On Thursday 27 October 2005 07:25, M G wrote: > Hi list, > > My goal is to create mutual authentication for small business (each client > app is also a server that can share data securely), is there a way to use > SSL the "normal" way i.e., to create an X509 store, set verify function, > use certificates, etc, ... but not require usrs to sign with a CA > certificate? i.e., Everyone has self-signed certificates with fingerprints > that are shared via out-of-band methods.
As far as I know, you can put a self-signed certificate into an X509_STORE as trusted and then the connection will verify properly. In fact, all root CA certs that you usually have in the X509_STORE already are self-signed. The only difference between a normal cert and a "CA" cert is that the CA certs have extra bits in them to indicate they can sign for other certs (but you don't need this feature, nor is this feature required for a cert to be allowed inside an X509_STORE and trusted). Putting your self-signed certs into the X509_STORE would be the safest method of using SSL, because then everything really would be "normal". You'd do an SSL connection as you're supposed to, the cert would verify, and off you go. This may also be a more future-proof and compatible method, since not all SSL libraries will necessarily allow you to ignore invalid certificates (I'm told this is how J2ME works). The only trouble I can see you running into is if you don't have all the client certificates pre-traded. If each client only has a cache of fingerprints, then you will have to do some extra voodoo. Handling this in OpenSSL would be fairly easy, just compare the fingerprint of the certificate with your list of allowed fingerprints. -Justin ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
