Thanks Dr Stephen,
Your advice is precious to us for designing the SSL socket interface for our
project.
We had decided on Blowfish, DH and MD5 just to get rid of the patent thing. But
as you suggested, Blowfish cannot be used because it is not a standard one. Now
we have to decide again on the cipher. Here are some other queries which will help
me in taking the decision.
1- Is there any work done to provide a wrapper over the socket incorporating SSL so that
secure communication can occur? I am sure our requirement is not new.
2- In the case of DH, I generated the DH params using gendh. It gives me a DH param file.
Now how do I use this file to generate the private key and certificate?
In case of RSA,
req -new -x509 -nodes -keyout cert.pem -out cert.pem.
After that I got a cert.pem file which contains the private as well as the public key and
successfully used that in the demo/ssl/client and server programs.
But in the case of DH, how do things work?
3- Since in this protocol the server selects one of the ciphers from the client's cipher list,
if we want to use some particular cipher suite, where should I specify that? Where
should I specify in the server to select a particular cipher from the cipher list? What
I understand is that it is the certificate signature which tells the server to use some
particular cipher? I am struggling with this.
Please give me advice.
-regards
amit
Dr Stephen Henson wrote:
> amit nigam wrote:
> >
> > Thanks Henson,
> > I have to develop secure socket communication for our application. We have
> > decided to use SSL as an interface for secure communication. We have to write
> > some wrapper functions to use SSL for general client and server
> > communication. But as I have been going through SSL for the last couple of weeks, it
> > seems I have got lost somewhere.
> > 1- Is certificate necessary for communication ?
>
> Without a server certificate (or some alternative authentication) your
> server is vulnerable to man in the middle attacks so yes. But this
> doesn't mean you have to buy one from a CA.
>
> Client certificates aren't essential unless you want to authenticate the
> client using it.
>
> > 2- Since we are using SSL for internal client-server communication, we have
> > decided to use DH for the public key algorithm, Blowfish for the symmetric key and MD5 for
> > authentication. I want to use these three mechanisms for some demo program in SSL,
> > demo/ssl/client as well as the server program. But I am stuck.
> > I don't know how to incorporate DH parameters in the certificate.
> > I don't know how to specify the Blowfish algorithm.
> > Please shed some light.
>
> You can't use DH as the sole public key algorithm because OpenSSL
> doesn't support the fixed DH modes (and almost nothing else does
> either). You would need to use DSA for authentication and DH for key
> agreement if you want to avoid RSA.
>
> You also can't use Blowfish for the symmetric algorithm because there is
> no standard for its use in SSL. This involves little more than getting a
> spec done and getting everyone to agree on some numbers but such a thing
> doesn't exist at present.
>
> If you look at the output of:
>
> openssl ciphers -v
>
> it will list the supported cipher suites.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
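
An added example, not part of the original thread or of OpenSSL's own code: it shows where a server restricts the suites it will accept (the context's cipher list string) and breaks each resulting suite into its key exchange, authentication and symmetric cipher, the same information `openssl ciphers -v` prints. It assumes Python's ssl module built against OpenSSL 1.1.1 or later; the cipher strings "DHE+AESGCM" and "BF" are constructed for illustration.

```python
import ssl


def suites_for(cipher_string):
    """Return the pre-TLS 1.3 suites a server context offers for an
    OpenSSL cipher string, or [] when the string matches no suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # The server-side restriction lives here: set_ciphers() passes the
        # string to OpenSSL's SSL_CTX_set_cipher_list().
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Raised when no suite can be selected from the string.
        return []
    return [
        {
            "name": c["name"],
            "kea": c.get("kea"),              # key exchange, e.g. kx-dhe
            "auth": c.get("auth"),            # certificate/key type used to authenticate
            "symmetric": c.get("symmetric"),  # bulk cipher
        }
        for c in ctx.get_ciphers()
        # TLS 1.3 suites are configured separately from the cipher list,
        # so they are left out of this view.
        if c["protocol"] != "TLSv1.3"
    ]


def report(cipher_string):
    """Format the suites for a cipher string as printable lines."""
    rows = suites_for(cipher_string)
    if not rows:
        return ["%s: no matching cipher suite" % cipher_string]
    return ["%s: %-32s Kx=%s Au=%s Enc=%s"
            % (cipher_string, r["name"], r["kea"], r["auth"], r["symmetric"])
            for r in rows]


if __name__ == "__main__":
    # Ephemeral DH key agreement with an authenticating key, then Blowfish.
    for spec in ("DHE+AESGCM", "BF"):
        print("\n".join(report(spec)))
```

Each DHE suite pairs the DH key exchange with a separate authentication algorithm, and the Blowfish string selects nothing because no suite is defined for it.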