Urjit,

To answer your second question: immediately after SSL_accept() on the server
side and SSL_connect() on the client side, you can use the functions
SSL_get_cipher(ssl) and SSL_get_cipher_version(ssl).

These will give you the cipher and SSL version. Sample output might look like:

SSL connection cipher:[EDH-RSA-DES-CBC3-SHA],version:[TLSv1/SSLv3]


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Urjit Gokhale
Sent: Wednesday, February 08, 2006 11:07 AM
To: openssl-users@openssl.org
Subject: Re: Can I have SSL for peer authentication only? (and not for
data encryption)


Hi all,
Thanks for all those mails.
I now understand that I can use the NULL cipher suite to exchange data without
encryption.
I understand that on specifying the NULL cipher suite, SSL will use RSA
authentication.

I believe that I will have to call SSL_CTX_set_cipher_list with "NULL" as the
second argument:
                   SSL_CTX_set_cipher_list(ctx, "NULL");
And then the application should be able to communicate using SSL_read() and
SSL_write().
Please correct me if I am wrong.

Now I have a source for a server application. The server goes through the
following function sequence:
===========
SSL_context =  SSL_CTX_new(SSLv23_method());
SSL_CTX_use_certificate_file(SSL_context, fnbuf, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM);
SSL_CTX_check_private_key(SSL_context);

port->ssl = SSL_new(SSL_context);
SSL_set_fd(port->ssl, port->sock);
SSL_accept(port->ssl);

SSL_read(port->ssl, pkt->ptr, pkt->nrtodo);
===========
Now the questions I have here are:
1) Is the server using the NULL cipher?
2) If not, then which authentication and which cipher would it be using?
3) If I want to force the NULL cipher, do I need to call
SSL_CTX_set_cipher_list() before I call SSL_new?

If you want any more information in order to answer the above questions,
please do ask me.

Thanks,
~ Urjit

----- Original Message -----
From: "Kyle Hamilton" <[EMAIL PROTECTED]>
To: <openssl-users@openssl.org>
Sent: Thursday, February 02, 2006 9:37 PM
Subject: Re: Can I have SSL for peer authentication only? (and not for data
encryption)


On 2/2/06, Katie Lucas <[EMAIL PROTECTED]> wrote:
> On Tue, Jan 24, 2006 at 06:44:30PM +0530, Urjit Gokhale wrote:
> > Hi all,
> >
> > I am planning to use SSL for the communication between my client and
> > server. The idea is to use SSL *mainly* for peer authentication and
> > validation (Both server and client authentication by means of
> > certificates). Regarding the data encryption, I would like to have it
> > as an optional feature.

This is already possible with the NULL cipher suite.

> > 1) Is it possible to use SSL only for the sake of peer
> > authentication + validation and transfer un-encrypted data over this
> > channel?

Yes.  Remember that SSL/TLS also provides an integrity check to ensure
that a session hasn't been hijacked.  If this is important to your
application, don't shut down the SSL layer as Ms. Lucas suggests.

>
> How about; you open the sockets using your socket level
> interface. Then you attach SSL constructs to both ends, but with the
> "don't close this option".
>
> They connect, authenticate each other. You can then use the connection
> objects to get the peer certificates (you need to do this because the
> connection will succeed if the client doesn't offer a certificate,
> whereas you're after BOTH parties being authenticated). If both ends
> get a validated certificate presented, the connection is authenticated.
>
> Close the SSL layer, which will leave you with two native connected
> sockets to talk over.
>
> > 2) Would sacrificing on encryption *really* improve the performance ?
>
> We're sending video data, so your mileage may vary, but SSL's
> symmetric encryption is far faster than the network can move the data
> and the overhead of TLS is non-noticeable for those volumes of
> data.
>
> Yes, it'll remove some strain from your machine, but next year's CPUs
> will remove that strain from notice.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
