
Re: Problems with SSL certification on openldap 2.1.3

Hi Tony

I understand that and I'm pretty close to getting things working the way I 
would like. Another doubt I have is: if there is a server key, but I 
haven't generated any key for my client with SSL, is the connection 
encrypted, or is the server signing the message with its private key and I 
am reading it using its public key, so that I can only be sure that it was the 
sender, but everyone else can read that message too, since it can be 
decrypted with its publicly available key?

Am I supposed to create keys for every machine on my network? I think so. 
How can I verify whether all the traffic is encrypted or just validated by 
the server?

Thanks for your help

Eduardo

On 16 Aug 2002, Tony Earnshaw wrote:

> Fri, 2002-08-16 at 20:59, Eduardo Fernandes Piva wrote:
> 
> > TLS_CACERT /usr/share/ssl/certs/ca.cert
>  
> > Is there any way to use SSL without my clients needing to do that? It's a 
> > private network and I'm using self-signed certificates.
> 
> The whole point about a CA certificate is that it MUST be available to
> the clients. Otherwise, what warranty does the client have that the
> server is who it says it is? That's what the certificate is for. It is
> from one who guarantees that the "bearer" is bona fide, like a passport
> or a driver's license.
> 
> The only certificate that the clients MUST not see is the server's
> private key, since that's the basis for the server's encryption and
> message digests.
> 
> Openssl, as well as browsers such as Netscape, Mozilla, and MS Explorer,
> are delivered with a list of certificates from known Certificate
> Authorities. You yourself can view the browser certs in the browser
> itself. But you can't find your own self-signed CA certificate there,
> unless you import it first (which you have the choice of doing). If you
> import it, you're saying as much as "I trust the issuer".
> 
> You can't view the CA certificates in Openssl, since they're hard coded
> in - but if you compile your own Openssl, you'll see, near the end of
> the compile, a list of the built-in certs it has.
> 
> A good info site used to be the South African Thawte, but since it's
> been taken over by Verisign, it's turned into a kind of street booth.
> You could try www.rsasecurity.com - and read the PKI FAQ. You'll need
> that anyway, if you're serious about encryption :-)
> 
> Best,
> 
> Tony
> 

-- 
Eduardo Fernandes Piva
eduardo@las.ic.unicamp.br