Is there
> any provision and way, in SSL and/or HTTP, to establish an SSL link
> without trying to assert anything about the server identity?  Such
> that a client (a web browser) would happily use the encrypted tunnel
> while obviously not offering any guarantee about the real identity of
> the server, but not complaining about it either.
>
> Something like a flag in a self-signed certificate that would tell
> clients: "please, I know I'm self-signed and I'm not trying to prove
> my identity to you, just trying to establish a secure link between
> both of us, so please don't make too many waves about me being self-
> signed"?

No. Such an option would destroy the HTTPS security model.

If a user types in "https://site-i-trust.com" and gets the little lock icon
and no warning, he's supposed to be allowed to assume that someone he trusts
has certified that he has actually reached "site-i-trust.com".

If "site-i-dont-trust.com" could send a specially-crafted self-signed
certificate to bypass the warning, the user would be duped into thinking his
browser is certifying that he reached "site-i-trust.com". The user expects
that when he enters an HTTPS URL or gets a lock icon and no warning or
error, he has confirmation that he has reached the site he asked for.

There may be ways to solve your outer problem. The most obvious is to
either obtain a certificate signed by a trusted third party or to get users
to install your certificate themselves.

DS
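The three situations the reply contrasts, as an added example that is not part of this thread: a throwaway self-signed certificate (constructed with the openssl CLI, which is assumed to be installed) is served over TLS on localhost and connected to with Python's ssl module in three ways: a browser-like default context, which rejects the certificate (the warning being discussed); a context that asserts nothing about identity, which is what the question asks for; and a context that trusts that one certificate, which is the "install your certificate" fix from the reply. The names make_self_signed, serve, try_connect and demo are the example's own.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(tmpdir, cn="localhost"):
    # Constructed throwaway cert/key for this demo only (needs the openssl CLI, assumed present)
    key, crt = os.path.join(tmpdir, "key.pem"), os.path.join(tmpdir, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={cn}",
                    "-addext", f"subjectAltName=DNS:{cn}"], check=True, capture_output=True)
    return key, crt

def serve(crt, key, ports, ready, n_clients):
    # Minimal TLS server on 127.0.0.1 presenting the self-signed cert to n_clients in turn
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0)); srv.listen(5)
    ports.append(srv.getsockname()[1]); ready.set()
    for _ in range(n_clients):
        conn, _ = srv.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(16)
        except OSError:
            pass  # client aborted the handshake: the "warning" as seen from the server side
    srv.close()

def try_connect(ctx, port):
    # 'ok' if the handshake completes, 'verify_failed' if the client rejects the certificate
    try:
        with socket.create_connection(("127.0.0.1", port)) as s, \
             ctx.wrap_socket(s, server_hostname="localhost") as tls:
            tls.sendall(b"hi")
            return "ok"
    except ssl.SSLCertVerificationError:
        return "verify_failed"

def demo():
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        ports, ready = [], threading.Event()
        threading.Thread(target=serve, args=(crt, key, ports, ready, 3), daemon=True).start()
        ready.wait(10); port = ports[0]
        # 1. Browser-like default: only the system trust store, so a self-signed cert is rejected
        default = ssl.create_default_context()
        # 2. What the question asks for: encrypt but assert nothing about identity (no warning,
        #    and no protection against an impostor presenting its own self-signed cert)
        blind = ssl.create_default_context()
        blind.check_hostname, blind.verify_mode = False, ssl.CERT_NONE
        # 3. The reply's fix: the user installs this one cert as a trust anchor; the hostname is
        #    still checked against the cert's SAN (PROTOCOL_TLS_CLIENT enforces both by default)
        pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        pinned.load_verify_locations(cafile=crt)
        return {name: try_connect(ctx, port) for name, ctx in
                [("default", default), ("no_identity_check", blind), ("installed_cert", pinned)]}
```

Calling demo() returns {'default': 'verify_failed', 'no_identity_check': 'ok', 'installed_cert': 'ok'}: the second result is the "no warning" the question wants, obtained only by giving up the identity guarantee entirely.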


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org