On 2/2/06, Katie Lucas <[EMAIL PROTECTED]> wrote:
> On Tue, Jan 24, 2006 at 06:44:30PM +0530, Urjit Gokhale wrote:
> > Hi all,
> >
> > I am planning to use SSL for the communication between my client and
> > server. The idea is to use SSL *mainly* for peer authentication and
> > validation (Both server and client authentication by means of
> > certificates). Regarding the data encryption, I would like to have it
> > as an optional feature.

This is already possible with the NULL cipher suite.

> > 1) Is it possible to use SSL only for the sake of peer
> > authentication + validation and transfer un-encrypted data over this
> > channel ?

Yes. Remember that SSL/TLS also provides an integrity check to ensure that a session hasn't been hijacked. If this is important to your application, don't shut down the SSL layer as Ms. Lucas suggests.

> How about; you open the sockets using your socket level
> interface. Then you attach SSL constructs to both ends, but with the
> "don't close this option".
>
> They connect, authenticate each other. You can then use the connection
> objects to get the peer certificates (you need to do this because the
> connection will succeed if the client doesn't offer a certificate,
> whereas you're after BOTH parties being authenticated). If both ends
> get a validated certificate presented, the connection is authenticated.
>
> Close the SSL layer, which will leave you with two native connected
> sockets to talk over.
>
> > 2) Would sacrificing on encryption *really* improve the performance ?
>
> We're sending video data, so your mileage may vary, but SSL's
> symmetric encryption is far faster than the network can move the data
> and the overhead of TLS is non-noticeable for those volumes of
> data.
>
> Yes, it'll remove some strain from your machine, but next year's CPUs
> will remove that strain from notice.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
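An added, runnable illustration of the authentication-only setup discussed above (example code written for this page, not code from the thread or from the OpenSSL project): Python's ssl module, which wraps OpenSSL, is configured with a NULL cipher suite and mutual certificate verification, so each side must present a certificate the other trusts while application data crosses the wire unencrypted but still MAC-protected, and a client that offers no certificate is refused rather than silently accepted. It assumes an OpenSSL-backed Python 3.8+ on a host with the openssl command available, and it generates throwaway self-signed test certificates itself; the hostnames, file names and the "hello" payload are constructed for the demo.

```python
import os, socket, ssl, subprocess, tempfile, threading
# A NULL suite keeps the handshake, certificate checks and per-record MAC but sends application
# data in the clear; modern OpenSSL offers it only at security level 0 and only for TLS <= 1.2.
NULL_CIPHER = "NULL-SHA256:@SECLEVEL=0"

def make_selfsigned(dirpath, name):  # constructed throwaway test credentials via the openssl CLI
    key, crt = os.path.join(dirpath, name + ".key"), os.path.join(dirpath, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def auth_only_context(protocol, own, peer_crt):  # own = (key, crt), or None for "no certificate"
    ctx = ssl.SSLContext(protocol)
    ctx.check_hostname = False           # trust is pinned to the peer's cert, not a DNS name (no-op for servers)
    ctx.verify_mode = ssl.CERT_REQUIRED  # SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
    ctx.load_verify_locations(peer_crt)  # the only certificate accepted from the peer
    if own:
        ctx.load_cert_chain(own[1], own[0])
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(NULL_CIPHER)
    return ctx

def cn(cert):
    return dict(rdn[0] for rdn in cert["subject"])["commonName"]

def handshake(srv_ctx, cli_ctx):  # one loopback connection; what each side learned, or why it failed
    out, lsock = {}, socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = lsock.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                out["server_saw"], out["cipher"] = cn(tls.getpeercert()), tls.cipher()[0]
                tls.sendall(b"hello")    # readable by a sniffer, yet tamper-evident thanks to the MAC
        except OSError as e:
            out["server_error"] = getattr(e, "reason", None) or type(e).__name__
    t = threading.Thread(target=serve); t.start()
    try:
        with socket.create_connection(lsock.getsockname()) as raw, cli_ctx.wrap_socket(raw) as tls:
            out["client_saw"], out["payload"] = cn(tls.getpeercert()), tls.recv(5)
    except OSError as e:                 # a TLS alert, or a reset if the server tore down first
        out["client_error"] = getattr(e, "reason", None) or type(e).__name__
    t.join(); lsock.close()
    return out

def run_demo(client_has_cert=True):
    with tempfile.TemporaryDirectory() as d:
        server, client = make_selfsigned(d, "server"), make_selfsigned(d, "client")
        srv = auth_only_context(ssl.PROTOCOL_TLS_SERVER, server, client[1])
        cli = auth_only_context(ssl.PROTOCOL_TLS_CLIENT, client if client_has_cert else None, server[1])
        return handshake(srv, cli)       # run_demo(False) yields a server_error and no "server_saw"
```

run_demo(True) returns the negotiated cipher NULL-SHA256, each side's verified peer CN and the MAC-protected payload; run_demo(False) shows the server aborting the handshake because the client sent no certificate.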