In message <[EMAIL PROTECTED]> on Fri, 01 Apr 2005 10:10:58 -0500, Joe Flowers <[EMAIL PROTECTED]> said:
flowers> Please help me understand what's going on.

I think the first thing you should do is take a look at the TLS (TLS is basically the newer version of SSL) specification, RFC 2246. It explains the mechanisms used while communicating using SSL or TLS.

flowers> I've successfully used OpenSSL (latest released version -
flowers> 0.9.7f) to communicate with a https:// site. (See my
flowers> pseudo-code at the bottom of this message.) However, nowhere
flowers> in my code is a public key for the https:// site specified.

That is correct. Ever used SSH? It basically works using the same principles. Roughly speaking, the principle is as follows:

- the server is sending its public key to the client (your program), plus a challenge (some random data, usually).
- the client (your program) then computes a response to the challenge, encrypts it using the received public key and sends the result back to the server.
- the server decrypts the received message using its own private key, and checks that the contents are what it expects.
- both client and server compute a session key using the challenge and response that were just passed back and forth.
- both client and server set up encryption on the communication channel, using the session key as encryption key.

If I missed something, I'm sure someone will hit me over the head with a bat. That's OK, as long as it's a nerf bat :-).

flowers> If this is so, then I assume my OpenSSL client could, at
flowers> that point, try to do some checks on that public key to see
flowers> if it's a regular, valid SSL certificate as given by
flowers> Verisign, et. al.?

Yes.

flowers> If this current setup is "weak" or "insecure", what can be
flowers> done at the server-side to tell my client to "grow up or get
flowers> lost"?

Yes, require that the client present a client certificate. That's up to the server.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
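The two answers in the message above (the client can check the certificate the server sends, and the server can demand a client certificate) are shown here as an added example that is not part of the original message. It uses Python's `ssl` module, which wraps OpenSSL, rather than the C API the question was about; all function names are hypothetical.

```python
import socket
import ssl


def verifying_client_context(cafile=None):
    """Client side: check the server's certificate chain and host name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context already sets both; stated explicitly for clarity.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_client_context():
    """A client that never checks the certificate: the channel is encrypted,
    but the peer holding the private key is not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be turned off before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_cert_required_server_context(certfile=None, keyfile=None, client_ca=None):
    """Server side: the handshake fails unless the client presents a
    certificate that chains to client_ca."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # the server's own identity
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)  # CAs trusted to issue client certs
    return ctx


def fetch_peer_subject(host, port=443, ctx=None, timeout=10):
    """Connect, let the handshake verify the server, return the certificate subject."""
    ctx = ctx or verifying_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # Raises ssl.SSLCertVerificationError on an untrusted chain or wrong host name.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]
```
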