Like Tree1Likes
  • 1 Post By dmh2000

Experimenting with SSL connections

This is a discussion on Experimenting with SSL connections within the C Programming forums, part of the General Programming Boards category; Hi Everyone I have written a simple SSL Client/Server set of programs from a few tutorials I have found on ...

  1. #1
    Registered User FiniteRed's Avatar
    Join Date
    Sep 2012
    Posts
    2

    Wink Experimenting with SSL connections

    Hi Everyone

    I have written a simple SSL Client/Server set of programs from a few tutorials I have found on the net - and these work fine. What I cant get my head around is the client side of things (See below)

    It looks as if from the code the client connects to the SSL server, blindly accepts the certificate it provides then then uses it to encrypt/decrypt the data sent to and from the pair.

    Should there not be something client side that validates the servers certificate for use? I mean I can change / swap the server side certificate with any new one and have it connect without so much as a wimper? How is this a secure method of connection? (or am I - as I suspect - missing something )

    Many thanks

    FR

    Code:
    void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile);
    int OpenConnection(const char *hostname, int port);
    void ShowCerts(SSL* ssl);
    SSL_CTX* InitCTX(void);
    
    
    int main(int count, char *strings[]) {
    
    
        char *hostname, *portnum;
        char buf[1024];
        SSL_CTX *ctx;
        SSL ........l;
        int server;
        int bytes;
    
    
        if ( count != 3 ) {
    
    
            printf("usage: %s <hostname> <portnum>\n", strings[0]);
            exit(0);
    
    
        } // if
    
    
        hostname=strings[1];
        portnum=strings[2];
    
    
        printf("\nSSL Client 0.1\n~~~~~~~~~~~~~~~\n\n");
    
    
        // Init. the SSL lib
        SSL_library_init();
        ctx = InitCTX();
    
    
        printf("Client SSL lib init complete\n");
    
    
        // Open the connection as normal
        server = OpenConnection(hostname, atoi(portnum));
    
    
        // Create new SSL connection state
        ssl = SSL_new(ctx);
    
    
        // Attach the socket descriptor
        SSL_set_fd(ssl, server);
    
    
        // Perform the connection
        if ( SSL_connect(ssl) != FAIL ) {
    
    
            char *msg = "Here is some data";
    
    
            printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
            ShowCerts(ssl);
    
    
            // Print any certs
            SSL_write(ssl, msg, strlen(msg));
    
    
            // Encrypt & send message */
            bytes = SSL_read(ssl, buf, sizeof(buf));
    
    
            // Get reply & decrypt
            buf[bytes] = 0;
            printf("Received: '%s'\n\n", buf);
    
    
            // Release connection state
            SSL_free(ssl);
    
    
        } // if
    
    
        else ERR_print_errors_fp(stderr);
    
    
        // Close socket
        close(server);
    
    
        // Release context
        SSL_CTX_free(ctx);
        return 0;
    
    
    } // main
    
    
    SSL_CTX* InitCTX(void) {
    
    
        SSL_METHOD const *method;
        SSL_CTX *ctx;
    
    
        // Load cryptos, et.al.
        OpenSSL_add_all_algorithms();
    
    
        // Bring in and register error messages
        SSL_load_error_strings();
    
    
        // Create new client-method instance
        method = SSLv3_client_method();
    
    
        // Create new context
        ctx = SSL_CTX_new(method);
    
    
        if ( ctx == NULL ) {
    
    
            ERR_print_errors_fp(stderr);
            abort();
    
    
        } // if
    
    
        return ctx;
    
    
    } //InitCTX
    
    
    int OpenConnection(const char *hostname, int port) {
    
    
        int sd;
        struct hostent *host;
        struct sockaddr_in addr;
    
    
        if ( (host = gethostbyname(hostname)) == NULL ) {
    
    
            perror(hostname);
            abort();
    
    
        } // if
    
    
        sd = socket(PF_INET, SOCK_STREAM, 0);
        bzero(&addr, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_port = htons(port);
        addr.sin_addr.s_addr = *(long*)(host->h_addr);
    
    
        if ( connect(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 ) {
    
    
            close(sd);
            perror(hostname);
            abort();
    
    
        } // if
    
    
        return sd;
    
    
    } // OpenConnection
    
    
    void ShowCerts(SSL* ssl) {
    
    
        X509 *cert;
        char *line;
    
    
        cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */
    
    
        if ( cert != NULL ) {
    
    
            printf("\nServer certificate:\n");
            line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
            printf("Subject: %s\n", line);
    
    
            // Free the malloc'ed string
            free(line);
            line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
            printf("Issuer: %s\n", line);
    
    
            // Free the malloc'ed string
            free(line);
    
    
            // Free the malloc'ed certificate copy
            X509_free(cert);
    
    
        } // if
    
    
        else printf("No certificates.\n");
    
    
    } // ShowCerts
    Last edited by FiniteRed; 09-17-2012 at 09:49 AM.

  2. #2
    Registered User
    Join Date
    Mar 2011
    Posts
    546
    you, the client, have to compare the certificate against a list of trusted certificate issuers and their public key. for example browsers maintain a list of trusted certificate authorities. your client code has to maintain such a list or get it from somewhere. here is a link that describes the process.
    Description of the Server Authentication Process During the SSL Handshake

    edit: for example, in google chrome, go to advanced settings and there is a button that shows you the list of trusted certificate authorities. IE and firefox would have something similar.
    Salem likes this.

  3. #3
    Registered User FiniteRed's Avatar
    Join Date
    Sep 2012
    Posts
    2
    ahha! That's just the sort of thing I was looking for, thank you dmh2000

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Using/Learning DTL for my DB connections
    By csonx_p in forum C++ Programming
    Replies: 2
    Last Post: 10-08-2008, 11:23 PM
  2. ppp dialup connections
    By rzcodeman in forum Networking/Device Communication
    Replies: 1
    Last Post: 04-15-2004, 01:26 PM
  3. net connections
    By sargas99 in forum C++ Programming
    Replies: 3
    Last Post: 09-11-2002, 06:14 PM
  4. Experimenting with Bluetooth
    By Shiro in forum A Brief History of Cprogramming.com
    Replies: 8
    Last Post: 01-29-2002, 11:48 AM

Tags for this Thread


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21