Chris Cleeland [EMAIL PROTECTED] writes:
> On Wed, 15 May 2002, John Jones wrote:
> > Please help me get my facts straight on what this is all about.
> > What I want to do:
> > Send an XML string from a non-browser client to a server, but securely, because it
> > will contain credit card information and other personal junk.
> > It has to be on the Mac and Windows platforms at least.
> > Steps I see:
> > Use OpenSSL because I can get that for OS X and also for Windows.
> > OK, after that, I'm fuzzy.
> > Step 2: purchase Eric Rescorla's excellent book.
Thanks for the kind words :)
You should also check out my article Introduction to OpenSSL Programming,
available at http://www.rtfm.com/openssl-examples
which is an expanded version of the programming chapter of my book,
targeted towards Linux. You should be able to adapt the programs to
OpenSSL and Windows relatively easily.
> > Steps I vaguely see, please help me if you can:
> > 2) I need to use the command line utility that comes with OSSL to make
> > uh..what? A private key? A certificate? The user will never see
> > this stuff, hopefully.
> Yes, and Eric's book doesn't really address these issues much. I haven't
> really found any book that does in a clear and concise way.
Yeah, I don't address this at all, really. John Viega's new book
Network Security With OpenSSL should cover this, but it's not
available yet. For the moment, you'll have to read the OpenSSL docs.
> > 3) I need to put a copy of the private key on the server and the client,
> > and somehow that gets used to encrypt the private information
> > the client sends.
> If memory serves well, I believe that Eric's book does address these sorts of
> issues.
Yes, this is covered in my book.
Ignoring the details of how this happens in SSL, here is the short
version of what you have to do:
You don't need a private key on the client, just on the server.
The client needs to either:
(1) Have a copy of the server's certificate.
(2) Trust the CA who signed the server's certificate.
(3) Just accept the server's public key/certificate without verifying
it. This is fine for testing but lousy for security.
-Ekr
--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
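Eric's short version is easiest to see with a concrete client and server. What follows is an added example, not code from the thread, from Eric's book or from his article: it uses the OpenSSL command-line tool for step 2 (minting a private key and certificates into a throwaway directory) and Python's standard-library ssl module, which is a wrapper around OpenSSL, to exercise the three client choices against a local server. The CA name, the config sections, the XML payload and the use of localhost are all constructed for the example; the server alone holds a private key, exactly as Eric says.

```python
"""Added example (not from the thread): Eric's three client-side trust options,
exercised against a local TLS server with Python's standard-library ssl module,
which wraps OpenSSL. Key material is minted on the fly with the openssl CLI
(step 2 of the thread) into a temporary directory and discarded afterwards."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Constructed stand-in for the XML the original poster wants to protect.
PAYLOAD = b"<order><card>4111111111111111</card></order>"

# Minimal openssl config (constructed for this example): the empty DN section
# keeps `req -subj` happy on older builds, and the extension sections supply
# what strict verifiers (OpenSSL X509_STRICT, Python 3.13 default) insist on.
OPENSSL_CNF = """\
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[self_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
"""


def openssl(*args):
    """Run the OpenSSL command-line tool; raise (with stderr attached) on failure."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_pki(d):
    """Create in directory d: a test CA, a server key with a CA-signed cert, and a
    standalone self-signed server cert. Returns a dict of file name -> path."""
    p = {n: os.path.join(d, n) for n in ("openssl.cnf", "ca.key", "ca.crt",
         "srv.key", "srv.csr", "srv.crt", "self.key", "self.crt")}
    with open(p["openssl.cnf"], "w") as f:
        f.write(OPENSSL_CNF)
    cfg = ["-config", p["openssl.cnf"]]
    # Option (2) trust anchor: a self-signed CA certificate.
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", *cfg,
            "-extensions", "ca_ext", "-subj", "/CN=Example Test CA",
            "-keyout", p["ca.key"], "-out", p["ca.crt"])
    # Server key pair plus CSR, then a CA-signed cert. The key stays on the server.
    openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", *cfg,
            "-subj", "/CN=localhost", "-keyout", p["srv.key"], "-out", p["srv.csr"])
    openssl("x509", "-req", "-days", "1", "-in", p["srv.csr"], "-CA", p["ca.crt"],
            "-CAkey", p["ca.key"], "-CAcreateserial", "-extfile", p["openssl.cnf"],
            "-extensions", "leaf_ext", "-out", p["srv.crt"])
    # Option (1): a self-signed server cert of which the client holds a copy.
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", *cfg,
            "-extensions", "self_ext", "-subj", "/CN=localhost",
            "-keyout", p["self.key"], "-out", p["self.crt"])
    return p


def client_context(trusted_cert):
    """trusted_cert is the server's own cert (option 1) or the CA cert (option 2).
    None selects option 3: no verification, so any key pair whatsoever is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    if trusted_cert is None:
        ctx.check_hostname = False  # must be cleared before verify_mode may become CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.load_verify_locations(cafile=trusted_cert)
    return ctx


def exchange(server_cert, server_key, trusted_cert):
    """One request/response over TLS to a local server holding server_cert/server_key.
    Returns (True, reply) on success, or (False, exception class name) when the
    client's certificate verification rejects the server."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_cert, server_key)  # only the server has a private key
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    lst.settimeout(10)

    def serve():
        conn, _ = lst.accept()
        conn.settimeout(10)
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                data = tls.recv(4096)
                tls.sendall(b"received %d bytes" % len(data))
        except (ssl.SSLError, OSError):
            pass  # the client refused our certificate and tore the connection down
        finally:
            conn.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        with socket.create_connection(lst.getsockname()) as raw, \
                client_context(trusted_cert).wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(PAYLOAD)
            return True, tls.recv(4096)
    except ssl.SSLError as e:
        return False, type(e).__name__
    finally:
        t.join(10)
        lst.close()


def demo():
    """Run the four cases Eric's advice predicts; returns case name -> (ok, detail)."""
    with tempfile.TemporaryDirectory() as d:
        p = make_pki(d)
        return {
            "pin_server_cert": exchange(p["self.crt"], p["self.key"], p["self.crt"]),
            "trust_ca": exchange(p["srv.crt"], p["srv.key"], p["ca.crt"]),
            "trust_ca_but_unknown_server": exchange(p["self.crt"], p["self.key"], p["ca.crt"]),
            "no_verification_at_all": exchange(p["self.crt"], p["self.key"], None),
        }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:30s} {'OK      ' if ok else 'REJECTED'} {detail!r}")
```

The third case is the one that matters for the credit-card data: a client that trusts the CA refuses a server presenting a certificate the CA never signed, which is what stops an impostor from collecting the XML. The fourth case connects just as happily to that same unknown server, which is why Eric calls option (3) fine for testing but lousy for security.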