amit nigam wrote:
>
> Thanx Dr Stephen,
> Your advice is precious to us for designing the SSL socket interface for out
> project.
> Since we have decided BlowFish, DH and MD5 just for to get rid of patent thing. But
> as you suggested that BlowFish cannt be used because it is not a standard one. Now
> we have to decide again for the cipher. Here is some other queries which will help
> me in taking the decision..
If you want to avoid all patent stuff that means no RSA (until after
September) and no IDEA either.
If you want to be ultra cautious about trademark stuff (though
apparently this isn't a problem) then avoid things like RC2 and RC4.
If you want a strong encryption this rules out 56 bit DES.
I you want to avoid man in the middle attacks you need authentication,
this rules out anonymous DH modes.
Add all this together and you get one possible cipher suite:
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
This doesn't give you a lot of choice...
> 1-Is there any work done to proide wrapper over the socket incorporated SSL so that
> secure communication could occur?? I am sure our requirement is not new.
I'm not sure what you mean by that. The OpenSSL code provides a socket
wrapper and you make calls to various OpenSSL API functions that then
use SSL on the underlying socket.
> 2- In case of DH. generated the DH param using gendh. It gives me a DH param file.
> Now how to use this file to generate the private key and certificate ??
> In case of RSA,
> req -new -x509 -nodes -keyout cert.pem -out cert.pem.
> After that I got cert.pem file which contains private as well as public key and
> successfully used that in demo/ssl/client and server program.
> But in case of DH how things work??
As I said OpenSSL doesn't support DH certificates. You create the
parameters and pass them to the server.
You also need to create a DSA CA and server certificate. This technique
is described in the CA.pl manual page.
> 3-Since in this protocol server selects one of the cipher from clinet cipher lists.
> So if we want to use some particular cipher suit where should I specify that. Where
> should I specify in the server to select particular cipher from cipher lists? What
> I understand it is certificate signatiure which tells the server to use some
> particular cipher?? I am struggling with this..
Depends on the server. There's normally some way to specify a cipher
list. s_server has a -cipher command line option for this. The precise
syntax is described in the ciphers manual page. However in your case you
can just specify the one cipher suite that is suitable as the cipher
list: EDH-DSS-DES-CBC3-SHA
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
