
SSL and certificates

1) As far as I know, it is not possible to establish an SSL connection where only the client is required to provide a certificate. Any idea why SSL doesn't allow this?

2) I assume SSL connection can be configured to either:

  • require only server to provide a certificate
  • require for both server and the client to provide their certificates

3) Probably a stupid question, but how does SSL "know" which side is a client and which side is a server?

4) Is it possible to establish an SSL connection without SSL requesting any certificates?

thank you


  1. If the server is not authenticated, you really cannot have a private channel—it is too easy for a man-in-the-middle to eavesdrop, relaying traffic between the two legitimate parties. If you don't have privacy or authentication, why use SSL? There are actually "anonymous" modes where public-key cryptography is used to agree on an encryption key, but neither client nor server presents a certificate; but, I've never seen them used, probably because they can't address the man-in-the-middle eavesdropping attack.

  2. Yes, the server provides a certificate. The server can request a certificate from the client. The client can respond with a certificate, or ignore the request. If the request is ignored, the server can choose to continue with an anonymous client, or terminate the connection.

  3. The roles of client and server are established during the SSL handshake. The first message is called ClientHello. The party that sends this message is the client. Normally, this would be the party that initiated the TCP connection, but it doesn't have to be (in fact, there's nothing in SSL that requires TCP as transport).

  4. Yes, as I mentioned in #1, SSL has "anonymous" modes where neither party can securely authenticate the other. This would provide a private, tamper-proof channel between two unknown parties. However, since you don't know who's on the other end of the channel, you don't know that it isn't a man-in-the-middle, who has carried out two simultaneous handshakes and is intercepting all of the traffic between you and the party you thought you were talking to. To thwart this, you'd have to have an authentication protocol on top of SSL that, in order to be secure, would inevitably wind up looking a lot like authenticated SSL.
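As an added illustration of points 1, 3 and 4 in the answer above (this is example code written for this page, not code from the original post): the role of "client" is nothing more than "the party that sends ClientHello", and the cipher-suite list inside that message is where a server can see whether the peer is asking for one of the anonymous (no-certificate) key exchanges. The parser below reads a TLS 1.2 ClientHello record and flags any anonymous suites offered. The ClientHello bytes are constructed inline by `build_client_hello` (a helper written for this example, not a real TLS library); the cipher-suite codes are the IANA-registered values for the DH_anon and ECDH_anon suites.

```python
"""Parse a TLS ClientHello record and report what it offers.

Added example (not from the original question or answers). Shows that
(a) the sender of the first handshake message, ClientHello, is by
definition the client, and (b) the offered cipher suites reveal whether
the peer proposes an anonymous key exchange, i.e. one with no
certificates on either side.
"""
import struct

HANDSHAKE_RECORD = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01       # handshake message type "client_hello"

# IANA cipher-suite codes whose key exchange is anonymous (DH_anon /
# ECDH_anon): neither side presents a certificate, so a man-in-the-middle
# can complete two handshakes and relay traffic undetected.
ANON_SUITES = {
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x001B: "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x006A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    0x00A6: "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    0x00A7: "TLS_DH_anon_WITH_AES_256_GCM_SHA384",
    0xC018: "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    0xC019: "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
}


def build_client_hello(cipher_suites, client_random=bytes(32)):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    body = struct.pack("!H", 0x0303) + client_random      # client_version + random
    body += b"\x00"                                         # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))       # cipher_suites length
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                     # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([HANDSHAKE_RECORD]) + struct.pack("!HH", 0x0303, len(handshake))
    return header + handshake


def parse_client_hello(record):
    """Return a dict describing the ClientHello, or raise ValueError."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("truncated record")
    if hs[0] != CLIENT_HELLO:
        raise ValueError("first handshake message is not ClientHello; sender is not the client")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len                              # skip session_id
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    anon = [ANON_SUITES[s] for s in suites if s in ANON_SUITES]
    return {
        "role_of_sender": "client",                 # whoever sends ClientHello
        "version": version,
        "cipher_suites": suites,
        "anonymous_suites_offered": anon,
        "offers_only_anonymous": bool(suites) and len(anon) == len(suites),
    }


if __name__ == "__main__":
    # Constructed sample: one certificate-based ECDHE suite plus one DH_anon suite.
    record = build_client_hello([0xC02F, 0x0034])
    info = parse_client_hello(record)
    print("sender role:", info["role_of_sender"])
    print("anonymous suites offered:", info["anonymous_suites_offered"])
```

A server-side policy check would refuse to negotiate anything in `ANON_SUITES`; a monitoring rule would flag a ClientHello whose `offers_only_anonymous` is true, since that peer cannot be authenticated at all. Real TLS stacks already drop anonymous suites by default, so the parser is for inspection and detection, not for replacing the library's handshake.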


Good day,

Here are the responses to your questions:

1) As far as I know, it is not possible to establish an SSL connection where only the client is required to provide a certificate. Any idea why SSL doesn't allow this?

The SSL certificate will secure the website located on the server and the transmission of data between the computer of the user and the website will be secured. It also depends on the type of the certificate.

2) I assume SSL connection can be configured to either:

  • require only server to provide a certificate
  • require for both server and the client to provide their certificates

The server is necessary indeed. But also the client needs to provide the CSR in order to have a unique SSL certificate for the specific website.

3) Probably a stupid question, but how does SSL "know" which side is a client and which side is a server?

The verifications of the client and the server are done during the SSL connection. When the visitor of the website gives vital information, as long as there is an SSL certificate, it is secured, but it also depends on the type of the certificate installed.

4) Is it possible to establish an SSL connection without SSL requesting any certificates?

It depends on the type of the certificate (auto-generated or from a Certificate Authority). The SSL certificate is unique and issued only for the specific website and according to the CSR given by the client.

Best regards,

www.networking4all.fr
