client/server communication with OpenSSL && with passwords or passphrase

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

we develop a business application as client/server with TCP/IP
communication and a human readable protocol, which is encrypted by
OpenSSL. The servers are C-written on top of PostgreSQL on Linux, while
the clients are mostly Java-written and running on Win10 PCs of the
staff, talking over the network to the servers. This runs well for many
years already. The clients have no key material and "trust" the server
servers. How the keys are made is explained below in some older post
from me. The connection establishment is from the client to the server.

This only as background for the actual situation.

What we now want to have is strengthen the communication in some
directions:

1) Each client should have its own key for the OpenSSL. They must be
   built central, copied to the Win PC and installed there.

2) The usage of the key and OpenSSL communication should be protected by some
   passphrase (like for a SSH connection the usage of the private RSA
   key).

Is there some usecase example or some tutorial for this, or any other
hints?

Thanks in advance

	matthias

----- Forwarded message from Matthias Apitz <guru@xxxxxxxxxxx> -----

Date: Tue, 19 Feb 2019 09:57:11 +0100
From: Matthias Apitz <guru@xxxxxxxxxxx>
To: openssl-users@xxxxxxxxxxx
Subject: understand 'openssl dhparms ....'


Hello,

Some years ago (in 2012) I wrote an OpenSSL server, loosely based on the example
sources 'openssl-examples-20020110' which nowadays still exist in 
https://github.com/smbutton/DataCommProject/tree/master/openssl-examples-20020110/openssl-examples-20020110

There was also some guiding available about how to create the necessary
key material, which goes more or less like this:

--------------------------------------------------------------------------------

  $ mkdir newca
  $ cd newca
  $ cp /usr/local/openssl/misc/CA.sh .
  $ ./CA.sh -newca

  will create a new CA. Remember the passphrase as you will need
  it to sign certificates.

  $ cp demoCA/cacert.pem ../root.pem

  Second step

  $ ./CA.sh -newreq

  will create a certificate and a certification request.
  Set the passphrase to 'password' as this is hard-coded in
  the examples' source code. It is important to set the
  [Common Name] to 'localhost'.


  Third step

  $ ./CA.sh -sign

  will sign your newly created certificate. Enter the password for
  your CA which you have defined in step 1.


  Fourth step

  $ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
  $ cd ..
  $ ln -s localhost.pem server.pem
  $ ln -s localhost.pem client.pem

  Maybe you also want to issue

  $ openssl dhparam 1024 -2 -out dh1024.pem -outform PEM

  in order to update the DH parameters.


...

--------------------------------------------------------------------------------



----- End forwarded message -----

-- 
Matthias Apitz, ✉ guru@xxxxxxxxxxx, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

Attachment: signature.asc
Description: PGP signature


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux