David Azari <[EMAIL PROTECTED]>:

>       I'm having extreme difficulty setting up an SSL connection between
> client and server when neither specifies a certificate and key file.
> Actually, the problem seems to be specific to the server.  If I tell the
> server to use a cert and key, via the 
>       SSL_CTX_use_certificate_file( ) and SSL_CTX_use_PrivateKey_file( )
> methods, the connection works fine.  The two communicate using DES, which is
> what I'm (currently) after.  However, if I comment out the above two calls,
> there is a handshake failure.

The server's certificate and key are not only needed for
authentication, they also play (in many ciphersuites) an important
role in deriving the keys to be used for the connection.  For the
standard (non-export) RSA ciphersuites, the client encrypts a secret
to the server's public key.  This is different with Diffie-Hellman
ciphersuites; to enable them, the server application has to provide DH
parameters.  They come in two versions: Either with certificates (RSA
or DSA) or anonymous.  The latter still have to be enabled at compile
time (-DSSL_ALLOW_ADH), although this requirement does not really make
sense (if you configure the library with "no-rsa", SSL_ALLOW_ADH is
automatically set, which is a distinction that also does not make too
much sense).
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
