
Re: ssl for conserver client/server communications

Bryan Stansell bryan@conserver.com
Fri, 27 Sep 2002 12:25:31 -0700 (PDT)

On Fri, Sep 27, 2002 at 01:48:46PM -0500, John R. Jackson wrote:
> I threatened to write this all up several months ago :-), but your
> letter prompted me to actually do it.  See:
>   ftp://gandalf.cc.purdue.edu/pub/conserver/README.ssh
> Note: I am by no stretch of the imagination a security person.  If anyone
> sees anything wrong with what I've done, please sing out.

this is so very cool!  i hope others out there can benefit from it.  i
didn't look at it closely, but what i saw was very helpful.

i figured i'd also take this opportunity to tell folks that i am making
progress in the ssl realm.  the server code is in and a
"proof-of-concept" of sorts of the client code is working -
unfortunately, the client code has to be adjusted more than i realized
so it too can take advantage of encryption.

i also want to warn folks that i'm not putting in any certificate
exchange/validation (which would require folks to build certs for the
server) into the code (yet).  this exposes (according to the book) the
app to man-in-the-middle attacks (and maybe other types of attacks that
i don't remember, but i don't think so).  i'm planning on adding certs
as an optional step, but the first round of code (call it alpha or beta
or whatever) will leave it out.  i'd just like to see an encrypted
(however nonauthenticated) session - and figured that would make a lot
of other folks happy as well.

i'll make patches available as soon as i get to a stable point and find
an internet cafe that lets me attach my laptop so i can upload them.
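
[Added example, not part of the original message and not conserver code.]
The warning above about leaving out certificate exchange/validation is
the whole security difference between an "encrypted however
nonauthenticated" session and an authenticated one, and it is easy to
show concretely. The following self-contained Go program is an added
illustration of that point, written here rather than taken from the
conserver sources; Go is used because its standard library can mint the
certificates in-process so the demo runs offline. The host name
conserver.example, and the genuine/rogue certificates it creates, are
constructed for the demo and are assumptions, not anything from the
project. It spins up a loopback TLS listener and tries three client
configurations against it: a client that accepts any certificate (the
mode the message describes as the first round of code) completes a
handshake with a rogue certificate issued for the same name, while a
client that checks the certificate against a trust anchor and verifies
the host name accepts the genuine certificate and rejects the rogue one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Host name the demo pretends the console server has (an assumption for the demo).
const serverName = "conserver.example"

// mintCert makes a self-signed certificate for name so the demo runs offline.
func mintCert(name string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the cert act as its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshake runs a one-shot TLS listener on loopback presenting serverCert and
// returns nil only if a client using clientCfg completes the handshake with it.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		c.SetDeadline(time.Now().Add(5 * time.Second))
		c.(*tls.Conn).Handshake() // the verdict is taken on the client side
		c.Close()
	}()
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// unauthenticated is the "encrypted, however nonauthenticated" mode: the client
// takes whatever certificate the far end presents, so a man in the middle can
// terminate the session with its own key and relay it to the real server.
func unauthenticated() *tls.Config {
	return &tls.Config{ServerName: serverName, InsecureSkipVerify: true}
}

// authenticated pins the client to one trust anchor and checks the host name
// against the certificate, which is the step the message says is still to come.
func authenticated(anchor *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	return &tls.Config{ServerName: serverName, RootCAs: pool}
}

// Outcome records which client mode completed a handshake against which certificate.
type Outcome struct {
	UnauthenticatedAcceptsRogue bool
	AuthenticatedAcceptsGenuine bool
	AuthenticatedAcceptsRogue   bool
}

func Demo() (Outcome, error) {
	genuine, anchor, err := mintCert(serverName)
	if err != nil {
		return Outcome{}, err
	}
	rogue, _, err := mintCert(serverName) // same name, an attacker's own key
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		UnauthenticatedAcceptsRogue: handshake(rogue, unauthenticated()) == nil,
		AuthenticatedAcceptsGenuine: handshake(genuine, authenticated(anchor)) == nil,
		AuthenticatedAcceptsRogue:   handshake(rogue, authenticated(anchor)) == nil,
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The rogue certificate is indistinguishable from the genuine one to the
unauthenticated client because nothing ties the key that encrypts the
session to the server the user meant to reach; only the trust anchor
plus the host-name check supply that binding, which is why an encrypted
but unvalidated session stops eavesdropping yet not an active
interposer.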