Howard Chu wrote:
Michael Ströder wrote:
Howard Chu wrote:
Josh.Mullis@cox.com wrote:
..."If the client does not send a certificate, it can still connect."
Does that mean that traffic is still encrypted if a certificate is not used?
Yes. Certificates are only for authentication, not encrypting the traffic.
Howard, I'm sure that you already know this but let's be more precise with the wording to avoid confusing people:
Strictly speaking the *client cert* is only for authentication of the client. The public key in the server cert is also used for the secure key exchange for the symmetric cipher used and thus is indirectly used for encrypting the traffic (besides authenticating the server).
But certificates are not a required element for encryption of a connection - after all, TLS also supports anonymous Diffie-Hellman key exchange.
In theory, yes. But personally I don't know any real-world TLS deployment with anonymous Diffie-Hellman key exchange. I don't even know deployments with DSA-based certs.
Ciao, Michael.