On 26 February 2017 at 01:32, jupiter <jupiter.hce@gmail.com> wrote:

It is a server / client TCP communication, I'll use by port of SSL although the TLS should also work. Our server should only accept connections from our trusted client of devices, so I should use the client certificates.

In that scenario it does indeed make sense to use both client and server certificates and have each side of the connection verify the certificate of the other endpoint.

SSL is a deprecated standard. TLS is the successor of SSL. Most programs/libraries nowadays support TLS even if the API or configuration uses the name SSL everywhere. Judging from the ASIO docs, it supports TLS (though not version 1.3):
http://www.boost.org/doc/libs/1_63_0/doc/html/boost_asio/reference.html#boost_asio.reference.ssl__context

Could you elaborate in what circumstance that is possible "if the server accepts anonymous connections"? The server does not know who requests a connection from the SSL port, but the server will accept the connections if the client certificate and key are valid. I thought as long as the SSL is used, the server can only accept trusted connections, so I am not quite understand if the server could accepts an untrusted anonymous connections.

By anonymous connection I mean an unauthenticated connection. If the server requires the client to present a valid certificate, you have a form of authentication so the connections are not anonymous.

You may wish to read some TLS best practises written by others who know more about it then me:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

Maarten