
I want to use SSL/HTTPS protocol to secure the transmission between my server and my clients but I am not sure how to perform it in a fast and correct way.

From my understanding, if an HTTPS connection is established, I then have to ask the client to authenticate itself so the client is either accepted or rejected. This solution seems to me a bit expensive in time because of the additional authentication messages.

Looking into certificates, I found a field called challenge password. So the question is: Is it safe to use the challenge password to authenticate the client? Or in other words, is the client's certificate encrypted when sent to the server?

  • You do not have to ask for client authentication with the `https` protocol, see the RFC section 3.2 [here](https://tools.ietf.org/html/rfc2818#section-3.2) – iñaki murillo Oct 26 '16 at 09:39
  • I want to restrict the access to the server. To my understanding, HTTPS just secures the channel, so anyone with a correct certificate can access it. – lcit Oct 26 '16 at 09:57
  • Challenge password is something else, see [What's the use of challenge password in build-key-server and build-key from Easy-RSA](http://security.stackexchange.com/questions/77028/whats-the-use-of-challenge-password-in-build-key-server-and-build-key-from-easy). More important: it is not part of the certificate so you cannot use it there. – Steffen Ullrich Oct 26 '16 at 10:00
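The last comment's point can be checked directly with the OpenSSL CLI: the added script below (not from the question or any commenter) builds a CSR carrying a `challengePassword` attribute, has a throwaway CA sign it, and shows that the attribute exists only in the request, while the issued certificate contains nothing of it and what the server can actually verify is the chain to its trusted CA. The CA name, subject, file names and the password value are all constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original question or comments.
# Where does the PKCS#10 challengePassword attribute end up? Only in the CSR.
# CA name, subject, paths and the password value are constructed placeholders.
set -eu

# Returns 0 when: the CSR carries challengePassword, the issued certificate does
# not, and the certificate verifies against the CA (the check a TLS server does).
challenge_password_check() {
  work=$(mktemp -d)
  cat > "$work/req.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
attributes = attrs
[ dn ]
CN = client1
[ attrs ]
challengePassword = constructed-not-a-real-secret
EOF
  # Throwaway self-signed CA standing in for whoever issues client certificates.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/req.cnf" \
    -subj "/CN=Example Client CA" -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  # Client key + CSR; prompt=no makes openssl take the attribute from [ attrs ].
  openssl req -new -newkey rsa:2048 -nodes -config "$work/req.cnf" \
    -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
  # The CA signs the request: subject and public key are copied, attributes are not.
  openssl x509 -req -days 1 -in "$work/client.csr" -CA "$work/ca.crt" \
    -CAkey "$work/ca.key" -set_serial 1 -out "$work/client.crt" 2>/dev/null

  # asn1parse prints OIDs by name, so count occurrences of the attribute's OID.
  in_csr=$(openssl asn1parse -in "$work/client.csr" | grep -c challengePassword || true)
  in_crt=$(openssl asn1parse -in "$work/client.crt" | grep -c challengePassword || true)
  # What a server requiring client auth evaluates: does the cert chain to a trusted CA?
  if openssl verify -CAfile "$work/ca.crt" "$work/client.crt" >/dev/null 2>&1; then
    verified=yes
  else
    verified=no
  fi
  rm -rf "$work"
  echo "challengePassword in CSR: $in_csr, in certificate: $in_crt, chain verifies: $verified"
  [ "$in_csr" -ge 1 ] && [ "$in_crt" -eq 0 ] && [ "$verified" = yes ]
}
```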
