Be careful - verification needs to be integrated within the rest of the
cryptographic system. If you open up an encrypted connection and *then*
do verification, your verification will probably be susceptible to a
man-in-the-middle attack (basically, the man-in-the-middle can intercept
and modify certificates).

(I had a long argument by private email (as me myself, from my own
account, not me as employee from this account) with people on the
peerpress list who seemed to think they could piece together different
algorithms willy-nilly - that's not the case if you want to avoid a
man-in-the-middle attack. It is much safer to use an accepted,
well-studied protocol like SSL than inventing your own from scratch).

Andrew

P.S. The reply below seems to think OpenSSL is an optional extension to
SSLeay or something. It's better to think of it as a replacement. SSLeay
is obsolete. Use OpenSSL.

Krishnam Raju wrote:
>
> If you just need a secure transfer of data, you may do something like this:
> Go for a DH key exchange and arrive at a shared secret key between client
> and server and do the DES encryption with that. All this functionality is
> available in SSLeay. You need not have to use OpenSSL in that case. Of course
> DH key exchange is vulnerable to man-in-the-middle attack. Again there are
> ways to circumvent this. I believe this helps.
>
> Krishnam Raju
> Sr. Software Eng.
> Internet Commerce Div.,
> Verifone India Ltd.,
>
> Greg Herlein wrote:
> >
> > Please forgive my ignorance... but I've read all I can get my
> > hands on and I can't grok an answer. So here I am, hat in
> > hand...
> >
> > I am designing a client-server application that I'd like to have
> > converse in a secure fashion. Of course, I look at OpenSSL. I
> > am writing both ends of the application and neither end is web
> > based (no Apache, no web browsers). I just need the link to be
> > secure.
> >
> > I'm not a crypto expert, but as I understand it, a certificate is
> > needed to authenticate to the client that the server is who they
> > say they are. Yes? I note that in the programmer docs it says:
> >
> > ---
> > 5.7 Register Certificates
> >
> > The server must have a certificate. The client can (and probably
> > should) have a certificate.
> > ---
> >
> > Really? Isn't there a way that I can just encrypt the channel
> > and not do any authentication? I've looked at several SSL
> > packages' source code, and have not seen a way to do this...
> > though trying to see a generic method in the midst of the complex
> > code of a full app is not the easiest thing for me.
> >
> > If anyone can point me at an answer or a sample app I'd be most
> > appreciative.
> >
> > Greg
> >
> > /********************************************************************
> > Greg Herlein                        Quicknet Technologies, Inc.
> > Director, Super-Secret Project (yes, it really is secret)
> > [EMAIL PROTECTED]                   http://www.quicknet.net
> > *********************************************************************/
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                       [EMAIL PROTECTED]
> > Automated List Manager                          [EMAIL PROTECTED]
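Andrew's point that authentication has to be bound into the key exchange itself, and Krishnam's remark that a bare DH exchange is open to a man-in-the-middle, can be shown with a small model of both handshakes. The Python below is an added example written for this page; it is not code from the thread, from OpenSSL or from SSLeay. It uses a constructed toy group (a prime modulus with generator 2, chosen for readability, not a standardised group) and a toy Schnorr signature as a stand-in for the certificate-backed signature an SSL server makes over its handshake; every function name is an assumption of this example.

```python
"""Model of an unauthenticated vs. an authenticated DH handshake.
Constructed example for illustration; not OpenSSL/SSLeay code."""
import hashlib
import secrets

# Constructed toy group.  Real systems use standardised groups
# (RFC 3526 / RFC 7919) or an elliptic curve through a TLS library.
P = 2**255 - 19
G = 2
Q = P - 1  # exponents are reduced modulo the order of Z_p^*


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated byte strings, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def enc(n: int) -> bytes:
    """Fixed-width encoding of a group element (all values are < 2**255)."""
    return n.to_bytes(32, "big")


def dh_keypair():
    """Ephemeral DH key: private exponent and public value g^x mod p."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def session_key(peer_pub: int, priv: int) -> bytes:
    """Derive a 32-byte session key from the DH shared secret."""
    return hashlib.sha256(enc(pow(peer_pub, priv, P))).digest()


# Toy Schnorr signature over the same group.  It plays the role the
# certificate's key pair plays in SSL: the server signs with a long-term
# private key, the client verifies with a public key it already trusts.
def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = H(enc(r), msg) % Q
    s = (k - e * x) % Q
    return e, s


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P   # g^s * y^e == g^k for a valid sig
    return H(enc(r), msg) % Q == e


def unauthenticated_handshake(with_mitm: bool) -> dict:
    """Plain DH, as in Krishnam's suggestion.  If an active attacker
    replaces both public values in transit, each side ends up sharing a
    key with the attacker instead of with its peer, and neither notices."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if with_mitm:
        m_priv, m_pub = dh_keypair()
        a_sees, b_sees = m_pub, m_pub          # attacker's value delivered to both
        mitm_key_a = session_key(a_pub, m_priv)
        mitm_key_b = session_key(b_pub, m_priv)
    else:
        a_sees, b_sees = b_pub, a_pub
        mitm_key_a = mitm_key_b = None
    a_key = session_key(a_sees, a_priv)
    b_key = session_key(b_sees, b_priv)
    return {
        "peers_agree": a_key == b_key,
        "mitm_reads_a": mitm_key_a == a_key,
        "mitm_reads_b": mitm_key_b == b_key,
    }


def authenticated_handshake(with_mitm: bool) -> dict:
    """DH where the server signs the handshake values with its long-term
    key before any session key is used.  A substituted value no longer
    matches the signature, so the client rejects the handshake."""
    server_lt_priv, server_lt_pub = dh_keypair()   # long-term signing key
    trusted_server_key = server_lt_pub             # client's trust anchor
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    sig = sign(server_lt_priv, enc(c_pub) + enc(s_pub))
    if with_mitm:
        _, m_pub = dh_keypair()
        delivered_pub, delivered_sig = m_pub, sig  # value swapped, signature cannot be
    else:
        delivered_pub, delivered_sig = s_pub, sig
    if not verify(trusted_server_key, enc(c_pub) + enc(delivered_pub), delivered_sig):
        return {"client_accepts": False, "peers_agree": False}
    agree = session_key(delivered_pub, c_priv) == session_key(c_pub, s_priv)
    return {"client_accepts": True, "peers_agree": agree}


if __name__ == "__main__":
    for name, fn in (("plain DH", unauthenticated_handshake),
                     ("signed DH", authenticated_handshake)):
        for mitm in (False, True):
            print(f"{name}, attacker {'present' if mitm else 'absent'}: {fn(mitm)}")
```

The second scenario is the shape of SSL's certificate-based handshake: the signature covers the ephemeral values, and the client checks it before any key derived from them is used. It also shows why Andrew's ordering matters. Verifying a certificate only after the channel is up does not help, because an attacker who already holds a key with each side can rewrite whatever certificate passes over it. Greg's "encrypt but don't authenticate" mode corresponds to the first scenario, which is exactly the guarantee OpenSSL's anonymous DH cipher suites give.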