05-11-2006 06:51 PM
SSL help required
I'm implementing a client-server communication mechanism using OpenSSL.
Here I have a server certificate, but I don't have any client certificate.
My question is: if some third party writes an SSL client program using OpenSSL and connects to my server port, will my server accept the connection or not?
I guess the server will accept the request, since it doesn't have any mechanism to validate the client certificate.
How can I prevent this from happening?
Can I implement some challenge-response mechanism?
Is there any algorithm for this in C++?
Regards
Binu
- Tags:
- SSL
05-11-2006 08:49 PM
Re: SSL help required
OpenSSL provides a variety of mechanisms to handle this; check http://www.openssl.org/docs/ for more information. Also, googling your questions should shed some light.
-Arun
05-11-2006 08:51 PM
Re: SSL help required
This is just the first step: the client cannot make any requests before the SSL connection is established. When the client makes a request over that SSL connection, your server should be able to decide whether to accept it or not.
You can accept the connection (to see what the client is asking), but accepting the request should be a completely separate thing. After all, the request could be malformed, maybe even intentionally malformed to attempt an overflow attack against your server.
The client might also request something the server cannot deliver.
You need some way to recognize which clients are authorized and which are not. There are many possible methods: the designer of the software should choose an appropriate method (or several possible methods). Without knowing anything about your project it is impossible to make this choice.
Since you now have a secure SSL connection between your server and the unknown client, even a simple password authentication might be acceptable. If your server might be used with unsecured connections too, a challenge-response mechanism might be better.
A challenge-response mechanism needs to be integrated into the protocol between your client and server, so a generic algorithm would not be very useful. Basically, the challenge-response mechanism means something like this:
1.) The server and the client both know something (a shared secret). The server and client must also both have the same secure hash algorithm (MD5, SHA1...) available. The shared secret might be different for each client, so the client must tell the server who the client claims to be.
2.) The server creates a challenge, sends it to the client and stores a copy of the challenge in memory.
The challenge can be a string of random numbers, a timestamp or anything: the server *must not* use the same challenge twice (to prevent replay attacks).
3a) The client combines the challenge and the shared secret, then creates a hash from the combination using the secure hash algorithm. This is the client's response.
3b) The server performs the same operation using the stored copy of the challenge and the shared secret belonging to this client. This is the expected response.
4.) When the server receives the client's response, it is compared with the expected response. If they match, the client apparently knows the shared secret, and so the server can be confident the client is whoever he claims to be.
It would be wise to make the choice of the hash algorithm configurable, and allow the use of any hash algorithm known to OpenSSL (except ones known to be insecure). MD5 and SHA1 both have some known weaknesses, and it might be necessary to switch to some other algorithm in the future. It would be great if your program could use new algorithms that may become available in future versions of OpenSSL by simply using a newer
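The four steps above, worked through as an added example that is not part of the original reply (the poster asked about C++; this is written in Python using the standard-library `hmac`, `hashlib` and `secrets` modules, which sit on top of OpenSSL's digests). The client names and shared secrets are constructed for the demonstration. Two choices go slightly beyond the reply's description: the "combine challenge and secret, then hash" step is done with HMAC rather than a bare hash of the concatenation, and the response comparison is constant-time. The hash algorithm is selected by name, so any digest the underlying OpenSSL build knows can be configured, as the reply suggests.

```python
import hashlib
import hmac
import secrets

# Constructed shared secrets, one per client identity (step 1).
# In a real deployment these come from configuration, never from source code.
CLIENT_SECRETS = {
    "client-a": b"constructed-shared-secret-for-client-a",
    "client-b": b"constructed-shared-secret-for-client-b",
}


def compute_response(secret, challenge, hash_name):
    """Steps 3a/3b: combine the challenge with the shared secret.

    HMAC is used as the keyed combination (an implementation choice here,
    not something the thread prescribes). hash_name is any digest name
    accepted by hashlib, e.g. "sha256" or "sha1".
    """
    return hmac.new(secret, challenge, hash_name).digest()


class Server:
    """Server side: issues a fresh challenge and checks the response."""

    def __init__(self, secrets_by_client, hash_name="sha256"):
        hashlib.new(hash_name)  # raises ValueError early if the digest is unavailable
        self.hash_name = hash_name
        self.secrets = secrets_by_client
        self.pending = {}           # client_id -> outstanding challenge (step 2)
        self.used_challenges = set()  # challenges are never reused (replay defence)

    def issue_challenge(self, client_id):
        """Step 2: create a random challenge and remember a copy of it."""
        if client_id not in self.secrets:
            raise KeyError("unknown client identity")
        while True:
            challenge = secrets.token_bytes(32)
            if challenge not in self.used_challenges:
                break
        self.used_challenges.add(challenge)
        self.pending[client_id] = challenge
        return challenge

    def verify(self, client_id, response):
        """Steps 3b/4: recompute the expected response and compare.

        The stored challenge is consumed on first use, so a replayed
        response (or a response with no outstanding challenge) is rejected.
        """
        challenge = self.pending.pop(client_id, None)
        if challenge is None:
            return False
        expected = compute_response(self.secrets[client_id], challenge, self.hash_name)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


class Client:
    """Client side: identifies itself and answers the challenge (step 3a)."""

    def __init__(self, client_id, secret, hash_name="sha256"):
        self.client_id = client_id
        self.secret = secret
        self.hash_name = hash_name

    def respond(self, challenge):
        return compute_response(self.secret, challenge, self.hash_name)


def run_exchange(server, client):
    """The full exchange over an already-established connection.

    Returns True when the server accepts the client, False otherwise.
    """
    challenge = server.issue_challenge(client.client_id)  # server -> client
    response = client.respond(challenge)                  # client -> server
    return server.verify(client.client_id, response)


if __name__ == "__main__":
    srv = Server(CLIENT_SECRETS)
    good = Client("client-a", CLIENT_SECRETS["client-a"])
    bad = Client("client-a", b"wrong-secret")
    print("genuine client accepted:", run_exchange(srv, good))
    print("wrong secret accepted:  ", run_exchange(srv, bad))
```

Because the server forgets a challenge as soon as it has been answered, a captured response cannot be presented a second time, and because every challenge is fresh random bytes, a captured response does not match the next challenge either. Running the exchange inside the SSL connection, as the reply recommends, additionally keeps the challenge and response out of a passive observer's reach.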
05-11-2006 09:11 PM
Re: SSL help required
"Since you now have a secure SSL connection between your server and the unknown client, even a simple password authentication might be acceptable. If your server might be used with unsecured connections too, a challenge-response mechanism might be better."
I don't want the server to be used with unsecured connections.
So I suppose the first method which you have described would be good enough.
Can you please give me some hints as to how to do this?
Regards
Binu
05-16-2006 03:01 AM
Re: SSL help required
If I'm going to go for a client certificate,
is it necessary that both the client and server should use the same key and certificate?
I tried with the client and server using a different set of key/certificate. In that case it was giving me an error...
Only when both client and server were using the same set of key and certificate was it working.
If that is the case (i.e. if both client and server should use the same key and certificate) then we need not do any challenge-response, right?
Binu