Re: Problems with SSL certification on openldap 2.1.3
Hi Tony
I understand that, and I'm pretty close to getting things working the way I would
like them to work. Another doubt I have is this: if there is a server key, but
I haven't generated any key for my client with SSL, is the connection
encrypted, or is the server signing the message with its private key while I
am reading it using its public key, so that I can just be sure that it was the
sender but everyone else can read that message too, since it can be
decrypted with its publicly available key?
Am I supposed to create keys for every machine on my network? I think yes.
How can I verify whether all the traffic is encrypted, or just validated by
the server?
Thanks for your help
Eduardo
On 16 Aug 2002, Tony Earnshaw wrote:
> On Fri, 2002-08-16 at 20:59, Eduardo Fernandes Piva wrote:
>
> > TLS_CACERT /usr/share/ssl/certs/ca.cert
>
> > Is there any way to use SSL without my clients needing to do that? It's a
> > private network and I'm using self-signed certificates.
>
> The whole point about a CA certificate is that it MUST be available to
> the clients. Otherwise, what warranty does the client have that the
> server is who it says it is? That's what the certificate is for. It is
> from one who guarantees that the "bearer" is bona fide, like a passport
> or a driver's license.
>
> The only certificate that the clients MUST not see is the server's
> private key, since that's the basis for the server's encryption and
> message digests.
>
> Openssl, as well as browsers such as Netscape, Mozilla, and MS Explorer,
> are delivered with a list of certificates from known Certificate
> Authorities. You yourself can view the browser certs in the browser
> itself. But you can't find your own self-signed CA certificate there,
> unless you import it first (which you have the choice of doing). If you
> import it, you're saying as much as "I trust the issuer".
>
> You can't view the CA certificates in Openssl, since they're hard coded
> in - but if you compile your own Openssl, you'll see, near the end of
> the compile, a list of the built-in certs it has.
>
> A good info site used to be the South African Thawte, but since it's
> been taken over by Verisign, it's turned into a kind of street booth.
> You could try www.rsasecurity.com - and read the PKI FAQ. You'll need
> that anyway, if you're serious about encryption :-)
>
> Best,
>
> Tony
>
--
Eduardo Fernandes Piva
eduardo@las.ic.unicamp.br
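A client-side check for the questions raised in this thread, added here as an example and not part of the original exchange: the TLS session is encrypted whether or not the client has a key of its own, but only a CA certificate plus a strict TLS_REQCERT setting lets the client verify who the server is. It assumes the standard OpenLDAP client options TLS_CACERT and TLS_REQCERT, and the hostnames in the comments are placeholders.

```shell
#!/bin/sh
# Audit an OpenLDAP client ldap.conf for the two settings that decide
# whether the client actually verifies the server certificate.

# Print the effective TLS_REQCERT value (OpenLDAP's default is "demand").
tls_reqcert() {
    val=$(awk 'toupper($1)=="TLS_REQCERT" {v=$2} END {print v}' "$1")
    if [ -n "$val" ]; then echo "$val"; else echo demand; fi
}

# Print "ok" when the config names a CA cert and demands verification,
# otherwise a short reason. Without a CA file the session is still
# encrypted, but the client cannot tell the real server from an impostor.
audit_ldap_conf() {
    ca=$(awk 'toupper($1)=="TLS_CACERT" {v=$2} END {print v}' "$1")
    req=$(tls_reqcert "$1")
    if [ -z "$ca" ]; then
        echo "no TLS_CACERT: server identity cannot be verified"
    else
        case "$req" in
            demand|hard) echo ok ;;
            *) echo "TLS_REQCERT $req: unverified servers are accepted" ;;
        esac
    fi
}

# Constructed sample configs, written to temporary files.
tmp=${TMPDIR:-/tmp}/ldapconf.$$
mkdir -p "$tmp"
printf 'TLS_CACERT /usr/share/ssl/certs/ca.cert\nTLS_REQCERT demand\n' > "$tmp/good.conf"
printf 'TLS_CACERT /usr/share/ssl/certs/ca.cert\nTLS_REQCERT never\n' > "$tmp/weak.conf"
printf 'URI ldap://ldap.example.com\n' > "$tmp/none.conf"

for f in good weak none; do
    printf '%s: %s\n' "$f" "$(audit_ldap_conf "$tmp/$f.conf")"
done
rm -rf "$tmp"

# To confirm encryption (negotiated cipher) and verification ("Verify
# return code: 0 (ok)") against a live server, use openssl directly:
#   openssl s_client -connect ldap.example.com:636 \
#       -CAfile /usr/share/ssl/certs/ca.cert < /dev/null
# ldapsearch -ZZ refuses to continue if StartTLS cannot be negotiated:
#   ldapsearch -ZZ -x -H ldap://ldap.example.com -b '' -s base
```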