On Wed, Sep 3, 2008 at 5:03 PM, Manuel Sahm <[EMAIL PROTECTED]> wrote:
> I want to make my network connection encrypted/secure using ssh.

Please note that SSH is not SSL: SSH is a protocol on top of SSL.
Since you're talking about sockets there, I take it you mean SSL.

> Is it possible to use a password instead of a Certification file and a
> Certification Key File to make the tcp connection secure via openssl ?

Assuming you're talking about 'with neither server- nor client
certificates': doable by using anonymous SSL, that is by using DH
(Diffie Hellman). This establishes an SSL connection which you can use
to pass your data/password through. Note however that 'security' comes
in several shades of grey and DH-only can be said to be much less
secure than certificate-based RSA as a rule of thumb. Reality is
more complex[*] than just that, but this rule works for starters.
[*]You've got the spectrum of authorization, authentication and
obfuscation (readability of content), where DH takes care of
obfuscation only, while a password is generally very weak single-side
authentication, while RSA/DSA + a server AND client certificate does
provide two-way authentication as well as obfuscation. You must still
perform the authorization yourself: SSL cannot do that for you.

So the correct answer is: it depends. And it depends on how secure you
want your SSL connection to be.

OpenSSL supports all this (though you'll have to do the password stuff
on your own, because that's outside the protocol scope) but I'd say
it's an 'advanced subject' anyhow.

I suggest you first try SSL out on a Windows or UNIX box (with
certificates), then move on to using DH (you can do so using the
tools/sample code that comes with OpenSSL: s_server/s_client to name
two) and when you've got that working at a level that you're comfortable
with, move it over to the embedded box - as I expect UNIX comes with more
tools/support than the embedded environment.


In closing: I strongly advise using certificates instead of passwords.


-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web: http://www.hobbelt.com/
 http://www.hebbut.net/
mail: [EMAIL PROTECTED]
mobile: +31-6-11 120 978
--------------------------------------------------
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]