Please help me understand what's going on.

I've successfully used OpenSSL (latest released version - 0.9.7f) to communicate with a https:// site. (See my pseudo-code at the bottom of this message.) However, nowhere in my code is a public key for the https:// site specified.
But, when I look at the conversations with a packet sniffer, it "looks" like the communication is indeed encrypted?
Is it using some sort of defaults known (in advance) by both OpenSSL and the https:// server - like a default public key for the initial SSL connection and then a default symmetric encryption algorithm for the rest of the conversation?
Is the https:// server sending my OpenSSL client its public key to help establish the initial connection?
If this is so, then I assume my OpenSSL client could, at that point, try to do some checks on that public key to see if it's a regular, valid SSL certificate as given by Verisign, et al.? And, how is the symmetric encryption algorithm chosen to finish the communications?


Among the infinite things I do not understand, I don't understand how this is working without the public key of the https:// site.
Why isn't the https:// site telling me to "bugger off"?
And, since it is working, how is it doing the apparent encryption and deciding which encryption algorithms to use? Is this considered "secure"? (I know that's a relative term.)
Where are the security weaknesses and strengths in this?


If this was to be done better, more secure, what would be the next features to add?
I assume requiring the public key of the https:// server be used by the client and maybe doing some sort of CRL check on the client side would be a couple of the suggestions?
And, if so, can someone give me pointers to the functions that I'd need to use, please?
If this current setup is "weak" or "insecure", what can be done at the server-side to tell my client to "grow up or get lost"?


Thanks a ton for teaching me this!

Joe

P.S. OpenSSL rocks! You guys are incredibly awesome!

//--------------------------------------------------------------------------
// plain TCP connection to the server
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);

ret=connect(sock, (struct sockaddr *) &ServAddr, sizeof(ServAddr));

// library setup and PRNG seeding
SSL_library_init();

SSL_load_error_strings();

RAND_seed(buffer, MaxBufferSize);

// SSLv2-only method; ctx keeps the default SSL_VERIFY_NONE,
// so the certificate the server sends is not checked
ctx=SSL_CTX_new(SSLv2_client_method());

ssl=SSL_new(ctx);
ret=SSL_set_fd(ssl, sock);

ret=SSL_connect(ssl); //ret=1=no error

ret=SSL_write(ssl, buffer, ret2);

// sizeof(&buffer[numread]) is only the size of a pointer; pass the space
// left in buffer instead (assumes buffer holds MaxBufferSize bytes)
ret=SSL_read(ssl, &buffer[numread], MaxBufferSize-numread-1);

// teardown
SSL_shutdown(ssl);
SSL_free(ssl);
SSL_CTX_free(ctx);
ERR_free_strings();
shutdown(sock, 2);
closesocket(sock);
//--------------------------------------------------------------------------


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
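
Added example, not part of the message above and not OpenSSL project code: the same client trust model next to one that authenticates the server, written with Python's ssl module (a wrapper around OpenSSL) so it runs without a build step. The function names are hypothetical, the comments name the OpenSSL C calls each setting corresponds to, and session_facts() needs network access.

```python
import socket
import ssl

def unauthenticated_context():
    """Same trust model as the posted client: traffic is encrypted, but the
    certificate the server sends in the handshake is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # C API: SSL_VERIFY_NONE, the client default
    return ctx

def authenticated_context(cafile=None, crlfile=None):
    """Client context that refuses servers it cannot authenticate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # C API: SSL_CTX_set_verify(SSL_VERIFY_PEER)
    ctx.check_hostname = True            # certificate must name the host we dialled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # SSL_CTX_load_verify_locations
    else:
        ctx.load_default_certs()  # on Unix: SSL_CTX_set_default_verify_paths
    if crlfile:  # PEM file of CRLs; a CRL check with none loaded fails every handshake
        ctx.load_verify_locations(cafile=crlfile)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # X509_V_FLAG_CRL_CHECK
    return ctx

def weaknesses(ctx):
    """List what a client context leaves unchecked."""
    found = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        found.append("certificate chain not verified against trusted CAs")
    if not ctx.check_hostname:
        found.append("certificate not matched against the host name")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        found.append("no CRL check on the server certificate")
    return found

def session_facts(host, port=443, ctx=None):
    """Handshake with host; raises ssl.SSLCertVerificationError on a bad certificate."""
    ctx = ctx or authenticated_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"protocol": tls.version(),  # negotiated protocol version
                    "cipher": tls.cipher()[0],  # suite the server picked from our offer
                    "subject": tls.getpeercert().get("subject")}

if __name__ == "__main__":
    for name, ctx in (("unauthenticated", unauthenticated_context()),
                      ("authenticated", authenticated_context())):
        print(name, weaknesses(ctx))
```

With the unauthenticated context the handshake still completes against any server, including one presenting a certificate for a different host, which is why encrypted bytes in a packet capture say nothing about who is on the other end.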
