Newbie: is it possible to use SSL on multiple targets with just IP addresses? - Openssl


  1. Newbie: is it possible to use SSL on multiple targets with just IP addresses?

    We are designing a new embedded system which runs its own web server.

    When installed in the field, the majority of the units will *not* have a domain-name, just a local IP address, since they will mostly be used on company intranets (and so could be *any* IP address I guess).

    Most units will not have static IP addresses, but will rely on zeroconf or dhcp for address allocation.

    I guess some companies may wish to expose units to the internet and probably will have some form of domain name setup for each one (e.g. unit1.foobar.com, unit2.foobar.com, etc)

    So my question is this ...

    Can SSL + Certs be used / generated to work on such a dynamic type of network setup ?

    TBH, all we are requiring is to obtain a "secure" connection to the web server, rather than certifying that the embedded units are who they say they are. Is there some other way of doing this (either via SSL or some other web technology) ?

    I apologise if this is too open a question, but I've not managed to find a suitable Google search phrase that comes anywhere near to answering my question(s).

    Thanks in advance
    Mark
    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Re: Newbie: is it possible to use SSL on multiple targets with just IP addresses?

    Hi,

    If I understand what you want to do, the answer is yes, it can be done.
    You can create a generic certificate with a given CN to be used in the
    embedded web server.

    The next question is... who will use this web server? If it's a program,
    so your system is used as an update server (for instance, although in
    this case identification would be critical), you can deactivate the CN
    checking, so that even if your CN does not correspond to the host name
    used in the URL the program will not complain.

    If you want a user to connect via a browser, the problem is that he will
    get a warning every time he connects (I'm not sure if this can be
    avoided just by accepting the certificate in the browser, as this is a
    CN problem, and not that the certificate is self-signed), although maybe
    this is not a problem for you.... depends on your application and who
    will use it.

    Well, anyway, the answer to your question is yes, a generic certificate
    can be used to create an SSL connection if you don't care about
    authentication.

    Best regards,

    Ion Larrañaga



    Mark Jackson wrote:
    > We are designing a new embedded system which runs its own web server.
    >
    > When installed in the field, the majority of the units will *not* have a
    > domain-name, just a local IP address, since they will mostly be used
    > on company intranets (and so could be *any* IP address I guess).
    >
    > Most units will not have static IP addresses, but will rely on zeroconf
    > or dhcp for address allocation.
    >
    > I guess some companies may wish to expose units to the internet and
    > probably will have some form of domain name setup for each one (e.g.
    > unit1.foobar.com, unit2.foobar.com, etc)
    >
    > So my question is this ...
    >
    > Can SSL + Certs be used / generated to work on such a dynamic type of
    > network setup ?
    >
    > TBH, all we are requiring is to obtain a "secure" connection to the web
    > server, rather than certifying that the embedded units are who they say
    > they are. Is there some other way of doing this (either via SSL or some
    > other web technology) ?
    >
    > I apologise if this is too open a question, but I've not managed to find
    > a suitable Google search phrase that comes anywhere near to answering my
    > question(s).
    >
    > Thanks in advance
    > Mark
    >
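
For the case in the reply where the client is a program and CN checking is deactivated, identification can be kept by pinning the generic certificate's SHA-256 fingerprint. This is an added example, not code from the thread; the function names are hypothetical, and it assumes the fingerprint is recorded when the certificate is created and shipped with the client.

```python
import hashlib
import socket
import ssl


def device_context() -> ssl.SSLContext:
    """TLS client context for units reached by changing IP addresses."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The generic certificate's CN cannot match a DHCP/zeroconf address,
    # so name checking is off. It must be cleared before verify_mode
    # can be lowered.
    ctx.check_hostname = False
    # Chain validation is off too; identity comes from the pin check below.
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex: str) -> bool:
    """True only if a certificate was presented and equals the pin.
    Accepts pins written as 'AB:CD:...' or plain hex."""
    if not der_cert:
        return False
    normalized = pinned_hex.replace(":", "").strip().lower()
    return fingerprint(der_cert) == normalized


def connect_pinned(host: str, port: int, pinned_hex: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect by IP, then refuse the session unless the pin matches."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = device_context().wrap_socket(raw)  # no server_hostname
    except Exception:
        raw.close()
        raise
    # binary_form=True returns the peer certificate even with CERT_NONE.
    if not pin_matches(tls.getpeercert(binary_form=True), pinned_hex):
        tls.close()
        raise ssl.SSLError("device certificate does not match pinned fingerprint")
    return tls
```

Because every unit carries the same generic certificate, a matching pin identifies the product's key, not an individual unit.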
