Re: Newbie : is it possible to use SSL on multiple targets with just IP addresses ?

Thu, 07 Aug 2008 04:56:27 -0700 

Hi,
If I understand what you want to do, the answer is yes, it can be done. You can create a generic certificate with a given CN to be used in the embedded web server. 


The next question is... who will use this web server? If it's a program, 
 so your system is used as an update server (for instance, although in 
this case identification would be critical), you can deactivate the CN 
checking, so that even if your CN does not correspond to the host name 
used in the URL the program will not complain.



If you want a user to connect via a browser, the problem is that he will 
get a warning every time he connects (I'm not sure if this can be 
avoided just by accepting the certificate in the browser, as this is a 
CN problem, and not that the certificate is self-signed), although maybe 
this is not a problem for you.... depends on your application and who 
will use it.



Well, any way the answer to your question is yes, a generic certificate 
can be used to create an SSL connection if you don't care about 
authentication.


Best regards,

   Ion Larrañaga



Mark Jackson(e)k dio:

We are designing a new embedded system which runs its own web server.


When installed in the field, the majority of the units will *not* have a 
domain-name, just a local IP address, since they will be mostly be used 
on company intranets (and so could be *any* ip address I guess).



Most units will not have static IP addresses, but will rely on zeroconf 
or dhcp for address allocation.



I guess some companies may wish to expose units to the internet and 
probably will have some form of domain name setup for each one (e.g. 
unit1.foobar.com, unit2.foobar.com, etc)


So my question is this ...


Can SSL + Certs be used / generated to work on such a dynamic type of 
network setup ?



TBH, all we are requiring is to obtain a "secure" connection to the web 
server, rather than certifying that the embedded units are who they say 
they are.  Is there some other way of doing this (either via SSL or some 
other web technology) ?



I apologise if this is too open a question, but I've not managed to find 
a suitable Google search phrase that comes anywhere near to answering my 
question(s).


Thank in advance
Mark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]






















					Reply via email to