Jason Dusek wrote:
Michael Ströder michael@stroeder.com wrote:
You shouldn't use SSL in such a insecure way.
I don't use SSL for anything but encryption.
There's no proper authorization without proper authentication. In the case of SSL/TLS the encryption layer can only be securly established if the client checks the server's identity by validating the server's cert and checking the server's name.
Secure server identity is handled by my DNS setup.
It is very unlikely that you can sufficiently protect DNS information unless you use signed DNS zones with DNSSEC also on the client side. Checking the server's fully-qualified domain-name against the CN or the subjectAltName of the server's certificate is a MUST.
Maybe you could elaborate on your particular needs.
Ciao, Michael.