On 2008-04-15, Allen Kistler <ackistler@oohay.moc> wrote:
>
> Why would you want to use SSL without encryption? I suppose you could
> use it for certificate-based client authentication only, without
> encryption. I don't know anyone who does, but, hey, if you want, you can.

If you're debugging a remote application that has no cleartext option,
you can use null encryption to be able to sniff the data going over the
wire without having to rewrite the app to allow a cleartext session. I
don't have a good example off the top of my head, but imagine that HTTP
didn't exist, and the only thing your httpd supported was HTTPS. Would
you want to rewrite your httpd to support plaintext HTTP, or would it be
easier to simply use null encryption?

I wonder if the SSL developers themselves use null encryption as part of
their development and testing process.

--keith


--
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information