Re: SSL/TLS - am I doing it right?



"Frank Millman" <frank@xxxxxxxxxxxx> writes:
> What I have not understood is how to prevent this. How can the client
> distinguish between a valid server and a fraudulent one? If it obtains
> the server credentials dynamically, the fraudulent server can supply
> fraudulent credentials. If somehow the client must know in advance what
> the credentials are, then these can only be as secure as the parameter
> that tells the client how to connect in the first place.

The client and the server each need to know the public key of the
"certificate authority" (or CA) that issued the root of the chain of
certificates that the other side presents. For a public server you'd
use a commercial CA. For a local network you could run your own CA;
for example, OpenSSL (www.openssl.org) comes with a simple Perl script
that acts as a rudimentary CA.

Note that TLSLite at the moment doesn't know how to authenticate
certificate chains all by itself without external libraries. I didn't
look at your code sample closely enough to figure out whether you were
using OpenSSL or M2Crypto in a way that takes care of that.

> I am sure I am missing the point somewhere. Any advice, or links to
> literature that explain this in more detail, will be much appreciated.

This might help:

http://www.modssl.org/docs/2.8/ssl_intro.html
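The point made above, that the client must be given the CA's public key in advance and then check that the server's certificate chains to it, can be shown end to end with Python's standard ssl module. The following is an added example, not code from the thread or from TLSLite/M2Crypto; it assumes the openssl command-line tool is on PATH and uses it to mint throw-away keys and certificates in a temporary directory ("our-ca", "rogue-ca", "localhost" are constructed names). It connects three times: to a genuine server whose certificate was issued by the trusted CA, to an impostor whose certificate for the same hostname was issued by a CA the client does not trust, and to that impostor again with verification switched off, which is the weak setting that lets a fraudulent server's "fraudulent credentials" through.

```python
"""Added example (not from the thread): a client that trusts only one CA certificate
handed to it in advance, tested against a genuine server and an impostor.
Assumes the `openssl` binary is on PATH; all key material is constructed here."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_ca(workdir, name):
    """Self-signed CA; the .crt is the CA public key the client must know in advance."""
    key, crt = os.path.join(workdir, f"{name}.key"), os.path.join(workdir, f"{name}.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", f"/CN={name}", "-keyout", key, "-out", crt)
    return key, crt


def issue_server_cert(workdir, ca_key, ca_crt, hostname):
    """Server key pair plus a certificate for `hostname` signed by the given CA."""
    os.makedirs(workdir, exist_ok=True)
    key, csr, crt, ext = (os.path.join(workdir, n) for n in ("s.key", "s.csr", "s.crt", "s.ext"))
    with open(ext, "w") as f:  # extensions a strict verifier expects on a leaf certificate
        f.write(f"subjectAltName=DNS:{hostname}\nbasicConstraints=CA:FALSE\n"
                "keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n"
                "subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n")
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={hostname}",
             "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-days", "1", "-extfile", ext, "-out", crt)
    return key, crt


def serve_once(server_key, server_crt):
    """One-shot TLS server on 127.0.0.1 that sends 'hello'; returns (port, thread)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def run():
        conn, _ = lsock.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
        except OSError:
            pass  # the client aborted the handshake because it rejected our certificate
        finally:
            lsock.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return lsock.getsockname()[1], t


def connect(port, ca_crt, hostname="localhost", verify=True):
    """Client side. With verify=True the server's chain must lead to ca_crt and the
    certificate must name `hostname`; with verify=False any certificate is accepted."""
    ctx = ssl.create_default_context(cafile=ca_crt)  # CERT_REQUIRED + hostname check
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.recv(16).decode()
    except ssl.SSLCertVerificationError as e:
        return f"rejected: {e.reason}"


def demo():
    """Outcome of the three connections, keyed by scenario."""
    with tempfile.TemporaryDirectory() as d:
        ca_key, ca_crt = make_ca(d, "our-ca")          # the CA the client is told to trust
        rogue_key, rogue_crt = make_ca(d, "rogue-ca")  # a CA run by someone else
        good = issue_server_cert(os.path.join(d, "good"), ca_key, ca_crt, "localhost")
        fake = issue_server_cert(os.path.join(d, "fake"), rogue_key, rogue_crt, "localhost")
        out = {}
        for label, (key, crt), verify in [("genuine", good, True),
                                          ("impostor", fake, True),
                                          ("impostor_unverified", fake, False)]:
            port, t = serve_once(key, crt)
            out[label] = connect(port, ca_crt, verify=verify)
            t.join(5)
        return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:20s} {result}")
```

The genuine server yields "hello", the impostor is rejected during the handshake with CERTIFICATE_VERIFY_FAILED even though its certificate carries the right hostname, and the same impostor is accepted once verification is disabled. Note that `ca_crt` is a file the client reads from disk, not something fetched from the server, which is exactly why it has to be distributed as carefully as the connection parameters themselves.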


