On Wed, Jul 18, 2007 at 11:38:57AM -0700, Soner Sevin? wrote:

> Hi, a question about SSL:
> In SSL, the server certificate is checked by the
> client as to whether the server actually holds the
> private key of it. This is done by the client sending the
> session key signed by the server's public key.

Every server passes this test given possession by the server of any
matching private/public key pair.

> So, why is there a need for a check of the domain name in
> the server certificate? Shouldn't the above check be
> enough?

Because one wants to authenticate key exchange with a *specific* peer,
not just any peer which provides valid but not necessarily the expected
"proof of identity".

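Added example, not part of the original message and not OpenSSL code: a model of the client-side decision discussed above, showing that a peer holding a CA-issued certificate and its matching private key still fails when the certificate names a different host. The certificate dicts, host names and the function names are assumptions made for the illustration; the dict shape follows what Python's ssl.SSLSocket.getpeercert() returns.

```python
# Added illustration: the checks a TLS client applies to a server certificate.
# Certificate dicts mimic the shape returned by ssl.SSLSocket.getpeercert();
# all names and certificates below are constructed sample data.

def dns_names(cert):
    """DNS entries from subjectAltName, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Compare one certificate name with the host the client meant to reach.
    '*' counts only as the whole left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # need at least "*.domain.tld", so "*.com" never matches anything
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_server(cert, chain_trusted, proved_key_possession, expected_host):
    """Return 'accept' or the reason for rejecting the peer."""
    if not chain_trusted:
        return "reject: issuer not trusted"
    if not proved_key_possession:
        return "reject: peer does not hold the private key"
    # Both earlier checks pass for ANY holder of a valid certificate and key;
    # only this comparison ties the key to the peer the client asked for.
    if not any(name_matches(n, expected_host) for n in dns_names(cert)):
        return "reject: certificate names a different peer"
    return "accept"

# Constructed certificates: the intended server, an unrelated certificate
# holder, and a wildcard certificate for the intended domain.
EXPECTED = {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
OTHER = {"subjectAltName": (("DNS", "www.example.net"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for label, cert in (("expected", EXPECTED), ("other", OTHER), ("wildcard", WILDCARD)):
        print(label, "->", check_server(cert, True, True, "www.example.com"))
```

In real Python clients this comparison is done by the ssl module itself: ssl.create_default_context() sets verify_mode to CERT_REQUIRED and check_hostname to True.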