If I made the server create a self-signed cert, would the attack still be
possible?
What about making the server create a CA and then signing itself a server
cert which it would use with the connections... would that work? (I'm not
sure if it is the same as the self-signed scenario).

If I've said anything outrageously stupid, please forgive me... I'm still
learning SSL... and I'm tired after a hard day's work...

Anyway, thanks for the input so far everyone.

Marco Cunha
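Patrick's man-in-the-middle point, worked as an added example in Go (crypto/x509). This is not code from the thread or from OpenSSL; the host name app.example.test and the CA name "Example Server CA" are made up for it. It runs the "Validate cert fields" step from Marco's workflow table, then the two alternatives he asks about (a pinned self-signed cert, and a CA run by the server) against a genuine certificate and an impostor's certificate carrying identical fields:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const serverName = "app.example.test" // made-up host name, not from the thread

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	return k
}

// issue builds a certificate for cn: self-signed when parent is nil, otherwise
// signed by parentKey. CAs get certSign; leaves get a serverAuth EKU and a SAN.
func issue(cn string, key ed25519.PrivateKey, isCA bool,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// fieldCheck is the "Validate cert fields" step from the workflow table:
// it inspects the subject and validity period and nothing else.
func fieldCheck(cert *x509.Certificate, expectedCN string) bool {
	now := time.Now()
	return cert.Subject.CommonName == expectedCN &&
		now.After(cert.NotBefore) && now.Before(cert.NotAfter)
}

// anchoredCheck verifies cert against one root the client already holds
// (a pinned self-signed cert or a CA root shipped with the client).
func anchoredCheck(cert, root *x509.Certificate, name string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err == nil
}

// Run tries each client-side check against the genuine server and against an
// impostor whose certificate carries identical fields.
func Run() map[string]bool {
	// Scenario A: self-signed cert made on the fly; an impostor's cert can
	// carry exactly the same fields.
	genuineSelf := issue(serverName, newKey(), false, nil, nil)
	impostorSelf := issue(serverName, newKey(), false, nil, nil)
	// Scenario B: the server makes its own CA and signs a server cert with
	// it; an impostor can make a CA of the same name and do the same.
	caKey, impKey := newKey(), newKey()
	caRoot := issue("Example Server CA", caKey, true, nil, nil)
	impRoot := issue("Example Server CA", impKey, true, nil, nil)
	genuineLeaf := issue(serverName, newKey(), false, caRoot, caKey)
	impostorLeaf := issue(serverName, newKey(), false, impRoot, impKey)
	return map[string]bool{
		"fields: genuine":              fieldCheck(genuineSelf, serverName),
		"fields: impostor":             fieldCheck(impostorSelf, serverName),
		"pinned self-signed: genuine":  anchoredCheck(genuineSelf, genuineSelf, serverName),
		"pinned self-signed: impostor": anchoredCheck(impostorSelf, genuineSelf, serverName),
		"shipped CA root: genuine":     anchoredCheck(genuineLeaf, caRoot, serverName),
		"shipped CA root: impostor":    anchoredCheck(impostorLeaf, caRoot, serverName),
		"in-band CA root: impostor":    anchoredCheck(impostorLeaf, impRoot, serverName),
	}
}
```

Field validation accepts both certificates, so it cannot tell the server apart from an impostor, which is Patrick's point. Pinning the self-signed cert or shipping the CA root with the client does tell them apart, but only because the client held that anchor before it connected; a CA root taken from the same connection accepts the impostor's chain just as readily, so having the server create a CA changes nothing compared with the self-signed case unless that root is distributed to clients ahead of time.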

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Patrick G. Moore
Sent: Thursday, 11 January 2001 17:06
To: [EMAIL PROTECTED]
Subject: Re: On-the-fly self generated certs for network application



Of course, be aware that a man-in-the-middle attack is
possible.  A man in the middle could impersonate the
server at any time.

Cheers
Pat

[EMAIL PROTECTED] wrote:
>
> Just use Anonymous Diffie-Hellman if you don't need certificates.  All you
> need to do is change the cipher set.
>
> G.
>
> "Marco Cunha" <[EMAIL PROTECTED]> on 11/01/2001 11:51:54
>
> Please respond to [EMAIL PROTECTED]
>
> To:   [EMAIL PROTECTED]
> cc:    (bcc: George Shaw/EMEA/Viewlocity)
>
> Subject:  RE: On-the-fly self generated certs for network application
>
> Hi Michael,
>      I think I understand what you mean :). If my answer doesn't make any
> sense then I've obviously missed your point, so please explain it further.
>
> When I said "we can't have our clients" I meant the people who buy the
> software, although throughout the rest of that (and this) email when I
> say "client" I mean the client side of the network layer I'm writing.
>
> Now then, with that bit out of the way... I'm not authenticating the
> client in any way. Well, at least not in the sense that I require the
> client to have a cert installed. I'll try and write a little workflow
> table in ASCII:
>
> Client                  Server
> -----------------------------------------------------
>                     Create self-signed cert
> Connect
>                     Accept
> SSL Handshake
>                     SSL Handshake
> Get serv cert
> Validate cert fields
> Start talking
>                     Blah Blah
> SSL Shutdown
>                     SSL Shutdown
> Connection Shutdown
>                     Connection shutdown
>
> This is what I'd like to do. I don't mind not being able to tell who is on
> the other side for sure; I only require encryption and not
> authentication. (Not secure authentication at least.) The client will never
> have a cert.
>
> I don't take care of the "talking" bit. I just make sure they get a secure
> channel and can exchange messages through whatever network protocols are
> available. It's someone else's trouble to implement the protocol(s) that
> will run over this.
>
> This is kind of like HTTPS with no client cert, but here the server makes
> its own cert instead of requiring the installation of a cert.
>
> Marco Cunha
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Michael Stroder
> Sent: Thursday, 11 January 2001 10:53
> To: [EMAIL PROTECTED]
> Subject: Re: On-the-fly self generated certs for network application
>
> [cut]
>
> There's no authorization without proper authentication.
>
> Ciao, Michael.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]