Thread: Experimenting with SSL connections

  1. #1
    Registered User FiniteRed's Avatar
    Join Date
    Sep 2012

    Wink Experimenting with SSL connections

    Hi Everyone

    I have written a simple SSL Client/Server set of programs from a few tutorials I have found on the net - and these work fine. What I cant get my head around is the client side of things (See below)

    It looks as if from the code the client connects to the SSL server, blindly accepts the certificate it provides then then uses it to encrypt/decrypt the data sent to and from the pair.

    Should there not be something client side that validates the servers certificate for use? I mean I can change / swap the server side certificate with any new one and have it connect without so much as a wimper? How is this a secure method of connection? (or am I - as I suspect - missing something )

    Many thanks


    void LoadCertificates(SSL_CTX* ctx, char* CertFile, char* KeyFile);
    int OpenConnection(const char *hostname, int port);
    void ShowCerts(SSL* ssl);
    SSL_CTX* InitCTX(void);
    int main(int count, char *strings[]) {
        char *hostname, *portnum;
        char buf[1024];
        SSL_CTX *ctx;
        SSL ........l;
        int server;
        int bytes;
        if ( count != 3 ) {
            printf("usage: %s <hostname> <portnum>\n", strings[0]);
        } // if
        printf("\nSSL Client 0.1\n~~~~~~~~~~~~~~~\n\n");
        // Init. the SSL lib
        ctx = InitCTX();
        printf("Client SSL lib init complete\n");
        // Open the connection as normal
        server = OpenConnection(hostname, atoi(portnum));
        // Create new SSL connection state
        ssl = SSL_new(ctx);
        // Attach the socket descriptor
        SSL_set_fd(ssl, server);
        // Perform the connection
        if ( SSL_connect(ssl) != FAIL ) {
            char *msg = "Here is some data";
            printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
            // Print any certs
            SSL_write(ssl, msg, strlen(msg));
            // Encrypt & send message */
            bytes = SSL_read(ssl, buf, sizeof(buf));
            // Get reply & decrypt
            buf[bytes] = 0;
            printf("Received: '%s'\n\n", buf);
            // Release connection state
        } // if
        else ERR_print_errors_fp(stderr);
        // Close socket
        // Release context
        return 0;
    } // main
    SSL_CTX* InitCTX(void) {
        SSL_METHOD const *method;
        SSL_CTX *ctx;
        // Load cryptos,
        // Bring in and register error messages
        // Create new client-method instance
        method = SSLv3_client_method();
        // Create new context
        ctx = SSL_CTX_new(method);
        if ( ctx == NULL ) {
        } // if
        return ctx;
    } //InitCTX
    int OpenConnection(const char *hostname, int port) {
        int sd;
        struct hostent *host;
        struct sockaddr_in addr;
        if ( (host = gethostbyname(hostname)) == NULL ) {
        } // if
        sd = socket(PF_INET, SOCK_STREAM, 0);
        bzero(&addr, sizeof(addr));
        addr.sin_family = AF_INET;
        addr.sin_port = htons(port);
        addr.sin_addr.s_addr = *(long*)(host->h_addr);
        if ( connect(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 ) {
        } // if
        return sd;
    } // OpenConnection
    void ShowCerts(SSL* ssl) {
        X509 *cert;
        char *line;
        cert = SSL_get_peer_certificate(ssl); /* get the server's certificate */
        if ( cert != NULL ) {
            printf("\nServer certificate:\n");
            line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
            printf("Subject: %s\n", line);
            // Free the malloc'ed string
            line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
            printf("Issuer: %s\n", line);
            // Free the malloc'ed string
            // Free the malloc'ed certificate copy
        } // if
        else printf("No certificates.\n");
    } // ShowCerts
    Last edited by FiniteRed; 09-17-2012 at 09:49 AM.

  2. #2
    Registered User
    Join Date
    Mar 2011
    you, the client, have to compare the certificate against a list of trusted certificate issuers and their public key. for example browsers maintain a list of trusted certificate authorities. your client code has to maintain such a list or get it from somewhere. here is a link that describes the process.
    Description of the Server Authentication Process During the SSL Handshake

    edit: for example, in google chrome, go to advanced settings and there is a button that shows you the list of trusted certificate authorities. IE and firefox would have something similar.

  3. #3
    Registered User FiniteRed's Avatar
    Join Date
    Sep 2012
    ahha! That's just the sort of thing I was looking for, thank you dmh2000

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Using/Learning DTL for my DB connections
    By csonx_p in forum C++ Programming
    Replies: 2
    Last Post: 10-08-2008, 11:23 PM
  2. ppp dialup connections
    By rzcodeman in forum Networking/Device Communication
    Replies: 1
    Last Post: 04-15-2004, 01:26 PM
  3. net connections
    By sargas99 in forum C++ Programming
    Replies: 3
    Last Post: 09-11-2002, 06:14 PM
  4. Experimenting with Bluetooth
    By Shiro in forum A Brief History of
    Replies: 8
    Last Post: 01-29-2002, 12:48 PM

Tags for this Thread