> As for using server certificates and/or client certificates: it really
> depends on the application. With TLS, both endpoints of the connection
> *can* identify themselves with a certificate. In general it makes sense
> to use a certificate to have the client verify the identity of the
> server. If the server should only accept connections from trusted
> users/devices, you could use client certificates too. On the other hand,
> if the server accepts anonymous connections, there is nothing to be
> gained from verifying the client certificates so you're better off not
> asking for them in the first place.

It is a server/client TCP communication. I'll use by port of SSL, although TLS should also work. Our server should only accept connections from our trusted client of devices, so I should use the client certificates.
Could you elaborate on the circumstances in which "if the server accepts anonymous connections" is possible? The server does not know who requests a connection from the SSL port, but the server will accept the connections if the client certificate and key are valid. I thought that as long as SSL is used, the server can only accept trusted connections, so I do not quite understand if the server could accept untrusted anonymous connections.
Thanks
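
The distinction drawn in the quoted reply, as an added Go example (not code from this thread or from any SSL library it refers to): a server that only presents its own certificate completes the handshake with a client that has no certificate, while a server that requires client certificates from a trusted pool refuses that same client. The names `identity`, `serverVerdict`, `server.test` and `device-01` are assumptions, and the certificates are constructed throwaway ones generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity returns a constructed, throwaway self-signed cert and a pool trusting it (errors ignored).
func identity(cn string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// serverVerdict runs one handshake over loopback TCP; nil means the server accepted the client.
func serverVerdict(srv, cli *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), cli) // client side; only the server's verdict is reported
	conn, err := ln.Accept()
	if err != nil {
		return err
	}
	defer conn.Close()
	return conn.(*tls.Conn).Handshake()
}

func main() {
	srv, srvCA := identity("server.test")
	dev, devCA := identity("device-01")
	anon := &tls.Config{RootCAs: srvCA, ServerName: "server.test"} // verifies the server, presents nothing
	known := &tls.Config{RootCAs: srvCA, ServerName: "server.test", Certificates: []tls.Certificate{dev}}
	open := &tls.Config{Certificates: []tls.Certificate{srv}} // ClientAuth defaults to tls.NoClientCert
	strict := &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: devCA, ClientAuth: tls.RequireAndVerifyClientCert}
	fmt.Println(serverVerdict(open, anon), serverVerdict(strict, anon), serverVerdict(strict, known))
}
```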