Mathieu Arnold wrote:
> > > I know that it should be possible because certificates are just a way to
> > > authenticate the server, not to establish the crypto.
> >
> > No, the server certificate is also important and required for the secure
> > exchange of the cryptography parameters of SSL/TLS. Without this, the
> > client and server would not be able to securely exchange the necessary
> > symmetric encryption parameters.
>
> well, that's right, but, if I don't really care about that much security
> and would just like some crippled http to get rid of young kiddies ?

Read Ralf's reply again - the certificate actually *contains* the server's public key. The browser uses this to encrypt a session-key and send this back to the server. Thereafter, the browser and server use this common session key to communicate throughout the rest of the session.

Without a certificate, the browser can *never* establish communication with the server. It's like opening a locked door without a key. Read some of the docs for more details.

If you don't care about authentication (or rather, if you believe your clients don't care about authentication) then make a self-signed certificate as described in the mod_ssl docs (see the website). This will provide the free certificate you need to get SSL working.

Rgds,

Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
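
The self-signed certificate suggested in the reply above, as an added example that is not part of the original post or the mod_ssl docs: it generates a key and certificate with the `openssl` CLI, then checks that the certificate carries the public half of the server key and that issuer and subject are identical. The hostname, file names, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example. Hostname, paths, key size and lifetime are assumptions.

# Create an unencrypted RSA key and a self-signed certificate for it.
# $1 = output directory, $2 = hostname clients will connect to (the CN)
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"   # the private key must stay readable by the server only
}

# SHA-256 digest of the public key embedded in a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 digest of the public key derived from a private key file.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# A self-signed certificate names itself as issuer, so no CA vouches for it.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

workdir=$(mktemp -d)
make_self_signed "$workdir" www.example.test

[ "$(cert_pubkey_digest "$workdir/server.crt")" = \
  "$(key_pubkey_digest "$workdir/server.key")" ] \
    && echo "certificate contains the public key matching server.key"
is_self_signed "$workdir/server.crt" \
    && echo "issuer equals subject: encryption only, no third-party authentication"

# mod_ssl then needs these two directives in the SSL virtual host:
#   SSLCertificateFile    /path/to/server.crt
#   SSLCertificateKeyFile /path/to/server.key
```

Browsers will warn on such a certificate because nothing ties it to a trusted CA, so clients cannot distinguish it from one presented by an interceptor unless they compare its fingerprint out of band.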
