Server's certificate is validated after credentials are sent.
vulners.com/securityvulns/securityvulns:doc:32195