Thanks Maarten, appreciate your kind explanations and links.

On Mon, Feb 27, 2017 at 3:49 AM, Maarten de Vries <maarten@de-vri.es> wrote:


On 26 February 2017 at 01:32, jupiter <jupiter.hce@gmail.com> wrote:


It is a server / client TCP communication, and I'll use the SSL port, although TLS should also work. Our server should only accept connections from our trusted client devices, so I should use client certificates.

In that scenario it does indeed make sense to use both client and server certificates and have each side of the connection verify the certificate of the other endpoint.

SSL is a deprecated standard. TLS is the successor of SSL. Most programs/libraries nowadays support TLS even if the API or configuration uses the name SSL everywhere. Judging from the ASIO docs, it supports TLS (though not version 1.3):
http://www.boost.org/doc/libs/1_63_0/doc/html/boost_asio/reference.html#boost_asio.reference.ssl__context

Could you elaborate on the circumstances in which that is possible, "if the server accepts anonymous connections"? The server does not know who requests a connection on the SSL port, but the server will accept the connection if the client certificate and key are valid. I thought that as long as SSL is used, the server can only accept trusted connections, so I do not quite understand whether the server could accept untrusted anonymous connections.

By anonymous connection I mean an unauthenticated connection. If the server requires the client to present a valid certificate, you have a form of authentication so the connections are not anonymous.

You may wish to read some TLS best practices written by others who know more about it than me:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

--
Maarten
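The mutual-TLS setup Maarten describes (each side verifying the other, TLS rather than SSL), together with the "anonymous connection" case he distinguishes, as an added example that is not part of the thread. It uses Python's standard-library ssl module instead of Boost.Asio, since both sit on OpenSSL and expose the same verify flags; the PEM file paths are placeholders.

```python
"""Mutual TLS policy for a device-to-server link, using Python's stdlib ssl module
(OpenSSL-backed, so the verify flags match those Boost.Asio's ssl::context exposes).
Constructed example: the PEM paths are placeholders, not files from the thread."""
import ssl

CA_FILE = "peer-ca.pem"       # placeholder: CA that issued the peer's (e.g. device) certificates
CERT_FILE = "local-cert.pem"  # placeholder: this endpoint's own certificate chain
KEY_FILE = "local-key.pem"    # placeholder: this endpoint's private key

def server_policy(require_client_cert: bool = True) -> ssl.SSLContext:
    """Server context: TLS 1.2+; by default a client without a valid cert is refused.
    require_client_cert=False still encrypts, but any client can connect: that is the
    'anonymous' (unauthenticated) connection discussed above."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3 and TLS 1.0/1.1 are deprecated
    # CERT_REQUIRED maps to OpenSSL VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT: a client
    # presenting no certificate fails the handshake. CERT_OPTIONAL (VERIFY_PEER alone)
    # checks a certificate only if one is offered, so certificate-less clients get in.
    ctx.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE
    return ctx

def client_policy() -> ssl.SSLContext:
    """Client context: verifies server cert and hostname (the defaults), TLS 1.2+."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def load_identity(ctx, ca_file=CA_FILE, cert_file=CERT_FILE, key_file=KEY_FILE):
    """Both ends of a mutual-TLS link trust the peer's CA and present their own cert."""
    ctx.load_verify_locations(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def accepts_anonymous_peers(ctx) -> bool:
    """True if a peer may complete the handshake without presenting a certificate."""
    return ctx.verify_mode != ssl.CERT_REQUIRED

def allows_deprecated_versions(ctx) -> bool:
    """True if the context would still negotiate TLS 1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2

if __name__ == "__main__":
    for name, ctx in (("strict server", server_policy()),
                      ("lax server", server_policy(require_client_cert=False)),
                      ("client", client_policy())):
        print(f"{name}: anonymous={accepts_anonymous_peers(ctx)}, "
              f"deprecated={allows_deprecated_versions(ctx)}")
```

Call load_identity() on each context with real PEM files before wrapping a socket; the policy functions alone only fix the verification and version settings.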