I'm working on a client-server system which now, with the GNU/Linux port, gained TCP/IP sockets all over the services, which are not secured against unauthorized access yet. The system can be deployed in a distributed configuration, where of course it is vital to secure access to the services. With named pipes in the older Windows version of the service framework code I just put DACLs on the named pipes to prevent access from anyone besides local admins, and that was a pretty good measure to protect access.
First I wanted to use SRP-6, but then after discussing it I have been convinced (somewhat) that there's no performance reason to use SRP-6 for auth because TLS would be slower. With SRP-6 or DH (SRP-6 more secure than DH according to their docs). With the TCP/IP-listening services it will allow us to make use of TLS in EDH mode, but what is the best way when one, for performance reasons, wants no encryption:

e1) DH with a shared secret?

e2) Just tell admins to make sure they do not allow any connections from outside the distributed system and possibly use a VLAN?

e3) I'm still reading Eric Rescorla's book, but beforehand: is there a TLS mode which does authentication only and, for performance reasons, uses a NULL cipher for the traffic?

Moreover, I'd like to know if I have to secure saved sessions explicitly when I come to the conclusion that session saving is needed just because the connection overhead with TLS is too much?

---
Thanks in advance for your time.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]