On Tue, Oct 02, 2007 at 08:17:23PM +0200, Andreas Hellström wrote:

> > Why do you need SSL anyway? If your network is secure, why encrypt?
> > If traffic can be diverted, why not authenticate?
> 
> Viktor, our network is secure, but clients outside our network will
> access it over the internet. I'm concerned about the client sending
> his username/password in clear text over the internet, and thought SSL
> would do the encryption trick with ease, using a self-signed
> certificate.

"Your network" in this case includes the entire Internet all the way from
the client to your servers. This is the network carrying the traffic you
need to protect, and active attacks are quite possible anywhere between
the client and your servers. Sounds very much like you need both encryption
and authentication.

Unless you ship a trusted CA cert with your own client application
(rather than relying on existing client apps talking standard protocols
to your servers), you need to pay the trusted public CA tax.

If you have the luxury of providing your own client, you can use your
own private-label CA, configure the clients to trust your root CA,
sign a bunch of server certs, and off you go. If it is easy to upgrade
the fielded applications or at least their trusted CA cert list, you
can deploy a new root CA periodically for good measure. First get all
clients to trust the old and the new root, then deploy certs with new
root, then decommission the old root.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
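The rollover Viktor sketches (clients trust the old root, then old and new, server certs move to the new root, then the old root is dropped) as an added example that is not from this thread or from the OpenSSL project. It uses Go's standard crypto/x509 package rather than the openssl command line: it builds two constructed private-label roots, issues a server certificate under each, and checks which certificate a client accepts at each stage of the trust-store transition. The CA names and the hostname are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { // abort the demo on any unexpected error
	if err != nil {
		panic(err)
	}
}

// makeRoot creates a self-signed private-label root CA (constructed name).
func makeRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueServerCert signs a server (leaf) certificate for dnsName under root.
// The name goes in the SAN extension, which is what clients match against.
func issueServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, dnsName string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// clientAccepts reports whether a client whose trust store holds exactly
// the given roots would accept serverCert when connecting to dnsName.
func clientAccepts(roots []*x509.Certificate, serverCert *x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}

// SimulateRollover walks the three client trust-store states of a root
// rollover (old root only, old+new, new root only) and records whether a
// server cert chained to the old root and one chained to the new root is
// accepted in each state. Keys look like "old+new/new-signed".
func SimulateRollover(dnsName string) map[string]bool {
	oldRoot, oldKey := makeRoot("Example Private Root A") // constructed
	newRoot, newKey := makeRoot("Example Private Root B") // constructed
	oldLeaf := issueServerCert(oldRoot, oldKey, dnsName)
	newLeaf := issueServerCert(newRoot, newKey, dnsName)
	states := map[string][]*x509.Certificate{
		"old-only": {oldRoot},
		"old+new":  {oldRoot, newRoot},
		"new-only": {newRoot},
	}
	out := map[string]bool{}
	for state, roots := range states {
		out[state+"/old-signed"] = clientAccepts(roots, oldLeaf, dnsName)
		out[state+"/new-signed"] = clientAccepts(roots, newLeaf, dnsName)
	}
	return out
}

func main() {
	for k, v := range SimulateRollover("api.example.test") { // constructed hostname
		fmt.Println(k, "accepted:", v)
	}
}
```

The "old-only/new-signed" result is false, which is why the new root has to reach every fielded client before any server cert is issued under it; the "old+new" state is the only one in which both generations of server certs verify, and "new-only/old-signed" is false, so the old root can only be decommissioned once no server still presents a cert chained to it.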