There's no such thing as a "secure" TCP conversation, or any other communication channel, except in the context of a threat model - and even then security only applies in relative terms, to things like risk probabilities and costs. Security is not an absolute condition.
Thus there's no way to answer your question, because we don't know what "secure" means for your application.

SSL/TLS are designed to provide cryptographic security features for TCP (and now, with DTLS, UDP) communications channels. That's often described in terms of four basic feature areas: confidentiality, message integrity, authentication, and non-repudiation. What does your application require in each of those areas? What's your threat model? What classes of attacks are you looking to defend against, and what work factor for an adversary is considered an acceptable defense?

It's possible that the answer to your technical question is "use cipher suites that support anonymous key exchange". This is quite likely the Wrong Thing for most real-world applications that have some perceived need for communications security.

Michael Wojcik
Technology Specialist, Micro Focus

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Subrata Dasgupta
Sent: Friday, 23 May, 2014 08:17
To: openssl-users@openssl.org
Subject: How to make a secure tcp connection without using certificate

Hello Sir / Madam,

I am very much new to openssl programming. I want to make a TCP connection secure using openssl. I do not want to use any certificate or keys.. Is it possible to make a TCP connection secure without using certificate or keys??

I am using openssl-0.9.7a. To make a TCP connection secure I have changed two example files of the openssl-0.9.7a source code under demo/ssl. I am attaching those changed files with this email. I changed those files to avoid certificate and keys related openssl calls.. But server and client both are giving following errors.. Please please help..

In Server ...

    Connection from 100007f, port 8fc0
    SSL connection using (NONE)
    7778:error:140EC0E5:SSL routines:SSL2_READ_INTERNAL:ssl handshake failure:s2_pkt.c:143:

In Client ...

    7779:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:
    7779:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:928:
    7779:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509
    7779:error:1407E00B:SSL routines:SSL2_SET_CERTIFICATE:X509 lib:s2_clnt.c:1050:

Below are the openssl library calls made by the server..

    SSL_library_init();
    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();
    meth = SSLv23_server_method();
    ctx = SSL_CTX_new (meth);
    ssl = SSL_new (ctx);
    SSL_set_fd (ssl, sd);
    err = SSL_accept (ssl);
    SSL_read (ssl, buf, sizeof(buf) - 1);
    err = SSL_write (ssl, "I hear you.", strlen("I hear you."));
    SSL_free (ssl);
    SSL_CTX_free (ctx);

In client following calls are made...

    SSL_library_init();
    SSLeay_add_ssl_algorithms();
    meth = SSLv2_client_method();
    SSL_load_error_strings();
    ctx = SSL_CTX_new (meth);
    ssl = SSL_new (ctx);
    SSL_set_fd (ssl, sd);
    err = SSL_connect (ssl);
    err = SSL_write (ssl, "Hello World!", strlen("Hello World!"));
    CHK_SSL(err);
    err = SSL_read (ssl, buf, sizeof(buf) - 1);
    SSL_shutdown (ssl);
    SSL_free (ssl);
    SSL_CTX_free (ctx);

Thanks
Subrata
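
Added example, not part of the original thread: the reply mentions cipher suites with anonymous key exchange, which give no peer authentication and so no defence against an active man-in-the-middle. The Python sketch below flags such suites (Au=None) in text laid out like `openssl ciphers -v` output and in a Python `ssl` context; the sample lines are constructed and the function names are assumptions of this example.

```python
import ssl

# Constructed sample in the column layout printed by `openssl ciphers -v`.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1
AECDH-AES256-SHA            TLSv1   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1
TLS_AES_128_GCM_SHA256      TLSv1.3 Kx=any  Au=any  Enc=AESGCM(128) Mac=AEAD
"""


def parse_cipher_line(line):
    """Split one description line into name, protocol and Kx/Au/Enc/Mac fields."""
    tokens = line.split()
    if len(tokens) < 2:
        return None  # blank or truncated line
    fields = {"name": tokens[0], "protocol": tokens[1]}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields


def unauthenticated_suites(lines):
    """Return the names of suites whose authentication field is Au=None."""
    flagged = []
    for line in lines:
        fields = parse_cipher_line(line)
        if fields and fields.get("Au", "").lower() == "none":
            flagged.append(fields["name"])
    return flagged


def audit_context(ctx):
    """Apply the same check to the suites enabled on an ssl.SSLContext."""
    return unauthenticated_suites(c["description"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("sample:", unauthenticated_suites(SAMPLE.splitlines()))
    print("default context:", audit_context(ssl.create_default_context()))
```
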