[cvsnt] Re: :sserver: setup.
Tony Hoyle
tony.hoyle at march-hare.com
Fri Jul 8 18:44:52 BST 2005
Mike Wake wrote:
> Now is this correct, secure?
> Should I really split the cvsnt-default.pem file into cert.pem and key.pem?
> Where does self signing a certificate come into this?
> Where does ca.pem come into this for that matter?
If you want a good book on ssl try reading "SSL and TLS" by Eric
Rescorla. It's for programmers but is quite an easy read.

To summarise.. 3 parts to security:

1. Confidentiality - Stopping people from sniffing your packets
2. Integrity - Making sure what you received is what was sent
3. Endpoint authentication - Making sure the person you're talking to is
who they say they are, and there's nobody in the middle rewriting packets.

sserver can provide all 3 of these. The endpoint authentication is
relatively weak though - it just checks that the certificate issued is
from a valid certification authority that the client knows about (which
is where you get into providing your own CA and replacing the ca.pem).

sserver with selfsign certificates provides 1&2 but not 3. A selfsign
certificate proves absolutely nothing about the person who owns it.

btw. SSPI has 1&2 but only does 3 over a Kerberos link (NTLM has no
endpoint authentication at all).

ssh does all 3 (and with RSA keys, it does (3) in both directions... the
client checks the server is valid and the server checks the client is
valid).

I intend at some point to beef up the certificate checking for sserver
(basically put it on a par with ssh) but that's not there yet... making
it work without bringing in all the UI nastiness of ssh RSA keys is one
of the big problems (check out the number of posts about ssh on the
wincvs lists).

Tony
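
The difference between a CA-only check and a self-signed certificate can be reproduced with the openssl command line. This is an added example, not part of the original message and not CVSNT code; the hostnames, file names and the separate name check are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: throwaway keys and certificates; every name here is constructed.
set -eu

issue() {      # $1=dir $2=basename $3=CN -> key + certificate signed by the demo CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

make_demo_pki() {   # $1=dir
    # Private CA: its certificate plays the role of the ca.pem the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    issue "$1" server cvs.example.test      # the intended server
    issue "$1" other  other.example.test    # a different holder, same CA
    # Self-signed: anyone can create this, with any name in it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cvs.example.test" \
        -keyout "$1/self.key" -out "$1/self.pem" 2>/dev/null
}

chain_ok() {   # $1=CA file $2=cert: was the cert issued by a CA the client trusts?
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

name_ok() {    # $1=cert $2=expected host: does the cert name the host we meant?
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_pki "$DEMO_DIR"

for c in server other self; do
    chain_ok "$DEMO_DIR/ca.pem" "$DEMO_DIR/$c.pem" && chain=pass || chain=FAIL
    name_ok "$DEMO_DIR/$c.pem" cvs.example.test && name=pass || name=FAIL
    echo "$c.pem: CA chain=$chain, name=$name"
done
```

A check that only asks "was this issued by a CA in ca.pem?" accepts both server.pem and other.pem, while self.pem carries the right name but chains to nothing the client trusts.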