Subject: Re: [Boost-users] Regarding certificate verification using Asio
From: Damian Jarek (damian.jarek93_at_[hidden])
Date: 2018-11-05 12:21:28
Hi David,
In order to establish trust without the use of PKI you need some method of
secure, out-of-band communication, e.g. go and manually install the
self-signed certificate in a client's keystore. If you expect to have
multiple servers and multiple certificates, you should generate your own CA
and add the CA's certificate to the list of trusted root CAs. Note that if
this is for an organization (e.g. a server that sits on an intranet) you
should also consider setting up an OCSP server when configuring the CA, so
that you can safely perform certificate revocation in the future.
Security tip: If you go the custom CA route, remember that you don't need
to put the CA private key on the server!
On Mon, Nov 5, 2018 at 10:38 AM David Demelier via Boost-users <
boost-users_at_[hidden]> wrote:
> Hello,
>
> This is more a general question about certificate verification in SSL
> contexts. I hope this is not too much off-topic.
>
> I know how asymmetric encryption works, but I never dug much into the
> process of certificate verification.
>
> I know how certificate checks are made with browsers: the server must
> have a certificate signed by a trusted CA. But then, I must admit that I
> don't know much more. For example, a lot of Linux package managers use
> package signing to be sure that downloaded packages are correctly built
> by the vendor. But this is another topic, I guess.
>
> Now, for example, I would like to create my own server process and my
> own client. They are not open to the internet, so no need to buy trusted
> authority certificates.
>
> So by generating a self-signed certificate and a private key file, the
> server can run.
>
> The question is: how can the client be sure that it is connecting to the
> right server? Does this client need to have the same certificate on its
> local machine and use it? If yes, should I use
> ssl::context::load_verify_file and ssl::verify_peer and I'm done?
>
> If you have some resources to advise me on the certificate check
> mechanisms, please share them.
>
> Regards
>
> --
> David
> _______________________________________________
> Boost-users mailing list
> Boost-users_at_[hidden]
> https://lists.boost.org/mailman/listinfo.cgi/boost-users
>
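The custom-CA route from the reply above, together with the client-side check David asks about (trust a CA file, then verify the peer), worked through with the openssl CLI as an added example that is not part of the thread; the function names, directory layout and host name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): the "custom CA" route from the reply, driven
# with the openssl CLI. make_pki, verify_server, the directory layout and the host
# name are all constructed for this demo.

# make_pki DIR HOST
# Creates a private CA and a server certificate signed by it. The CA private key is
# written only under DIR/ca; nothing under DIR/server needs it, which is the point of
# the security tip above: the server gets server.key + server.pem, never ca.key.
make_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir/ca" "$dir/server"
    # 1. The CA itself: self-signed. Only ca.pem is distributed to clients.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.pem" \
        -subj "/CN=Example Internal CA" >/dev/null 2>&1 || return 1
    # 2. The server: its own key plus a signing request (not self-signed).
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server/server.key" -out "$dir/server/server.csr" \
        -subj "/CN=$host" >/dev/null 2>&1 || return 1
    # 3. Sign the request with the CA. The SAN is what host-name checks match on.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server/san.cnf"
    openssl x509 -req -in "$dir/server/server.csr" \
        -CA "$dir/ca/ca.pem" -CAkey "$dir/ca/ca.key" -CAcreateserial -days 30 \
        -extfile "$dir/server/san.cnf" -out "$dir/server/server.pem" >/dev/null 2>&1
}

# verify_server CAFILE CERT HOST
# What a client does with the CA certificate in its trust store: build the chain from
# CERT to CAFILE and check that CERT is valid for HOST. Returns 0 only if both hold.
# A cert signed by some other CA, or issued for another host, is rejected.
verify_server() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
```

On the Asio side the same check is ssl::context::load_verify_file on ca.pem, set_verify_mode(ssl::verify_peer) and a verify callback such as ssl::host_name_verification (Boost 1.73 and later; ssl::rfc2818_verification in older releases).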