WebSpider wrote:
How can I make the new node (A) send an encrypted request to the already existing node (B) while node A does not have any public key/certificate information about the already existing node (B), and still make sure that I am actually talking to B, and not some Man-In-The-Middle?
Take everything I say with a huge grain of salt, but as you said the experts may be occupied at this time of year.
(A) encrypted communications isn't a problem. The certs are used for authentication ("How do I know 'Bob' is really Bob?"), not key exchange. Each party can offer a cert, it's up to the other party to decide whether to ignore it, log it, or verify it.
(B) authentication, and hence avoiding man-in-the-middle, requires either prior knowledge of the trusted certificate or the entire certificate chain back to a trusted root. You would use the CRL to verify that a valid certificate hasn't been subsequently revoked. (You should also check the expiration time.)
I don't use OpenSSL enough to recall how to do each, but you could probably find information on the first by looking up 'anonymous' sessions.
HTH
Bear

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
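An added illustration of the two points in Bear's reply, written for this archive page and not taken from the thread or from the OpenSSL project: with Python's standard `ssl` module (which wraps OpenSSL) a client context can be built either as an encrypted-but-unauthenticated session, or as one that verifies the peer's chain back to a previously trusted root, checks the hostname, consults a CRL, and (via a helper on the handshake's peer certificate dict) rejects an expired certificate. The `trusted_ca_file` and `crl_file` paths are caller-supplied placeholders, and the certificate validity dates in the test are constructed.

```python
import ssl
import time

def make_client_context(trusted_ca_file=None, crl_file=None):
    """Build a client-side TLS context.

    trusted_ca_file is None: an 'anonymous'-style session. Traffic is still
    encrypted, but the peer is not authenticated, so an active
    man-in-the-middle cannot be detected (Bear's point A).

    With a CA file: the peer's chain must lead back to that trusted root,
    the hostname must match, and OpenSSL checks the validity period during
    the handshake (Bear's point B). An optional CRL file enables revocation
    checking of the leaf certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if trusted_ca_file is None:
        # check_hostname must be switched off before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=trusted_ca_file)   # placeholder path
    if crl_file is not None:
        ctx.load_verify_locations(cafile=crl_file)      # CRL is PEM too
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def peer_is_authenticated(ctx):
    """True only if the context will reject an unverifiable or mismatched peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def cert_validity_window(cert):
    """(notBefore, notAfter) as epoch seconds from a getpeercert()-style dict."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))

def cert_is_currently_valid(cert, now=None):
    """Explicit expiry check on a peer certificate dict (e.g. from getpeercert())."""
    if now is None:
        now = time.time()
    start, end = cert_validity_window(cert)
    return start <= now <= end
```

With the first form a node A that knows nothing about B gets confidentiality against passive observers only; the second form is what actually answers "am I talking to B?", and it presupposes that A already trusts the root that issued B's certificate.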
