Re: opened OpenSSL port

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 02/27/11 1:50 AM, erikmccaskey64 wrote:
>
> Main question: is it safe, to open a port for an openssl server?
>
> e.g.:
>
> server side - generate a self-signed cert.
> time openssl req -x509 -nodes -days 365 -newkey rsa:8192 -keyout 
> mycert.pem -out mycert.pem
> openssl s_server -accept 52310 -cert mycert.pem
>
> Is it secure? - it could be DOSed' [DenialofService] or could it be 
> attacked in any way?
>
> Are there any iptables rule for restricting connections to dyndns names?
>
> e.g.: only allow connection from "asdfasdf.dyndns.com" and 
> "asdfasdf2.dyndns.com" and "asdfasdf3.dyndns.com"?
>

any host names used in iptables rules are looked up at the time the rule 
is created, and if the hostname->IP later changed, the iptables would 
not be aware of this until the next time they are reloaded.

> How could i restrict the openssl server to only accept traffic from 
> given clients? Please help me "think"..
>
> Or are there any "production ready" methods, that can do 
> authentication too? [+using ssl].
> "openssl s_server" and "openssl s_client" would be perfect, but the 
> problem is it doesn't has username/password auth :\
>

aren't those openssl s_server and s_client intended just for testing 
protocols?   If you want to secure an application, you implement ssl in 
your application via libssl, or you use a vpn tunnel such as openvpn 
(which uses SSL itself)

anyways, the whole idea of SSL is to use certificate based 
authentication rather than username/password.


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux