On Fri, Oct 7, 2011 at 7:40 PM, Kristen J. Webb <kw...@teradactyl.com> wrote:
>
> My understanding is that a TLS connection with a server cert
> only identifies the server to the client. This leads to a MiTM
> attack, where the mitm can impersonate the client because the server
> has not verified the client.

Your understanding is flawed - while in the scenario you mention there is no binding of a client identity to a public key, SSLv3/TLS are not vulnerable to MITM - no third party can manipulate the stream without being detected.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org