Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SSL and certificates

Tags:

certificate

ssl

ssl-certificate

1) As far as I know, it is not possible to establish a SSL connection where only the client is reuired to provide a certificate. Any idea why SSL doesn't allow this?

2) I assume SSL connection can be configured to either:

  • require only server to provide a certificate
  • require for both server and the client to provide their certificates

3) Probably a stupid question, but how does SSL "know" which side is a client and which side is a server?

4) Is it possible to establish a SSL connection without SSL requesting any certificates?

thank you

like image 676
user437291 Avatar asked Dec 28 '22 04:12

user437291

1 Answers

  1. If the server is not authenticated, you really cannot have a private channel—it is too easy for a man-in-the-middle to eavesdrop, relaying traffic between the two legitimate parties. If you don't have privacy or authentication, why use SSL? There are actually "anonymous" modes where public-key cryptography is used to agree on an encryption key, but neither client or server present certificates; but, I've never seen them used, probably because they can't address the man-in-the-middle eavesdropping attack.

  2. Yes, the server provides a certificate. The server can request a certificate from the client. The client can respond with a certificate, or ignore the request. If the request is ignored, the server can choose to continue with an anonymous client, or terminate the connection.

  3. The roles of client and server are established during the SSL handshake. The first message is called ClientHello. The party that sends this message is the client. Normally, this would be the party that initiated the TCP connection, but it doesn't have to be (in fact, there's nothing in SSL that requires TCP as transport).

  4. Yes, as I mentioned in #1, SSL has "anonymous" modes where neither party can securely authenticate the other. This would provide a private, tamper-proof channel between to unknown parties. However, since you don't know who's on the other end of the channel, you don't know that it's a man-in-the-middle, who has carried out two simultaneous handshakes and is intercepting all of the traffic between you and the party you thought you were talking to. To thwart this, you'd have to have an authentication protocol on top of SSL that, in order to be secure, would inevitably wind up looking a lot like authenticated SSL.

like image 185
erickson Avatar answered Jan 08 '23 16:01

erickson
Sign in to Comment

Related questions

CXF SSL configuration for consuming SOAP webservice
Host name does not match the certificate subject provided by the peer, but it's a perfect match
Asio dependency on OpenSSL
Cannot install any ruby gems on Mac OS - SSL_connect error
Jetty "javax.net.ssl.SSLHandshakeException: no cipher suites in common"
Secure traffic between pods in cluster
How to install ssl certificate received from SSLForFree.com on IIS
FTPS with PHP Curl getting partial download
Docker Container Virtual Host SSL Configuration
How to configure https support in 443 for apache AND node?
NET::ERR_CERT_REVOKED issue in chrome
Unable to `openssl verify' letsencrypt certificate
How to disable ssl check in react native XMLHttpRequest API or in Fetch Api?
SSl Handshake validation error in connection to SQL Server by JDBC driver
How to configure a Reactive WebClient to use 2-way TLS?
NPM install Error: self signed certificate in certificate chain
node.js can i use multiple ssl certificates and keys for same project and how?
Rails SSL Requirement plugin -- shouldn't it check to see if you're in production mode before redirecting to https?
Is there any way to configure multiple SSL sites on the same server without a wildcard certificate?
cURL + HTTP_POST, keep getting 500 error. Has no idea?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!