On Tue, Oct 02, 2007 at 08:01:25PM +0200, Andreas Hellstr?m wrote:

> David, thank you for answering. I really appreciate it as a newbie in
> the SSL arena.
>
> As for the need of encryption, I didn't want the username/password to
> be sent in clear.

Because you are concerned about the network not being secure, in which case you should likely also be concerned about clients reaching not the server, but an impostor using "dsniff", poisoning DNS caches, ... And so you need to authenticate not just encrypt. If the only realistic attacks on your network are packet capture and not active attacks, then encryption suffices.

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
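
The encrypt-versus-authenticate distinction in the reply above, as an added example that is not part of the original thread and is not OpenSSL project code: a Python sketch using the standard `ssl` module that audits client-side TLS contexts for the two checks that make up server authentication. The function names and finding labels are hypothetical.

```python
import ssl

def encrypt_only_context():
    """Encrypts the session but accepts any certificate (passive capture only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # server identity is never checked
    return ctx

def chain_only_context():
    """Verifies the certificate chain but not which host the certificate names."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # verify_mode stays CERT_REQUIRED
    return ctx

def authenticated_context():
    """Verifies the chain and the hostname: encryption plus authentication."""
    return ssl.create_default_context()

def audit(ctx):
    """Return the authentication gaps of a client context (empty list = none)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Any certificate is accepted, so an impostor's is too.
        findings.append("no-chain-verification")
    if not ctx.check_hostname:
        # A valid certificate issued for a different name is accepted.
        findings.append("no-hostname-check")
    return findings

def resists_active_attack(ctx):
    """True only when the client authenticates the server it reaches."""
    return not audit(ctx)

if __name__ == "__main__":
    for build in (encrypt_only_context, chain_only_context, authenticated_context):
        ctx = build()
        print(f"{build.__name__:24} gaps={audit(ctx)} "
              f"authenticates={resists_active_attack(ctx)}")
```

All three contexts encrypt the username and password on the wire; only the last one also confirms that the peer is the intended server.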