Bodo,
Thank you very much for responding to my message. I've probed a bit deeper into the code supplied with the libraries (the conglomeration of c files that lives in the /apps directory). Of particular interest was s_server.c, where I found evidence of what you've cited below - I need to recompile the library in order to do channel encryption without certificates (even if I don't plan to use them to authenticate). I think it's a bit confusing, as the SSL specification (3.0) states that the inclusion of a certificate in the "server hello" message is optional. I don't want to generate and send certificates if I'm not going to use them to authenticate.
So I'm going to recompile the libraries using "no-rsa," and try again. It sounds like that will cause the correct information to be passed to the preprocessor.
It may very well be that I will want to use certificates to do authentication at a later date, but the step should be optional.
Thanks again for the help,
David Azari
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 12, 1999 3:49 AM
To: [EMAIL PROTECTED]
Cc: David Azari
Subject: Re: Using the OpenSSL WITHOUT doing authentication
David Azari <[EMAIL PROTECTED]>:
> I'm having extreme difficulty setting up an SSL connection between
> client and server when neither specifies a certificate and key file.
> Actually, the problem seems to be specific to the server. If I tell the
> server to use a cert and key, via the
> SSL_CTX_use_certificate_file( ) and SSL_CTX_use_PrivateKey_file( )
> methods, the connection works fine. The two communicate using DES, which is
> what I'm (currently) after. However, if I comment out the above two calls,
> there is a handshake failure.
The server's certificate and key are not only needed for
authentication, they also play (in many ciphersuites) an important
role in deriving the keys to be used for the connection. For the
standard (non-export) RSA ciphersuites, the client encrypts a secret
to the server's public key. This is different with Diffie-Hellman
ciphersuites; to enable them, the server application has to provide DH
parameters. They come in two versions: Either with certificates (RSA
or DSA) or anonymous. The latter still have to be enabled at compile
time (-DSSL_ALLOW_ADH), although this requirement does not really make
sense (if you configure the library with "no-rsa", SSL_ALLOW_ADH is
automatically set, which is a distinction that also does not make too
much sense).
