Regarding certificate verification using Asio
Hello, This is more a general question about certificates verification in SSL contexts. I hope this is not too much offtopic. I know how asymmetric encryption works, but I never dig a lot into the process of certificates verification. I know how certificate checks are made with browsers, the server must have a certificate signed by a trusted CA. But then, I must admit that I don't know many more. For example, A lot of Linux package managers use package signing to be sure that packages downloaded are correctly built from the vendor. But this is another topic I guess. Now, for example, I would like to create my own server process and my own client. They are not open to the internet, so no need to buy trusted authority certificates. So by generating self-signed certificate and private key file. The server can run. The question is: how the client be sure that it is connecting to the right server? Do this client needs to have the same certificate on its local machine and use it? If yes, should I use ssl::context::load_verify_file and ssl::verify_peer and I'm done? If you have some resources to advice me on the certificate check mechanisms, please give me. Regards -- David
Hi David, In order to establish trust without the use of PKI you need some method of secure, Out of Band communication, e.g. go and manually install the self-signed certificate in a client's keystore. If you expect to have multiple servers and multiple certificates, you should generate your own CA and add the CA's certificate to the list of trusted root CAs. Note that if this is for an organization (e.g. a server that sits on an intranet) you should also consider setting up an OCSP server when configuring the CA, so that you can safely perform certificate revocation in the future. Security tip: If you go the custom CA route, remember that you don't need to put the CA private key on the server! On Mon, Nov 5, 2018 at 10:38 AM David Demelier via Boost-users < boost-users@lists.boost.org> wrote:
Hello,
This is more a general question about certificates verification in SSL contexts. I hope this is not too much offtopic.
I know how asymmetric encryption works, but I never dig a lot into the process of certificates verification.
I know how certificate checks are made with browsers, the server must have a certificate signed by a trusted CA. But then, I must admit that I don't know many more. For example, A lot of Linux package managers use package signing to be sure that packages downloaded are correctly built from the vendor. But this is another topic I guess.
Now, for example, I would like to create my own server process and my own client. They are not open to the internet, so no need to buy trusted authority certificates.
So by generating self-signed certificate and private key file. The server can run.
The question is: how the client be sure that it is connecting to the right server? Do this client needs to have the same certificate on its local machine and use it? If yes, should I use ssl::context::load_verify_file and ssl::verify_peer and I'm done?
If you have some resources to advice me on the certificate check mechanisms, please give me.
Regards
-- David _______________________________________________ Boost-users mailing list Boost-users@lists.boost.org https://lists.boost.org/mailman/listinfo.cgi/boost-users
participants (2)
-
Damian Jarek
-
David Demelier