Noel Jones:
> Victor Duchovni wrote:
> > On Fri, Aug 21, 2009 at 06:09:52AM -0500, Noel Jones wrote:
> > 
> >> Ralf Hildebrandt wrote:
> >>>> Aug 20 22:49:01 server postfix/smtpd[7724]: connect from
> >>>> unknown[XXX.YYY.ZZZ.KKK]
> >>>> Aug 20 22:49:02 server postfix/smtpd[7724]: setting up TLS connection
> >>>> from unknown[XXX.YYY.ZZZ.KKK]
> >>>> Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection
> >>>> established from unknown[XXX.YYY.ZZZ.KKK]: TLSv1 with cipher
> >>>> AES128-SHA (128/128 bits)
> >>>>
> >>>> Why does it say "Anonymous TLS connection"? 
> >>> Because the TLS certificate is not signed by a trusted CA.
> >> No, it's because an anonymous cipher is used when there is no client 
> >> certificate.  If it was a certificate trust problem, the connection would 
> >> be labeled "Untrusted".
> > 
> > No, it is because the client did not provide a certificate. The cipher
> > AES128-SHA is not an "anonymous" cipher, the server did provide a
> > certificate to the client, but the converse was false.
> > 
> > Don't confuse anonymous ciphers with anonymous clients using a cipher
> > that (if the client bothers, ...) authenticates the server.
> 
> Bah!  I always mess that up, maybe next time I'll get it 
> right.  Thanks for the clarification and glad to have you back.

I looked up TLS_README, and it would not hurt to have a short
sentence here and there to define terminology.

        Wietse
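An added example, not code from the thread or from Postfix: a small Python parser for the smtpd log line quoted above that records Postfix's peer-trust label and separately flags a genuinely anonymous (aNULL) cipher suite, so the two senses of "anonymous" that Victor distinguishes show up as separate fields. The sample lines, hostnames and 192.0.2.x addresses are constructed; the Trusted/Verified labels and the ADH-/AECDH- cipher-name prefixes are assumed from Postfix TLS_README and OpenSSL naming conventions.

```python
import re
from typing import Optional

# Matches the smtpd "TLS connection established" line quoted in the thread.
# The leading word is Postfix's trust level for the *peer*: Anonymous means
# the client sent no certificate, Untrusted means it sent one that did not
# verify, Trusted/Verified mean it did (labels per TLS_README, assumed here).
TLS_LINE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: "
    r"(?P<level>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

def is_anonymous_cipher(cipher: str) -> bool:
    """Assumption: OpenSSL names anonymous (aNULL) suites ADH-* / AECDH-*."""
    return cipher.startswith(("ADH-", "AECDH-"))

def parse_tls_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for any other smtpd line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # "Anonymous" here is about the client, not the cipher: AES128-SHA still
    # authenticated the server, the client just sent no certificate.
    rec["client_authenticated"] = rec["level"] in ("Trusted", "Verified")
    rec["anonymous_cipher"] = is_anonymous_cipher(rec["cipher"])
    return rec

# Constructed sample log (not from the thread; addresses are placeholders).
SAMPLE = """\
Aug 20 22:49:02 server postfix/smtpd[7724]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Aug 20 22:50:11 server postfix/smtpd[7731]: Anonymous TLS connection established from unknown[192.0.2.11]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 20 22:51:40 server postfix/smtpd[7740]: Untrusted TLS connection established from mail.example.test[192.0.2.12]: TLSv1 with cipher AES256-SHA (256/256 bits)
Aug 20 22:52:03 server postfix/smtpd[7742]: connect from unknown[192.0.2.13]
"""

def summarize(log: str) -> dict:
    """Count connections per trust level and list peers that used aNULL suites."""
    out = {"by_level": {}, "anon_cipher_hosts": []}
    for line in log.splitlines():
        rec = parse_tls_line(line)
        if rec is None:
            continue  # e.g. a plain "connect from" line
        out["by_level"][rec["level"]] = out["by_level"].get(rec["level"], 0) + 1
        if rec["anonymous_cipher"]:
            out["anon_cipher_hosts"].append(rec["ip"])
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```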
