Re: [boost] [asio] Trying to make SSL work with an existing client/server system
Hi Chris, Thanks very much for the reply.
It sounds to me as though you're using the SSL example from the "boost layout" asio proposal (where everything is in the namespace boost::asio) with the headers from the non-boost package of asio (where the namespace is just asio). The SSL example is found in src/examples/ssl in the non-boost package.
You are correct. We grabbed the version from sourceforge several months ago (v3.6). I downloaded the latest from anonymous CVS - wow. Quite a few changes there (demuxer is now io_service, etc. etc.). I'm in the process of rewriting our code to the latest asio. When I'm done, I hope you (or someone with SSL experience) wouldn't mind answering a few questions about getting SSL working. I basically just want a simple encrypted tcp stream, with a minimal of fuss. I don't need certificates (at least I don't think I do). All I want is the server and client to generate keys on startup automatically and use those keys to negotiate the symmetric cypher during handshaking. If there's an easy way to hook that up, please let me know. The example client/server SSL seems unwieldy. It actually makes you type a pass phrase when the server starts. I really don't want that. Thanks, Scott
Hi Scott, Scott <cheesy4poofs@cox.net> wrote:
When I'm done, I hope you (or someone with SSL experience) wouldn't mind answering a few questions about getting SSL working.
My knowledge of SSL is pretty limited, so I'll do my best.
I basically just want a simple encrypted tcp stream, with a minimal of fuss. I don't need certificates (at least I don't think I do). All I want is the server and client to generate keys on startup automatically and use those keys to negotiate the symmetric cypher during handshaking. If there's an easy way to hook that up, please let me know.
For the client, you can remove the need for certificates by making the following change to the example program: --- client.cpp 3 May 2006 13:12:46 -0000 1.10 +++ client.cpp 15 Jun 2006 12:47:19 -0000 @@ -115,8 +115,7 @@ asio::ip::tcp::resolver::iterator iterator = resolver.resolve(query); asio::ssl::context ctx(io_service, asio::ssl::context::sslv23); - ctx.set_verify_mode(asio::ssl::context::verify_peer); - ctx.load_verify_file("ca.pem"); + ctx.set_verify_mode(asio::ssl::context::verify_none); client c(io_service, ctx, iterator);
The example client/server SSL seems unwieldy. It actually makes you type a pass phrase when the server starts. I really don't want that.
According to the O'Reilly OpenSSL book, the passphrase is used to protect the private key if it's in PEM format. Private key files that use the ASN.1 format are not encrypted, so if you use one of these you shouldn't be prompted for a passphrase. I.e. the server would be changed to use: context_.use_private_key_file( "privatekey.asn1", asio::ssl::context::asn1); I don't know if it's possible to have a server without a private key. The examples in the book all seem to use one. Cheers, Chris
On Thu, Jun 15, 2006 at 02:56:52PM +0200, Christopher Kohlhoff wrote:
Scott <cheesy4poofs@cox.net> wrote:
I basically just want a simple encrypted tcp stream, with a minimal of fuss. I don't need certificates (at least I don't think I do). All I want is the server and client to generate keys on startup automatically and use those keys to negotiate the symmetric cypher during handshaking. If there's an easy way to hook that up, please let me know.
In general, if you don't use at least server authentication, then you are vulnerable to Man in the Middle attacks.
The example client/server SSL seems unwieldy. It actually makes you type a pass phrase when the server starts. I really don't want that.
According to the O'Reilly OpenSSL book, the passphrase is used to protect the private key if it's in PEM format. Private key files that use the ASN.1 format are not encrypted, so if you use one of these you shouldn't be prompted for a passphrase.
Both the DER und the PEM format of OpenSSL private keys files are ASN.1 data - they only differ in their encoding. The Distinguished Encoding Rules <URL:http://en.wikipedia.org/wiki/DER> define just one of several methods to encode ASN.1 data in binary format. PEM files contain the same data as their DER equivalents, but additionally Base64 encoded (whence you can treat them as ASCII text) and put in between informative header / footer lines. (The actual ASN.1 structure of the key files is defined by RSA's PKCS#1 and PKCS#8 specifications.) Christoph -- FH Worms - University of Applied Sciences Fachbereich Informatik / Telekommunikation Erenburgerstr. 19, 67549 Worms, Germany
participants (3)
-
Christoph Ludwig -
Christopher Kohlhoff -
Scott