Hi, not really answering the initial question, but this could be some good advice:

first of all, upgrade your library to the latest version (1.0.1g I think), the one you're using seems a bit old and download is free ;-p

second, you should avoid SSLv2, it is not secure anymore, and has not been for a long time.
Use at the very least the TLSv1 (and preferably TLSv1_2) protocol.
If you want to use SSLv23_server_method(), don't forget to disable the SSLv2 and 3 protocols (and maybe TLSv1) with the command

    SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);

third, you should also be cautious about which symmetric cipher you use: by default, you still have RC2 and DES activated until TLSv1.1, RC4 and 3DES in TLSv1.2, which are either insecure or soon will be.
You could use these lines to avoid insecure ciphers:

    #define CIPHERS "HIGH:+MEDIUM:!aNULL:!eNULL:!3DES:!RC4:!RC2:!DES"
    SSL_CTX_set_cipher_list(ctx, CIPHERS);

Best is to use AES with GCM mode if you're really aiming for security.

There are many other mistakes you can make, but with this, you should avoid the worst.

And about your initial question, the answer is definitely not. The fact is you can't guarantee at all that no one is spying on your packets on the network, nor even that you are talking to the right computer...
To prevent the first you need to encrypt your data (and thus use a key at some point), and to prevent the second you need a certificate (which basically contains a public key).

Nico

PS: in fact it can be secure, only if there's absolutely nothing but a cable between the two computers. But not even totally, since it is still possible to spy on electromagnetic noise (I'm not even joking)

----- Original message -----
From: Subrata Dasgupta <subrata_u...@rediffmail.com>
To: openssl-users@openssl.org
Sent: Fri, 23 May 2014 14:16:33 +0200 (CEST)
Subject: How to make a secure tcp connection without using certificate

Hello Sir / Madam,

I am very new to openssl programming. I want to make a TCP connection secure using openssl. I do not want to use any certificate or keys.
Is it possible to make a TCP connection secure without using certificate or keys?

I am using openssl-0.9.7a. To make a TCP connection secure I have changed two example files of the openssl-0.9.7a source code under demo/ssl. I am attaching those changed files with this email. I changed those files to avoid certificate and keys related openssl calls. But server and client both are giving the following errors. Please please help.

In Server ...

    Connection from 100007f, port 8fc0
    SSL connection using (NONE)
    7778:error:140EC0E5:SSL routines:SSL2_READ_INTERNAL:ssl handshake failure:s2_pkt.c:143:

In Client ...

    7779:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:
    7779:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:928:
    7779:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509
    7779:error:1407E00B:SSL routines:SSL2_SET_CERTIFICATE:X509 lib:s2_clnt.c:1050:

Below are the openssl library calls made by the server:

    SSL_library_init();
    SSL_load_error_strings();
    SSLeay_add_ssl_algorithms();
    meth = SSLv23_server_method();
    ctx = SSL_CTX_new (meth);
    ssl = SSL_new (ctx);
    SSL_set_fd (ssl, sd);
    err = SSL_accept (ssl);
    SSL_read (ssl, buf, sizeof(buf) - 1);
    err = SSL_write (ssl, "I hear you.", strlen("I hear you."));
    SSL_free (ssl);
    SSL_CTX_free (ctx);

In the client the following calls are made:

    SSL_library_init();
    SSLeay_add_ssl_algorithms();
    meth = SSLv2_client_method();
    SSL_load_error_strings();
    ctx = SSL_CTX_new (meth);
    ssl = SSL_new (ctx);
    SSL_set_fd (ssl, sd);
    err = SSL_connect (ssl);
    err = SSL_write (ssl, "Hello World!", strlen("Hello World!"));
    CHK_SSL(err);
    err = SSL_read (ssl, buf, sizeof(buf) - 1);
    SSL_shutdown (ssl);
    SSL_free (ssl);
    SSL_CTX_free (ctx);

Thanks
Subrata

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
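
Added example, not part of the thread and not code from either poster: it applies the cipher string recommended in the reply through Python's ssl module (a wrapper around OpenSSL, used here instead of the C API so it runs stand-alone), checks that no weak suite remains enabled, and shows that with anonymous suites excluded by !aNULL a server with no certificate cannot complete a handshake. The function names and the TLS 1.2 floor are assumptions chosen for the example.

```python
import ssl

# Cipher string from the reply above (with ':' before '!DES').
CIPHERS = "HIGH:+MEDIUM:!aNULL:!eNULL:!3DES:!RC4:!RC2:!DES"
# Substrings of OpenSSL suite names that indicate a weak or anonymous suite.
WEAK_MARKERS = ("NULL", "RC4", "RC2", "DES", "ADH-", "AECDH-")


def make_context(server_side):
    """TLS 1.2+ context restricted to CIPHERS; no certificate is loaded."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3 and TLS 1.0/1.1
    ctx.set_ciphers(CIPHERS)
    if not server_side:
        # Constructed test client: verification is off so the only thing that
        # can fail is the server having no certificate to present.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_ciphers(ctx):
    """Names of enabled suites that still match a weak-algorithm marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]


def handshake_without_certificate():
    """In-memory handshake against a certificate-less server.

    Returns the server-side error text, or None if the server accepted."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = make_context(False).wrap_bio(c_in, c_out, server_side=False)
    server = make_context(True).wrap_bio(s_in, s_out, server_side=True)
    try:
        client.do_handshake()          # writes the ClientHello into c_out
    except ssl.SSLWantReadError:
        pass
    s_in.write(c_out.read())           # "send" the ClientHello to the server
    try:
        server.do_handshake()
    except ssl.SSLWantReadError:
        return None                    # server accepted and wants more data
    except ssl.SSLError as exc:
        return str(exc)                # no usable suite or certificate
    return None


if __name__ == "__main__":
    print("weak suites still enabled:", weak_ciphers(make_context(True)))
    print("server error:", handshake_without_certificate())
```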