On 6 Jan 2002, Eric Rescorla wrote: I would like to thank everybody who responded to my previous messages.
> This can't be done with SSL exactly the way you want to do it. The > only way that SSL knows how to carry public keys is via certificates. I would love to use certificates, but my problem with them is the following: My client installs server and client. He should be able to set them up without requesting something from 3-rd party CA. If I understand correctly, the only solution in this case would be to generate his own CA and generate certificates with it. I am not sure how much secure it would be. Also I would like to make it not too complex for end user. After installing server and client he should not perform many complex steps to make it work. Another question is: where this CA would reside: it should be stored somewhere to generate more client certificates if needed. My application is firewall management tool (www.fwbuilder.org) and daemon would run on firewall and used to configure certain aspects of it. Keeping CA there does not sound like very good idea. So I see few variants implementing this: 1. Password Server have password and keeps either whole password of MD5 of it. Clients establishes SSL connection (w/o certificates) and sends password. This is not very secure from "man-in-the-middle" attack. 2. Challenge-Response I do not know yet how to implement this. Advice appreciated. 3. Certificates After server is installed, certificate authority is generated. When using this CA, server certificate is generated. For each client, new certificate is generated using same authority. While establishing SSL connection client and server certificates are exchanged. (The question I am not completely understand yet, is how to check if they are the right ones. Probably I need to keep copy of server certificate on client side and compare one received over the connection with it?) 4. RSA keys Similar to SSH. I understand that OpenSSL protocol does not have specific support for this, so it have to be written on top of it, after SSL connection is established. I guess server have to send some token signed with its key, which client have to send back signed with its. Checking signatures would ensure identity of both. I am new to this kind of application and would really appreciate any advice. Sincerely, Vadim -- "La perfection est atteinte non quand il ne reste rien a ajouter, mais quand il ne reste rien a enlever." (Antoine de Saint-Exupery) ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
