SSL client-server setup


Author: jenna Posted: Thu Apr 02, 2009 11:56 pm    Post subject: SSL client-server setup
    ----
Hi,

I hope I'm on the right forum to post this question.

My setup includes a client application sending/receiving messages over HTTPS to a server. The client application is distributed to users; it uses libcurl for the HTTP calls. The URL of the server to which the client app sends data is static, and I control the server. I'm using SSL certificates to encrypt the data that is sent to and from the server. I'm trying to prevent a third party from seeing the transmitted data.

I created a certificate authority and a self-signed certificate. I installed the self-signed certificate on the server. When I make the libcurl calls, I pass in the certificate authority public key file, which is distributed with the client app.

libcurl also allows checking the server certificate, but you must provide the unencrypted key as well, and I don't want that because someone might use it to decrypt all other messages to this server. Since I trust that I'm sending/receiving messages to the intended destination (my server's URL which the user cannot change), should I really check the server's certificate?

Is there any type of attack that I'm not taking into account in this setup?

Thanks,
J

Author: heba Location: Cremona (Italy) Posted: Mon Apr 27, 2009 11:49 am    Post subject: Re: SSL client-server setup
    ----
jenna wrote:
Hi,

Since I trust that I'm sending/receiving messages to the intended destination (my server's URL which the user cannot change), should I really check the server's certificate?

Is there any type of attack that I'm not taking into account in this setup?


Hi,
if you can check the server's certificate, it is better, so the lamer can't pass the server and have the trust of the server; if a lamer has the trust of the server, he/she will have the trust of the entire site.

Author: Fire Ant Location: London Posted: Mon Apr 27, 2009 12:39 pm    Post subject:
    ----
jenna,

When using SSL, you are using asymmetric encryption. Your clients require the public key and your server requires the private key. You should never distribute your private key.

Read the following Wiki for a complete understanding of the process.

http://en.wikipedia.org/wiki/Transport_Layer_Security

Matt_s
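
The point made above, that clients need only public material while the private key stays on the server, as an added example that is not part of the original thread: a script that builds a throwaway CA with the openssl command line and shows the client-side check accepting the CA-signed server certificate while rejecting a wrong host name and a self-signed impostor. The subjects, host names and file names are constructed, and libcurl itself is not used here.

```shell
#!/bin/sh
# Added illustration; every name, subject and file here is constructed.
set -eu

# Create a private CA, a server certificate it signs, and an impostor
# certificate that claims the same host name but is self-signed.
make_pki() {
    d=$1
    # CA: ca.key stays offline; ca.pem (certificate only) ships with the client.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Private CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Server: server.key never leaves the server; the CA signs the CSR.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -days 30 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null
    # Impostor: what an interceptor could present without access to ca.key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=app.example.test" \
        -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null
}

# What the client does: check the presented certificate against the CA
# certificate and the expected host name. No private key is involved.
# Usage: client_check CA_CERT PRESENTED_CERT EXPECTED_HOST
client_check() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    then echo trusted
    else echo rejected
    fi
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
echo "genuine server:  $(client_check "$work/ca.pem" "$work/server.pem" app.example.test)"
echo "wrong host name: $(client_check "$work/ca.pem" "$work/server.pem" other.example.test)"
echo "impostor:        $(client_check "$work/ca.pem" "$work/rogue.pem" app.example.test)"
```

The two checks in `client_check` correspond to what libcurl's `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` options control, with `CURLOPT_CAINFO` naming the CA certificate file.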

Author: heba Location: Cremona (Italy) Posted: Mon Apr 27, 2009 1:21 pm    Post subject:
    ----
matt_s wrote:
jenna,


Read the following Wiki for a complete understanding of the process.

http://en.wikipedia.org/wiki/Transport_Layer_Security

Matt_s


I think jenna asked another thing... ;)



All times are GMT + 2 Hours