Hi, I have to interface with a client running TLS_RSA_WITH_3DES_EDE_CBC_SHA1. For me, it means:

1) Authentication with RSA
2) Key exchange RSA
3) Encryption 3DES_EDE_CBC
4) Digest SHA1

My question is how do they get key exchange if they are not using DH??

Another thought is that:

1) Client will send Random number in ClientHello.
2) Server will respond with another Random in ServerHello.
3) Client sends PreMaster Secret encrypted with Server's public key.
4) This PreMaster Secret is used to encrypt data.

Please verify my thought is correct. DH is not involved at all??? I always thought that DH has to be involved when using a symmetric key.

Thank You
TD

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Monday, March 12, 2007 14:24
To: openssl-users@openssl.org
Subject: RE: Root Certificates dir

Hello,

> I have basic question for Client-Server using SSL. Both Client/Server
> have to use SSL_CTX_load_verify_locations to load "Trust Root".

Yes.

> But Client will load its own private/public key, does not need to load
> "server" cert at all.

Yes, client loads its private key (which has public part too) and client certificate. When server needs to authenticate client then server sends to client "CertificateRequest" handshake message and client sends its own certificate in "Certificate" handshake message.

> Server will load its own private/public key, does not need to load
> "client" cert at all.

Yes, server loads its private key (which has public part too) and server certificate. Depending on negotiated cipher parameters this certificate is used for key exchange or server authentication, but in any case it is sent to client in "Certificate" handshake message.

> The "peer" cert will exchange at "Handshake" time. Is this true??

Yes.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
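An added example, not from the thread or from OpenSSL: what both ends of a TLS 1.0 RSA key exchange do with the pre-master secret after it has crossed the wire under the server's RSA public key (RFC 2246 sections 5, 6.3 and 8.1). The RSA encryption/decryption of step 3 above is outside this snippet; the handshake randoms and pre-master value are constructed placeholders. It shows that the pre-master secret is never used to encrypt data itself: both sides feed it, plus the two Hello randoms, through the PRF to get the master secret and then the 3DES keys, SHA1 MAC keys and IVs for this cipher suite.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 2246 section 5: HMAC chain with A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2          # halves overlap by one byte if the length is odd
    md5_part = p_hash("md5", secret[:half], label + seed, length)
    sha1_part = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

# Sizes for TLS_RSA_WITH_3DES_EDE_CBC_SHA: HMAC-SHA1 key 20, 3DES-EDE key 24, CBC IV 8.
MAC_LEN, KEY_LEN, IV_LEN = 20, 24, 8

def derive_keys(pre_master_secret, client_random, server_random):
    """Master secret (RFC 2246 s8.1) and key block (s6.3), computed identically on both ends."""
    master_secret = prf_tls10(pre_master_secret, b"master secret",
                              client_random + server_random, 48)
    key_block = prf_tls10(master_secret, b"key expansion",
                          server_random + client_random,   # note: server random first here
                          2 * (MAC_LEN + KEY_LEN + IV_LEN))
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN]
    keys, pos = {"master_secret": master_secret}, 0
    for name, size in zip(names, sizes):
        keys[name], pos = key_block[pos:pos + size], pos + size
    return keys

# Constructed handshake values, fixed so the run is repeatable (real ones are random).
CLIENT_RANDOM = bytes(range(32))                 # ClientHello.random (assumed value)
SERVER_RANDOM = bytes(range(32, 64))             # ServerHello.random (assumed value)
PRE_MASTER = b"\x03\x01" + bytes(46)             # client_version + 46 bytes chosen by the client

if __name__ == "__main__":
    client_side = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server_side = derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)  # after RSA decrypt
    assert client_side == server_side           # no DH needed: same inputs, same keys
    for name, value in client_side.items():
        print(f"{name:24s} {len(value):2d} bytes  {value.hex()}")
```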