I am a complete SSL noob, so please pardon me if my questions are silly... :-) I've seen similar questions in the archive, but nothing that really spelled it out.

We need an encrypted connection to a 3rd-party application, but we don't need validation. The data being transmitted is validation enough for us. However, the application we are sending to (running on Windows under IIS) is requiring a certificate.

I know it is possible to use SSL without requiring a certificate, as the test application at the bottom of the HttpClient SSL Guide works for Verisign, but not for our application.

I see two possible ways of getting around this, and I'd just like some validation that these would work the way I want (not requiring our users to mess with certificates).

1) Use an Authenticating Proxy Server. We should be able to set up one of these that accepts SSL connections without requiring a certificate, and configure the connection between it and our 3rd-party application using a certificate just for the proxy server, and not for each individual client.

2) Modify the IIS configuration of our 3rd-party application so that it doesn't require client certificates, as the data being sent contains the real authentication information. I'm not sure this is really an option, as I don't know IIS at all. We DO have access to the server, though.

Do both of these methods work, and encrypt our data? If so, is the encryption in the second case just as strong as if we used client certificates, or is it weaker because there is only a server certificate? Is there any other method I missed?

The application we are accessing initially provides a login page, and we just provide a MethodPost with the needed data, so the SSL Connection itself isn't initially authenticated. What I don't really understand is how a generic web browser certificate is any better than no certificate at all. Why is a personal certificate required via HttpClient and not via a web browser?
