On Thu, Feb 02, 2006 at 05:09:42PM +0100, Alain Damiral wrote:
> >>1) Is it possible to use SSL only for the sake of peer
> >>authentication + validation and transfer un-encrypted data over this
> >>channel ?
> >
> >How about; you open the sockets using your socket level
> >interface. Then you attach SSL constructs to both ends, but with the
> >"don't close this option".
> >
> >They connect, authenticate each other. You can then use the connection
> >objects to get the peer certificates (you need to do this because the
> >connection will succeed if the client doesn't offer a certificate,
> >whereas you're after BOTH parties being authenticated). If both ends
> >get a validated certificate presented, the connection is authenticated.
> >
> >Close the SSL layer, which will leave you with two native connected
> >sockets to talk over.
>
> But with no cryptographic digest you have no guarantee that the data you
> receive comes from the person who showed his certificate. I think it
> would be vulnerable to a man in the middle type of attack.

Only if they can spoof the IP streams...

At the point the SSL connection says "yep. Everything's OK", it's
already done the challenges and responses so it's all ready to go --
this is as long as you don't include the null cipher, so the initial
comms are encrypted.

Closing the SSL connection means turning off the encryption later on,
so it can still be used initially for the certificate verification.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org