|
|
Boost Users : |
Subject: Re: [Boost-users] Generate SSL certificate, chain file, dh and key for boost::asio::ssl::context
From: jupiter (jupiter.hce_at_[hidden])
Date: 2017-02-26 00:32:28
> As for using server certificates and/or client certificates: it really
depends on the application. With TLS, both endpoints of the
> connection *can* identify themselves with a certificate. In general it
makes sense to use a certificate to have the client verify
> the identity of the server. If the server should only accept connections
from trusted users/devices, you could use client
> certificates too. On the other hand, if the server accepts anonymous
connections, there is nothing to be gained from verifying
> the client certificates so you're better off not asking for them in the
first place.
It is a server / client TCP communication, I'll use by port of SSL although
the TLS should also work. Our server should only accept connections from
our trusted client of devices, so I should use the client certificates.
Could you elaborate in what circumstance that is possible "if the server
accepts anonymous connections"? The server does not know who requests a
connection from the SSL port, but the server will accept the connections if
the client certificate and key are valid. I thought as long as the SSL is
used, the server can only accept trusted connections, so I am not quite
understand if the server could accepts an untrusted anonymous connections.
Thanks
On Sun, Feb 26, 2017 at 12:45 AM, Maarten de Vries <maarten_at_[hidden]>
wrote:
> Hey,
>
> On 25 February 2017 at 12:37, jupiter via Boost-users <
> boost-users_at_[hidden]> wrote:
>
>> I think I can use openssl to generate those self signed files, correct? I
>> saw some programs use 4 use_certificate_chain_file, use_certificate_file,
>> use_private_key_file and use_tmp_dh_file in both server and client sites,
>> but I also saw some test program only use one ca.pem in client site and 3
>> use_certificate_chain_file, use_private_key_file and use_tmp_dh_file in
>> server site, which is correct or better? Any guideline?
>>
>>
> Yes, you can use openssl to generate self signed certificates​. If you
> need to, you can also easily get widely trusted certificates for free from
> letsencrypt.
>
> As for using server certificates and/or client certificates: it really
> depends on the application. With TLS, both endpoints of the connection
> *can* identify themselves with a certificate. In general it makes sense to
> use a certificate to have the client verify the identity of the server. If
> the server should only accept connections from trusted users/devices, you
> could use client certificates too. On the other hand, if the server accepts
> anonymous connections, there is nothing to be gained from verifying the
> client certificates so you're better off not asking for them in the first
> place.
>
> -- Maarten
>
Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net