"Larry Ellis" <[EMAIL PROTECTED]> writes:
> I am trying to evaluate whether SSL (specifically openssl) would be a suitable
> choice in securing my application. I am having trouble finding the best combination
> of algorithms and parameters that will serve my needs. Here are the rules:
>
> 1. I'd like to have a key-pair only on the server.

No problem, provided you don't care about the client's identity
(or you're going to authenticate the client some other way).

> 2. There is no authentication of either party (yes, I know this is not good).

OpenSSL can do this but it's a terrible idea because it leaves you open
to active attack.

> 3. Physical connections can be initiated by either side,
> but, once again, only the server has a key pair.

This is no problem PROVIDED that you don't care about authentication.

> 4. I want to avoid all certificates if possible, but, at minimum,
> restrict their usage to the server.

If you're not going to authenticate your server then there's no
need for certificates on either end.

> It occurred to me that part of my problem could reduced if the SSL_connect could be
> connection (one said connection is established). Is this true?

This sentence is unparseable.
What are you trying to accomplish here?

-Ekr
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
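
Added example (not part of the original thread or of OpenSSL's own code): point 2 above asks for a handshake in which neither party is authenticated, which in OpenSSL means the anonymous cipher suites that `openssl ciphers -v` lists with Au=None. This Python script parses that listing and flags those suites so a configuration can be checked for them; the sample lines are constructed in that command's column format, and the function names are this example's own.

```python
import re

# Constructed sample in the column format printed by `openssl ciphers -v`.
SAMPLE = """\
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA                 SSLv3   Kx=DH   Au=None Enc=AES(256)    Mac=SHA1
AECDH-AES128-SHA               TLSv1   Kx=ECDH Au=None Enc=AES(128)    Mac=SHA1
"""

# Matches the key=value columns (Kx=, Au=, Enc=, Mac=).
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_suites(text):
    """Turn each listing line into a dict: name, protocol, Kx, Au, Enc, Mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        attrs = dict(FIELD.findall(line))
        # Skip blank lines and anything that is not a cipher listing row.
        if len(parts) < 3 or "Au" not in attrs:
            continue
        suites.append({"name": parts[0], "protocol": parts[1], **attrs})
    return suites


def anonymous_suites(suites):
    """Names of suites with Au=None: no peer proves its identity, so an
    active attacker on the path cannot be told apart from the real peer."""
    return [s["name"] for s in suites if s["Au"].lower() == "none"]


def audit(text):
    """Summarise a listing: suite count, anonymous suites, pass/fail."""
    suites = parse_suites(text)
    anon = anonymous_suites(suites)
    return {"total": len(suites), "anonymous": anon, "ok": not anon}


if __name__ == "__main__":
    result = audit(SAMPLE)
    print(f"{result['total']} suites, anonymous: {result['anonymous']}")
    print("PASS" if result["ok"] else "FAIL: unauthenticated suites enabled")
```

To check a real cipher string, pass the text produced by `openssl ciphers -v` for that string to `audit()` in place of `SAMPLE`.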