Hi all:
I have a TCP/IP based Client/Server application I would like to add OpenSSL. My intent is to made the connections from the server to the client "secure."
For two weeks I have read a ton and studied s_server and s_client. I still feel like I'm missing something, and hope someone can help.
I'm still not getting the ideal of what clients I can trust. In my application I have a list of trusted IP address. Once a connection is made I allow the set of IP address to connect. In a SSL world, I don't want every Client with a certificate to connect even if we are in secure mode. I keep envisioning a HHTPS server that allow everyone to connect. Beside SSL, most site need a login and password to allow a set of trusting above and beyond the SSL certificates.
I still don't get what certificates from a CA I can and can not trust.
On a second more general note. Do I really need OpenSSL to make my client application secure. I think I get what SSL gets me in the line of various attacks like "man-in-the-middle" and such. That is why I'm leaning that way instead of just using encryption. However, in my system, I control the code on both sides of the connection. Would just having encryption make the site secure. I hope I don't get flamed for this but I want to learn how to make this case.
Since everyone is in a giving mode. :)
How safe is it to have the certificate compiled into the client code. My system is a library given to companies that do not have TCP/IP background. They will link in my library and use four calls to communicate: open, close read write. I need to make this easy as possible on there end by hiding all the TCP/IP and SSL work. (also, there will be one connection per site and it will stay open unlike a HTTP connection) I don't want them getting commercial certificates, loading a certificate into the system and such. I've created a certificate in a C structure with an option with one of the certificate generation tools. Does this make my site insecure since I have all these clients out there with the same certificate in code? or, must I go through the pain of generating different binaries for each client. (The number will be below 50)?
Thanks you in advance for any help. Not being in the security realm at all, I look forward to your thoughts and insight.
Kevin Mueller
Kevin Mueller
GlobeNet Capital Corporation
<mailto:[EMAIL PROTECTED]>
(407)622-2846
