Do I need an SSL certificate at both servers to communicate via TLS 1.2? [closed]

If two servers are communicating via TLS 1.2, do both servers need to have an SSL?

Only if both are acting as the server at some point in their conversation or if the service utilizes client certificates for authentication. If one server is just a client, then no.

For instance, ServerA is running an app that makes a request against a web service running on ServerB with no cert based auth. At the moment, only ServerB needs the certificate because ServerA is just acting as a client (like a browser). If ServerA is running its own web service that ServerB needs to connect to, then ServerA would also need a certificate.


If two servers are communicating via TLS 1.2, do both servers need to have an SSL?

TL;DR: It depends on who needs to authenticate whom. So you may need 0, 1 or 2 certificates in your case. Read below for why.

First, please do not follow the crowd in using invalid terminology: "SSL certificate" is a misnomer; it is an X.509 certificate, used in this case for TLS communication. Another widespread error you could stop following: SSL has been dead for years and no longer exists; we use TLS now.

So with this out of the way we now have two completely separate things: the TLS protocol, and X.509 certificates.

The TLS protocol exists to secure a connection between two points, and will deliver essentially two features: confidentiality (no one spying on the exchange will understand anything) and authentication (knowing exactly who is at each endpoint of the exchange). And, as counter-intuitive as it may be, authentication is generally more important to have than confidentiality. But they are indeed two orthogonal features: you can set up your TLS exchange to have one, or the other, or both (or even none of them, but then it is not very much TLS anymore).

This leads to multiple consequences.

First, you could do a TLS exchange without any X.509 certificate. There exist other ways to prove identity than X.509 certificates. The authentication could be done with a pre-shared key, for example. Or an OpenPGP key. Or in some very specific cases you could decide not to care at all about authentication and just use TLS for confidentiality (and integrity).

Now, if you use X.509 certificates, the number of them needed depends on which endpoint should be authenticated: basically each side that needs to be authenticated needs to have a certificate that the other side will use to verify the identity (typically by having a list of trusted CAs and accepting any certificate that is valid and issued by any of these CAs).

For example, in the HTTPS world, more often than not only the client (browser) needs to authenticate the server (website), hence websites have certificates. But websites could use client certificates (instead of login+password, for example) to authenticate clients, in which case clients would have certificates of their own. And both can happen: in the past, to declare your revenues in France you could connect to some HTTPS server that was itself authenticated by its certificate and that was authenticating the client by the client's own certificate, for obvious reasons.

All the above is the same for any version of TLS.
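The ServerA/ServerB scenario from the first answer and the "who authenticates whom" rule from the second, as an added example (not code from either answerer): the Go program below runs three TLS 1.2 handshakes over an in-memory pipe, with self-signed certificates constructed on the fly and the hostnames serverb.example and servera.example assumed for illustration. Only when the server is configured to authenticate the client does the client's missing certificate make the handshake fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed X.509 certificate for name (constructed in memory for this example).
func selfSigned(name string) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, // usable as a server or a client certificate
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// Handshake runs one TLS 1.2 handshake over an in-memory pipe and reports whether both ends completed it.
// mutual: the server requires and verifies a client certificate; clientHasCert: the client has one to present.
func Handshake(mutual, clientHasCert bool) bool {
	srvCert, srvLeaf := selfSigned("serverb.example") // ServerB, the web service
	cliCert, cliLeaf := selfSigned("servera.example") // ServerA, the caller
	trustSrv, trustCli := x509.NewCertPool(), x509.NewCertPool()
	trustSrv.AddCert(srvLeaf) // what the client trusts when it authenticates the server
	trustCli.AddCert(cliLeaf) // what the server trusts when it authenticates the client
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if mutual { // authenticating the client is the only thing that makes its certificate necessary
		srvCfg.ClientAuth, srvCfg.ClientCAs = tls.RequireAndVerifyClientCert, trustCli
	}
	cliCfg := &tls.Config{RootCAs: trustSrv, ServerName: "serverb.example", MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if clientHasCert {
		cliCfg.Certificates = []tls.Certificate{cliCert}
	}
	cConn, sConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sConn, srvCfg).Handshake() }()
	cliErr := tls.Client(cConn, cliCfg).Handshake()
	return cliErr == nil && <-srvErr == nil
}
```

Handshake(false, false) succeeds with one certificate (ServerB's), Handshake(true, true) succeeds with two, and Handshake(true, false) fails because ServerB demands a client certificate that ServerA cannot present.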