amit nigam wrote:
> 
> Thanks Henson,
> I have to develop secure socket communication for our application. We have
> decided to use SSL as an interface for secure communication. We have to write
> some wrapper functions to use SSL for general client and server
> communication. But as I was going through the SSL from the last couple of weeks, it
> seems I have got lost somewhere...
> 1- Is a certificate necessary for communication?

Without a server certificate (or some alternative authentication) your
server is vulnerable to man in the middle attacks so yes. But this
doesn't mean you have to buy one from a CA.

Client certificates aren't essential unless you want to authenticate the
client using it.

> 2- Since we are using SSL for internal client-server communication, we have
> decided to use DH for the public key algo, Blowfish for the symmetric key and MD5 for
> authentication. I want to use these three mechanisms for some demo program in SSL,
> demo/ssl/client as well as the server program. But I am stuck.
> I don't know how to incorporate DH parameters in the certificate?
> Don't know how to specify the Blowfish algo?
> Please shed some light

You can't use DH as the sole public key algorithm because OpenSSL
doesn't support the fixed DH modes (and almost nothing else does
either). You would need to use DSA for authentication and DH for key
agreement if you want to avoid RSA.

You also can't use Blowfish for the symmetric algorithm because there is
no standard for its use in SSL. This involves little more than getting a
spec done and getting everyone to agree on some numbers but such a thing
doesn't exist at present.

If you look at the output of:

openssl ciphers -v

it will list the supported cipher suites.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
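As an added example (not code from this thread or from the OpenSSL project), a small Python audit script that parses the column format `openssl ciphers -v` prints, picks out the suites matching Steve's RSA-free suggestion of DH key agreement with DSA (DSS) authentication, and checks whether any Blowfish suite is offered at all. The sample lines below are constructed for the example, not copied from a real build.

```python
import re

# Constructed sample in the `openssl ciphers -v` column format
# (name, protocol, Kx=, Au=, Enc=(bits), Mac=, optional "export");
# these lines are assembled for the example, not copied from a real build.
SAMPLE = """\
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)(.*)$")

def parse_ciphers(text):
    """Turn `openssl ciphers -v` output into a list of suite dicts."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a suite line
        name, proto, kx, au, enc, mac, rest = m.groups()
        bits = re.search(r"\((\d+)\)", enc)
        suites.append({"name": name, "protocol": proto,
                       "kx": kx.split("(")[0],      # "DH(512)" -> "DH"
                       "au": au, "enc": enc.split("(")[0],
                       "bits": int(bits.group(1)) if bits else 0,
                       "mac": mac, "export": "export" in rest})
    return suites

def dh_dss_suites(suites, min_bits=128):
    """Names of non-export suites with DH key agreement, DSA (DSS) auth
    and at least min_bits of symmetric key: the RSA-free choice."""
    return [s["name"] for s in suites
            if s["kx"] == "DH" and s["au"] == "DSS"
            and not s["export"] and s["bits"] >= min_bits]

def offers_enc(suites, algo):
    """True if any suite uses the given symmetric algorithm (e.g. 'Blowfish')."""
    return any(s["enc"].lower() == algo.lower() for s in suites)

if __name__ == "__main__":
    suites = parse_ciphers(SAMPLE)
    print("DH+DSS suites:", dh_dss_suites(suites))
    print("Blowfish offered:", offers_enc(suites, "Blowfish"))
```

To audit a real build, replace SAMPLE with the captured output of `openssl ciphers -v`; the parser ignores any non-suite lines.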
