If by "anonymous" SSL connection you mean that the client does
not need to have a certificate, you just cut the process short.
Stop right before the server sends the client the list of CAs
for which it is prepared to accept user certificates.

In other words, the client authentication part of the SSL
protocol can be seen as, in some sense, optional.

I admit I am nothing like an expert in this particular area
and if anybody on the list feels they could do a better job
of answering these questions please jump in.

David ARMOUR wrote:

Charles,

Your answer makes things clearer to me. As my job is one of automating
business processes I tend to always be working as a client. I am recently
facing a job where I have to connect to an SMTP server using SSL. (Server
does not allow insecure connections.) The mail server in this company is
running ESMTP Mirapoint 3.4.4-GR.

Up to now I have always faced insecure connections to SMTP servers but now I
have to extend my C++ Email library to perform anonymous SSL connections. I
purchased a book to learn about OpenSSL ('Network Security with OpenSSL'
published by O'Reilly) but I am having some difficulties. There is no
example or explanation given for anonymous SSL connections as far as I can
see.

(I have tested the secure connection using 'stunnel' and I can send all the
emails I need from the SMTP server but I would not like to rely on stunnel
to make my connection.)

Can you advise me on the procedure I need to use to set up the anonymous SSL
connection with OpenSSL or point me in the direction of some example code.


Thanks, David
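As an added example (not code from this thread, and written against Go's standard library rather than OpenSSL, since the handshake shape is the same), the following runs a TLS server over loopback that never asks for a client certificate, and a client that presents none but still verifies the server. The self-signed certificate, the SMTP-style greeting, and all function and field names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedServerCert builds a throwaway self-signed "localhost" certificate
// (constructed so the demo runs offline; a real server's cert comes from a CA).
func selfSignedServerCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// HandshakeResult records what each side learned from the handshake.
type HandshakeResult struct {
	ServerSawClientCert  bool   // server's view: did the client send a certificate?
	ClientVerifiedServer bool   // client's view: did the server's chain validate?
	Banner               string // first line the client read after the handshake
}

// RunAnonymousClientDemo: no client certificate is requested or sent, yet the
// client still verifies the server.
func RunAnonymousClientDemo() (res HandshakeResult, err error) {
	srvCert, srvX509, err := selfSignedServerCert()
	if err != nil {
		return res, err
	}
	// NoClientCert: no CertificateRequest (the "list of CAs" step) is ever sent.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{srvCert},
		ClientAuth:   tls.NoClientCert,
	})
	if err != nil {
		return res, err
	}
	defer ln.Close()
	srvSaw, srvErr := make(chan bool, 1), make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			srvErr <- err
			return
		}
		srvSaw <- len(tc.ConnectionState().PeerCertificates) > 0
		_, err = fmt.Fprint(tc, "220 demo ESMTP ready\r\n") // constructed greeting
		srvErr <- err
	}()
	// Client: RootCAs only, no Certificates of its own. InsecureSkipVerify is
	// left false, so "anonymous" does not mean "unverified server".
	pool := x509.NewCertPool()
	pool.AddCert(srvX509)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost"})
	if err != nil {
		return res, err
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf)
	if err != nil {
		return res, err
	}
	res.Banner = string(buf[:n])
	res.ClientVerifiedServer = len(conn.ConnectionState().VerifiedChains) > 0
	res.ServerSawClientCert = <-srvSaw
	return res, <-srvErr
}

func main() { fmt.Println(RunAnonymousClientDemo()) }
```

The two settings map onto OpenSSL as follows: the server calls SSL_CTX_set_verify with SSL_VERIFY_NONE (never request a client certificate), while the client keeps SSL_VERIFY_PEER with a loaded CA store. Using SSL_VERIFY_NONE on the client side as well would make the session "anonymous" in a much worse sense: any host able to intercept the TCP connection could then terminate the TLS session itself, and the client would never notice.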


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles B Cranston
Sent: Thursday, October 21, 2004 10:04 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL without Key?


I don't think this is correct at all. I use OpenSSL to generate certificates that are used on Microsoft IIS servers and IBM HTTP servers and Novell eDirectory LDAP servers and IBM Directory Server LDAP servers and all sorts of servers. Now, the vendors may not make it EASY to use non-proprietary certs, and may SUGGEST in their documentation that it does not work (as well)[0,1] with them, and the salesmen certainly may SAY that it does not (really)[0,1] work ("well")[0,1] but there is no particular reason you should believe them :-)

The answer to the original question is:

"Only one side needs to have a certificate, so if the
server has a certificate, the client can make up a
random key (called a "session key") and encrypt it
with the public key from the certificate, send it up
the link to the server, then the server can DECRYPT
it with its private (or "secret" key).  Now both
sides know the random session key and can use it in
a traditional (e.g., non-public) encryption like DES
or AES1."
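The exchange described in the quoted answer above, as an added example that is not part of the original post and uses Go's standard library: the server owns a key pair (the public half is what its certificate carries), the client invents a random session key, wraps it with that public key, and both sides then use a symmetric cipher. RSA-OAEP and AES-GCM are substitutions for the PKCS#1 v1.5 padding and DES/AES-CBC of SSL-era stacks; the function names and the sample SMTP line are mine.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// clientWrapSessionKey: the client invents a random 256-bit session key and
// encrypts it to the server's public key. RSA-OAEP is used here; SSL's RSA
// key exchange used PKCS#1 v1.5 padding.
func clientWrapSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// serverUnwrapSessionKey: only the holder of the private ("secret") key can
// recover the session key from what went over the wire.
func serverUnwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// gcmFor builds the symmetric ("traditional", non-public-key) cipher both
// sides use once they share the key; AES-GCM stands in for DES or AES-CBC.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWithSessionKey returns nonce || ciphertext || tag.
func sealWithSessionKey(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openWithSessionKey reverses sealWithSessionKey; a wrong key or any
// tampering fails the GCM tag check instead of yielding garbage.
func openWithSessionKey(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed message too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// RunKeyTransportDemo plays both roles: the server owns a long-term RSA key
// pair, the client knows only the public half and never needs a key of its own.
// It returns what the server decrypted, whether both sides hold the same
// session key, and whether a party without the private key is locked out.
func RunKeyTransportDemo(message string) (decrypted string, keysMatch, wrongKeyRejected bool, err error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the certificate's key
	if err != nil {
		return "", false, false, err
	}
	clientKey, wrapped, err := clientWrapSessionKey(&serverPriv.PublicKey)
	if err != nil {
		return "", false, false, err
	}
	serverKey, err := serverUnwrapSessionKey(serverPriv, wrapped)
	if err != nil {
		return "", false, false, err
	}
	keysMatch = bytes.Equal(clientKey, serverKey)
	record, err := sealWithSessionKey(clientKey, []byte(message))
	if err != nil {
		return "", false, false, err
	}
	plain, err := openWithSessionKey(serverKey, record)
	if err != nil {
		return "", false, false, err
	}
	// An eavesdropper holding only `wrapped` and `record` cannot open the record.
	_, guessErr := openWithSessionKey(make([]byte, 32), record)
	return string(plain), keysMatch, guessErr != nil, nil
}

func main() { fmt.Println(RunKeyTransportDemo("MAIL FROM:<sender@example.test>")) }
```

One property of this scheme matters to a defender: the session key is recoverable by anyone who later obtains the server's private key and has a recording of the traffic, so RSA key transport has no forward secrecy. That is why TLS 1.3 removed it in favour of (EC)DHE key agreement; the server certificate still identifies the server there, but it no longer encrypts the session key.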

Peter O Sigurdson wrote:


Hi David

You install a certificate for Windows IIS by using the Keymanager key generation wizard, then generate a certificate key request and then have a CA sign the certificate and install it.

Detailed instructions are available in the Windows help system.

I'm guessing it is analogous for other Windows servers such as Outlook.

In any event, Microsoft being proprietary probably has no ability to work with or use OpenSSL certificates. But then, OpenSSL can't work with Java Cryptography extension-generated KeyStores. So, your SSL artifacts (i.e. keys) will always be product-specific.

David ARMOUR <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/21/2004 09:31 AM
Please respond to openssl-users

To: <[EMAIL PROTECTED]>
cc:
Subject: SSL without Key?

Email clients such as Outlook can have a SSL connection to the server as an option. However when these options are selected, the user does not have to provide a key. How does such a system create an SSL connection?

How could I use SSL to emulate such action?


Regards.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]





--
Charles B (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
