On 2/20/2018 9:34 AM, J Decker wrote:
Er... so I have my malicious MITM server serve up a certificate that the client won't accept, and then helpfully provide it with my root certificate so that it won't have any trouble talking to me? There's a reason for the client to verify the server's certificate. If the client can't verify the server's certificate, then there's no reason to believe that it's the right server and can be trusted. Any certificate updates have to be protected by the previous certificate. If you've let the certificate lapse then you need some kind of out-of-band verification. -- Jordan Brown, Oracle Solaris |
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users