The standard browsers, IE and Netscape, do not have DH-DSS-... ciphers.  They
won't be able to talk to your web server if you disable RSA.  ADH stuff is
only useful if your app is talking to your server.  A simple way to check is
to start openssl s_server -nocert and use openssl s_client to talk to that
server.  Looking into the ssl.h file will give you a good feel for what's
going on.  Once you disable RSA (define NO_RSA), you are enabling
SSL_ALLOW_ADH.

Cheers

-----Original Message-----
From: Dick Porter <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, June 10, 1999 9:04 AM
Subject: Re: Encryption with no certificate


>On Wed, Jun 09, 1999 at 09:54:38PM -0400, Lin Geng wrote:
>> >From: Dick Porter <[EMAIL PROTECTED]>
>> >
>> >I'm trying to set up a mod_ssl server, but I only want link encryption and
>> >no authentication.
>> >
>> >A self-signed certificate isn't really the answer because I want to run this
>> >on an embedded system which can change host and domain name at any time. (Apart
>> >from having to go through Netscape's long-winded certificate dialog).
>> >
>> >Is there any way of configuring mod_ssl for this? If I just don't give it
>> >a server certificate, it reports fatal errors.
>> >
>> >- Dick
>>
>> The simplest way is to use the no-rsa option.  It seems the default
>> (openssl) is that if you have RSA on, you want authentication.  If you
>> disable RSA, ADH will kick in automatically.
>
>OpenSSL v0.9.3 (0.9.3a and SNAP-19990609 too):
>
>gcc -o openssl -DMONOLITH -I../include -DTHREADS -D_REENTRANT -DNO_RSA -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM openssl.o verify.o asn1pars.o req.o dgst.o dh.o enc.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o version.o sess_id.o ciphers.o nseq.o pkcs12.o -L. -L.. -L../.. -L../../.. -L.. -lssl -L.. -lcrypto
>../libssl.so: undefined reference to `ssl2_generate_key_material'
>../libssl.so: undefined reference to `ssl2_clear'
>../libssl.so: undefined reference to `ssl2_new'
>../libssl.so: undefined reference to `ssl2_get_cipher'
>../libssl.so: undefined reference to `ssl2_get_cipher_by_char'
>../libssl.so: undefined reference to `ssl2_write_error'
>../libssl.so: undefined reference to `ssl2_return_error'
>../libssl.so: undefined reference to `SSLv2_client_method'
>../libssl.so: undefined reference to `ssl2_num_ciphers'
>../libssl.so: undefined reference to `SSLv2_server_method'
>make[1]: *** [openssl] Error 1
>make[1]: Leaving directory `/home/dick/redhat/BUILD/openssl-0.9.3/apps'
>
>All of the functions referred to have their definitions surrounded by
>#ifndef NO_RSA/#endif, but the calls seem to be scattered all around the ssl
>directory.
>
>At first glance, it appears that disabling RSA effectively disables SSLv2.
>Will standard browsers (i.e. Netscape Communicator) still connect to a
>mod_ssl server that doesn't talk SSL v2?
>
>- Dick
>
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      [EMAIL PROTECTED]
>Automated List Manager                            [EMAIL PROTECTED]
>

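Added example, not part of the original thread and not OpenSSL or mod_ssl code: a small Python parser for `openssl ciphers -v` style output that lists which suites a server can offer with no certificate (Au=None, the ADH suites) and what remains once RSA is removed. The sample lines are constructed and the function names are hypothetical.

```python
# Constructed sample in the column layout printed by `openssl ciphers -v`;
# it is not output captured from the poster's 0.9.3 build.
SAMPLE = """\
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""


def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into dicts: name, proto, Kx, Au, Enc, Mac."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or unrelated line
        suite = {"name": fields[0], "proto": fields[1]}
        for field in fields[2:]:
            key, sep, value = field.partition("=")
            if sep:
                suite[key] = value
        if "Kx" in suite and "Au" in suite:
            suites.append(suite)
    return suites


def no_cert_suites(suites):
    """Suites a server can offer with no certificate: Au=None (anonymous DH).
    Au=None also means the client gets no proof of who the server is."""
    return [s["name"] for s in suites if s["Au"] == "None"]


def no_rsa_suites(suites):
    """Suites left when RSA is compiled out: neither Kx nor Au may use RSA."""
    return [s for s in suites if "RSA" not in s["Kx"] and "RSA" not in s["Au"]]


if __name__ == "__main__":
    suites = parse_ciphers(SAMPLE)
    left = no_rsa_suites(suites)
    print("usable without a certificate:", no_cert_suites(suites))
    print("left without RSA:", [s["name"] for s in left])
    print("protocols left without RSA:", sorted({s["proto"] for s in left}))
```

To audit a real build, pass the text of `openssl ciphers -v` from that build to `parse_ciphers` instead of `SAMPLE`.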