1) Is it possible to use SSL only for the sake of peer
authentication + validation and transfer un-encrypted data over this
channel ?
How about; you open the sockets using your socket level
interface. Then you attach SSL constructs to both ends, but with the
"don't close this option".
They connect, authenticate each other. You can then use the connection
objects to get the peer certificates (you need to do this because the
connection will succeed if the client doesn't offer a certificate,
whereas you're after BOTH parties being authenticated). If both ends
get a validated certificate presented, the connection is authenticated.
Close the SSL layer, which will leave you with two natice connected
sockets to talk over.
But with no cryptographic digest you have no guarantee that the data you
receive provides from the person who showed his certificate. I think it
would be vulnerable to a man in the middle type of attack.
I suppose a digest is still included when using the null cipher with
OpenSSL... ?
--
Alain Damiral
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
