Question on OpenSSL encryption
Hi,

I am new to OpenSSL and am trying to prepare some illustrative documentation on how it works.

AFAIK, OpenSSL uses the concept of a pair of keys per host: one is a private key which is never communicated to any other host, and the other is a public key which is transmitted to the peer (the other party). The client uses the public key of the server (contained in the server's certificate) to encrypt its communication, which can only be decrypted with the server's private key. Please correct me if I am wrong.

Now the question is: when the server sends data to the client, what key does it use for encryption? Does the client communicate its public key to the server (at some initial stage) which the server uses for encryption? If yes, what if the client does not have a pair of public/private keys?

The question arises because it does not seem logical that the server would use its private key for encrypting data to be sent to the client. Else, snoopers who might have picked the public key could decrypt the data too.

Any help on clearing up the above points would be greatly appreciated.

Thank you
Regards
Manish Jain
invalid.poin...@gmail.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

Re: Question on OpenSSL encryption
Hello Michael/Anyone Else,

Can you be kind enough to please point me to some place/URL where I can get a bit more information about how the key is negotiated upon? I have gone through a couple of write-ups on OpenSSL which throw light upon everything else except for this vital piece of information.

Thanks
Regards
Manish Jain

On 07-Jan-12 19:23, Michael S. Zick wrote:
> On Sat January 7 2012, Manish Jain wrote:
>> Hi,
>>
>> I am new to OpenSSL and am trying to prepare some illustrative documentation on how it works.
>>
>> AFAIK, OpenSSL uses the concept of a pair of keys per host: one is a private key which is never communicated to any other host, and the other is a public key which is transmitted to the peer (the other party). The client uses the public key of the server (contained in the server's certificate) to encrypt its communication, which can only be decrypted with the server's private key. Please correct me if I am wrong.
>
> That is the essence of what happens and by that the client knows that it is communicating with the server it intended to reach (authentication).
>
>> Now the question is: when the server sends data to the client, what key does it use for encryption?
>
> The general answer is: The client and server establish a shared key for that purpose early in the protocol.
>
>> Does the client communicate its public key to the server (at some initial stage) which the server uses for encryption?
>
> If the communications set up between the two requires client authentication. In many cases the client remains a stranger to the server (un-authenticated).
>
>> If yes, what if the client does not have a pair of public/private keys?
>
> The usual case for public web browsing using https and some other protocols. The client remains a stranger to the server.
>
>> The question arises because it does not seem logical that the server would use its private key for encrypting data to be sent to the client. Else, snoopers who might have picked the public key could decrypt the data too.
>
> There is an early stage in nearly all protocols, called: key agreement where the client and server agree on a key without exchanging any of the 'private' information that it is based on.
>
>> Any help on clearing up the above points would be greatly appreciated.
>
> My comments above are at a very general level. If the process was as simple as my answers, OpenSSL would not be as large a body of code as it is. ;-)
>
> Mike
>
>> Thank you
>> Regards
>> Manish Jain
>> invalid.poin...@gmail.com

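The key agreement step described in the reply above, sketched as a toy Diffie-Hellman exchange in plain C. This is an added example, not part of the original thread and not OpenSSL code; the group parameters, function names and private values are constructed for illustration and are far too small for real use.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy group (assumption for illustration): p = 2^31 - 1, g = 7. */
#define DH_P 2147483647ULL
#define DH_G 7ULL

/* (a * b) mod m; operands are below 2^31, so the product fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a * b) % m;
}

/* Square-and-multiply modular exponentiation: base^exp mod m. */
uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1)
            result = mulmod(result, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return result;
}

/* Public value a party sends over the wire: g^priv mod p. */
uint64_t dh_public(uint64_t priv) { return powmod(DH_G, priv, DH_P); }

/* Shared secret computed locally from own private value and the peer's public value. */
uint64_t dh_shared(uint64_t own_priv, uint64_t peer_pub) {
    return powmod(peer_pub, own_priv, DH_P);
}

int main(void) {
    /* Constructed private values; real ones come from a cryptographic RNG. */
    uint64_t client_priv = 123456789ULL, server_priv = 987654321ULL;

    uint64_t client_pub = dh_public(client_priv); /* sent client -> server */
    uint64_t server_pub = dh_public(server_priv); /* sent server -> client */

    /* Each side combines its own private value with the other's public value. */
    uint64_t k_client = dh_shared(client_priv, server_pub);
    uint64_t k_server = dh_shared(server_priv, client_pub);

    printf("on the wire: client_pub=%llu server_pub=%llu\n",
           (unsigned long long)client_pub, (unsigned long long)server_pub);
    printf("keys match: %s\n", k_client == k_server ? "yes" : "no");
    return k_client == k_server ? 0 : 1;
}
```

Only the two public values cross the network, and the client needs no certificate or long-term key pair to take part. In TLS the server also signs its side of the exchange with the private key matching its certificate, which ties the agreed key to the authenticated server.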
Same SSL_CTX for tls client and tls server
Hi,

My application will act as tls server and tls client. Whether I can use same SSL_CTX object for both client and server. Whether
1) it is thread safe?
2) how to configure different verify_callback for client and server
3) any known issues in using same SSL_CTX for tls client and server

Another query (different context)
When acting as a tls server, I have chain of certificates which should be sent to clients connecting to my server. Additionally, I also have build a chain to verify client certificates. How I can build these two different chains on single SSL_CTX object?

Best Regards,
Manish Jain
GlobalLogic Inc.

PKCS12_parse - additional certificates
Hi,

int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca);

If PKCS12_parse() is successful, the private key will be written to *pkey, the corresponding certificate to *cert and any additional certificates to *ca.

1. What is the use of additional certificates?
2. Whether they should be used as root CA certificates for that domain? If yes, then whether we should add them using SSL_CTX_load_verify_locations() OR SSL_CTX_set_cert_store().
3. Whether they have any relationship with retrieved private key?

Best Regards,
Manish Jain
GlobalLogic Inc.

SSL interface for PKCS12
Hi,

Which SSL API will be used to load PKCS certificate in SSL_CTX?
OR (in other words)
What is the alternative for SSL_CTX_use_certificate_file() in case of PKCS12?

Best Regards,
Manish Jain

openssl support TLS 1.0 (RFC 2246) and TLS 1.1 (RFC 4346) ?
Hi,

With reference to openssl's README, it supports TLS v1; does it mean that it supports TLS 1.0 (RFC 2246) and TLS 1.1 (RFC 4346)?

Best Regards,
Manish Jain