On Thu, Jun 15, 2006 at 02:56:52PM +0200, Christopher Kohlhoff wrote:
Scott <cheesy4poofs@cox.net> wrote:
I basically just want a simple encrypted tcp stream, with a minimal of fuss. I don't need certificates (at least I don't think I do). All I want is the server and client to generate keys on startup automatically and use those keys to negotiate the symmetric cypher during handshaking. If there's an easy way to hook that up, please let me know.
In general, if you don't use at least server authentication, then you are vulnerable to Man in the Middle attacks.
The example client/server SSL seems unwieldy. It actually makes you type a pass phrase when the server starts. I really don't want that.
According to the O'Reilly OpenSSL book, the passphrase is used to protect the private key if it's in PEM format. Private key files that use the ASN.1 format are not encrypted, so if you use one of these you shouldn't be prompted for a passphrase.
Both the DER und the PEM format of OpenSSL private keys files are ASN.1 data - they only differ in their encoding. The Distinguished Encoding Rules <URL:http://en.wikipedia.org/wiki/DER> define just one of several methods to encode ASN.1 data in binary format. PEM files contain the same data as their DER equivalents, but additionally Base64 encoded (whence you can treat them as ASCII text) and put in between informative header / footer lines. (The actual ASN.1 structure of the key files is defined by RSA's PKCS#1 and PKCS#8 specifications.) Christoph -- FH Worms - University of Applied Sciences Fachbereich Informatik / Telekommunikation Erenburgerstr. 19, 67549 Worms, Germany