The community technical support mailing list was retired in 2010 and replaced with a professional technical support team. For assistance please contact pre-sales technical support via email to sales@march-hare.com.
Mike Wake wrote:
> Now is this correct, secure?
> Should I really split the cvsnt-default.pem file into cert.pem and key.pem?
> Where does self signing a certificate come into this?
> Where does ca.pem come into this for that matter?

If you want a good book on SSL try reading "SSL and TLS" by Eric Rescorla. It's for programmers but is quite an easy read.

To summarise... 3 parts to security:

1. Confidentiality - stopping people from sniffing your packets
2. Integrity - making sure what you received is what was sent
3. Endpoint authentication - making sure the person you're talking to is who they say they are, and there's nobody in the middle rewriting packets.

sserver can provide all 3 of these. The endpoint authentication is relatively weak though - it just checks that the certificate issued is from a valid certification authority that the client knows about (which is where you get into providing your own CA and replacing the ca.pem).

sserver with self-signed certificates provides 1 & 2 but not 3. A self-signed certificate proves absolutely nothing about the person who owns it.

btw. SSPI has 1 & 2 but only does 3 over a Kerberos link (NTLM has no endpoint authentication at all).

ssh does all 3 (and with RSA keys, it does (3) in both directions... the client checks the server is valid and the server checks the client is valid).

I intend at some point to beef up the certificate checking for sserver (basically put it on a par with ssh) but that's not there yet... making it work without bringing in all the UI nastiness of ssh RSA keys is one of the big problems (check out the number of posts about ssh on the wincvs lists).

Tony
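The two models Tony contrasts above (a client that only checks the server certificate chains to a CA it knows, versus ssh's pin-the-key-on-first-contact model) can be exercised with nothing but the OpenSSL command line. The script below is an added example and is not part of the thread or of CVSNT; it builds a throwaway private CA (the kind you would ship to clients as ca.pem), issues a server certificate from it, makes a second, self-signed certificate with the same host name, and then runs the two checks against each. The host name cvs.example.test, the file names under the temporary directory and the known_hosts-style pin file are all illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the cvsnt thread). Contrasts CA-chain verification,
# which is what an sserver client does against ca.pem, with an ssh-style
# first-contact fingerprint pin. Host name, paths and pin file are assumptions.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private CA: a self-signed root that clients would carry as ca.pem.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# 2. A server certificate issued by that CA; key and cert kept as separate
#    files (key.pem / cert.pem) rather than one combined PEM.
make_ca_issued_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cvs.example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/cert.pem" >/dev/null 2>&1
}

# 3. A self-signed certificate for the same host name: nothing the client
#    already trusts vouches for it, so it carries no endpoint authentication.
make_selfsigned_server() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cvs.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# CA model: does the presented certificate chain to the client's ca.pem?
# Prints "ok" or "fail" instead of aborting so results can be compared.
verify_against_ca() {  # $1 = certificate presented by the server, $2 = ca.pem
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# ssh model: remember the SHA-256 fingerprint the first time a host is seen,
# then demand an exact match; a swapped certificate is caught without any CA.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
pin_check() {  # $1 = certificate presented, $2 = known_hosts-style pin file, $3 = host
  touch "$2"
  fp=$(fingerprint "$1")
  if grep -q "^$3 " "$2"; then
    if grep -q "^$3 $fp\$" "$2"; then echo match; else echo MISMATCH; fi
  else
    echo "$3 $fp" >> "$2"; echo pinned
  fi
}

make_ca
make_ca_issued_server
make_selfsigned_server
echo "CA-issued cert vs ca.pem:   $(verify_against_ca "$WORK/cert.pem" "$WORK/ca.pem")"  # ok
echo "self-signed cert vs ca.pem: $(verify_against_ca "$WORK/self.pem" "$WORK/ca.pem")"  # fail
echo "first contact:  $(pin_check "$WORK/cert.pem" "$WORK/pins" cvs.example.test)"       # pinned
echo "second contact: $(pin_check "$WORK/cert.pem" "$WORK/pins" cvs.example.test)"       # match
echo "swapped cert:   $(pin_check "$WORK/self.pem" "$WORK/pins" cvs.example.test)"       # MISMATCH
```

The CA check gives Tony's "relatively weak" endpoint authentication: any certificate the private CA signs is accepted, and a self-signed certificate with an identical subject is rejected outright, which is why a self-signed cert delivers confidentiality and integrity but no proof of who is on the other end. The pin check is the ssh behaviour he describes wanting to reach: it accepts anything on first contact and thereafter refuses a changed certificate, which is exactly the "UI nastiness" of deciding what to do when a pin does not match.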