«

I want to use SSL for client to server communication. The server is W2K.

I don't care about server authentication, I just want to encrypt the
connection.

Do I still have to create and install a dummy certificate for the
server, or is there a way to bypass it?

It appears the SSL/TLS standard does not require the server
authentication step during the handshake, but how is it implemented on W2K?

I browsed through the MS Knowledgebase but couldn't find the answer.

MS

> I don't care about server authentication, I just want to encrypt the
> connection.

You could use a shared secret.

There's plenty of IPSec information available on TechNet, if documentation
is what you're looking for.

MS wrote:
> I want to use SSL for client to server communication. The server is W2K.
>
> I don't care about server authentication, I just want to encrypt the
> connection.

I'll take theexample of an SSH connection.
You always need an authentication of the server, but you only need a
keypair, not a certificate.

--
Xandrex

"MS" <> wrote in message news:...
> I want to use SSL for client to server communication. The server is W2K.
> I don't care about server authentication, I just want to encrypt the
> connection.
> Do I still have to create and install a dummy certificate for the
> server, or is there a way to bypass it?

I'm not sure what your specific needs are but I got around this using 2K
at home by installing the windows certificate authority, and using it to
roll my own CA & website certificate.
HTH
DP

On Thu, 03 Jul 2003 08:59:50 -0400, MS <> wrote:

>I want to use SSL for client to server communication. The server is W2K.
>
>I don't care about server authentication, I just want to encrypt the
>connection.
>
>Do I still have to create and install a dummy certificate for the
>server, or is there a way to bypass it?
>
>It appears the SSL/TLS standard does not require the server
>authentication step during the handshake, but how is it implemented on W2K?
>
>I browsed through the MS Knowledgebase but couldn't find the answer.
>
>MS

Encryption without authentication is useless.

Sorry not familiar with it, but:

Entering your question (Microsoft implementation of ssl in Windows
2000) into the Search the Knowledge Base at the top of Microsoft's
Online Support site, provides several results, and hopefully some
might discuss that. I see the mention of white papers on
implementation, but have not read any of them so far.

Other possible helps might be the MSDN home website, and the
Windows Platform SDK.

Searches for "certificateless ssl" and "certificateless tls" at
those sites, as well as on the Web, might also produce other
results for you.

Regards, RobH.



"MS" <> wrote in message news:...
Splatter wrote:

As I stated in my original post, I cannot find the answers in
Microsoft
documentation. Anybody out there who is familiar with the
Microsoft
implementation of SSL in W2K and can answer my question?

MS

You can generate "test" sertificate and do not think about "anonymous tls"
http://www.stunnel.org/pem/

or you can use http://www.stunnel.org/ vs. MS ISAPI SSL filter on 443

but stunnel USEs sertificates too:
http://www.stunnel.org/faq/stunnel.html#certificates


"> Does the Microsoft W2K implementation of SSL=TLS allow bypassing the
> handshake step that sends server's certificate to the client? In other
> words, can I set up an SSL-encrypted connections to the W2K server
> without installing a certificate on the server?
>
> The specification of the TLS standard does allow that: The handshake
> protocol can be set up so that no certificates are used, and the client
> and the server use an "anonymous" key exchange protocol to agree on an
> encryption key. The question is, does Microsoft implementation allow it?
> And if so, how do I configure the server to operate this way?
>
>

Terry wrote:
> Quote: wrote that the client needs the server's
> cert
> because the client uses the public key from the cert to encrypt the data
> sent to the server. That is not correct. The data sent back and forth
> along the SSL connection are encrypted using a symmetric (secret) key,
> not a public key. The secret key is created during the SSL handshake.
>
> As far as I know, in a SSL connection, the server's cert sent to client is
> used to encrypt the session key(secret symmetric key) generated on the
> client side which is then sent to the server for use in the connection. So
> if the you dont use a server's cert, how can this be done?
>

The TLS standard allows "anonymous" key exchange. That is, the symmetric
key is generated without a priori authentication of the two parties. For
example, the Diffie-Hellman protocol can be used for that --- in
essence, each party creates a piece of the key, they exchange the two
pieces, and put them together to form the common secret key. And it's
done in such a way that an eavesdropper cannot recreate the key.

MS