Certificate question

lightman47
Posts: 1522
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Certificate question

Post by lightman47 » 2017/05/24 15:18:07

Not a CentOS question admittedly, but if I have an https server and I generate a self-signed certificate, will transfers then be encrypted for their duration, or is the cert. merely a 'verification of ID' upon connection kind of thing?

- background - this server on my internal network would normally not be running, and only awakened (ether-wake from another network machine into which I have SSHd) when I wish to access it - to download a file or two from my internal network when I am away. After the transfer, the https server would then be 'shutdown' again.

Thank you.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Certificate question

Post by aks » 2017/05/24 17:00:09

> Not a CentOS question admittedly, but if I have an https server and I generate a self-signed certificate, will transfers then be encrypted for their duration, or is the cert. merely a 'verification of ID' upon connection kind of thing?

Why yes it is. TLS is subject to man in the middle attacks (as actually what we do is public key for a bit and then agree a secret key and go back to "normal" crypto. - if you get that exchange, then it's like knowing the password).
Anyway, certificates are there to say that the server you are connecting to is really the server you are expecting to connect to (for example think of DNS poisoning et al). To do that we believe certain certificate authorities (who, of late, have been found wanting, but that's another story). If that 3rd party certificate authority says that yes this is that site, then we believe them - otherwise an exception is thrown....
It actually has very little to do with the actual on the wire crypto...

lightman47
Posts: 1522
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Certificate question

Post by lightman47 » 2017/05/24 17:08:22

OK - so, if I want the 'crypto part' for the transfer, I need to provide it myself.

Thank you. That's exactly what I needed to know.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Certificate question

Post by aks » 2017/05/25 18:28:09

Look at the packets .... they don't lie.

lightman47
Posts: 1522
Joined: 2014/05/21 20:16:00
Location: Central New York, USA

Re: Certificate question

Post by lightman47 » 2017/05/25 18:48:50

Heh - I trust you, and am still dealing with packet types, sources, destinations.

Thank you.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Certificate question

Post by hunter86_bg » 2017/05/25 18:49:14

A self-signed certificate will provide encryption, but visitors' browsers won't be able to distinguish between your web site and a man-in-the-middle attacker.
Of course, there are companies like 'Let's Encrypt' that provide legitimate and free certificates.

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Certificate question

Post by aks » 2017/05/25 18:53:27

... unless you import the CA signer into the trusted store ...
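
The last two posts, shown as an added example (not code from any poster in this thread): a loopback TLS server with a throwaway self-signed certificate is contacted by three clients, one using the system trust store, one with verification switched off, and one that loads the certificate as trusted. It assumes the `openssl` CLI (1.1.1 or later) is on PATH; the certificate, the payload and all function names are constructed for the illustration.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(tmp):
    """Throwaway self-signed cert for 'localhost' (constructed test data)."""
    cert, key = os.path.join(tmp, "cert.pem"), os.path.join(tmp, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def serve_once(listener, server_ctx):
    """Accept one connection, complete the handshake, send a few bytes."""
    conn, _ = listener.accept()
    try:
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(b"hello over TLS")
    except (ssl.SSLError, OSError):
        conn.close()  # the client rejected the certificate and hung up

def attempt(cert, key, client_ctx):
    """Connect once to a fresh loopback server and report the outcome."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert, key)
    with socket.create_server(("127.0.0.1", 0)) as listener:
        worker = threading.Thread(target=serve_once, args=(listener, server_ctx))
        worker.start()
        try:
            with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
                 client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return {"verified": client_ctx.verify_mode == ssl.CERT_REQUIRED,
                        "cipher": tls.cipher()[0], "data": tls.recv(64)}
        except ssl.SSLCertVerificationError as exc:
            return {"verified": False, "cipher": None, "error": exc.verify_message}
        finally:
            worker.join()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        default = ssl.create_default_context()        # system trust store only
        unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE        # encrypted, peer unchecked
        pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        pinned.load_verify_locations(cafile=cert)     # cert imported as trusted
        contexts = {"default": default, "unverified": unverified, "pinned": pinned}
        return {name: attempt(cert, key, ctx) for name, ctx in contexts.items()}

if __name__ == "__main__":
    print(demo())
```

The `unverified` client still negotiates a cipher and receives the data, but it would accept any certificate, so only the `pinned` client gets a channel that is both encrypted and authenticated.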
