Regarding certificate verification using Asio

Boost - Users mailing list
Hello,

This is more of a general question about certificate verification in SSL
contexts. I hope this is not too off-topic.

I know how asymmetric encryption works, but I have never dug much into the
process of certificate verification.

I know how certificate checks are made with browsers: the server must
have a certificate signed by a trusted CA. But then, I must admit that I
don't know much more. For example, a lot of Linux package managers use
package signing to be sure that packages downloaded are correctly built
from the vendor. But this is another topic, I guess.

Now, for example, I would like to create my own server process and my
own client. They are not open to the internet, so there is no need to buy
trusted authority certificates.

So by generating a self-signed certificate and private key file, the
server can run.

The question is: how can the client be sure that it is connecting to the
right server? Does this client need to have the same certificate on its
local machine and use it? If yes, should I use
ssl::context::load_verify_file and ssl::verify_peer and I'm done?

If you have some resources to advise me on the certificate check
mechanisms, please share them.

Regards

--
David
_______________________________________________
Boost-users mailing list
[hidden email]
https://lists.boost.org/mailman/listinfo.cgi/boost-users
Re: Regarding certificate verification using Asio

Boost - Users mailing list
Hi David,
In order to establish trust without the use of PKI you need some method of secure, Out of Band communication, e.g. go and manually install the self-signed certificate in a client's keystore. If you expect to have multiple servers and multiple certificates, you should generate your own CA and add the CA's certificate to the list of trusted root CAs. Note that if this is for an organization (e.g. a server that sits on an intranet) you should also consider setting up an OCSP server when configuring the CA, so that you can safely perform certificate revocation in the future.

Security tip: If you go the custom CA route, remember that you don't need to put the CA private key on the server!

On Mon, Nov 5, 2018 at 10:38 AM David Demelier via Boost-users <[hidden email]> wrote:
> Hello,
>
> This is more of a general question about certificate verification in SSL
> contexts. I hope this is not too off-topic.
>
> I know how asymmetric encryption works, but I have never dug much into the
> process of certificate verification.
>
> I know how certificate checks are made with browsers: the server must
> have a certificate signed by a trusted CA. But then, I must admit that I
> don't know much more. For example, a lot of Linux package managers use
> package signing to be sure that packages downloaded are correctly built
> from the vendor. But this is another topic, I guess.
>
> Now, for example, I would like to create my own server process and my
> own client. They are not open to the internet, so there is no need to buy
> trusted authority certificates.
>
> So by generating a self-signed certificate and private key file, the
> server can run.
>
> The question is: how can the client be sure that it is connecting to the
> right server? Does this client need to have the same certificate on its
> local machine and use it? If yes, should I use
> ssl::context::load_verify_file and ssl::verify_peer and I'm done?
>
> If you have some resources to advise me on the certificate check
> mechanisms, please share them.
>
> Regards
>
> --
> David
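
The custom-CA route described in the reply, as an added example that is not part of the original thread: it builds a throwaway CA with the openssl command line, issues one server certificate, and checks what a client trusting ca.pem accepts. The host name "server.internal" and all file names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: a throwaway private CA, one server certificate signed by
# it, and one unrelated self-signed certificate claiming the same host name.
# "server.internal" and all file names are assumptions made for this example.

make_pki() {    # $1 = empty working directory
    cat > "$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'subjectAltName = DNS:server.internal\n' > "$1/san.ext"
    # CA key pair. ca.key stays on the signing machine; clients only get ca.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # Server key and CSR, then the certificate the CA issues for it.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=server.internal" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/san.ext" \
        -out "$1/server.pem" 2>/dev/null || return 1
    # Self-signed certificate for the same name, not issued by the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/req.cnf" \
        -subj "/CN=server.internal" \
        -keyout "$1/rogue.key" -out "$1/rogue.pem" 2>/dev/null || return 1
}

client_accepts() {    # $1 = trusted CA file, $2 = presented cert, $3 = host name
    openssl verify -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" \
        >/dev/null 2>&1
}

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
make_pki "$PKI_DIR" || { echo "openssl failed" >&2; exit 1; }
for pair in "server.pem server.internal" "server.pem other.internal" \
            "rogue.pem server.internal"; do
    set -- $pair
    if client_accepts "$PKI_DIR/ca.pem" "$PKI_DIR/$1" "$2"; then r=accepted
    else r=rejected; fi
    echo "$1 presented as $2: $r"
done
```

In Asio terms, ca.pem is the file the client would pass to ssl::context::load_verify_file, and ssl::verify_peer enables the chain check; the host name check is a separate step that needs a verify callback such as ssl::rfc2818_verification.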