Boost logo

Boost :

From: Christoph Ludwig (ludwig_at_[hidden])
Date: 2006-06-15 14:33:00


On Thu, Jun 15, 2006 at 02:56:52PM +0200, Christopher Kohlhoff wrote:
> Scott <cheesy4poofs_at_[hidden]> wrote:
> > I basically just want a simple encrypted tcp stream, with a
> > minimal of fuss. I don't need certificates (at least I don't
> > think I do). All I want is the server and client to generate
> > keys on startup automatically and use those keys to negotiate
> > the symmetric cypher during handshaking. If there's an easy
> > way to hook that up, please let me know.

In general, if you don't use at least server authentication, then you are
vulnerable to Man in the Middle attacks.

> > The example client/server SSL seems unwieldy. It actually
> > makes you type a pass phrase when the server starts. I really
> > don't want that.
>
> According to the O'Reilly OpenSSL book, the passphrase is used to
> protect the private key if it's in PEM format. Private key files
> that use the ASN.1 format are not encrypted, so if you use one
> of these you shouldn't be prompted for a passphrase.

Both the DER und the PEM format of OpenSSL private keys files
are ASN.1 data - they only differ in their encoding. The Distinguished
Encoding Rules <URL:http://en.wikipedia.org/wiki/DER> define just one of
several methods to encode ASN.1 data in binary format. PEM files contain the
same data as their DER equivalents, but additionally Base64 encoded (whence
you can treat them as ASCII text) and put in between informative header /
footer lines. (The actual ASN.1 structure of the key files is defined by RSA's
PKCS#1 and PKCS#8 specifications.)

Christoph

-- 
FH Worms - University of Applied Sciences
Fachbereich Informatik / Telekommunikation
Erenburgerstr. 19, 67549 Worms, Germany

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk