On Wed December 24 2008, Edward Diener wrote:
> In a client application communicating with a MySQL server, I am using
> SSL to encrypt/decrypt data sent to and from the database. This requires
> me to have the PEMs for the CA, client key, and client certificate
> distributed as part of the application. Of course these certificates
> will not work except with the corresponding server certificates on the
> MySQL server to which I am communicating.
> 
> My initial choice was to distribute the client certificates in the same
> directory as the application's modules, as they are easy to find at
> run-time there in order to make my SSL connection with the database. It
> has been suggested to me that this is inherently insecure. Nonetheless I
> must distribute them somewhere since the certificates have to exist in
> the file system when I make the call at run-time to create a SSL
> connection to the server.
> 
> What are the best strategies to distribute these client certificates on
> the end-user's machine? Should I be pre-encrypting these certificates,
> then decrypting them in memory before writing them to a temporary
> location, and then destroying the decrypted certificates from that
> temporary location after the connection is made, or is this overkill and
> a simpler/better way of distributing the client certificates as part of
> my application is possible?
> 
> Any suggestions, help, pointers would be much appreciated.
>

It is a hard question to answer without some knowledge of your risk model.
What are the risks that you are trying to minimize?

What harm is done if the files are accessible to the people who already
have your application?  Is this even a concern? Should it be?

Mike
> Finally the client application runs on Windows and not Linux so if there
> are OS specific arguments as to how to distribute these client
> certificates you will know to what OS the application is targeted.
> 
> Thanks !
> 


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
