
Re: Newbie: SSL and encryption

From: Miha Vitorovic <mvitorovic_at_nil.si>
Date: 2005-08-10 09:05:35 CEST

news <news@sea.gmane.org> wrote on 09.08.2005 21:27:55:

> will the asked "username/password" -pair be changed encrypted
> between the client and the server?
>
> The manual says:
>
> "The Neon library used by the Subversion client
> is not only able to verify server certificates,
> but can also supply client certificates when challenged.
> When the client and server have exchanged SSL certificates
> and successfully authenticated one another,
> all further communication is encrypted via a session key."
>
> This implies that encryption occurs only when BOTH
> server and client provide certificates.

No, not really. That implies only that the server can also authenticate
the client, if client certificates are used. In SSL the certificates
(public/private key pairs) are mainly (always) used for authentication
only, and generation of a session key. All other traffic is encrypted
using a session (symmetric) key.

All this (authentication and session key generation) is part of the SSL
session setup. If it fails at this step, you are not able to connect. All
other data is then encrypted, including the username and password.

It is of course possible to use null encryption in SSL, but that would
require a special setup on the server side.

Cheers,

---
  Miha Vitorovic
  Inženir v tehničnem področju
  Customer Support Engineer
   NIL Data Communications,  Tivolska cesta 48,  1000 Ljubljana,  Slovenia
   Phone +386 1 4746 500      Fax +386 1 4746 501     http://www.NIL.si
Received on Wed Aug 10 09:24:13 2005

This is an archived mail posted to the Subversion Users mailing list.
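
Added example, not part of the archived mail or of Subversion/Neon: the two points made in the reply (client certificates are a separate, optional authentication setting, and null encryption only happens if a server is specially configured for it) can be checked on a TLS configuration. Python's standard `ssl` module is used here as an assumption; the helper names `null_ciphers`, `summarize` and `server_context` are hypothetical.

```python
import ssl


def null_ciphers(ctx):
    """Return names of enabled cipher suites that provide no encryption.

    OpenSSL reports such suites (the eNULL family) with 0 strength bits.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] == 0]


def summarize(ctx):
    """Report the authentication and encryption settings separately."""
    return {
        # Does the server ask the client for a certificate at all?
        "client_cert_requested": ctx.verify_mode != ssl.CERT_NONE,
        # Does the handshake fail when the client has none?
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        # Suites that would send traffic (passwords included) in the clear.
        "null_ciphers": null_ciphers(ctx),
    }


def server_context(require_client_cert=False):
    """Build a server-side context; client certificates are opt-in."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for label, ctx in (
        ("server cert only", server_context()),
        ("mutual certificates", server_context(require_client_cert=True)),
    ):
        info = summarize(ctx)
        print(label, "->", {k: v for k, v in info.items() if k != "null_ciphers"},
              "null ciphers enabled:", len(info["null_ciphers"]))
```

Both configurations report the same encrypting cipher suites; only the client-authentication setting differs.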
