Subject | Re: [Firebird-Architect] RC4 |
---|---|
Author | Olivier Mascia |
Post date | 2010-11-15T14:05:13Z |
On 15 Nov 2010, at 14:07, Alex Peshkoff wrote:
>> Ok, that's trash and dirty uncompilable code as is, but very close to be. Client code is similar though much shorter. It goes with an SSL_connect call after the socket connect() call, obviously.
>
> Oliver, do we need .pem or some other file at client site? Or maybe we
> need to access trusted authority center using internet?

It all depends on what you want to do. If you want the server to expose a certificate which was obtained / purchased from a well-known certification authority and want the client to check that the certificate presented by the server is indeed signed by one of these certification authorities, then you have to let the client site check the certificate chain up to the root and validate it trusts the root. For that it obviously needs a list of root certificates that it trusts. This is what web browsers do. Some do rely on some trusted list of root certificates exposed by the OS itself, that is the case with IE on Windows for instance. What about Linux?
Now let's consider real cases. Who will buy a certificate from a known authority for his Firebird server? I won't. If the client sites know the server to which they should connect they could have a very short list of well-known roots: the self-signed server certificate itself and nothing else.
If the client site doesn't care about checking the identity of the server it connects to, then no certificate stuff is needed at the client site, but man-in-the-middle attacks are of course possible. Once the session is engaged and *if* the server you're talking to is the right one, all is well and you can talk privately over that encrypted channel.
Some usages of SSL go a step further: they use client-side certificates to identify the client to the server so the server, too, knows who it is talking to.
—
Olivier Mascia
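
Added example, not part of the original message or of Firebird's code: the two client setups described above (a trust list holding only the server's self-signed certificate, and no verification at all), run against a genuine server and a look-alike through an in-memory TLS handshake. It assumes Python 3.7+ and an `openssl` CLI (1.1.1 or later) on the PATH; the host name `fbserver.example`, the file names and all function names are constructed for the illustration.

```python
import os, ssl, subprocess, tempfile

def make_self_signed(directory, name, host):
    """Create a throwaway self-signed cert and key with the openssl CLI (constructed data)."""
    crt, key = (os.path.join(directory, name + ext) for ext in (".pem", ".key"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + host, "-addext", "subjectAltName=DNS:" + host,
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def client_context(pinned_cert=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # trust store starts empty
    if pinned_cert:
        ctx.load_verify_locations(cafile=pinned_cert)  # the only trusted root
    else:
        ctx.check_hostname = False       # no identity check: the channel is
        ctx.verify_mode = ssl.CERT_NONE  # encrypted, but to whoever answers
    return ctx

def client_accepts(client_ctx, server_crt, server_key, host):
    """Handshake between two in-memory endpoints; True if the client accepts the server."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(server_crt, server_key)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=host)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(10):
        for side in (client, server):
            try:
                side.do_handshake()
                if side is client:
                    return True  # certificate verified, client side finished
            except ssl.SSLWantReadError:
                pass  # needs more bytes from the peer
            except ssl.SSLCertVerificationError:
                return False  # client refused the server certificate
            for src, dst in ((c_out, s_in), (s_out, c_in)):
                if src.pending:
                    dst.write(src.read())
    return False

def demo(host="fbserver.example"):  # constructed host name
    with tempfile.TemporaryDirectory() as d:
        real, fake = (make_self_signed(d, n, host) for n in ("real", "fake"))
        return {"pinned_real": client_accepts(client_context(real[0]), *real, host),
                "pinned_fake": client_accepts(client_context(real[0]), *fake, host),
                "unverified_fake": client_accepts(client_context(), *fake, host)}

if __name__ == "__main__":
    print(demo())
```

The look-alike certificate carries the same name as the genuine one, so only the pinned trust list tells them apart; the unverifying client completes the handshake with either.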