Solved

TCP with SSL

Posted on 2006-04-21
10
Medium Priority
1,827 Views
Last Modified: 2013-11-29
Hi all!

I am writing a TCP server and I want to communicate with the clients over SSL.

I am using C++ on Linux and Windows but there are no standard functions that support SSL.

Can someone advise me about good FREE libraries for SSL over TCP?

Thanks and Regards woigl
Question by:woigl
10 Comments
 
LVL 86

Assisted Solution

by:jkr
jkr earned 800 total points
ID: 16511599
The most wide-spread library for SSL communication is OpenSSL from www.openssl.org - if you need one lib that combines both encrypted as well as 'plain' TCP/IP, see e.g. http://www.alhem.net/Sockets/ ("C++ Sockets Library")
 
LVL 5

Expert Comment

by:B1-66ER
ID: 16511601
only one link :)

www.openssl.org
 

Author Comment

by:woigl
ID: 16514844
Okay, I downloaded it... just some questions about OpenSSL

Is it working under Linux and under Windows OS?

Can someone advise me on easy use of SSL with a TCP server using OpenSSL?

Kind Regards woigl
 

Author Comment

by:woigl
ID: 16520367
Can someone help me please, I need an SSL connection using OpenSSL without certificates.

I don't understand how to write this.

Please help me.

Kind Regards Stefan
 
LVL 5

Accepted Solution

by:
B1-66ER earned 1200 total points
ID: 16522226
>> Can someone help me please, i need a SSL Connection by using OPENSSL without Certificates.

you need to create one cert for the server side.
Then, using this cert, you need to generate private/public keys, also for your server.
You can do all of it using the openssl command.

Simple code for server :

// POSIX socket headers; on Windows use winsock2.h and WSAStartup() instead
#include <cstring>
#include <string>
#include <stdexcept>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

using std::string ;

struct Err_msg : std::runtime_error          // exception type thrown below
{ explicit Err_msg(const string & m) : std::runtime_error(m) {} } ;

// hands OpenSSL the passphrase of the encrypted private key (defined elsewhere)
int password_cb(char * buf, int size, int rwflag, void * userdata) ;

.......

 static const int m_Port = 113, m_Timeout = 15, m_Size = 1024,
                  m_MaxConnections = 10 ;
 int m_sock ;
 int sock ;                      // accepted client socket (was undeclared)
 unsigned long i ;               // error code from ERR_get_error() (was undeclared)
 struct sockaddr_in addr ;       // listen address (was undeclared)

 SSL * m_SSL ;
 SSL_CTX * m_CTX ;

 SSL_library_init() ;            // must be called before any other SSL function
 SSL_load_error_strings() ;
 SSLeay_add_ssl_algorithms() ;

 // The original post used SSLv2_server_method(), which accepts only SSL 2.0; the Java
 // client never negotiates that. SSLv23_server_method() accepts the SSL 2.0-style hello
 // and then talks SSL 3.0/TLS 1.0 over it, with SSL 2.0 itself switched off below.
 m_CTX = SSL_CTX_new(SSLv23_server_method()) ;
 if (m_CTX == NULL)              // check before the context is used
 {
  i = ERR_get_error() ;
  string e ;
  e += "Error: SSL_CTX_new: " ;
  e += ERR_error_string(i, NULL) ;
  throw Err_msg(e) ;
 }
 SSL_CTX_set_options(m_CTX, SSL_OP_ALL | SSL_OP_NO_SSLv2) ;

 if (!SSL_CTX_use_certificate_file(m_CTX, "PATH_TO_CERT_FILE", SSL_FILETYPE_PEM))
 {
  i = ERR_get_error() ;
  string e ;
  e += "Error: SSL_CTX_use_certificate_file: " ;
  e += ERR_error_string(i, NULL) ;
  throw Err_msg(e) ;
 }

 SSL_CTX_set_default_passwd_cb(m_CTX, password_cb) ;

 if (!SSL_CTX_use_RSAPrivateKey_file(m_CTX, "PATH_TO_PRIV_KEY", SSL_FILETYPE_PEM))
 {
  i = ERR_get_error() ;
  string e ;
  e += "Error: SSL_CTX_use_RSAPrivateKey_file: " ;
  e += ERR_error_string(i, NULL) ;
  throw Err_msg(e) ;
 }

 memset(&addr, 0, sizeof(addr)) ;
 addr.sin_family = AF_INET ;
 addr.sin_addr.s_addr = INADDR_ANY ;
 addr.sin_port = htons(m_Port) ;  // was htons(PORT); PORT is declared nowhere

 m_sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) ;
 if (m_sock < 0)
  throw Err_msg("Can't create socket") ;

 if (bind(m_sock, (struct sockaddr*)&addr, sizeof(addr)) != 0)
  throw Err_msg("Can't bind to port") ;

 if (listen(m_sock, m_MaxConnections) != 0)
  throw Err_msg("Can't listen on socket") ;

 SSL *s ;

 if ((sock = accept(m_sock, NULL, NULL)) < 0)
  throw Err_msg("Can't accept new connection") ;

 s = SSL_new(m_CTX) ;
 if (s == NULL)
 {
  i = ERR_get_error() ;
  string e ;
  e += "Error: SSL_new: " ;
  e += ERR_error_string(i, NULL) ;
  throw Err_msg(e) ;
 }

 if (SSL_set_fd(s, sock) == 0)
 {
  i = ERR_get_error() ;
  string e ;
  e += "Warning: SSL_set_fd: " ;
  e += ERR_error_string(i, NULL) ;
  throw Err_msg(e) ;
 }

 if (SSL_accept(s) <= 0)         // 1 = handshake done; 0 or negative = failure
 {
  i = ERR_get_error() ;
  string e ;
  e += "Warning: SSL_accept: " ;
  e += ERR_error_string(i, NULL) ;
  throw Err_msg(e) ;
 }
 m_SSL = s ;                     // the handshake-complete session used from here on


Then, using SSL_read/SSL_write, you can send/recv data over the socket:

 SSL_write(m_SSL, "hello", 5) ;               // the post had SSL_read here, which cannot write into a string literal
 char buf[m_Size] ;
 int n = SSL_read(m_SSL, buf, sizeof(buf)) ;  // n = bytes received, <= 0 on error/shutdown

When you write your server side, to test that it works you can also use the openssl command.


 
LVL 5

Expert Comment

by:B1-66ER
ID: 16522230
sorry :)

before using any SSL functions, you must call SSL_library_init() ;
 

Author Comment

by:woigl
ID: 16522926
Okay, so far this is really helpful...

just one additional question: Is this also working if the Client is written in Java and using the javax.net.ssl?

Regards woigl
 
LVL 5

Expert Comment

by:B1-66ER
ID: 16523725
>> Is this also working if the Client is written in Java and using the javax.net.ssl?

to check it, you can use the openssl command :)))
with argument

s_server
--------
This implements a generic SSL/TLS server which accepts connections from remote clients speaking SSL/TLS. It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL ssl library. It provides both an own command line oriented protocol for testing SSL functions and a simple HTTP response facility to emulate an SSL/TLS-aware webserver.
--------

when you run such a server, you can try to connect to it using javax.net.ssl.
 

Author Comment

by:woigl
ID: 16524347
If I use s_server I get the following output:

[root@www apps]# openssl s_server -nocert -accept 1111 -debug -msg -state
Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
read from 080AE9D0 [080B4058] (11 bytes => 11 (0xB))
0000 - 80 62 01 03 01 00 39                              .b....9
000b - <SPACES/NULS>
read from 080AE9D0 [080B4063] (89 bytes => 89 (0x59))
0000 - 00 00 04 01 00 80 00 00-05 00 00 2f 00 00 33 00   .........../..3.
0010 - 00 32 00 00 0a 07 00 c0-00 00 16 00 00 13 00 00   .2..............
0020 - 09 06 00 40 00 00 15 00-00 12 00 00 03 02 00 80   ...@............
0030 - 00 00 08 00 00 14 00 00-11 44 4c c3 69 86 51 33   .........DL.i.Q3
0040 - 20 64 1f 71 1b ef f3 33-c0 b7 bb a6 b7 b9 9f 75    d.q...3.......u
0050 - 8e 48 20 8e 5a 28 08 e1-66                        .H .Z(..f
<<< SSL 2.0 [length 0062], CLIENT-HELLO
    01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00
    00 05 00 00 2f 00 00 33 00 00 32 00 00 0a 07 00
    c0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15
    00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00
    00 11 44 4c c3 69 86 51 33 20 64 1f 71 1b ef f3
    33 c0 b7 bb a6 b7 b9 9f 75 8e 48 20 8e 5a 28 08
    e1 66
write to 080AE9D0 [080BE220] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
>>> TLS 1.0 Alert [length 0002], fatal handshake_failure
    02 28
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client hello B
SSL_accept:error in SSLv3 read client hello B
ERROR
21582:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:882:
shutting down SSL
CONNECTION CLOSED
ACCEPT


and the client reports a handshake failure...
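As an added example that is not part of any post in this thread: a small C++ program that decodes the SSL 2.0-style CLIENT-HELLO recorded in the s_server log above (the bytes are copied from that log; the struct and function names are the example's own, and the suite-name table covers only the suites that appear in that hello) and checks, suite by suite, whether a server started with -nocert could negotiate it. Every suite this client offered needs RSA or DSS server authentication, so a server holding no certificate has nothing in common with it, which is what the "no shared cipher" alert in the log reports.

```cpp
// Added example, not code from the thread: decode the SSL 2.0-style CLIENT-HELLO that
// openssl s_server logged above and report which offered cipher suites a server
// without a certificate (s_server -nocert) could negotiate at all.
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

struct ClientHello {
    int version_major = 0, version_minor = 0;   // highest version the client offers
    std::vector<uint32_t> cipher_specs;         // 3-byte SSLv2-style cipher specs
    std::vector<uint8_t> session_id, challenge;
};

// Hex dump text (bytes separated by whitespace) to raw bytes.
std::vector<uint8_t> hex_to_bytes(const std::string& hex) {
    std::string digits;
    for (char c : hex) if (!std::isspace(static_cast<unsigned char>(c))) digits += c;
    std::vector<uint8_t> out;
    for (size_t i = 0; i + 1 < digits.size(); i += 2)
        out.push_back(static_cast<uint8_t>(std::stoul(digits.substr(i, 2), nullptr, 16)));
    return out;
}

// SSLv2 framing: 2-byte header (high bit set, 15-bit length), then msg type 0x01,
// version, and the lengths of the cipher-spec list, session id and challenge.
ClientHello parse_sslv2_client_hello(const std::vector<uint8_t>& rec) {
    if (rec.size() < 11 || !(rec[0] & 0x80) || rec[2] != 0x01)
        throw std::runtime_error("not an SSLv2-framed CLIENT-HELLO");
    size_t len = ((rec[0] & 0x7f) << 8) | rec[1];
    size_t cipher_len = (rec[5] << 8) | rec[6];
    size_t sid_len    = (rec[7] << 8) | rec[8];
    size_t chal_len   = (rec[9] << 8) | rec[10];
    if (rec.size() != len + 2 || cipher_len % 3 != 0 ||
        11 + cipher_len + sid_len + chal_len != rec.size())
        throw std::runtime_error("inconsistent lengths");
    ClientHello h;
    h.version_major = rec[3];
    h.version_minor = rec[4];
    size_t p = 11;
    for (size_t i = 0; i < cipher_len; i += 3, p += 3)
        h.cipher_specs.push_back((rec[p] << 16) | (rec[p + 1] << 8) | rec[p + 2]);
    h.session_id.assign(rec.begin() + p, rec.begin() + p + sid_len);
    p += sid_len;
    h.challenge.assign(rec.begin() + p, rec.begin() + p + chal_len);
    return h;
}

// Only anonymous key exchange works without a server certificate. SSLv2-native specs
// (non-zero top byte) all use RSA; among the SSL 3.0/TLS 1.0 suites only DH_anon
// authenticates nothing.
bool needs_server_certificate(uint32_t spec) {
    if (spec >> 16) return true;
    static const std::set<uint16_t> dh_anon = {0x0017, 0x0018, 0x0019, 0x001a,
                                                0x001b, 0x0034, 0x003a};
    return dh_anon.count(static_cast<uint16_t>(spec & 0xffff)) == 0;
}
size_t count_certless_suites(const ClientHello& h) {
    size_t n = 0;
    for (uint32_t s : h.cipher_specs) if (!needs_server_certificate(s)) ++n;
    return n;
}
// Names for some suites in the logged hello; anything else is shown by its id.
std::string suite_name(uint32_t spec) {
    static const std::map<uint32_t, std::string> names = {
        {0x000004, "TLS_RSA_WITH_RC4_128_MD5"},   {0x010080, "SSL2_RC4_128_WITH_MD5"},
        {0x000005, "TLS_RSA_WITH_RC4_128_SHA"},   {0x00002f, "TLS_RSA_WITH_AES_128_CBC_SHA"},
        {0x000033, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}, {0x000032, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"},
        {0x00000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}, {0x0700c0, "SSL2_DES_192_EDE3_CBC_WITH_MD5"}};
    auto it = names.find(spec);
    if (it != names.end()) return it->second;
    char buf[16];
    std::snprintf(buf, sizeof buf, "0x%06x", static_cast<unsigned>(spec));
    return buf;
}

// The record from the s_server log above: header 80 62 followed by the 98-byte hello.
const std::string kLoggedHelloHex =
    "80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00 80 00 "
    "00 05 00 00 2f 00 00 33 00 00 32 00 00 0a 07 00 "
    "c0 00 00 16 00 00 13 00 00 09 06 00 40 00 00 15 "
    "00 00 12 00 00 03 02 00 80 00 00 08 00 00 14 00 "
    "00 11 44 4c c3 69 86 51 33 20 64 1f 71 1b ef f3 "
    "33 c0 b7 bb a6 b7 b9 9f 75 8e 48 20 8e 5a 28 08 e1 66";
ClientHello logged_hello() { return parse_sslv2_client_hello(hex_to_bytes(kLoggedHelloHex)); }

int main() {
    ClientHello h = logged_hello();
    std::printf("client offers up to %d.%d, %zu suites, %zu-byte challenge\n",
                h.version_major, h.version_minor, h.cipher_specs.size(), h.challenge.size());
    for (uint32_t s : h.cipher_specs)
        std::printf("  %-40s %s\n", suite_name(s).c_str(),
                    needs_server_certificate(s) ? "needs server cert" : "anonymous");
    std::printf("suites usable with -nocert: %zu\n", count_certless_suites(h));
}
```

The parser is generic for any SSLv2-framed hello (the "00 39" at offset 5 is the cipher-spec byte count, so the 19 suites and 32-byte challenge fall out of the length fields rather than being hard-coded); a modern TLS ClientHello arrives as a record starting with 0x16 and is rejected by the framing check.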
 
LVL 5

Expert Comment

by:B1-66ER
ID: 16524848
Using such a command you run the server without SSL support.
To use SSL you need a private key, which you can get if you
have a cert.
So you must create:

1. cert

It's my cert example

file cacert.pem

-----BEGIN CERTIFICATE-----
MIIDTDCCArWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB9MQswCQYDVQQGEwJVQTEP
MA0GA1UECBMGT2Rlc3NhMQ8wDQYDVQQHEwZPZGVzc2ExDTALBgNVBAoTBE9TUFUx
DTALBgNVBAsTBEtJU1MxDTALBgNVBAMTBElnb3IxHzAdBgkqhkiG9w0BCQEWEGFk
bWluX3ZiQG1haWwucnUwHhcNMDYwMzIwMDYxNjE2WhcNMDYwNDE5MDYxNjE2WjB9
MQswCQYDVQQGEwJVQTEPMA0GA1UECBMGT2Rlc3NhMQ8wDQYDVQQHEwZPZGVzc2Ex
DTALBgNVBAoTBE9TUFUxDTALBgNVBAsTBEtJU1MxDTALBgNVBAMTBElnb3IxHzAd
BgkqhkiG9w0BCQEWEGFkbWluX3ZiQG1haWwucnUwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAN7ckY2LoCALOLxj8xxKXvO0MII+1GOvvlLxyGD3jrFoi4muTXos
NL7iAdmFixxcpji9TfOreV+P94x63ZRPYtTgeh3OY96fa8DT8rw977rFiq0M3BY7
Zymu7nGvErwmREtNXsWOCm4ZmwJKMVK0hZL9P/Oj+ZxSDlkj9MLJ4FPvAgMBAAGj
gdswgdgwHQYDVR0OBBYEFDIwkf6Dwdt3YvA9w9UkAPGdy2vwMIGoBgNVHSMEgaAw
gZ2AFDIwkf6Dwdt3YvA9w9UkAPGdy2vwoYGBpH8wfTELMAkGA1UEBhMCVUExDzAN
BgNVBAgTBk9kZXNzYTEPMA0GA1UEBxMGT2Rlc3NhMQ0wCwYDVQQKEwRPU1BVMQ0w
CwYDVQQLEwRLSVNTMQ0wCwYDVQQDEwRJZ29yMR8wHQYJKoZIhvcNAQkBFhBhZG1p
bl92YkBtYWlsLnJ1ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEA
pa1yxHlA55iQc+2I5x0MoDeRu8JBvllRirikzgC7exekKkS7PVuHyXWhOWXOWH+S
uKITXidvwOSxXYOHVYEZJhYDPHclCNKmGRQq/GDdDxyZ/dK+XIDta9+t/qxF2/vN
aQ6FExYyxWgvz/CWbTakCRQZQTEVtwlx+3T450KwyeY=
-----END CERTIFICATE-----


2. priv key for server side

file cakey.pem (password for this key is 'qwerty')

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FEBF7098D82DFB46
-----END RSA PRIVATE KEY-----

then run server:

openssl s_server -cert cacert.pem -key cakey.pem -debug -accept 12007

and now you can try to connect to it using javax....
