
Subject: Re: [Boost-users] Generate SSL certificate, chain file, dh and key for boost::asio::ssl::context
From: Maarten de Vries (maarten_at_[hidden])
Date: 2017-02-26 16:49:23


On 26 February 2017 at 01:32, jupiter <jupiter.hce_at_[hidden]> wrote:

>
>
> It is a server / client TCP communication, I'll use by port of SSL
> although the TLS should also work. Our server should only accept
> connections from our trusted client of devices, so I should use the client
> certificates.
>

In that scenario it does indeed make sense to use both client and server
certificates and have each side of the connection verify the certificate of
the other endpoint.

SSL is a deprecated standard. TLS is the successor of SSL. Most
programs/libraries nowadays support TLS even if the API or configuration
uses the name SSL everywhere. Judging from the ASIO docs, it supports TLS
(though not version 1.3):
http://www.boost.org/doc/libs/1_63_0/doc/html/boost_asio/reference.html#boost_asio.reference.ssl__context

> Could you elaborate in what circumstance that is possible "if the server
> accepts anonymous connections"? The server does not know who requests a
> connection from the SSL port, but the server will accept the connections if
> the client certificate and key are valid. I thought as long as the SSL is
> used, the server can only accept trusted connections, so I do not quite
> understand if the server could accept untrusted anonymous connections.
>

By anonymous connection I mean an unauthenticated connection. If the
server requires the client to present a valid certificate, you have a form
of authentication so the connections are not anonymous.

You may wish to read some TLS best practices written by others who know
more about it than me:
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

--
Maarten


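As an added example (not part of the original thread, and not Boost.Asio's or the poster's own code), here is a POSIX shell script that produces the files the subject line asks for with the openssl CLI: a private CA, a server certificate plus chain file, a client certificate, and DH parameters. It then shows what "valid client certificate" means in practice: a certificate only passes if it chains to our CA *and* is marked for client use, so a self-signed certificate from an unknown device, or a server certificate replayed as a client certificate, is rejected. It assumes OpenSSL 1.1.0 or newer on PATH; every name (Example Device CA, device-server, device-client, rogue-device, the file names) is made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Boost: a small private PKI for
# mutual TLS built with the openssl CLI (assumes OpenSSL 1.1.0+; names made up).
set -eu

# One extension section per role. keyUsage/extendedKeyUsage keep the CA, server
# and client certificates distinct, so a server cert cannot pose as a client cert.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[dn]
CN = overridden by -subj

[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[server_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:localhost, IP:127.0.0.1

[client_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue DIR CFG NAME SECTION: fresh RSA key + CSR for CN=device-NAME, signed by
# DIR/ca.key with the extensions from SECTION. Writes DIR/NAME.{key,csr,crt}.
issue() {
  idir=$1 icfg=$2 iname=$3 isect=$4
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$icfg" \
    -subj "/CN=device-$iname" -keyout "$idir/$iname.key" -out "$idir/$iname.csr" 2>/dev/null
  openssl x509 -req -in "$idir/$iname.csr" -CA "$idir/ca.crt" -CAkey "$idir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$icfg" -extensions "$isect" \
    -out "$idir/$iname.crt" 2>/dev/null
}

# make_pki DIR: CA, server and client certificates, the server chain file, and a
# self-signed "rogue" client certificate that our CA never issued (constructed
# here purely as the negative test case).
make_pki() {
  dir=$1 cfg=$1/pki.cnf
  mkdir -p "$dir"
  write_openssl_cnf "$cfg"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$cfg" \
    -subj "/CN=Example Device CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  issue "$dir" "$cfg" server server_ext
  issue "$dir" "$cfg" client client_ext
  # Chain file for use_certificate_chain_file: leaf first, then the issuing CA(s).
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/server-chain.pem"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 -config "$cfg" \
    -extensions client_ext -subj "/CN=rogue-device" \
    -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
}

# make_dh DIR: parameters for DHE suites (use_tmp_dh_file). -dsaparam is used only
# because it is fast; for production generate `openssl dhparam -out dh.pem 2048`
# offline, or rely on ECDHE suites, which need no dh file at all.
make_dh() {
  openssl dhparam -dsaparam -out "$1/dh.pem" 2048 2>/dev/null
}

# verify_cert CA CERT PURPOSE: exit 0 iff CERT chains to CA and is valid for
# PURPOSE (sslclient or sslserver), i.e. what a correctly configured peer accepts.
verify_cert() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# chain_leaf_subject CHAIN: subject of the first certificate in a chain file. It
# must be the leaf, otherwise use_certificate_chain_file serves the wrong cert.
chain_leaf_subject() {
  openssl x509 -in "$1" -noout -subject
}

report() {  # report CA CERT PURPOSE REASON
  if verify_cert "$1" "$2" "$3"; then echo "accept: $(basename "$2") as $3"
  else echo "reject: $(basename "$2") as $3 ($4)"; fi
}

demo() {
  out=$(mktemp -d)
  make_pki "$out"
  make_dh "$out"
  report "$out/ca.crt" "$out/server.crt" sslserver "-"
  report "$out/ca.crt" "$out/client.crt" sslclient "-"
  report "$out/ca.crt" "$out/rogue.crt"  sslclient "not issued by our CA"
  report "$out/ca.crt" "$out/server.crt" sslclient "EKU is serverAuth only"
  echo "chain leaf: $(chain_leaf_subject "$out/server-chain.pem")"
  echo "files left in $out"
}
demo
```

On the Boost.Asio side the files map onto the ssl::context calls the thread is about: the server loads ca.crt with load_verify_file, server-chain.pem with use_certificate_chain_file, server.key with use_private_key_file(..., context::pem), optionally dh.pem with use_tmp_dh_file, and sets set_verify_mode(verify_peer | verify_fail_if_no_peer_cert). Without verify_fail_if_no_peer_cert a client that simply presents no certificate is still let through, which is exactly the "anonymous connection" case discussed above. The client uses verify_peer, the same ca.crt, its own client.crt/client.key, and should also check the server name (e.g. set_verify_callback(ssl::rfc2818_verification("localhost")) in the Asio version referenced in the thread).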

Boost-users list run by williamkempf at hotmail.com, kalb at libertysoft.com, bjorn.karlsson at readsoft.com, gregod at cs.rpi.edu, wekempf at cox.net