TCP with SSL

Hi all!

I am writing a TCP server and I want to communicate with the clients over SSL.

I am using C++ on Linux and Windows, but there are no standard functions that support SSL.

Can someone advise me about good FREE libraries for SSL over TCP?

Thanks and Regards woigl
woiglAsked:

jkrCommented:
The most widespread library for SSL communication is OpenSSL from www.openssl.org - if you need one lib that combines both encrypted as well as 'plain' TCP/IP, see e.g. http://www.alhem.net/Sockets/ ("C++ Sockets Library")
0
B1-66ERCommented:
only one link :)

www.openssl.org
0
woiglAuthor Commented:
Okay, I'll download it... just some questions about OpenSSL

Does it work under Linux and under Windows?

Can someone advise me on an easy way to use SSL with a TCP server using OpenSSL?

Kind Regards woigl
0

woiglAuthor Commented:
Can someone help me please, I need an SSL connection using OpenSSL without certificates.

I don't understand how to write this.

Please help me.

Kind Regards Stefan
0
B1-66ERCommented:
>> Can someone help me please, i need a SSL Connection by using OPENSSL without Certificates.

you need to create one cert for the server side.
Then, using this cert, you need to generate private/public keys, also for your server.
You can do all of it using the openssl command.

Simple code for the server:

 #include <string>
 #include <cstring>
 #include <stdexcept>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <unistd.h>

 using std::string ;

 // exception type thrown on every failure below
 struct Err_msg : std::runtime_error
 {
  Err_msg(const string & msg) : std::runtime_error(msg) {}
 } ;

 // OpenSSL calls this to obtain the passphrase of the encrypted private key
 static int password_cb(char * buf, int size, int rwflag, void * userdata)
 {
  const char * pass = "PASSWORD_OF_PRIV_KEY" ;
  int len = (int) strlen(pass) ;
  if (len > size)
   len = size ;
  memcpy(buf, pass, len) ;
  return len ;
 }

 static const int m_Port = 113, m_Timeout = 15, m_Size = 1024,
                  m_MaxConnections = 10 ;
 int m_sock ;

 SSL * m_SSL ;
 SSL_CTX * m_CTX ;

 void run_server()
 {
  unsigned long i ;
  int sock ;
  struct sockaddr_in addr ;

  SSL_library_init() ;
  SSL_load_error_strings() ;
  SSLeay_add_ssl_algorithms() ;

  // SSLv23_server_method() negotiates the highest protocol version both sides
  // support (TLS_server_method() in OpenSSL 1.1.0 and later); SSLv2 itself is
  // insecure, so it is switched off below with SSL_OP_NO_SSLv2
  m_CTX = SSL_CTX_new(SSLv23_server_method()) ;

  if (m_CTX == NULL)
  {
   i = ERR_get_error() ;
   string e ;
   e += "Error: SSL_CTX_new: " ;
   e += ERR_error_string(i, NULL) ;
   throw Err_msg(e) ;
  }

  SSL_CTX_set_options(m_CTX, SSL_OP_ALL | SSL_OP_NO_SSLv2) ;

  if (!SSL_CTX_use_certificate_file(m_CTX, "PATH_TO_CERT_FILE", SSL_FILETYPE_PEM))
  {
   i = ERR_get_error() ;
   string e ;
   e += "Error: SSL_CTX_use_certificate_file: " ;
   e += ERR_error_string(i, NULL) ;
   throw Err_msg(e) ;
  }

  // must be set before the key is loaded, otherwise OpenSSL prompts on the terminal
  SSL_CTX_set_default_passwd_cb(m_CTX, password_cb) ;

  if (!SSL_CTX_use_RSAPrivateKey_file(m_CTX, "PATH_TO_PRIV_KEY", SSL_FILETYPE_PEM))
  {
   i = ERR_get_error() ;
   string e ;
   e += "Error: SSL_CTX_use_RSAPrivateKey_file: " ;
   e += ERR_error_string(i, NULL) ;
   throw Err_msg(e) ;
  }

  memset(&addr, 0, sizeof(addr)) ;
  addr.sin_family = AF_INET ;
  addr.sin_addr.s_addr = INADDR_ANY ;
  addr.sin_port = htons(m_Port) ;

  m_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) ;
  if (m_sock < 0)
   throw Err_msg("Can't create socket") ;

  if (bind(m_sock, (struct sockaddr*)&addr, sizeof(addr)) != 0)
   throw Err_msg("Can't bind to port") ;

  listen(m_sock, m_MaxConnections) ;

  SSL *s ;

  // plain TCP accept first; the SSL handshake then runs on the accepted socket
  if ((sock = accept(m_sock, NULL, NULL)) < 0)
   throw Err_msg("Can't accept new connection") ;

  s = SSL_new(m_CTX) ;
  if (s == NULL)
  {
   i = ERR_get_error() ;
   string e ;
   e += "Error: SSL_new: " ;
   e += ERR_error_string(i, NULL) ;
   throw Err_msg(e) ;
  }

  if (SSL_set_fd(s, sock) == 0)
  {
   i = ERR_get_error() ;
   string e ;
   e += "Warning: SSL_set_fd: " ;
   e += ERR_error_string(i, NULL) ;
   throw Err_msg(e) ;
  }

  // SSL_accept() returns 1 on success; 0 and negative values are failures
  if (SSL_accept(s) <= 0)
  {
   i = ERR_get_error() ;
   string e ;
   e += "Warning: SSL_accept: " ;
   e += ERR_error_string(i, NULL) ;
   throw Err_msg(e) ;
  }

  m_SSL = s ;
 }

then using SSL_read/SSL_write you can send/recv data on the socket

 SSL_write(m_SSL, "hello", 5) ;

When you write your server side, to test that it works you can also use the openssl command.


0

B1-66ERCommented:
sorry :)

before using any SSL functions, you must call SSL_library_init() ;
0
woiglAuthor Commented:
Okay, so far this is really helpful...

just one additional question: Does this also work if the client is written in Java and uses javax.net.ssl?

Regards woigl
0
B1-66ERCommented:
>> Is this also working if the Client is written in Java and using the javax.net.ssl?

to check it, you can use the openssl command :)))
with the argument

s_server
--------
This implements a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library. It provides both an own command line oriented protocol for testing SSL functions and a simple HTTP response facility to emulate an SSL/TLS-aware webserver.
--------

when you run such a server, you can try to connect to it using javax.net.ssl.
0
woiglAuthor Commented:
If I use s_server I get the following output:

[root@www apps]# openssl s_server -nocert -accept 1111 -debug -msg -state
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
read from 080AE9D0 [080B4058] (11 bytes => 11 (0xB))
0000 - 80 62 01 03 01 00 39                              .b....9
000b - <SPACES/NULS>
read from 080AE9D0 [080B4063] (89 bytes => 89 (0x59))
0000 - 00 00 04 01 00 80 00 00-05 00 00 2f 00 00 33 00   .........../..3.
0010 - 00 32 00 00 0a 07 00 c0-00 00 16 00 00 13 00 00   .2..............
0020 - 09 06 00 40 00 00 15 00-00 12 00 00 03 02 00 80   ...@............
0030 - 00 00 08 00 00 14 00 00-11 44 4c c3 69 86 51 33   .........DL.i.Q3
0040 - 20 64 1f 71 1b ef f3 33-c0 b7 bb a6 b7 b9 9f 75    d.q...3.......u
0050 - 8e 48 20 8e 5a 28 08 e1-66                        .H .Z(..f
<<< SSL 2.0 [length 0062], CLIENT-HELLO
    01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00
    00 05 00 00 2f 00 00 33 00 00 32 00 00 0a 07 00
    c0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15
    00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00
    00 11 44 4c c3 69 86 51 33 20 64 1f 71 1b ef f3
    33 c0 b7 bb a6 b7 b9 9f 75 8e 48 20 8e 5a 28 08
    e1 66
write to 080AE9D0 [080BE220] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
>>> TLS 1.0 Alert [length 0002], fatal handshake_failure
    02 28
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client hello B
SSL_accept:error in SSLv3 read client hello B
ERROR
21582:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:882:
shutting down SSL
CONNECTION CLOSED
ACCEPT


and the client reports a handshake failure...
0
B1-66ERCommented:
Using such a command you run the server without SSL support.
To use SSL you need a private key, which you can get if you
have a cert.
So you must create:

1. cert

It's my cert example

file cacert.pem

-----BEGIN CERTIFICATE-----
MIIDTDCCArWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJVQTEP
MA0GA1UECBMGT2Rlc3NhMQ8wDQYDVQQHEwZPZGVzc2ExDTALBgNVBAoTBE9TUFUx
DTALBgNVBAsTBEtJU1MxDTALBgNVBAMTBElnb3IxHzAdBgkqhkiG9w0BCQEWEGFk
bWluX3ZiQG1haWwucnUwHhcNMDYwMzIwMDYxNjE2WhcNMDYwNDE5MDYxNjE2WjB9
MQswCQYDVQQGEwJVQTEPMA0GA1UECBMGT2Rlc3NhMQ8wDQYDVQQHEwZPZGVzc2Ex
DTALBgNVBAoTBE9TUFUxDTALBgNVBAsTBEtJU1MxDTALBgNVBAMTBElnb3IxHzAd
BgkqhkiG9w0BCQEWEGFkbWluX3ZiQG1haWwucnUwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAN7ckY2LoCALOLxj8xxKXvO0MII+1GOvvlLxyGD3jrFoi4muTXos
NL7iAdmFixxcpji9TfOreV+P94x63ZRPYtTgeh3OY96fa8DT8rw977rFiq0M3BY7
Zymu7nGvErwmREtNXsWOCm4ZmwJKMVK0hZL9P/Oj+ZxSDlkj9MLJ4FPvAgMBAAGj
gdswgdgwHQYDVR0OBBYEFDIwkf6Dwdt3YvA9w9UkAPGdy2vwMIGoBgNVHSMEgaAw
gZ2AFDIwkf6Dwdt3YvA9w9UkAPGdy2vwoYGBpH8wfTELMAkGA1UEBhMCVUExDzAN
BgNVBAgTBk9kZXNzYTEPMA0GA1UEBxMGT2Rlc3NhMQ0wCwYDVQQKEwRPU1BVMQ0w
CwYDVQQLEwRLSVNTMQ0wCwYDVQQDEwRJZ29yMR8wHQYJKoZIhvcNAQkBFhBhZG1p
bl92YkBtYWlsLnJ1ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
pa1yxHlA55iQc+2I5x0MoDeRu8JBvllRirikzgC7exekKkS7PVuHyXWhOWXOWH+S
uKITXidvwOSxXYOHVYEZJhYDPHclCNKmGRQq/GDdDxyZ/dK+XIDta9+t/qxF2/vN
aQ6FExYyxWgvz/CWbTakCRQZQTEVtwlx+3T450KwyeY=
-----END CERTIFICATE-----


2. private key for the server side

file cakey.pem (password for this key is 'qwerty')

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FEBF7098D82DFB46
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----

then run the server:

openssl s_server -cert cacert.pem -key cakey.pem -debug -accept 12007

and now you can try to connect to it using javax....
0
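As an added worked example (not code from this thread or from OpenSSL), here are the two steps B1-66ER describes, both in the answer above ("create one cert for the server side ... using the openssl command") and in this last post (the cacert.pem/cakey.pem pair with a password), as a POSIX shell script. It generates a passphrase-protected RSA key and a self-signed certificate with the openssl command-line tool, then runs the checks an operator wants before pointing SSL_CTX_use_certificate_file/SSL_CTX_use_RSAPrivateKey_file or s_server -cert/-key at the files: the key decrypts with the passphrase, the certificate really contains the public half of that key (a mismatch otherwise only shows up as a failed handshake), and the certificate is not about to expire. The file names, the certificate subject and the passphrase are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: create the server key and
# self-signed certificate with the openssl command, then verify them.
# Assumed values: the file names, the certificate subject and the passphrase.

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server-key.pem"        # what SSL_CTX_use_RSAPrivateKey_file loads
CERT="$WORKDIR/server-cert.pem"      # what SSL_CTX_use_certificate_file loads
KEY_PASS="${KEY_PASS:-example-passphrase}"   # what password_cb would hand back

# Step 1: a 2048-bit RSA private key, encrypted with AES-256 under KEY_PASS.
gen_key() {
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$KEY" 2048 2>/dev/null
}

# Step 2: a self-signed certificate for that key, valid for 30 days.
# The subject is constructed for this example; use the real hostname as CN.
gen_cert() {
    openssl req -new -x509 -key "$KEY" -passin "pass:$KEY_PASS" \
        -subj "/CN=example-server/O=Example" -days 30 -out "$CERT" 2>/dev/null
}

# Check A: the key decrypts with the passphrase and passes OpenSSL's RSA
# consistency test (a wrong passphrase is the usual reason
# SSL_CTX_use_RSAPrivateKey_file fails at startup).
key_is_valid() {
    openssl rsa -in "$KEY" -passin "pass:$KEY_PASS" -check -noout >/dev/null 2>&1
}

# Check B: the certificate carries the public half of this key. Both commands
# print the public key as PEM SubjectPublicKeyInfo, so the texts must be equal.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$CERT" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$KEY" -passin "pass:$KEY_PASS" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check C: the certificate stays valid for at least another day (86400 s).
cert_not_expired() {
    openssl x509 -in "$CERT" -noout -checkend 86400 >/dev/null
}

# Prints the subject so the operator sees the identity the server will present.
cert_subject() {
    openssl x509 -in "$CERT" -noout -subject
}

# Generate both files and run every check; succeeds only if all of them pass.
setup_server_credentials() {
    gen_key && gen_cert && key_is_valid && key_matches_cert && cert_not_expired
}

# Stand-alone run: report the subject on success, or say where to look.
if setup_server_credentials; then
    cert_subject
else
    echo "credential setup failed, see files in $WORKDIR" >&2
fi
```

With the generated files, the s_server command from this post becomes `openssl s_server -cert "$CERT" -key "$KEY" -pass "pass:$KEY_PASS" -accept 12007`, and the same two paths and passphrase are what the C++ server above loads through SSL_CTX_use_certificate_file, SSL_CTX_use_RSAPrivateKey_file and password_cb.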
Question has a verified solution.
