Re: On-the-fly self generated certs for network application
Marco Cunha wrote:
> we can't have our clients going around creating, signing, installing new
> certificates every once in a while, so I was thinking about doing the
> following: look into openssl.c and friends and figure out a way of making
> the server generate a CA cert and server cert on the fly (no questions
> asked) [..] Are there any obvious obstacles or flaws in my reasoning that
> I'm not seeing?

There's no authorization without proper authentication.

Ciao, Michael.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
RE: On-the-fly self generated certs for network application
Hi Michael,

I think I understand what you mean :). If my answer doesn't make any sense then I've obviously missed your point, so please explain it further.

When I said "we can't have our clients" I meant the people who buy the software, although throughout the rest of that (and this) email when I say "client" I mean the client side of the network layer I'm writing.

Now then, with that bit out of the way...

I'm not authenticating the client in any way. Well, at least not in the sense that I require the client to have a cert installed. I'll try and write a little workflow table in ASCII:

  Client                    Server
  ------------------------------------------------
                            Create self-signed cert
  Connect                   Accept
  SSL Handshake             SSL Handshake
  Get serv cert
  Validate cert fields
  Start talking
  Blah                      Blah
  SSL Shutdown              SSL Shutdown
  Connection Shutdown       Connection shutdown

This is what I'd like to do. I don't mind not being able to tell who is on the other side for sure; I only require encryption and not authentication (not secure authentication, at least). The client will never have a cert.

I don't take care of the "talking" bit. I just make sure they get a secure channel and can exchange messages through whatever network protocols are available. It's someone else's trouble to implement the protocol(s) that will run over this.

This is kind of like HTTPS with no client cert, but here the server makes his own cert instead of requiring the installation of a cert.

Marco Cunha

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Stroder
Sent: Thursday, 11 January 2001 10:53
To: [EMAIL PROTECTED]
Subject: Re: On-the-fly self generated certs for network application

[cut]

There's no authorization without proper authentication.

Ciao, Michael.
RE: On-the-fly self generated certs for network application
Just use Anonymous Diffie-Hellman if you don't need certificates. All you need to do is change the cipher set.

G.

"Marco Cunha" [EMAIL PROTECTED] on 11/01/2001 11:51:54

Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc: (bcc: George Shaw/EMEA/Viewlocity)
Subject: RE: On-the-fly self generated certs for network application

[cut]
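The point the thread circles, Michael's "no authorization without proper authentication" and the caveat that applies equally to George's anonymous Diffie-Hellman suggestion and to Marco's on-the-fly self-signed cert, can be shown with a small script. The following is an added example, not code from any of the posts above and not OpenSSL code: it models the key agreement at the protocol level in plain Python using pow() on a toy group, so it runs without an OpenSSL build. The group parameters P and G, the classes Party and PinningClient, the functions run_session, fingerprint and demo, and the ValueError raised on a pin mismatch are all constructed for this example. It shows that an attacker who can substitute its own public value in each direction ends up holding a separate key with each side while both sides believe they have a private channel, and then shows the one check a client in Marco's design could add: pinning the fingerprint of the server's key on first use, which catches the attacker on later sessions provided the server's key is persistent and the first contact was not already intercepted.

```python
"""Added example (not from the original thread or from OpenSSL): why an
unauthenticated key agreement, whether anonymous Diffie-Hellman or a
self-signed certificate the client cannot tie to an identity, protects
only against a passive eavesdropper, and what trust-on-first-use pinning
of the server's key does and does not catch.

Everything below is constructed for the demonstration: the group (P, G)
is a toy chosen for readability, the parties are plain Python objects,
and no real TLS handshake is performed.
"""
import hashlib
import secrets

# Toy group: P is the Mersenne prime 2**127 - 1, G = 2.  Far too small for
# real use; real deployments use a standard MODP or elliptic-curve group.
P = 2**127 - 1
G = 2


def fingerprint(public_value: int) -> bytes:
    """SHA-256 over the big-endian encoding of a public value; stands in
    for a certificate or public-key fingerprint."""
    return hashlib.sha256(public_value.to_bytes(16, "big")).digest()


class Party:
    """One endpoint holding a static Diffie-Hellman key pair.  A static
    server key models a self-signed certificate generated once at install;
    the attacker simply has a key pair of its own."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.secret = secrets.randbelow(P - 3) + 2      # in [2, P-2]
        self.public = pow(G, self.secret, P)

    def derive(self, peer_public: int) -> bytes:
        """Session key from the peer's public value (hashed shared secret)."""
        shared = pow(peer_public, self.secret, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_session(client: Party, server: Party, attacker: Party = None):
    """Exchange public values; return (client_key, server_key, attacker_keys).

    Without an attacker the two keys agree.  With an attacker relaying the
    handshake, each side receives the attacker's public value instead of
    the peer's: the client derives a key it shares with the attacker, the
    server derives a different key it also shares with the attacker, and
    the attacker can decrypt, read and re-encrypt everything in between.
    Neither side can tell, because neither value was bound to an identity.
    """
    if attacker is None:
        return client.derive(server.public), server.derive(client.public), None
    client_key = client.derive(attacker.public)   # client believes this is the server
    server_key = server.derive(attacker.public)   # server believes this is the client
    attacker_keys = (attacker.derive(client.public), attacker.derive(server.public))
    return client_key, server_key, attacker_keys


class PinningClient(Party):
    """Client that pins the fingerprint of a server's key on first use and
    refuses to proceed if a later session presents a different one."""

    def __init__(self, name: str) -> None:
        super().__init__(name)
        self.pins = {}   # server name -> fingerprint seen on first contact

    def connect(self, server_name: str, presented_public: int) -> bytes:
        fp = fingerprint(presented_public)
        known = self.pins.get(server_name)
        if known is None:
            # First contact: nothing to compare against, so this session is
            # trusted blindly.  An attacker present now is not detected.
            self.pins[server_name] = fp
        elif known != fp:
            raise ValueError(f"key for {server_name} changed; possible interception")
        return self.derive(presented_public)


def demo() -> dict:
    """Run an honest session, an intercepted session, and a pinned client
    against the same attacker; return what each observer can conclude."""
    client, server, mallory = Party("client"), Party("server"), Party("mallory")

    honest_c, honest_s, _ = run_session(client, server)
    mitm_c, mitm_s, (mal_c, mal_s) = run_session(client, server, mallory)

    pinning = PinningClient("pinning-client")
    pinning.connect("server", server.public)        # first contact, honest: pin stored
    try:
        pinning.connect("server", mallory.public)   # later contact, intercepted
        detected = False
    except ValueError:
        detected = True

    return {
        "honest_keys_match": honest_c == honest_s,        # True
        "mitm_keys_match": mitm_c == mitm_s,              # False: channel is split
        "mallory_shares_client_key": mitm_c == mal_c,     # True
        "mallory_shares_server_key": mitm_s == mal_s,     # True
        "pin_detects_later_mitm": detected,               # True
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run it directly and it prints the five results. The pin helps only because the server key in this model is static: with anonymous Diffie-Hellman there is no server key to pin at all, and if the server generates a fresh certificate for every connection there is nothing stable to pin either, so every session is a "first contact" and the client is back to encryption against eavesdroppers only. Whoever implements the protocols on top of this channel should know that the peer's identity is not established by it.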