I don't think this is correct at all.  I use OpenSSL to
generate certificates that are used on Microsoft IIS
servers and IBM HTTP servers and Novell eDirectory LDAP
servers and IBM Directory Server LDAP servers and all
sorts of servers.  Now, the vendors may not make it EASY
to use non-proprietary certs, and may SUGGEST in their
documentation that it does not work (as well)[0,1] with
them, and the salesmen certainly may SAY that it does
not (really)[0,1] work ("well")[0,1] but there is no
particular reason you should believe them :-)

The answer to the original question is:

"Only one side needs to have a certificate, so if the
server has a certificate, the client can make up a
random key (called a "session key") and encrypt it
with the public key from the certificate, send it up
the link to the server, then the server can DECRYPT
it with its private (or "secret") key.  Now both
sides know the random session key and can use it in
a traditional (e.g., non-public) encryption like DES
or AES1."

Peter O Sigurdson wrote:

Hi David

You install a certificate for Windows IIS by using the Keymanager key generation wizard, then generate a certificate key request and then have a CA sign the certificate and install it.

Detailed instructions are available in the Windows help system.

I'm guessing it is analogous for other Windows servers such as Outlook.

In any event, Microsoft being proprietary probably has no ability to work with or use OpenSSL certificates. But then, OpenSSL can't work with Java Cryptography extension-generated KeyStores. So, your SSL artifacts (i.e., keys) will always be product-specific.

David ARMOUR <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/21/2004 09:31 AM
Please respond to openssl-users
To: <[EMAIL PROTECTED]>
cc:
Subject: SSL without Key?

Email clients such as Outlook can have an SSL connection to the server as an option. However when these options are selected, the user does not have to provide a key. How does such a system create an SSL connection?

How could I use SSL to emulate such action?


Regards.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]



-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
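
The key exchange described in the reply above, as an added example that is not part of the original messages: the server holds the only key pair, and the client, holding nothing but the server's certificate, wraps a random session key with the certificate's public key. The CN `mail.example.test`, the file names, OAEP padding and AES-128-CBC are assumptions chosen for the demo; a real SSL handshake sends a pre-master secret this way and derives the session keys from it.

```shell
#!/bin/sh
# Added example. File names and the CN are constructed for the demo.
# Prints the message as the server recovers it; non-zero status on any failure.
key_transport_demo() {
    msg=$1
    d=$(mktemp -d) || return 1
    oaep="-pkeyopt rsa_padding_mode:oaep"
    (
        set -e
        cd "$d"
        # Server: private key plus self-signed certificate
        # (the only key pair in the whole exchange).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=mail.example.test" \
            -keyout server.key -out server.crt 2>/dev/null

        # Client: has no key of its own, only the server's certificate.
        openssl x509 -in server.crt -noout -pubkey > server.pub

        # Client: make up a random 128-bit session key and wrap it with the
        # public key from the certificate. Only wrapped.bin crosses the link.
        session=$(openssl rand -hex 16)
        printf '%s' "$session" |
            openssl pkeyutl -encrypt -pubin -inkey server.pub $oaep -out wrapped.bin

        # Server: unwrap with the private key; it must match what the client chose.
        recovered=$(openssl pkeyutl -decrypt -inkey server.key $oaep -in wrapped.bin)
        [ "$recovered" = "$session" ]

        # Both sides now use the shared key with a symmetric cipher (AES here).
        iv=$(openssl rand -hex 16)
        printf '%s' "$msg" |
            openssl enc -aes-128-cbc -K "$session" -iv "$iv" -out msg.enc
        openssl enc -d -aes-128-cbc -K "$recovered" -iv "$iv" -in msg.enc
    )
    status=$?
    rm -rf "$d"
    return $status
}

key_transport_demo "constructed test message"; echo
```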