Hello, thank you,
 
could you please help me set up my small program.
I looked at the files s_server.c and s_client.c. They are too
complicated.
 
What about the files in /demos/bio
 
Could you please explain to me the meaning of the BIO functions in
contrast to the SSL functions?
 
What about the files in /ssl/ -> serv.cpp and cli.cpp
 
This seems to be clear, because all the necessary SSL functions are
included 
(SSL_library_init, SSL_CTX_new, SSL_new, SSL_set_fd, SSL_accept,
SSL_connect, SSL_read, SSL_write, SSL_shutdown)
But I don't know how to handle or build certificates or keys?!
 
 
Maybe you could find the right option of security:
-------------------------------------------------------------
I want a key on the server side, and the same key on the client side.
The key on the server side should be changeable (so the key on the
client side should be changeable too).
The lifetime of the key on the server and client side should be
unlimited.
 
Thank you
Manuel Sahm
 
 


>>> "Ger Hobbelt" <[EMAIL PROTECTED]> 03.09.2008 17:46 >>>
On Wed, Sep 3, 2008 at 5:03 PM, Manuel Sahm <[EMAIL PROTECTED]>
wrote:
>I want to make my network connection encrypted/secure using ssh.

Please note that SSH is not SSL: SSH is a protocol on top of SSL.
Since you're talking about sockets there, I take it you mean SSL.

> Is it possible to use a password instead of a Certification file and a
> Certification Key File to make the tcp connection secure via openssl ?

Assuming you're talking about 'with neither server- nor client
certificates': doable by using anonymous SSL, that is by using DH
(Diffie-Hellman). This establishes an SSL connection which you can use
to pass your data/password through. Note however that 'security' comes
in several shades of grey and DH-only can be said to be much less
secure than certificate-based RSA as a rule of thumb. Reality is
more complex[*] than just that, but this rule works for starters.
[*]You've got the spectrum of authorization, authentication and
obfuscation (readability of content), where DH takes care of
obfuscation only, while a password is generally very weak single-side
authentication, while RSA/DSA + a server AND client certificate does
provide two-way authentication as well as obfuscation. You must still
perform the authorization yourself: SSL cannot do that for you.

So the correct answer is: it depends. And it depends on how secure you
want your SSL connection to be.

OpenSSL supports all this (though you'll have to do the password stuff
on your own, because that's outside the protocol scope) but I'd say
it's an 'advanced subject' anyhow.

I suggest you first try SSL out on a Windows or UNIX box (with
certificates), then move on to using DH (you can by using the
tools/sample code that comes with OpenSSL: s_server/s_client to name
2) and when you got that working at a level that you're comfortable,
move it over to the embedded box - as I expect UNIX comes with more
tools/support than the embedded environment.


In closing: I strongly advise using certificates instead of passwords.


-- 
Met vriendelijke groeten / Best regards,

Ger Hobbelt

--------------------------------------------------
web: http://www.hobbelt.com/ 
http://www.hebbut.net/ 
mail: [EMAIL PROTECTED] 
mobile: +31-6-11 120 978
--------------------------------------------------
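The two messages above leave the practical step open: Manuel asks how to build the keys and certificates his serv.cpp/cli.cpp need, and Ger recommends a server AND client certificate for two-way authentication. The script below is an added example, written for this thread and not code from either poster or from the OpenSSL project. It uses the openssl command-line tool to create a throwaway CA, a server key/certificate and a client key/certificate, and then shows the check that matters: a leaf certificate is accepted only when it chains to the CA the peer trusts, and a certificate from an unrelated CA is rejected. All names (`Example Test CA`, `example-server`, `example-client`), directory paths and the `-days` lifetimes are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a small PKI with the openssl
# CLI and verify leaf certificates against it. Requires the openssl binary.
set -eu

# make_pki DIR
# Creates under DIR: ca.key/ca.crt (self-signed root), server.key/server.crt
# and client.key/client.crt (both signed by that root). Subject names and
# validity periods are placeholders, not values from the thread.
make_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed root CA. Whoever holds ca.key can issue trusted certs,
    # so in real use it stays off the server and client machines.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    for role in server client; do
        # Each side gets its own private key and a CSR for that key.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=example-$role" \
            -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
        # The CA signs the CSR, producing the certificate the peer will see.
        # Re-running this step with a new key is how a key gets "changed":
        # the CA certificate the other side trusts stays the same.
        openssl x509 -req -sha256 -days 365 \
            -in "$dir/$role.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -out "$dir/$role.crt" 2>/dev/null
    done
}

# verify_leaf CA_CERT LEAF_CERT
# Prints "ok" when LEAF_CERT chains to CA_CERT, "rejected" otherwise.
# This is the same chain check an SSL peer performs when it is given the
# CA certificate to trust.
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# Demo: two independent PKIs. Certificates from PKI "b" must not be
# accepted by anyone trusting only the CA of PKI "a".
demo() {
    work=$(mktemp -d)
    make_pki "$work/a"
    make_pki "$work/b"
    echo "a/server vs a/ca: $(verify_leaf "$work/a/ca.crt" "$work/a/server.crt")"
    echo "a/client vs a/ca: $(verify_leaf "$work/a/ca.crt" "$work/a/client.crt")"
    echo "b/client vs a/ca: $(verify_leaf "$work/a/ca.crt" "$work/b/client.crt")"
    rm -rf "$work"
}

demo
```

The files this produces map directly onto the sample programs Manuel mentions: each side loads its own `.key` and `.crt`, and is given `ca.crt` as the set of trusted issuers, so the server can demand a client certificate and the client can check the server's. The `-days` arguments are where the certificate lifetime from Manuel's wish list is set; a long validity is a policy decision, and the usual practice is to keep it bounded and re-issue from the same CA, which leaves the trust configuration on the peers untouched.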