Hi, John.

I haven't (yet) gotten Eric Rescorla's book that others have recommended,
but understand it's very good.  Although somewhat dated,
_Applied_Cryptography_ by Bruce Schneier (ISBN 0-471-11709-9) has a lot of
useful background on the protocols and has been helpful to me.  However, I
found _Cryptography_Decrypted_ by H.X. Mel and Doris Baker (ISBN
0-201-61647-5) really good at quickly explaining how cryptography in general
and SSL in particular (since that's what I needed) work, in a very accessible
fashion.  (The diagrams and descriptions are very useful for explaining
these relatively difficult concepts in a less jargon-intense way.)  Between
those books, the OpenSSL docs and mailing list and the Stunnel docs and
mailing list I've been able to cobble together the beginnings of
comprehension.

I'm not sure what exactly you need to do, but it sounds like you have (or
plan to create) a non-browser client application to deliver XML-encoded data
via an IIS server using HTTP or HTTPS (which is HTTP inside an SSL/TLS
wrapper).  [TLS 1.0 is essentially SSL 3.1 and an official standard whereas
SSL 2.0 and 3.0 are earlier "de facto" standards created by Netscape.]

I think then that you "simply" need HTTPS client code and IIS can handle the
HTTPS server side code.  If so, you might be able to use an off-the-shelf
solution like Stunnel (which uses OpenSSL to provide the underlying
encryption) to provide SSL encryption as a wrapper around TCP/IP connections
(from the client and/or server end) and potentially accomplish your
encrypted connection without having to write any additional code.  More info
on Stunnel is available at:

http://www.stunnel.org (which I can't seem to access at the moment)
http://stunnel.mirt.net (the author's website)

P.S.  I *completely* appreciate and agree with the ER analogy!  :)
--
Jeff Woods
[EMAIL PROTECTED]
Quintessential School Systems
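To make the division of labour in the reply above concrete, here is an added example (not code from either poster) of the client side of that HTTPS link in Python's standard library: the client authenticates the server with the CA certificate that signed the server's certificate, and never needs a copy of the server's private key. The host name, path and CA file path are placeholders; the XML payload is constructed with dummy values.

```python
import ssl
import http.client
import xml.etree.ElementTree as ET
from typing import Optional, Tuple


def build_order_xml(card_last4: str, amount: str) -> bytes:
    """Constructed sample payload: the kind of XML record a non-browser
    client would send.  Dummy values only, not real card data."""
    root = ET.Element("order")
    ET.SubElement(root, "cardLast4").text = card_last4
    ET.SubElement(root, "amount").text = amount
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def make_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context.  The client holds only the CA certificate
    (ca_file; None means the platform's default trust store), so it can
    verify the server's certificate.  The server's private key stays on
    the server.  CERT_REQUIRED plus check_hostname makes the client refuse
    any server it cannot authenticate, which is what defeats an
    interposed host reading the card data."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 2/3 and TLS 1.0 are off
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def post_xml(host: str, path: str, body: bytes,
             ca_file: Optional[str] = None, port: int = 443) -> Tuple[int, bytes]:
    """POST the XML over HTTPS (plain HTTP inside the TLS wrapper, exactly
    as the reply describes) and return (status, response body).  IIS or any
    HTTPS server terminates the TLS side; no custom server code is needed
    to 'decode' the link."""
    conn = http.client.HTTPSConnection(host, port,
                                       context=make_client_context(ca_file),
                                       timeout=30)
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": "application/xml",
                              "Content-Length": str(len(body))})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder server; replace with the real IIS host and the CA file
    # that issued its certificate.
    status, reply = post_xml("iis.example.invalid", "/upload",
                             build_order_xml("4242", "19.99"),
                             ca_file="/path/to/internal-ca.pem")
    print(status, reply[:80])
```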


-----Original Message-----
From: John Jones [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 15, 2002 11:41 AM
To: [EMAIL PROTECTED]
Subject: I'm confused on the big picture.  Help?

Please help me get my facts straight on what this is all about.

What I want to do:
Send an XML string from a non-browser client to a server, but securely,
because it will contain credit card information and other personal junk.
It has to be on the Mac and Windows platforms at least.

Steps I see:
Use OpenSSL because I can get that for OS X and also for Windows.
OK, after that, I'm fuzzy.

Steps I vaguely see, please help me if you can:

1) We have a Win2K server.  What do I do to get it to see and talk to SSL
connections coming from the client? 
        Do I need to install OpenSSL there, or will OSSL talk to whatever 
        existing SSL things MS has built into IIS on Win2K?
        Is there a setting I need to tweak, or will IIS do this out of the
box?

2) I need to use the command line utility that comes with OSSL to make
        uh..what?  A private key? A certificate?  The user will never see
        this stuff, hopefully. 

3) I need to put a copy of the private key on the server and the client,
        and somehow that gets used to encrypt the private information
        the client sends. 

4) I use the OSSL libraries (or possibly call the command line utility from
        a program) to set up an SSL link and send my information to the 
        server.

5) Do I need to write server code that is looking for this link, this
        information, and then decodes it?  

I'm sorry to be so confused and thick headed.  I didn't think about SSL at
all before about a couple of weeks ago, and I'm trying to understand the big
picture.  If anybody feels compassion and has the time to step through this
with me, I'd be very grateful.  It's been good just reading through the
list, although it's like being in the ER right after a big explosion down
town.
john
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]